WLAN with 802.1X RADIUS/NPS Authentication

Good day everyone!

If you want or have to implement wireless networks in a company, you need to secure them more thoroughly than your home WLAN. In that case you need a RADIUS server, i.e. WPA-Enterprise or WPA2-Enterprise authentication (802.1X) with Protected EAP (PEAP). I will use a Microsoft NPS (Network Policy Server) on Windows Server 2016. This is my test environment:

  • NPS server 192.168.91.23
  • Aruba IAP-205H 192.168.91.201
  • Aruba IAP-205H 192.168.91.202
  • Aruba Virtual Controller IP 192.168.91.200
  • SSID “Networkguy-Office”, authenticating the computer group “Domain Computers”
  • SSID “Networkguy-BYOD”, authenticating the user group “GL_WLAN-Access-BYOD”

I combined the Aruba access points into a virtual controller and configured the RADIUS server “PUCK” under “Security”. The shared secret entered here authenticates the RADIUS messages between the AP and the NPS and must be identical on both sides; choose a long random value, because the RADIUS exchange itself is not otherwise encrypted.

Configure the WLAN controller or the Instant access points as RADIUS clients on the NPS.
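The same step done with the NPS PowerShell module instead of the GUI, as an added example that is not part of the original post. It uses the three addresses from the test environment above; the client names and the way the secret is generated are my choices. One caveat worth knowing: Instant APs send RADIUS requests from their own IP address unless dynamic RADIUS proxy is enabled on the virtual controller, so either register every AP (as below) or enable the proxy and register only the virtual controller address.

```powershell
# Added example: register the Aruba virtual controller and both IAPs as RADIUS clients
# on the NPS. Requires the NPS role and its PowerShell module (Windows Server 2012 R2+).
Import-Module NPS

# Addresses from the test environment above; the client names are assumptions for this example.
$radiusClients = @(
    @{ Name = 'aruba-vc';     Address = '192.168.91.200' },
    @{ Name = 'aruba-iap-01'; Address = '192.168.91.201' },
    @{ Name = 'aruba-iap-02'; Address = '192.168.91.202' }
)

# RADIUS runs over plain UDP; the shared secret is what authenticates the NAS to the NPS,
# so generate a long random one (64 hex characters, safe to paste into the Aruba GUI).
$secretBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($secretBytes)
$sharedSecret = ($secretBytes | ForEach-Object { $_.ToString('x2') }) -join ''

foreach ($client in $radiusClients) {
    if (Get-NpsRadiusClient -Name $client.Name -ErrorAction SilentlyContinue) {
        Write-Host "RADIUS client $($client.Name) already exists, skipping"
        continue
    }
    New-NpsRadiusClient -Name $client.Name -Address $client.Address `
        -SharedSecret $sharedSecret -VendorName 'RADIUS Standard'
}

# Enter this value as the key of the RADIUS server entry ("PUCK") on the virtual controller.
Write-Host "Shared secret for the Aruba side: $sharedSecret"
```

Run it once in an elevated PowerShell on the NPS; the existence check makes it safe to run again later when you add a further AP to the list.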

Choose WPA2-Enterprise in your SSID options.

To distinguish the SSIDs during authentication, we need to manually configure the Called-Station-Id on the Aruba virtual controller. Cisco Aironet WLCs do this automatically. To configure the Called-Station-Id, we need to connect via SSH to the virtual controller IP address, because this cannot be configured in the GUI. We will use a colon as the delimiter, so the attribute becomes the AP MAC address followed by “:” and the SSID name. Repeat this for each SSID profile whose name you want to match in an NPS policy:

00:0b:86:fe:31:da# configure terminal
We now support CLI commit model, please type "commit apply" for configuration to take effect.
00:0b:86:fe:31:da (config) # wlan ssid-profile Networkguy-BYOD
00:0b:86:fe:31:da (SSID Profile "Networkguy-BYOD") # called-station-id include-ssid delimiter :
00:0b:86:fe:31:da (SSID Profile "Networkguy-BYOD") # end
00:0b:86:fe:31:da# commit apply
committing configuration…
configuration committed.

Now we can configure the NPS rules (network policies). I used “aruba” as the NAS Identifier and .*:Networkguy-BYOD$ as the Called Station ID condition. Replace “Networkguy-BYOD” with your SSID name:
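Before putting the pattern into a policy, it is worth testing it offline. The following PowerShell snippet is an added example, not from the original post: it builds the anchored pattern from an SSID name, escapes regex metacharacters, and tests it against constructed Called-Station-Id values in the form the commands above produce (AP MAC, the “:” delimiter, then the SSID). The sample MAC and the extra SSID names are made up for the test, and the exact MAC formatting is an assumption that the leading .* absorbs anyway. PowerShell's -match uses .NET regular expressions; the NPS condition accepts the same simple syntax.

```powershell
# Added example: check an NPS Called-Station-Id pattern against sample values offline.

function New-SsidPattern {
    param([Parameter(Mandatory)][string]$Ssid)
    # Escape metacharacters so an SSID such as "Guest.WiFi" matches literally,
    # and anchor with $ so "Networkguy-BYOD-Guest" cannot match the BYOD policy.
    return '.*:' + [regex]::Escape($Ssid) + '$'
}

# Constructed Called-Station-Id values in the "<AP MAC>:<SSID>" form produced by
# "called-station-id include-ssid delimiter :" (MAC format assumed).
$samples = @(
    '000b86fe31da:Networkguy-BYOD',
    '000b86fe31da:Networkguy-Office',
    '000b86fe31da:Networkguy-BYOD-Guest',   # made-up SSID sharing the BYOD prefix
    '000b86fe31da'                          # AP profile without include-ssid configured
)

$anchored   = New-SsidPattern -Ssid 'Networkguy-BYOD'   # yields .*:Networkguy-BYOD$
$unanchored = '.*:Networkguy-BYOD'                      # what you get if you drop the $

foreach ($id in $samples) {
    '{0,-38} anchored={1,-5} unanchored={2}' -f $id, ($id -match $anchored), ($id -match $unanchored)
}
```

Only the first sample should match the anchored pattern; the unanchored variant also matches the “-Guest” SSID, which is exactly the kind of mistake that lets clients of one SSID fall into another SSID's policy. The fourth sample matches nothing, which is how you notice an SSID profile where the include-ssid command was forgotten.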

Your NPS server needs a certificate with the Server Authentication purpose for PEAP, typically issued by the domain's enterprise Certification Authority. Make sure the clients are set to validate this server certificate and to trust only that CA; otherwise a rogue access point presenting any certificate can collect the users' PEAP credentials.

Our Bring Your Own Device (BYOD) policy is ready.

You can now configure your computer-based authentication policy. I always configure a WLAN for all domain computers with access to the internal LAN and a “Bring your own device” WLAN for employee devices with internet-only access, based on an Active Directory group.

I connected my iPhone to the “Networkguy-BYOD” WLAN successfully.


Feel free to ask in the comments. Have a nice day 🙂
