Got to big up FAT OF THE LAN for this one.
When prompted for which type of Certificate Authority to install, choose “Enterprise”.
When prompted for CA Type, select “Root CA” and click “Next”.
When prompted to Set Up Private Key select “Create a new private key” and click “Next”.
When prompted to Configure Cryptography for CA, accept the defaults and click “Next” for the rest of the conformation screens.
Request Certificates (optional)
Now that we have our Certificate Authority (CA) up and running we may want to request a certificate for our Authentication Server.
We’ll create a Microsoft Management Console (MMC) that will allow us to request and install the certificate for our server. Press the “Start” button and enter “MMC” in the command field to open the MMC. Next we’ll add the Certificate (For Local Computer) snap-in by clicking “File” and choosing “Add/Remove Snap-in”. Select “Certificates” and click “Add”.
Now be sure to select “Computer Account” and click “Next”.
Choose “Local Computer”, click “Finish” and “OK”.
TIP: While you’re here you might as well add the “Certificate Authority” snap-in and save this MMC to your desktop because you’ll need it again in the future.
To request a certificate for your server (if you don’t want to use the default certificate) expand “Certificates (Local Computer Account)”, “Personal”, and right-click “Certificates” and select “All Tasks”, “Request New Certificate…”
Click through the Enrollment screens choosing the settings you desire for your certificate.
Installing Network Policy and Access Services
In Windows 2008 Server you can no longer just install the Internet Authentication Service (IAS) and have RADIUS functionality. You must now install Network Policy and Access Services, which now include everything from earlier versions of Windows server such as RRAS/IAS/etc,… but now includes NAP (think NAC for Windows). We will be installing and configuring just enough to enable PEAP and RADIUS functionality with our Aruba controller. So once again head to the Server Manager and “Add a Role” selecting “Network Policy and Access Services” and click through the confirmation screen.
Select “Network Policy Server”, “Routing and Remote Access Services”, “Remote Access Service” and “Routing”. Click “Next”, click through the confirmation screen and click “Install”.
Installation will take a couple of minutes and present you with an install summery. Just click “Close”.
Now that NPS is installed, press the “Start” button and enter “nps.msc” in the command field. The NPS MMC should open up allowing you to select the “RADIUS server for 802.1X Wireless or Wired Connections” Installation Wizard from the “Standard Configuration” pull-down menu and click “Configure 802.1X”.
From the “Select 802.1X Connections Type” page, select “Secure Wireless Connections” and click “Next”.
From the “Specify 802.1X Switches” screen click “Add…” and enter the settings for your Aruba controller and press “OK”.
For the “Configure an Authentication Method” screen select “Microsoft Smart Card or other certificate” for EAP-TLS or “Microsoft Protected EAP (PEAP)” for PEAP. I will be selecting PEAP for this example and click “Configure…”
Select the appropriate certificate to use for this server. In this case we’ll use the “WLAN-DC.wlan.net” certificate and click “OK”.
For the “Specify User Groups” screen select the users and/or groups you would like to allow wireless access. For this example I am allowing all of my domain users by selecting the “Domain Users” group. If I want to enforce Machine Authentication I need to add the “Domain Computers” group as well as checking the “Enforce Machine Auth” option in the dot1x policy on my Aruba controller. Click “Next” to continue.
Note: Groups listed here are considered as an OR statement.
For the next screen you can click “Next” and “Finish” or click “Configure…” to add RADIUS attributes for Server Derivation rules.
For example, you may want to map the “Domain Users” to the “employee_role” on your Aruba controller. You could do that here with the “Filter-Id” attribute.
Note: There seems to be a bug in Windows if you mess with these attributes too much the “Filter-Id” attribute vanishes. If this happens cancel out of the wizard and start over.
Press “Next” and “Finish” to complete the wizard. This should now allow you to authenticate users against your Windows 2008 Server.