This will be set up in a Active domain environment.
Installing the required roles and role services
First of all, install the Network Policy and Access Services and the Active Directory Certificate Services onto the the Windows Server 2008 R2. Make sure the Network Policy Server, Certification Authority and Certification Authority Web Enrollment is installed.
Make your Certificate Service a enterprise root CA.
Preparing the server certificate
After installation, we’ll have to issue ourselves a certificate by browsing to AD CS -> Certificate Templates.
Right click on RAS and IAS Server and select Duplicate Template.
Select Windows Server 2003 Enterprise and click OK.
Rename the certificate template to whatever you want and tick Publish certificate in Active Directory. Go to the Request Handling tab and tick Allow private key to be exported. Go to Subject Name tab and select Supply in the request. Go to the Security tab and make sure that Administrator or whatever user/user group that you’re going to use later to apply for the certificate has the permission to enroll.
Right click on AD CS -> SERVER-CA -> Certificate Templates and select New -> Certificate Template to Issue. Select your newly created certificate template and click OK.
Open Internet Explorer and add http://YOURIPADDRESS/certsrv to your list of intranet and and set the security settings to low.
Browse to http://YOURIPADDRESS/certsrv and click on Request a certificate. Select advance certificate request then create and submit a request to this CA. Select the Certificate Template that we’ve created just now and use the server’s computer name for the name of the certificate. Tick Mark keys as exportable and click submit.
On the next page, click on Install this certificate.
After installing the certificate, we’ll have to move it into the correct directory. Go to run and open up mmc. Go to File -> Add/Remove Snap-in and add the Certificates for both Current User and Local Computer. Cut and paste the installed certificate from Certificate – Current User -> Personal -> Certificates to Certificates (Local Computer) -> Personal -> Certificates.
Setting up the radius client
Expand Network Policy and Access Services from Server Manager.
Browse to NPS (Local) -> RADIUS Clients. Right click and select New.
You can use whatever name you want to identify your switch but I’m going to use Cisco. Enter the Vlan interface’s ipaddress into the Address box and Verify. Enter your shared secret into the bottom two box which will be used later on the switch, I’m going to use cisco.
Creating the network access policy
Click on NPS (Local). Choose RADIUS server for 802.1X Wireless or Wired Connections for the drop down box and click Configure 802.1X.
Select Secure Wired (Ethernet Connections) and click Next.
Select the RADIUS client that we’ve created just now and click Next.
Select Microsoft: Protected EAP (PEAP) from the drop down box and click Configure. Select the certificate that we’ve created and installed just now and make sure that the Eap Types is Secured password (EAP-MSCHAP v2). Leave everything else as default. Click OK then Next.
Add the user groups that you want to use to for the authentication and click Next.
We don’t have to configure traffic controls. so, press Next then Finish.
That’s all we have to do for the Windows Server.
Cisco switch configuration
We’ll now move on to the Cisco switch. You should have your vlans configured.
These are the commands that we need to configure the switch to do port based dot1x authentication.
conf t aaa new-model radius-server host 18.104.22.168 auth-port 1645 acct-port 1646 key cisco aaa authentication dot1x default group radius dot1x system-auth-control int f0/4 dot1x port-control auto
Windows client web enrollment
For the client,we’ll have to install the CA cert so that the client will be able to verify the server’s cert’s authencity. Go to internet explorer and browse to http://IPADDRESS/certsrv. Select Download a CA certificate, certificate chain, or CRL and then Download CA certificate. Once download, browse to the file location and install it into your computer.
Like before when we moved the location of the installed certs, open mmc and add the required certificate snap ins. Move the CA certificate from current user -> Immediate certification authorities to Local Computer -> Trusted Root Certification Authorities.
Setting up the authentication parameters
After installing the trusted CA cert, open properties of your network adapter. Go to the authentication tab and tick Enable IEEE 802.1X authentication. select PEAP for the authentication method and click settings.
Tick validate server certificate and select the root CA certificate that we’ve added.
Ensure that EAP-MSCHAP v2 is selected for the authentication method and fast reconnect is ticked. Click on configure and make sure that Automatically use my Windows logon name and password is unticked. Click OK.
Click on Advanced settings. Tick Specify authentication mode and select User authentication. Leave the rest unticked. Click OK, then OK.
Disable and enable the network adapter and the prompt for authentication informations should pop up.