Use the 802.1X Wizard to Configure NPS Network Policies
Applies To: Windows Server 2008, Windows Server 2008 R2
Follow these steps to create the connection request policies and network policies required to deploy 802.1X-capable Ethernet switches as Remote Authentication Dial-In User Service (RADIUS) clients to the RADIUS server running Network Policy Server (NPS).
Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.
After you run the Configure 802.1X wizard, the following policies are created:
One connection request policy
One network policy
You can run the Configure 802.1X wizard every time that you have to create new policies for 802.1X authenticated access.
Membership in Domain Admins, or equivalent, is the minimum requirement to complete this procedure.
To create policies for 802.1X authenticated wired access by using the Configure 802.1X wizard
Open the NPS Microsoft Management Console (MMC) snap-in. If it is not already selected, click NPS (Local). If you are running the NPS snap-in and want to create policies on a remote NPS server, click that server instead.
In Getting Started and Standard Configuration, select RADIUS server for 802.1X Wireless or Wired Connections.
Click Configure 802.1X. The Configure 802.1X wizard opens.
On the Select 802.1X Connections Type wizard page, in Type of 802.1X connections, select Secure Wired (Ethernet) Connections, and in Name, type a name for your policy, or leave the default name. Click Next.
On the Specify 802.1X Switches wizard page, in RADIUS clients, all 802.1X switches and wireless access points (APs) that you have added as RADIUS clients in the NPS snap-in are shown. Do any of the following:
To add network access servers (NASs), such as 802.1X-capable switches, in RADIUS clients, click Add, and then, in New RADIUS client, enter the information for: Friendly name, Address (IP or DNS), and Shared Secret.
To modify the settings for any NAS, in RADIUS clients, select the AP or switch for which you want to modify the settings, and then click Edit. Modify the settings as required.
To remove a NAS from the list, in RADIUS clients, select the NAS, and then click Remove.
All additions, modifications, and deletions that you make in the Configure 802.1X wizard to RADIUS clients are reflected in the NPS snap-in (in the RADIUS Clients node, under NPS / RADIUS Clients and Servers). For example, if you use the wizard to remove an 802.1X switch, the switch is also removed from the NPS snap-in.
Click Next. On the Configure an Authentication Method wizard page, in Type (based on method of access and network configuration), do one of the following:
For authentication by using Extensible Authentication Protocol–Transport Layer Security (EAP-TLS), select Microsoft: Smart Card or other certificate, click Configure, click OK, and then click Next.
For authentication by using Protected Extensible Authentication Protocol–Transport Layer Security (PEAP-TLS), select Microsoft: Protected EAP (PEAP). In Eap Types, click Add, click Smart Card or other certificate, click the Move Up button to position a smart card or other certificate at the top of the list, click OK, and then click Next.
For secure password authentication by using Protected Extensible Authentication Protocol–Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), select Microsoft: Protected EAP (PEAP). In Eap Types, click Add, click Secured password (EAP-MSCHAP v2), click the Move Up button to position the secured password authentication type at the top of the list, click OK, and then click Next.
If you receive an error message that states that a certificate cannot be found for use with the authentication method, but you have configured Active Directory Certificate Services (AD CS) to automatically issue certificates to Routing and Remote Access service (RRAS) and Internet Authentication Service (IAS) servers on your network, first make sure that you have registered NPS in Active Directory Domain Services. Then follow these steps to update Group Policy: Click Start, click Run, type gpupdate in the Open text box, and then press ENTER. When the command returns results that indicate both user and computer Group Policy have been updated successfully, select Microsoft: Protected EAP (PEAP) again, and then click Configure.
If after refreshing Group Policy you continue to receive the error message stating that a certificate cannot be found for use with the authentication method, the certificate is not displayed because it does not meet the minimum server certificate requirements as documented in Foundation Network Companion Guide: Deploying Server Certificates, available online in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=131325. If this happens, you must stop NPS configuration, revoke the certificate issued to your NPS, and then follow the instructions in Foundation Network Companion Guide: Deploying Server Certificates to configure a new certificate.
In Specify User Groups, click Add, and then type the name of the security group that you configured for your wired clients in the Active Directory Users and Computers snap-in. For example, if you named your wired security group Wired Group, type Wired Group. Click Next.
Click Configure, to configure RADIUS standard attributes and vendor-specific attributes for a virtual LAN (VLAN) as needed, and as specified by the documentation that was provided by your switch hardware vendor. Click Next.
Review the configuration summary details, and then click Finish.