
So I finally got my Wireless Access Point (an Apple AirPort) authenticating
off of Active Directory-integrated LDAP in Server 2008 (which is called NPS
now). So now I authenticate wireless users individually, through Active
Directory, rather than using a shared secret. WPA2 Enterprise…it overfloweth
with w00tn3ss.

Setup

So here are the basic steps, and I can provide more detail if you have
questions in the comments.

1. Install AD and Create Users

First install Active Directory. Easy stuff.

Next, since the whole point of this is to have
unique user authentication, you need to have…users. So create them as
usual but be sure to add them to a new group like “RADIUS” or something, and
ensure that they have dial-in access within their user account. I used
“RADIUS Users” because I’m creative and eccentric.

2. Enable Network Policy and Access Services in Server 2008

This is what replaces IAS in Server 2008. The install is pretty
straightforward; it’s the policy that’s the trick.

I’m using PEAP right now, although I haven’t yet researched the ideal setup.
Soon, though, and if you have any input (or good reading) on this let me
know.

You also want to set the authentication rule to Windows Authentication
within the policy, and then select your group out of Active Directory that
you placed your users in.

Be sure to set up a RADIUS client within the NPS configuration, and enter the
info for your access point rather than for your individual clients: the AP is
the RADIUS client, not the laptops that connect through it.

3. Configure Your Wireless Access Point

Tell your wireless access point to use WPA2 Enterprise, and configure the
RADIUS info to point to your domain controller that you just set up NPS on.
Enter the shared secret you configured during the NPS piece.


4. Configure Your Clients

Connect to your AP as you normally would, and when prompted you will enter
your Active Directory username and password. I’ve chosen PEAP as my
authentication protocol pending more research on which is ideal.
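The server-side part of steps 1 through 3 can be scripted. The following is an added example, not from the original post: it creates the “RADIUS Users” group, creates a user with dial-in access, and registers the access point as a RADIUS client in NPS. It assumes Windows Server 2008 R2 or later with the ActiveDirectory PowerShell module (RSAT) installed and is run as a domain admin on the DC that hosts NPS; the OU path, access point name and IP address are placeholders, and `netsh nps` is used because the `New-NpsRadiusClient` cmdlet only exists on Server 2012 and later.

```powershell
# Added example (not the original post's code). Scripts steps 1-3 of the post.
# Assumptions: ActiveDirectory module available, run as domain admin on the NPS/DC.
# The OU, AP name and AP address below are placeholders, not values from the post.
Import-Module ActiveDirectory

$GroupName    = 'RADIUS Users'                  # group name used in the post
$UsersOU      = 'OU=Users,DC=example,DC=local'  # placeholder OU
$ApName       = 'airport-ap'                    # placeholder NPS client name
$ApAddress    = '192.0.2.10'                    # placeholder AP address (TEST-NET-1)
$SharedSecret = Read-Host -AsSecureString 'RADIUS shared secret for the access point'

# Step 1: the group that the NPS policy will match wireless users against.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $UsersOU
}

# Step 1 (continued): create a user, grant dial-in access, add to the group.
function New-WirelessUser {
    param([string]$SamAccountName, [string]$DisplayName, [SecureString]$Password)
    New-ADUser -SamAccountName $SamAccountName -Name $DisplayName -Path $UsersOU `
        -AccountPassword $Password -Enabled $true
    # "Allow access" on the Dial-in tab is stored in the msNPAllowDialin attribute.
    Set-ADUser -Identity $SamAccountName -Replace @{ msNPAllowDialin = $true }
    Add-ADGroupMember -Identity $GroupName -Members $SamAccountName
}

# When a guest leaves, disable the account (as the post suggests) instead of deleting it.
function Disable-WirelessUser {
    param([string]$SamAccountName)
    Disable-ADAccount -Identity $SamAccountName
}

# Step 2: register the access point as the RADIUS client. The AP is the client;
# the laptops never appear in NPS. netsh nps works on Server 2008.
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SharedSecret))
netsh nps add client name="$ApName" address="$ApAddress" state="enable" sharedsecret="$plain"

# Example use (placeholder user):
# New-WirelessUser -SamAccountName 'guest1' -DisplayName 'Guest One' `
#     -Password (Read-Host -AsSecureString 'Password for guest1')
```

The network policy itself (PEAP as the EAP type, Windows Authentication, and the “RADIUS Users” group as the condition) is still built in the NPS console; the same shared secret entered here is what you type into the access point in step 3.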

Fin

And that’s about it. Connect to your AP and enter your credentials.

Now when your friends come over you simply make them an account in Active
Directory and they have wireless access using their own username and
password. And when they leave you disable their account until next time.
This way you get all the added benefits of password expiration and stuff
like that.

Oh, and if any part of this fails, check the NPS logs on your DC. Logs are
much improved in 2008 vs. previous versions of Windows, and it’s pretty easy
to troubleshoot. I saw a lot of errors with authentication types not being
supported before I figured out which to use.

Bonus: If you’re one of the cool kids you’ll have your AD and AP logs
going into Splunk so you can see (and alert on) attempts to access your
wireless network from accounts and MAC addresses you don’t recognize. More
on that later.
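For the troubleshooting and the bonus point above, the NPS audit events on the DC can be read directly. The following is an added example, not from the original post: it pulls the last day of NPS access-granted (event ID 6272) and access-denied (6273) events from the Security log, and flags attempts from accounts outside the “RADIUS Users” group, from MAC addresses not on a list you maintain, and any denial together with its reason code. It assumes it runs on the NPS server with the ActiveDirectory module installed, and the EventData field names `SubjectUserName`, `CallingStationID` and `ReasonCode` are the ones assumed for the account, the client MAC and the denial reason; the MAC in `$KnownMacs` is a constructed placeholder.

```powershell
# Added example (not the original post's code). Reviews NPS audit events on the DC.
# Assumptions: run on the NPS/DC host; event IDs 6272/6273 are the NPS
# granted/denied audits; EventData names SubjectUserName, CallingStationID and
# ReasonCode are assumed. $KnownMacs holds a constructed placeholder value.
Import-Module ActiveDirectory

$GroupName = 'RADIUS Users'
$KnownMacs = @('00-11-22-33-44-55')   # constructed placeholder; fill from your own devices

# Accounts that are supposed to be able to authenticate.
$allowed = Get-ADGroupMember -Identity $GroupName -Recursive |
    ForEach-Object { $_.SamAccountName.ToLower() }

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $user = ([string]$d['SubjectUserName'] -replace '^.*\\', '').ToLower()  # strip DOMAIN\
    $mac  = ([string]$d['CallingStationID'] -replace '[:.]', '-').ToUpper() # normalize MAC

    $flags = @()
    if ($allowed -notcontains $user)  { $flags += 'unknown-account' }
    if ($KnownMacs -notcontains $mac) { $flags += 'unknown-mac' }
    if ($e.Id -eq 6273)               { $flags += "denied(reason $($d['ReasonCode']))" }

    if ($flags.Count -gt 0) {
        '{0}  user={1}  mac={2}  {3}' -f $e.TimeCreated, $user, $mac, ($flags -join ',')
    }
}
```

While you are still sorting out the EAP type, the denied events and their reason codes are the quickest way to see which authentication method the client and NPS disagreed on; once things work, the same events are what you would forward to Splunk to alert on unfamiliar accounts and MACs.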

Anyway, enjoy, and hit me up with any questions.

Published by Gerald Businge