EAP-TLS Authentication with an NPS RADIUS Server

<p>802.1X/EAP-TLS (Extensible Authentication Protocol-Transport Layer Security), defined in <a href="/goto?url=https://tools.ietf.org/html/rfc5216" target="_blank">RFC 5216</a>, provides mutual certificate-based authentication. The client device (the RADIUS supplicant) and the RADIUS authentication server each present a certificate inside a TLS handshake; each side validates the other's certificate chain against a CA it trusts and proves possession of the matching private key, so no password is exchanged over the air. </p><p>This authentication method needs a RADIUS authentication server that can look up accounts in a directory (Active Directory here), a CA that issues the server certificate and a certificate to every supplicant, and a way to install those certificates and the 802.1X client settings. In a Windows domain, AD CS (Active Directory Certificate Services) issues the certificates, a GPO (Group Policy Object) auto-enrolls domain computers and pushes the wireless 802.1X profile, and NPS (Network Policy Server) is the RADIUS server. </p><p>You can also employ the same infrastructure to authenticate users who submit user names and passwords through the supplicant (PEAP-MS-CHAPv2 in the optional section of this guide). 
</p><p>This document explains how to set up the following components to provide wireless client and user authentication through 802.1X/EAP-TLS: </p><ul><li>(Aerohive) An 802.1X SSID that instructs APs (RADIUS authenticators) to forward authentication requests to an NPS RADIUS server </li><li>(Windows) An NPS RADIUS server that accepts authentication requests from the APs and EAP-TLS authentication requests from clients </li><li>(Windows) A GPO to deploy computer certificates and a wireless network configuration to clients </li><li>(Aerohive and Windows, optional) An Aerohive and NPS configuration in which different RADIUS attributes are returned based on authentication method (EAP-TLS or PEAP-MS-CHAPv2 in this example), assigning one user profile to clients authenticating by certificate and another to users authenticating by user name/password </li></ul><p>The Aerohive configuration instructions in this guide are based on HiveManager and HiveOS 6.x. </p><p>Thomas Munzer, November 3, 2015 </p><p><a href="/goto?url=http://www.aerohive.com/techdocs" target="_blank">To learn more about Aerohive products, visit www.aerohive.com/techdocs </a></p><p>Contents </p><ul><li>1 Aerohive Configuration 
</li></ul><p>SSID Configuration </p><p>Create an 802.1X SSID </p><p>Configure the RADIUS server </p><p>Add a Default User Profile </p><ul><li>2 Windows Configuration </li></ul><p>NPS Configuration for EAP-TLS Authentication </p><p>Identify RADIUS Clients </p><p>Define a Network Policy </p><p>GPO for Certificate Enrollment </p><p>Create a New Certificate Template </p><p>Publish the New Certificate 
Template </p><p>Create a New Group Policy for Auto-enrollment </p><p>GPO for Wireless Access </p><ul><li>3 Optional Configuration </li></ul><p>Allow EAP-TLS for Corporate Access and PEAP-MS-CHAPv2 for BYOD </p><p>User Profile </p><p>NPS Rule </p><p>1 Aerohive Configuration </p><p>The complete setup for 802.1X/EAP-TLS involves the configuration of Aerohive devices and an NPS RADIUS server. For the Aerohive side of the configuration, you add an 802.1X SSID to a network policy, point the APs at the NPS RADIUS server for the authentication of wireless clients, and apply user profiles to their traffic. (You can apply a single default user profile or multiple profiles based on the RADIUS attributes returned.) 
In a later section, the steps to configure the NPS RADIUS server are explained. </p><p>SSID Configuration </p><p>This section explains how to add an 802.1X SSID, its RADIUS server parameters, and user profiles to a network policy. </p><p>Create an 802.1X SSID </p><p>Define an SSID profile and add it to a network policy. </p><p>1. Navigate to your network policy, click <strong>Choose </strong>next to <em>SSIDs</em>, and then click <strong>New </strong>in the <em>Choose SSIDs </em>dialog box that appears. </p><p>2. In the <em>New SSID </em>panel that appears, enter a name in the Profile Name field, which automatically enters the same name in the SSID field, select <strong>WPA/WPA2 802.1X (Enterprise) </strong>for access security, and then click <strong>Save</strong>. </p><p>3. In the <em>Choose SSIDs </em>dialog box, highlight your new SSID, and then click <strong>OK </strong>to add it to the network policy. </p><p>Configure the RADIUS server </p><p>Configure the information that the Aerohive RADIUS clients (also referred to as RADIUS authenticators or network access servers) need to forward authentication requests from clients (RADIUS supplicants) to the RADIUS authentication server. </p><p>1. Click &lt;<strong>RADIUS Settings</strong>&gt; and then click <strong>New </strong>in the <em>Choose RADIUS </em>dialog box that appears. </p><p>2. In the <em>New AAA RADIUS Client </em>dialog box, enter a name for your AAA RADIUS client object, the IP address or domain name of your RADIUS server, and the shared secret. The shared secret is what authenticates the APs to the server and the server to the APs: it keys the Message-Authenticator and Response Authenticator fields that protect the integrity of every RADIUS message, and it encrypts the per-session keys that NPS returns to the AP after a successful EAP-TLS authentication. 
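</p>
<p>As an added example (not part of the original guide), the following PowerShell does the NPS side of this step: it generates a random shared secret to paste into the <em>New AAA RADIUS Client </em>dialog box and creates the matching RADIUS client objects on the NPS server with the NPS module's New-NpsRadiusClient cmdlet. The AP names and addresses are assumptions; the NPS console steps later in this guide create the same objects by hand.</p>

```powershell
# Added example, not code from the Aerohive guide. Run in an elevated Windows
# PowerShell session on the NPS server. AP names/addresses below are assumed.
Import-Module NPS

# Random shared secret from [A-Za-z0-9] only, so the same string pastes into
# both HiveManager and NPS without either UI rejecting a character.
# 48 such characters is about 285 bits, far more than the secret's two jobs need:
# keying the Message-Authenticator/Response Authenticator HMACs and encrypting
# the MS-MPPE session keys NPS returns to the AP after EAP-TLS succeeds.
function New-RadiusSharedSecret {
    param([int]$Length = 48)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $sb       = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # 62 * 4 = 248: reject 248..255 so that (byte mod 62) is uniform.
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    $rng.Dispose()
    $sb.ToString()
}

$secret = New-RadiusSharedSecret
Write-Host "Shared secret for the HiveManager AAA RADIUS Client object: $secret"

# One RADIUS client object per AP. A subnet (e.g. '10.10.1.0/24') is also
# accepted as Address, at the price of every host in it sharing one secret.
$accessPoints = @(
    @{ Name = 'AP-Lab-01'; Address = '10.10.1.11' }   # assumed
    @{ Name = 'AP-Lab-02'; Address = '10.10.1.12' }   # assumed
)
foreach ($ap in $accessPoints) {
    # AuthAttributeRequired makes NPS discard any Access-Request that lacks a
    # Message-Authenticator. RFC 3579 requires the attribute on every request
    # carrying EAP, so 802.1X traffic from the APs is unaffected; a non-EAP
    # test request (e.g. the HiveManager MS-CHAPv2 RADIUS test) might not carry it.
    New-NpsRadiusClient -Name $ap.Name -Address $ap.Address -SharedSecret $secret `
        -VendorName 'RADIUS Standard' -AuthAttributeRequired $true -Enabled $true | Out-Null
}

# NPS must be registered in AD (member of "RAS and IAS Servers") to read the
# dial-in properties of the accounts it authenticates. Once per NPS server:
netsh nps add registeredserver | Out-Null

Get-NpsRadiusClient | Select-Object Name, Address, Enabled, AuthAttributeRequired
```

<p>The secret is printed once so it can be entered in HiveManager; the script stores it nowhere else. If the HiveManager RADIUS test tool is used later and its requests are silently dropped, the Message-Authenticator requirement on the RADIUS client object is the first thing to check.</p>
<p>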
</p><p><em>Note: The shared secret must be the same on both the access points and RADIUS server. Use a long, random secret: anyone who recovers it can forge RADIUS responses to the APs and decrypt the session keys the APs receive. You can define one primary RADIUS server and up to three backup servers. All of them can be deployed on Aerohive devices, or you can use a mix of external RADIUS servers (NPS/IAS, FreeRADIUS, ...) and embedded RADIUS servers. </em></p><p>3. Click <strong>Apply </strong>to save the RADIUS server settings and apply them to the RADIUS client configuration, and then click <strong>Save </strong>to save the entire RADIUS client configuration object. </p><p>4. Highlight the RADIUS client in the <em>Choose RADIUS </em>dialog box, and then click <strong>OK </strong>to add it to the SSID configuration. </p><p>Add a Default User Profile </p><p>Add a default user profile to the SSID. User profiles define how Aerohive devices process traffic from and to the wireless clients that connect to them. This includes the VLAN, firewall policy, QoS policy, tunnel policy, and so on. </p><p><em>Note: It is possible to add multiple user profiles to the SSID. You can see how to link an Active Directory computer or user group to a user profile and assign them to different supplicants in </em><a href="#23_0"><em>"Optional Configuration"</em></a><em>. </em></p><p>1. Click <strong>Add/Remove </strong>in the User Profile column. </p><p>2. In the <em>Choose User Profiles </em>dialog box that appears, click <strong>New</strong>. </p><p>3. Create a new user profile containing its name, attribute number, default VLAN, and other settings that you want to apply to the wireless clients accessing the network, and then click <strong>Save</strong>. </p><p>4. 
With the <em>Default </em>tab active in the <em>Choose User Profiles </em>dialog box, highlight <strong>EAP-TLS(1) </strong>and then click <strong>Save</strong>. <br>If the RADIUS server returns an Access-Accept message with attributes indicating user profile 1, or if it returns an Access-Accept message without any attributes, the AP places the client in this default user profile. </p><p>5. Click <strong>Continue </strong>to save the changes and advance to the <em>Configure and Update Devices </em>panel where you can upload the configuration to your Aerohive devices. </p><p><em>Note: Ensure the network policy contains proper settings for the management and native VLANs and NTP server. Certificate validity checks rely on the authentication server, APs, and clients having accurate time settings; a client whose clock falls outside the NPS certificate's validity period rejects the server and fails EAP-TLS even though both certificates are good. </em></p><p>2 Windows Configuration </p><p>This section provides an overview of the Windows server configuration. It explains how to configure the NPS to perform EAP authentication and how to create a GPO (Group Policy Object) that automatically deploys a computer certificate and wireless configuration on wireless clients when they join the Active Directory domain. </p><p><em>Note: GPOs allow you to manage and configure parts of Windows operating systems and users' settings from a centralized management system. 
</em></p><p>NPS Configuration for EAP-TLS Authentication </p><p>This example explains the minimum configuration needed for an NPS to accept EAP-TLS requests for the authentication of wireless clients and to include in its responses to successfully authenticated devices the attributes that Aerohive APs need to assign specific user profiles to them. </p><p>To perform EAP authentication, the following services have to be installed and configured in the Active Directory domain: </p><ul><li>Active Directory Domain Services </li><li>Active Directory Certificate Services, deployed as an enterprise CA so that it issues from templates and its certificates are trusted for domain authentication </li><li>Network Policy Server </li></ul><p><em>Note: Because this section describes the minimum number of required configuration steps, you might have more to configure for your domain. </em></p><p>Identify RADIUS Clients </p><p>So that the NPS RADIUS server will accept authentication requests from APs, create a RADIUS client object in the NPS for each AP or AP subnet. NPS matches an incoming request to a RADIUS client object by the request's source IP address and then verifies the shared secret; requests from an address that matches no object, or whose secret does not verify, are discarded. A RADIUS client object therefore authorizes every host in its address range that knows the secret to act as an authenticator. </p><p>1. Open the <em>Network Policy Server </em>console (nps.msc). </p><p>2. To create a new RADIUS client, expand <em>RADIUS Clients and Servers</em>, right-click <strong>RADIUS Clients</strong>, and then click <strong>New </strong>in the pop-up menu that appears. </p><p>3. In the <em>New RADIUS Client </em>dialog box that appears, enter the following and then click <strong>OK</strong>: <br><strong>Friendly Name: </strong>Enter a name for the RADIUS client object. You can later refer to it when defining a condition in an NPS rule. <br><strong>Address (IP or DNS)</strong>: Enter an individual host IP address, a network IP address (to cover a range of APs), or the DNS name of the RADIUS client. 
<strong>Shared secret</strong>: Enter the same case-sensitive text string as the shared secret that you previously entered in the <em>AAA RADIUS Client </em>dialog box in HiveManager. </p><p>Define a Network Policy </p><p>The NPS network policy rule determines how the NPS will treat the authentication requests it receives. For each rule, you define two elements, conditions and constraints: </p><ul><li><strong>Conditions</strong>: Every network policy must have at least one configured condition. The NPS provides many condition groups that define the properties that the connection requests it receives must have to match the policy. </li><li><strong>Constraints</strong>: Constraints are additional (and optional) network policy parameters. Constraints differ from network policy conditions in one substantial way. When a condition does not match a connection request, the NPS continues to evaluate other configured network policies in search of a match for the connection request. However, when a constraint does not match a connection request, the NPS does not evaluate additional network policies. It rejects the connection request and the user or computer is denied network access. </li></ul><p>1. Open the <em>Network Policy Server </em>console (nps.msc). </p><p>2. Expand <em>Policies</em>, right-click <strong>Network Policies</strong>, and then click <strong>New </strong>in the pop-up menu that appears. </p><p>3. Enter a name in the Policy name field and then click <strong>Next</strong>. </p><p>4. 
Add the conditions that the NPS requires to apply this network policy to wireless clients joining the Active Directory domain. At a minimum, you must specify a machine group containing the computers that will be connecting to the 802.1X SSID. With EAP-TLS and a computer certificate, the account NPS evaluates is the computer account that the certificate's subject alternative name identifies, so the group must contain computer objects. </p><p>You can also limit this rule to a specified NAS port type such as “Wireless - IEEE 802.11” for APs. </p><p><strong>Limiting an NPS Rule to a Single SSID </strong></p><p><em>If you want to limit this rule to a specific SSID regardless of NAS device, add the Called Station ID condition with a wildcard for the NAS and the exact name of the SSID. For 802.11 the NAS portion is the MAC address of the AP radio (RFC 3580), and NPS evaluates the condition value as a regular expression. Set the value as follows: </em></p><p>&lt;NAS_ID&gt;:&lt;SSID&gt; </p><p><em>For example, to limit the rule to the “Aerohive-Lab” SSID, define the condition like this: </em></p><p>*:Aerohive-Lab$ </p><table><tr><th>Value </th><th>Description </th></tr><tr><td>*</td><td>A wildcard so that the NPS does not limit this request to a specified NAS </td></tr><tr><td>:</td><td>Separator between the NAS ID and the SSID name </td></tr><tr><td>Aerohive-Lab</td><td>SSID name </td></tr><tr><td>$</td><td>Indicates the end of the SSID name to avoid connections from other SSIDs that include this text string as part of their name, such as “Aerohive-Lab-1X” for example </td></tr></table><p>5. Click <strong>Next </strong>to advance to the access permission section, select <strong>Access granted</strong>, and then click <strong>Next </strong>again. </p><p>6. 
To select the EAP types, click <strong>Add </strong>and then select <strong>Microsoft: Smart Card or other certificate </strong>as the authentication method. This corresponds to the EAP-TLS authentication method. Select it and click <strong>Edit </strong>to choose the certificate that NPS presents to supplicants; it must carry the Server Authentication EKU and chain to a CA that the clients trust, otherwise the supplicants reject the server and authentication fails before any client certificate is sent. </p><p>7. Clear the check boxes for <strong>Microsoft Encrypted Authentication version 2 (MS-CHAP-v2) </strong>and <strong>Microsoft Encrypted Authentication (MS-CHAP) </strong>and then click <strong>OK</strong>. Leaving a password method enabled means this policy can also accept password-based authentication, which a certificate-only policy should not do. </p><p><em>Note: If you want to use the RADIUS Test tool in HiveManager, you must select </em><strong>Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)</strong><em>. The RADIUS test tool only tests RADIUS connectivity through an MS-CHAP-v2 request. It does not test the EAP method. Enable it only for the test and clear it again afterwards. </em></p><p>8. Click <strong>Next </strong>and then configure the attributes returned with the Access-Accept message. On the <em>Settings </em>tab, click <strong>Standard</strong>, and in the <em>RADIUS Attributes </em>section, replace the default RADIUS attributes with the following to link authenticated devices to a specific user profile: </p><p><strong>Tunnel-Medium-Type</strong>: <strong>IP (IP version 4) </strong><br><strong>Tunnel-Type</strong>: <strong>Generic Route Encapsulation (GRE) </strong><br><strong>Tunnel-Pvt-Group-ID</strong>: &lt;attribute number of the EAP-TLS user profile, which is 1 in this example&gt; </p><p><em>Note: You can also define the AVPs (attribute value pairs) so that the server returns only a VLAN assignment to the AP, using the standard RFC 3580 attributes. 
In this case, replace the previous attributes with these: </em></p><p><strong>Tunnel-Medium-Type</strong>: 802 (6) <br><strong>Tunnel-Type</strong>: VLAN (13) <br><strong>Tunnel-Pvt-Group-ID</strong>: &lt;VLAN ID for the wireless clients&gt; </p><p>9. Click <strong>Next </strong>and save the policy. </p><p><em>Note: If the </em><strong>Tunnel-Pvt-Group-ID </strong><em>sent by the RADIUS server does not match the attribute number of a user profile assigned to the SSID (1 for EAP-TLS in this example), the station will be </em><strong>disconnected</strong><em>. </em></p><p>GPO for Certificate Enrollment </p><p>You will create two GPOs (group policy objects). The first one is for certificate enrollment. It allows every computer in the domain to get a computer certificate automatically. Each computer will use its certificate to authenticate itself when connecting to the SSID. </p><p>Setting up certificate enrollment involves the following steps: </p><ul><li>Creating a certificate template and enabling it for auto-enrollment </li><li>Publishing the new template </li><li>Creating a GPO so computers will automatically request a certificate as they join the Active Directory domain </li></ul><p>Although the example below is based on Windows Server 2012 R2 with CA (certificate authority) services installed, the steps apply to previous versions as well. </p><p>In this example, you create a new GPO for the Workstations OU, where the domain laptops are stored in Active Directory. </p><p><em>Note: To support certificate auto-enrollment, Active Directory Certificate Services must be deployed as an enterprise CA in the domain. </em></p><p>Create a New Certificate Template </p><p>The Windows Certificate Authority bases each certificate it issues on a template. This template defines all certificate parameters, including its validity period, its key usage and extended key usages, how the subject name is built from the Active Directory computer object, and whether automatic enrollment is allowed. </p><p>1. 
Open the <em>Certificate Templates </em>console (certtmpl.msc), right-click the <strong>Computer </strong>template, and then click <strong>Duplicate Template</strong>. The Computer template already has what EAP-TLS needs: Client Authentication and Server Authentication in its extended key usage, and a subject and subject alternative name built from the computer object's DNS name, which is what NPS uses to map the certificate to the computer account. </p><p>2. On the <em>General </em>tab in the <em>Properties of New Template </em>dialog box, rename the template display name and then click the <em>Security </em>tab. </p><p>3. On the <em>Security </em>tab, select <strong>Domain Computers (&lt;DOMAIN&gt;\Domain Computers)</strong>. In the <em>Permissions for Domain Computers </em>section, select <strong>Read</strong>, <strong>Enroll</strong>, and <strong>Autoenroll</strong>. Click <strong>OK </strong>to save the certificate template. </p><p>Publish the New Certificate Template </p><p>Now that you have created a certificate template, you must publish it so it can be used to issue new certificates. </p><p>1. Open the <em>Certification Authority </em>console (certsrv.msc), right-click <strong>Certificate Templates</strong>, and then click <strong>New &gt; Certificate Template to Issue</strong>. </p><p>2. Select the template you created (<em>Computer AutoEnroll </em>in this example), and then click <strong>OK</strong>. 
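</p>
<p>Added example, not from the original guide: once the template is published and the auto-enrollment GPO of the next section has applied, this PowerShell checks on a domain workstation that a certificate usable for 802.1X actually arrived and would pass the checks NPS performs on it. The template's internal name (ComputerAutoEnroll) and display name (Computer AutoEnroll) are assumptions. The same function, called with the Server Authentication EKU, checks the NPS server's own certificate, which the network policy's EAP-TLS setting needs.</p>

```powershell
# Added example, not code from the Aerohive guide. Template names are assumed.

# On the CA, the "Certificate Template to Issue" step can also be scripted
# (internal template name, not display name) and read back afterwards:
#   certutil -SetCATemplates +ComputerAutoEnroll
#   certutil -CATemplates

# On a domain workstation (elevated), after the auto-enrollment GPO exists:
#   gpupdate /target:computer /force
#   certutil -pulse        # runs the auto-enrollment task now instead of waiting

function Test-8021xCertificate {
    param(
        # Client Authentication for supplicants. Pass '1.3.6.1.5.5.7.3.1'
        # (Server Authentication) to check the NPS server's certificate instead.
        [string]$RequiredEku = '1.3.6.1.5.5.7.3.2',
        [string]$TemplateDisplayName = 'Computer AutoEnroll',   # assumed
        # NPS maps a computer certificate to the account through its DNS name.
        [string]$ExpectedDnsName = "$env:COMPUTERNAME.$((Get-CimInstance Win32_ComputerSystem).Domain)"
    )
    $templateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information

    $results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        if (-not (@($cert.EnhancedKeyUsageList.ObjectId) -contains $RequiredEku)) { continue }
        $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateInfoOid }
        # Format() renders the extension as "Template=<name>(<oid>), Major Version ...";
        # the name resolves only when the client can read the template OID from AD.
        $tmplText = if ($tmplExt) { $tmplExt.Format($false) } else { '<no template extension>' }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Template      = $tmplText
            TemplateMatch = $tmplText -like "*$TemplateDisplayName*"
            HasPrivateKey = $cert.HasPrivateKey           # no TLS handshake without it
            DnsNameMatch  = @($cert.DnsNameList.Unicode) -contains $ExpectedDnsName
            NotExpired    = $cert.NotAfter -gt (Get-Date)
            # Verify() builds the chain to a trusted root and checks revocation,
            # the same work the supplicant does on the NPS certificate and NPS
            # does on the client certificate.
            ChainValid    = $cert.Verify()
        }
    }
    if (-not $results) {
        Write-Warning "No certificate with EKU $RequiredEku in Cert:\LocalMachine\My: auto-enrollment has not run, or the template ACL lacks Autoenroll."
    }
    $results
}

# Supplicant check (run on a workstation):
Test-8021xCertificate | Format-List
# NPS server check (run on the NPS server; 'RAS and IAS Server' is the
# built-in template commonly used for it):
# Test-8021xCertificate -RequiredEku '1.3.6.1.5.5.7.3.1' -TemplateDisplayName 'RAS and IAS Server'
```

<p>Every field except Template and Issuer should read True. A False in ChainValid on a workstation usually means the CA's certificate is not in the machine's Trusted Root store, which the supplicant will also refuse when it validates the NPS certificate.</p>
<p>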
</p><p>Create a New Group Policy for Auto-enrollment </p><p>Now you can create a GPO that configures domain computers to request new computer certificates. </p><p>1. Open the <em>Group Policy Management </em>console (gpmc.msc), right-click <strong>Workstations</strong>, and then click <strong>Create a GPO in this domain, and Link it here</strong>. </p><p>2. Enter a name for the new group policy object, such as <em>Certificate AutoEnroll</em>, and then click <strong>OK </strong>to save it. </p><p>3. To modify the GPO you just created, right-click it and then click <strong>Edit</strong>. </p>
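<p>Added example, not from the original guide: after a few clients have tried the SSID, this PowerShell reads NPS's own audit trail on the NPS server and shows which network policy each attempt matched and why denials happened, which is the quickest way to tell a policy-condition mismatch from a certificate problem. It relies only on the standard NPS audit events; the 24-hour window is an arbitrary choice.</p>

```powershell
# Added example, not code from the Aerohive guide. Run on the NPS server.
# NPS writes Event ID 6272 (access granted) and 6273 (access denied) to the
# Security log; the useful fields are in the message body. If nothing comes
# back, NPS auditing is off; enable it with:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

function Get-NpsAuthEvents {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Pull one "Label:<tab>value" line out of the event message by its label.
    function Get-Field([string]$Message, [string]$Label) {
        $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(.*?)\s*$'
        if ($Message -match $pattern) { $Matches[1] } else { '' }
    }

    foreach ($e in $events) {
        [pscustomobject]@{
            Time         = $e.TimeCreated
            Result       = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
            Account      = Get-Field $e.Message 'Fully Qualified Account Name'
            RadiusClient = Get-Field $e.Message 'Client Friendly Name'      # RADIUS client object name
            CalledId     = Get-Field $e.Message 'Called Station Identifier' # <AP MAC>:<SSID>
            Policy       = Get-Field $e.Message 'Network Policy Name'
            AuthType     = Get-Field $e.Message 'Authentication Type'
            EapType      = Get-Field $e.Message 'EAP Type'
            ReasonCode   = Get-Field $e.Message 'Reason Code'
            Reason       = Get-Field $e.Message 'Reason'
        }
    }
}

$rows = Get-NpsAuthEvents -Hours 24

# Denials by policy and reason. Reason code 48 means no network policy matched
# (check the Machine Groups / Called-Station-ID conditions); 66 means the
# matched policy does not allow the authentication method the client used.
$rows | Where-Object Result -eq 'Denied' |
    Group-Object Policy, ReasonCode, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Grants: every one should show the EAP-TLS policy and the
# "Microsoft: Smart Card or other certificate" EAP type, not MS-CHAPv2.
$rows | Where-Object Result -eq 'Granted' |
    Group-Object Policy, EapType | Select-Object Count, Name | Format-Table -AutoSize
```

<p>The CalledId column is the value the Called Station ID condition is matched against, so a denial whose CalledId ends in a different SSID name than the policy expects is a condition problem on the NPS side, not a certificate problem on the client.</p>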
