Home > ADCS, GPO, PKI, RADIUS, SSL, WiFi > Creating a WPA2-EAP Wireless Network with NPS, AD CS, and GPO

Creating a WPA2-EAP Wireless Network with NPS, AD CS, and GPO

I have had to deal with some networks in the past where wireless was perhaps not treated with the proper amount of concern.  I know of at least a few where the basic premise to security is just a WPA2 password – that hopefully the users don’t know.  It can’t be changed regularly because you’d have to communicate this change out to everyone.  A user with local administrator rights and Windows 7 can simply check the “show password” box on the WPA password settings, and it will show them.  Compound this with not changing passwords when a user leaves the company and you leave a fairly big hole in the side of your network.  Even worse is relying on MAC security, as this can be spoofed just by sitting there long enough and watching the packets go by and picking a MAC you want to use.

So what’s the solution?  WPA2-EAP using RADIUS, SSL via an Active Directory Certificate Authority, and GPO’s.  The general overview of what you are wanting to set up here and wanting to accomplish, is this:

  • The computer must be a domain computer and trusted.
  • The computer will, via GPO, auto-enroll for a computer based certificate.
  • AD CS will provide said certificate.  This will allow for the computer to be trusted beyond simply its SID or hostname, etc.
  • Wireless settings will be pushed out to all systems via GPO.  No one wants to go to 20 computers and enter a new SSID or configuration.  This should be automatic.  If you add a new access point or a new office, it should publish to the computer (assuming you want this – you might want to use security groups to limit who can use what AP’s in what locations, etc).
  • We don’t want users messing with the wireless settings at all.
  • There should be no password for a user to share, shoulder surf, remember, etc.
  • The user is not what we’re trusting but the computer.  This prevents the user from finding a way to use their credentials to authorize a non-domain computer by sharing, and walking away.
  • Because the computer is authenticating, it is connected as soon as the WiFi is available at boot up, even before the login.  This means that GPO’s and software deployments, etc, can be taking effect even if the machine sits at the login screen.  Contrast this with the situation where the user must login using cached credentials, then connect to the network, and then run any of these tools.  Also, a user who has no cached credentials from a previous login, can login and create a profile.

So some pre-requisites and reference links:

  • You’ve configured an Enterprise PKI for your network similar to how I have described before – Enterprise CA PKI for Domains – 2 Tier, with Root & Subordinate
  • A handy primer on how to do this – http://community.spiceworks.com/how_to/show/1455
  • WAP’s capable of using WPA2-Enterprise and RADIUS (my Netgear WNDR-3700v2 with DD-WRT will)
  • Create any groups in AD if you want to restrict access to certain computers or users in your domain.  The most likely reason you would do this is if you wanted to create say a “grpAllowedWiFi-OfficeName” per office, and then you chose which computers had access to which office.  I’m going to assume here that we are giving access to the entire network from all domain computers, as this is probably most likely.

And now the steps – there is very little that is different from the SpiceWorks HOWTO post by Tino Todino.

1) Configure your Wireless Access Point.

We’re going to do this with a DD-WRT device, as this configuration should translate well regardless of device and if your device doesn’t do it, you might be able to use DD-WRT devices to deal with this.

Click on WIRELESS –> BASIC SETTINGS.

image

I have created a Virtual Interface for this access point, so that I can do this testing in parallel with what I already have in place.  Set it as an AP and give it a name – case matters, and you may want this SSID to be generic through your infrastructure.  I have also chosen to not broadcast the SSID.  This is security through obscurity, but every little bit helps.  Plus because we are going to publish these out to computers via GPO, we don’t have to worry about end-user usability.   Click SAVE/APPLY CONFIGURATION.

Click on WIRELESS –> WIRELESS SECURITY.

image

Security mode is going to be WPA2-Enterprise.  WPA Algorithm we’ll set to AES (TKIP I understand can be cracked).   Enter the IP’s and shared secrets of your RADIUS servers.  This shared secret will be used later.   Click SAVE/APPLY CONFIGURATION.

The Wireless Access Point is now configured.

2) Install NPS on the server

I already had NPS installed, but if you followed my setup, you only have the Network Policy Service installed and not the Routing and Remote Access Service

3) Set up RADIUS clients on the NPS

Open the NPS console on the NPS server.  Expand RADIUS CLIENTS AND SERVERS –> RADIUS CLIENTS.  Right click and choose NEW.

image

Enter the friendly name of this WAP, the IP, and the Shared Secret and click OK.  If you have multiple AP’s, repeat this process as needed.

4) Configure 802.1x on the NPS server

In the NPS console, click on the root NPS (Local) option.  On the right hand side from the drop down select “RADIUS server for 802.1x Wireless or Wired connections”.   Then click the green arrow beside “Configure 802.1x”.

image

Select “Secure Wireless Connections” and give it a name.  I’ve named mine “NetWise – Secure Wireless Connections”.  Click NEXT.

image

Select the RADIUS client(s) you want to use this configuration.  To be fair, you could have also added the client here as well I just realize.  Click NEXT.

image

Select Microsoft: Protected EAP (PEAP).  Click CONFIGURE.

image

In my case, my primary RADIUS server also happens to be my Exchange server (I’ll get around to fixing that some day…..).  As such, it has more than one SSL Certificate present.  Select the one for the RADIUS server itself, which will be the one showing the FQDN.  Also it will show “Issued:” by your internal AD CA, vs an external 3rd party.   Click OK

image

Click NEXT.

This is where you would configure USER groups.  Note that this is not groups of Computer objects, so this is not where/how you would restrict ComputerA from using the WAP in CityQ for example.  Click NEXT, as we’re not adding groups in the scope of this document.

image

On the Traffic Controls screen, click NEXT.

image

On the last page, you’ll see confirmation that we have created both a Connection Request Policy and a Network Policy.  Click FINISH.

image

5) Create a Certificate AutoEnrollment GPO.

  • Open the Group Policy Management Console
  • Either create a new GPO or modify an existing one.  I’m choosing to modify my Default Domain Policy as I want this to affect all my computers.  You might choose to create a new one so you could link it to OU’s or computer groups as desired.
  • Under Security Filtering, you would remove the “Authenticated Users” and add in the Computer/User groups if you wanted to do it that way.
  • Edit the GPO (Right Click –> EDIT)
  • Browse to COMPUTER CONFIGURATION –> POLICIES –> WINDOWS SETTINGS –> SECURITY SETTINGS –> PUBLIC KEY POLICIES.
  • Right click on “Certificate Services Client – Autoenrollment” and click PROPERTIES.
    image
  • Change “Configuration Model” to ENABLED and check both boxes and click OK.
    image
  • Right click on “Certificate Services Client – Certificate Enrollment Policy” and click PROPERTIES.
    image
  • Change “Configuration Model” to ENABLED and click OK.
    image
  • Close the GPO you’re working on to save it.  (I forget this so often, it hurts.)

6) Create a Windows Vista/7 Wireless 802.1x GPO.

  • Edit the GPO in question.  It might very well be the same one from step 5 above.
  • Browse to COMPUTER CONFIGURATION –> POLICIES –> WINDOWS SETTINGS –> SECURITY SETTINGS –> Wireless Network (IEEE 802.11) Policies.
  • Right click and choose “Create a new wireless network policy for Windows Vista and later release”.image
    Note: if you don’t see this, you might already have a policy configured for Vista.  If so, you will only get the option for the Windows XP policy.  But you can only have one of each per GPO.   This could be a good design reason to want to keep the GPO’s with the policies separate from your Default Domain Policy, if you are intending to have a configuration that is not standard across the board.
  • Give your policy a name and a description, and then click ADD –> INFRASTRUCTURE.
    image
  • Give your profile a Profile Name (ie: NETWISE CORPORATE).  Type in the name of your SSID and click ADD.  I have to assume you could put in multiples here if perhaps your SSID’s were setup like NW-<CITY> or NW-<LOC_CODE>, etc.
    image
    Check all 3 boxes: “Connect automatically…”, “Connect to a more preferred….” (more on this later!) and “Connect even if….”.  Click the SECURITY tab.
  • On the SECURITY tab, set AUTHENTICATION=”WPA2-Enterprise”, ENCRYPTION=”AES” (to match what you setup on the WAP itself), NETWORK AUTHENTICATION METHOD=”(PEAP)” and change AUTHENTICATION MODE=”COMPUTER AUTHENTICATION”.image
    Click PROPERTIES next to (PEAP).
  • Check the box for “VALIDATE SERVER CERTIFICATES”.  Check the box for “CONNECT TO THESE SERVERS:” and enter the FQDN name(s) of your RADIUS servers to use for this policy, separated by a semi-colon if needed.  In the TRUSTED ROOT CERTIFICATION AUTHORITIES list, find and check the certificate for your Enterprise Root CA.
    image
    Click OK twice to return to the 802.11 Wireless Network Policy Properties window.
  • Click on the NETWORK PERMISSIONS tab.
  • If you want to get more granular, this is where you have some greater control over the wireless settings on the client.   Some specific options:
    • You can click ADD and enter an Infrastructure/Ad-Hoc SSID and choose to allow or deny.  This is where you might add a known public SSID that you don’t want users to use (ie: “Linksys” or “Starbucks” or something.).
    • Check boxes for “Prevent connections to ad-hoc/infrastructure networks”.
    • If you’re going to prevent said access, then you might want to uncheck “Allow user to view denied networks” – this would make them simply not show up at all.
    • “Only use Group Policy profiles” locks the WiFi lists on the client down to ONLY what you have configured in Group Policy – they cannot add anything additional.  This seems pretty drastic, but it is a nice option to have.
  • Click OK
  • Close the GPO to save it.

7) On a client that might already be connected via a WPA2 configuration or wired, refresh the group policies (gpupdate /force) and let it run.  If you have to log off or reboot, do so.

image

Once it applies, you’ll see that your new options are present.  Do note that you see the wireless configuration friendly name “NETWISE CORPORATE” vs the SSID of “NETWISE-ENT”.  Also, because of the check boxes when creating the GPO Wireless Policy of “Connect to a more preferred network….” you will note that I’ve stayed connected to my 802.11n 5GHz AP/SSID vs switching over to NETWISE CORPORATE automatically.  Depending on your environment, you may then want to modify this in the GPO.  Perhaps your office is next to a Starbucks and maybe they even have better signal strength on that side of your office.  This setting would tell the computer to connect to the corporate network any time it is available.

8) Troubleshooting.

Are you seeing this: image

Remember the part where I said the NPS I was on had more than one SSL certificate?  If you pick the wrong one, and the FQDN and such don’t match, you’re going to get this error.  To remedy it:

  • If you’re working wirelessless, you should TERMINATE and connect to either another WPA2 based SSID or a wireled link.
  • Connect back to your RADIUS/NPS server(s)
  • In the NPS console, click on POLICIES –> NETWORK POLICIES.  Select the Secure Wireless Connections policy (with the appropriate name) and right click and choose PROPERTIES.
    image
  • Click on the CONTSTRAINTS tab
    image
  • Select the EAP type listed (there should be only one) and click EDIT.
    image
  • On the EAP Protected EAP Properties window, ensure that Certificate Issued: is showing the FQDN of the server as entered in the RADIUS properies previously and shows ISSUER: as your Enterprise Root CA.  Click OK twice to finish editing.
  • Do this on both (or more) of your NPS/RADIUS servers
  • Retry your connection.

Now, to wrap up.  Once you’re connected if you want, you can right click on the connection in the WiFi list and choose PROPERTIES:
image

You will note that everything is grayed out and un-modifiable:

imageimage

So what we have is exactly what we set out to get.  No WPA2 passwords that can be shared.  We’re using PKI/SSL/ADCS/GPO to deploy the security so no one ever has to touch the machine(s).

Its been a good day Smile

Advertisements
Categories: ADCS, GPO, PKI, RADIUS, SSL, WiFi
  1. afelipem
    May 30, 2012 at 9:24 AM

    Hello there. it seems that I don’t have all the prerequisites because I cannot see options for wpa2 on the GPO. I am running AD version 2003. do I need to upgrade that to 2008?
    thank you.

  2. Regnad
    November 21, 2012 at 9:48 AM

    When and where would a public certificate (Thawte, Verisign, etc.) be required? Would it be put in place of the machine cert you have above? (add trusted root path check mark next to public trusted root)
    I assume that this setup is just for domain member computers and not external devices such as iPhones and Smartphones, correct?
    Matbe you could add a section for public certificates and how to set this up.

    • November 21, 2012 at 10:14 PM

      In this configuration, a Public certificate doesn’t help I don’t think. This is all done with an internal PKI. It is done with domain member computers, as the enrollment is done via GPO. However, you can do enrollments for a device and provide the certificate. The company I’m currently working for has a version of this in place that I haven’t looked into too deeply. I do know that when I connect via my iphone, providing my AD account as credentials, I am provided with an SSL cert to accept (but as I have, I can’t reproduce the screen). I couldn’t tell you if that is part of our Cisco wireless controller infrastructure or part of the EAP/PKI config. I would imagine that if you were doing this for iPhones and such, that you would implement a Mobile Device Management (MDM) server, to create that additional reach.

  3. E-Ro
    May 3, 2013 at 5:12 AM

    Thank you, great walk-thru

    • May 18, 2013 at 7:54 PM

      Not a problem, I’m really glad it helped. I’ll likely be upgrading to 2012 soon, so expect some new ones!

  4. Patrick Clarke
    May 4, 2016 at 9:25 AM

    Hi, I dont know if this is still monitored but I was wondering if there is an option to allow domain computer to authenticate the way you have it but then have none domain devices like ipads and cell phones to connect to the wifi with AD credentials but put them on a separate vlan.

    • June 4, 2016 at 1:38 PM

      Oh I’m still here.

      I never got into the more security and segregation aspect of this. Off the cuff I’d expect you to have to do one of two things:

      Full flesh out an NPS server with rules to handle the device types
      Use a secondary SSID for the non PC devices
      Use a Wireless LAN Controller that can handle the offload for the non pc’s and classify them upstream.

      I guess that’s three.

      Let me know what you find it, I’m curious as well.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: