Wi-Fi Cloud
Authenticate Wi-Fi Cloud Users with Microsoft Active Directory and NPS
Copyright © 2018 WatchGuard Technologies, Inc. All rights reserved.

You can use WatchGuard Wi-Fi Cloud APs to authenticate Wi-Fi users with their Active Directory credentials. RADIUS authentication with 802.1X requires the WPA2 security setting on your SSID. If you have an existing RADIUS server, you can integrate it with Active Directory for authentication and access management, or you can use Microsoft NPS (Network Policy Server). This example uses NPS.

- Each WatchGuard AP that performs 802.1X authentication must be configured as a RADIUS client on the RADIUS server. NPS identifies a RADIUS client by its source IP address, so the AP must have a static IP address or a DHCP reservation.
- All authenticating APs must be able to reach the IP address and UDP port of the RADIUS server.
- The server must hold a certificate from a Certificate Authority (CA) that the clients on the network trust.
- WPA2-Enterprise with 802.1X authentication is used to authenticate wireless clients. The wireless client authenticates to the RADIUS server with any EAP method enabled on the RADIUS server.

Configuration Steps

- Add WatchGuard APs as RADIUS Clients in NPS
- Define a Network Policy in NPS
- Configure RADIUS Profiles in Wi-Fi Cloud
- Configure RADIUS Authentication in Wi-Fi Cloud
- Troubleshooting

Add WatchGuard APs as RADIUS Clients in NPS

To add WatchGuard APs as RADIUS clients in NPS:

1. Open the NPS console.
2. Go to the RADIUS Clients and Servers section.
3. Right-click RADIUS Clients, then select New.
4. Configure these options:
   - Select the Enable this RADIUS Client check box.
   - In the Friendly Name text box, type a descriptive name for the RADIUS client.
   - In the Address text box, type the IP address of the AP to add as a RADIUS client. (The AP must have a static IP address or use a DHCP reservation.)
   - In the Shared Secret text box, specify a shared secret that acts as a password between the RADIUS server and the client. You will use this same shared secret when you configure a RADIUS server profile in Wi-Fi Cloud. You can type a shared secret manually or have NPS generate one. Use a long, random secret: RADIUS authenticates packets with MD5 keyed only by this secret, so a short or dictionary secret can be recovered offline from captured RADIUS traffic.
5. Repeat this procedure for each WatchGuard AP that performs 802.1X authentication on your wireless network.

Define a Network Policy in NPS

You must configure a Network Policy on the NPS server for wireless connections:

1. Open the NPS console.
2. Go to the Policies section.
3. Right-click Network Policies, then select New.
4. Configure these options in the Overview tab:
   - In the Policy name text box, type a name for this policy.
   - Select the Policy Enabled check box.
   - In the Access Permission section, select Grant Access.
   - In the Network connection method section, set the Type of network access server to Unspecified.
5. Configure these options in the Conditions tab:
   - (Optional) Add the Windows Groups condition and select the Active Directory user groups that can use this policy. This limits which users can connect based on their group membership. You can also select the Domain Users group to allow access for all domain users.
   - (Optional) Add the NAS Port Type condition with the value "Wireless - IEEE 802.11" or "Wireless - Other" to restrict the policy to wireless connections.
6. Configure these options in the Constraints tab:
   - In the Authentication Methods section, you must enable an EAP type, because wireless 802.1X authentication only works with EAP; the non-EAP methods in this section do not apply to wireless clients. NPS offers several EAP types (EAP-MSCHAP v2, PEAP, Microsoft Smart Card or other certificate). Not all EAP types require a certificate on the server. If you choose one that does, such as PEAP or Smart Card or other certificate, you must issue the NPS server a certificate for 802.1X authentication; this guide uses the Domain Controller certificate type on Windows Server. Prefer PEAP (or EAP-TLS via Smart Card or other certificate) over bare EAP-MSCHAP v2: without the TLS tunnel that PEAP provides, the MSCHAP v2 challenge and response travel unprotected over the air, where they can be captured and cracked offline.
7. Configure any advanced options in the Settings tab if your environment requires them.

Configure RADIUS Profiles in Wi-Fi Cloud

1. Open Manage.
2. Select Device Configuration > RADIUS Profiles.
3. Click Add RADIUS Profile.
4. Type the details for the primary authentication server: the IP address and shared secret of the RADIUS server.
5. Click Save.
6. Repeat these steps to add a secondary authentication server.

Configure RADIUS Authentication in Wi-Fi Cloud

1. Open Manage.
2. Select Configuration > Device Configuration > SSID Profiles.
3. Select the SSID Profile for the APs to configure with RADIUS authentication.
4. Expand the Security section.
5. For the Security Mode, select WPA2, then select 802.1X.
6. In the RADIUS Authentication section, select the primary and secondary RADIUS server profiles you created in the previous step.
7. Save the SSID Profile.
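The NPS side of the procedure above (adding each AP as a RADIUS client with a shared secret) is repetitive when you have many APs. The following PowerShell is an added example and is not part of the WatchGuard guide. It assumes the NPS role is installed on the machine where it runs (so the NPS module and its New-NpsRadiusClient and Get-NpsRadiusClient cmdlets are available), and the AP names and addresses are constructed placeholders that you replace with the static or DHCP-reserved address of each AP. It generates one random secret for all APs because the Wi-Fi Cloud RADIUS Profile holds a single secret per RADIUS server, which every AP using that SSID Profile presents.

```powershell
# Added example, not from the WatchGuard guide: register every WatchGuard AP as a RADIUS
# client on NPS in one pass, with a random shared secret, then verify what NPS knows.
# Run in an elevated PowerShell prompt on the NPS server.
Import-Module NPS

# Constructed placeholders: one entry per AP, using its static or DHCP-reserved address.
$Aps = @(
    @{ Name = 'AP-Lobby';  Address = '10.0.20.11' },
    @{ Name = 'AP-Floor2'; Address = '10.0.20.12' }
)

function New-RadiusSharedSecret {
    # 24 bytes from the OS CSPRNG, hex-encoded (48 alphanumeric characters, 192 bits).
    # RADIUS authenticates packets with MD5 keyed only by this secret, so a short or
    # dictionary secret can be recovered offline from a single captured exchange.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# One secret for all APs: the Wi-Fi Cloud RADIUS Profile stores a single secret per server.
$Secret = New-RadiusSharedSecret

foreach ($ap in $Aps) {
    # -AuthAttributeRequired $true makes NPS discard Access-Requests that lack a valid
    # Message-Authenticator. 802.1X requests carry EAP-Message and must include it anyway
    # (RFC 3579), so this costs nothing and drops requests forged without the secret.
    New-NpsRadiusClient -Name $ap.Name -Address $ap.Address -SharedSecret $Secret `
        -AuthAttributeRequired $true -Enabled $true | Out-Null
}

# Show the secret once so it can be pasted into the Wi-Fi Cloud RADIUS Profile; do not log it.
Write-Host "Shared secret for the Wi-Fi Cloud RADIUS Profile: $Secret"

# Confirm the registered clients. Any AP missing here will raise Event ID 13 on its first request.
Get-NpsRadiusClient | Format-Table Name, Address, Enabled, AuthAttributeRequired -AutoSize
```

Paste the printed secret into the RADIUS Profile in Wi-Fi Cloud, then clear your console history. If an AP is later re-addressed by DHCP, its entry here stops matching and NPS will log Event ID 13 for it, which is why the guide insists on static or reserved addresses.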
Troubleshooting

If you encounter issues with wireless client authentication with RADIUS, check the following:

- Make sure that the WatchGuard APs can communicate with the RADIUS server and that UDP ports 1812 (authentication) and 1813 (accounting) are open between them.
- Make sure the shared secret in the RADIUS profile selected by the SSID Profile assigned to the AP matches the RADIUS client configuration on the RADIUS server.
- Examine the successful and failed authentication attempts in the RADIUS server logs to narrow down the issue.
- Capture connection logs for the affected wireless client and check the RADIUS authentication flow in these messages.

To capture connection logs:

1. Open Manage.
2. Select Monitoring > Wi-Fi, then select the Client tab.
3. Select the client.
4. Select More > Connection Logs.
5. Type the SSID name, then click Show APs.
6. Select the AP with the strongest signal (best RSSI value) for the client.
7. Select Start Troubleshooting and try to connect with the client.

In the client connection logs, you may see messages such as:

<8005 No response from RADIUS authentication server while authenticating client>

This indicates that the RADIUS server is not responding to the request. Either the AP cannot reach the server, or NPS silently discarded the request because the AP is not a registered RADIUS client or the Message-Authenticator did not verify (see Event IDs 13 and 18 below). You may also see a reject message from the RADIUS server:

<1841 Received ACCESS REJECT from Authentication server>
<1847 DOT1X authentication failed>

Check the login credentials and authentication method used on the client side and the corresponding network policies on the RADIUS server.

Common Configuration Errors

These common configuration errors can result in failed RADIUS authentication attempts:

- APs have not been added as RADIUS clients on the RADIUS server
- APs receive their IP addresses dynamically through DHCP, so the address no longer matches the RADIUS client entry
- Incorrect RADIUS shared secret set in the Wi-Fi Cloud RADIUS profile or in the RADIUS client configuration on the RADIUS server
- Network Policy or Connection Request Policy on the NPS server is not configured correctly
- Mismatch in authentication settings between the client and the Network Policy
- Incorrect credentials entered on the client
- No certificate installed on the RADIUS server, or the certificate has expired (if the EAP type requires a certificate)
- The CA root certificate is not installed on the client device, so the client cannot validate the server certificate

Error Codes with Windows NPS

The error codes detailed here are specific to Windows NPS, but the configuration checks apply regardless of the RADIUS server vendor.

Event ID 6273 with Reason Code 23 (bad or missing certificate)
Connection issues occur because no digital certificate is installed on the RADIUS server, or the certificate has expired. A certificate must be installed or renewed on your NPS server to establish the TLS tunnel that PEAP and EAP-TLS require.

Event Viewer: "An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP)"
Check the EAP log files for errors.

Event ID 13: "A RADIUS message was received from the invalid RADIUS client" (APs not added as clients)
WPA2 with 802.1X authentication requires that the APs are added as RADIUS clients on your NPS server. Your APs must have a static IP address or a reserved DHCP IP address. NPS discards the request without replying, so the client connection log shows message 8005 rather than a reject.

Event ID 18: "An Access-Request message was received from RADIUS client x.x.x.x with a Message-Authenticator attribute that is not valid" (bad shared secret)
When you configure the RADIUS server in a Wi-Fi Cloud RADIUS profile (selected by the SSID Profile), you must type a shared secret. This value must match the shared secret configured when you added your APs as RADIUS clients on NPS. The Message-Authenticator is an HMAC-MD5 over the request keyed with the shared secret, so a mismatch on either side makes every request fail this check, and NPS discards it without replying.

Event ID 6273 with Reason Code 48 (no matching network policy)
A Network Policy is incorrectly configured on your NPS server. It is also possible that the network policy order is wrong: NPS evaluates network policies in order and denies access if no policy matches.

Event ID 6273 with Reason Code 66 (authentication settings mismatch)
The authentication settings in the Network Policy on your NPS server do not match the method the client uses, for example the client attempts PEAP but the policy only enables a different EAP type.
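To pull the events above out of the NPS server without clicking through Event Viewer, the following PowerShell is an added example and is not part of the WatchGuard guide. It assumes it runs in an elevated prompt on the NPS server, that NPS auditing is enabled (the default, which is what writes 6273 denials to the Security log), and that the RADIUS client events 13 and 18 are in the System log under the NPS provider, where NPS writes them. The 24-hour window and the reason-code hints are assumptions you can adjust; the hints repeat the checks listed above.

```powershell
# Added example, not from the WatchGuard guide: summarise NPS RADIUS failures from the
# Windows event logs, grouped by reason code, and list the RADIUS client-level errors
# (unregistered AP, bad shared secret) with the AP address that caused them.
$Since = (Get-Date).AddHours(-24)   # assumed window; adjust as needed

# Reason codes from the guide mapped to the configuration check each one points at.
$ReasonHints = @{
    23 = 'Bad or missing server certificate on NPS: install or renew the EAP server certificate'
    48 = 'No matching Network Policy: check policy conditions and policy order'
    66 = 'Authentication method mismatch: enable the EAP type the client uses in the Network Policy'
}

# Event 6273 = NPS denied access (Security log). Fields are parsed from the event message text.
$Denied = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $Since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = if ($m -match 'Account Name:\s+(\S+)')       { $Matches[1] } else { '' }
            ClientIP   = if ($m -match 'Client IP Address:\s+(\S+)')  { $Matches[1] } else { '' }
            ReasonCode = if ($m -match 'Reason Code:\s+(\d+)')        { [int]$Matches[1] } else { -1 }
            Reason     = if ($m -match 'Reason:\s+(.+)')              { $Matches[1].Trim() } else { '' }
        }
    }

"Denials by reason code since $Since"
$Denied | Group-Object ReasonCode | Sort-Object Count -Descending | ForEach-Object {
    $code = [int]$_.Name
    $hint = if ($ReasonHints.ContainsKey($code)) { $ReasonHints[$code] } else { 'see the NPS reason code reference' }
    '{0,5}  reason {1,-3} {2}' -f $_.Count, $code, $hint
}

# Most recent denials with the AP (RADIUS client) and user, to spot a single misconfigured AP.
$Denied | Sort-Object Time -Descending | Select-Object -First 10 Time, ClientIP, User, ReasonCode, Reason |
    Format-Table -AutoSize

# Event 13 = request from an address that is not a registered RADIUS client (AP missing or re-addressed).
# Event 18 = Message-Authenticator invalid (shared secret mismatch). NPS drops both without replying,
# so the Wi-Fi Cloud client log shows 8005 rather than an Access-Reject for these.
"RADIUS client errors (System log, provider NPS)"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; Id = 13, 18; StartTime = $Since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $ip    = if ($_.Message -match '(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] } else { 'unknown' }
        $cause = if ($_.Id -eq 13) { 'not a registered RADIUS client' } else { 'shared secret mismatch' }
        '{0}  event {1}  AP {2}: {3}' -f $_.TimeCreated, $_.Id, $ip, $cause
    }
```

A run that shows only Event 13 or 18 entries and no 6273 denials means the request never reached policy evaluation: fix the RADIUS client entry or the shared secret before looking at the Network Policy. A burst of reason 48 right after a policy edit usually means the new policy sits below a broader one that now matches first.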