Question
Friday, June 16, 2017 8:38 AM
Hi,
I'm a junior admin, still in training, and I decided to set up something I have never worked on before, in order to learn.
I want to create a wifi network with Active Directory authentication. In short, I want that when you bring your own laptop (which is NOT in the AD) and select the wifi SSID you want to connect to, a popup asks you for your AD credentials and grants you access only if you enter an account with the right permission.
It shouldn't be that hard, but I'm actually having trouble understanding how to set it up, following the tutorials on the Internet.
I know I need, other than a DC with AD, an NPS server and a RADIUS client (as RADIUS client I have both a Cisco and a Netgear access point). Some tutorials say I also need AD CS (Active Directory Certificate Services), others say I don't. That's the first confusing point.
Do you know already if I need to use AD CS? I can't give certificates to computers that are not in the domain, so I thought I didn't need it.
And where could I find a good tutorial that helps me create this network?
Thank you in advance
All replies (10)
Monday, June 19, 2017 8:03 AM
Up :/
Monday, June 19, 2017 9:06 AM
Hi,
>>Some tutorial say I need also an AD CS (Active Directory Certificate Services), others say I don't. That's the first confusing point.
Whether you need a certificate depends on your authentication methods.
For more information about authentication methods, please refer to the following article:
https://technet.microsoft.com/en-us/library/cc958013.aspx
If you install AD CS, the CA sends its certificate to the domain member computers in your organization and they store the CA certificate in the Trusted Root Certification Authorities certificate store on the local computer. If you also configure and autoenroll a server certificate for your NPS servers and then deploy PEAP-MS-CHAP v2 for wireless connections, all domain member wireless client computers can successfully authenticate your NPS servers using the NPS server certificate because they trust the CA that issued the NPS server certificate.
For more information about AD CS, please refer to the following article:
https://technet.microsoft.com/en-us/library/cc772401(v=ws.10).aspx
>>Do you know already if I need to use AD CS? I can't give certificates to computers that are not in the domain, so I thought I didn't need it.
You could configure MS-CHAPv2 on NPS if you want your clients to just enter an account with the right permission to log on.
>>And where could I find a good tutorial that helps me create this network?
There is an article, the 802.1X Authenticated Wireless Deployment Guide:
https://technet.microsoft.com/en-us/library/dd283093(v=ws.10).aspx
If there is any other concern, please don’t hesitate to let me know.
Best Regards,
Frank
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Tuesday, June 20, 2017 12:56 PM
Hi, thank you for your answer.
Even in the guide you provided, it says I still need to deploy NPS server certificates, even using PEAP-MS-CHAPv2. I can either buy one from a public CA or create my own, but the clients still need them in order to be able to connect with the RADIUS.
Since I want people to be able to connect freely with any NON-domain device they own, I guess I can't use that, because I would need to give these certificates in advance to the user, who needs to inject them into his computer, etc... that's not user friendly. I could deploy them via a PowerShell script, but I still need them to be inside the domain for that.
So, if I understood correctly: if the computers are in the domain, it's easier, the certificates can be provided easily because they already trust the domain (and the RADIUS is domain joined). But if the computers are NOT in the domain, I need to provide them in advance, which is not good for my case.
I'm a little disappointed, I thought this would have been an easy task, but now it seems impossible :/ Do I have to change my project completely? Is there no way to make this work?
Friday, June 23, 2017 10:22 AM
Hi,
According to my research, there is one technology called Dynamic VLAN assignment that may be helpful to you.
Dynamic VLAN assignment is one such feature that places a wireless user into a specific VLAN based on the credentials supplied by the user. This task of assigning users to a specific VLAN is handled by a RADIUS authentication server, such as CiscoSecure ACS. This can be used, for example, to allow the wireless host to remain on the same VLAN as it moves within a campus network.
If your Cisco router is a Layer 3 switch that can create VLANs, you should implement it.
There is an issue with configuring NPS with dynamic VLAN assignment based on 802.1X authentication:
Best Regards,
Frank
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, June 23, 2017 8:07 PM
Actually, I think I've found the answer after a long research :) I've just set PEAP as the authentication method and I can now connect just by entering my AD username and password, no need for certificates or anything. It works with computers not in the domain and also without AD CS. I hope it's secure enough, I still need to make some tests, but now it seems to work fine.
Thank you for your help!
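For the tests mentioned in the reply above, the place to look is the NPS server's Security log rather than the client: NPS records every RADIUS decision as Event 6272 (access granted) or 6273 (access denied), including the authentication and EAP type it actually negotiated, the network policy that matched, and a reason code plus text for rejections. The script below is an added example, not part of the thread; it assumes the "Network Policy Server" audit subcategory is enabled on the NPS server (the `auditpol` line in the comment) and that the thread's access points are registered there as RADIUS clients.

```powershell
# Added example, not from the thread. Summarises recent NPS decisions from the Security log.
# Requires the audit subcategory to be on (once, from an elevated prompt on the NPS server):
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
# Run from an elevated PowerShell prompt on the NPS server.

function Get-NpsEventField {
    # Pull one named field out of an NPS audit event's EventData XML.
    param(
        [Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [Parameter(Mandatory)][string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-NpsDecision {
    # 6272 = Network Policy Server granted access, 6273 = Network Policy Server denied access.
    param([int]$MaxEvents = 500)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Result     = if ($e.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
            User       = Get-NpsEventField -Event $e -Name 'FullyQualifiedSubjectUserName'
            ClientMac  = Get-NpsEventField -Event $e -Name 'CallingStationID'   # the laptop
            Ap         = Get-NpsEventField -Event $e -Name 'ClientName'         # RADIUS client (the AP)
            Policy     = Get-NpsEventField -Event $e -Name 'NetworkPolicyName'
            AuthType   = Get-NpsEventField -Event $e -Name 'AuthenticationType'
            EapType    = Get-NpsEventField -Event $e -Name 'EAPType'
            ReasonCode = Get-NpsEventField -Event $e -Name 'ReasonCode'
            Reason     = Get-NpsEventField -Event $e -Name 'Reason'
        }
    }
}

$decisions = Get-NpsDecision

# 1. Latest decisions: confirm AuthType/EapType show PEAP with EAP-MSCHAP v2 inside it, and not a
#    plaintext PAP or bare MS-CHAP v2 request that the AP forwarded outside any TLS tunnel.
$decisions | Sort-Object Time -Descending | Select-Object -First 20 |
    Format-Table Time, Result, User, ClientMac, Ap, Policy, AuthType, EapType, ReasonCode -AutoSize

# 2. What NPS turned down, and why (Reason is NPS's own text for the ReasonCode).
$decisions | Where-Object Result -eq 'DENIED' |
    Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Repeated failures per user/MAC. Mistyped passwords during testing look like this, but so does
#    password guessing against AD accounts over the air, so the high counts are worth an alert.
$decisions | Where-Object Result -eq 'DENIED' |
    Group-Object User, ClientMac | Where-Object Count -ge 5 |
    Sort-Object Count -Descending | Select-Object Count, Name
```

The third query matters beyond testing: each rejected MS-CHAP v2 attempt is a failed logon against the AD account, so whatever lockout policy the domain has applies to anyone who can reach the SSID, and a burst of 6273 events for one user from an unknown MAC is the signal to watch for.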
Monday, June 26, 2017 5:45 AM
Hi,
I am glad to hear that you resolved the issue. Please mark the useful replies as answers.
Best Regards,
Frank
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Monday, June 26, 2017 7:07 AM
Yes, I just still have to make some tests and be sure it works 100% fine :)
Thursday, January 4, 2018 4:14 PM
Hi Grant, can you help me with this? I wish to do the same in my home lab environment.
Thanks :)
Wednesday, June 10, 2020 3:25 AM
Hi Team
Thanks
What are the requirements for the access point (wifi)? Please share the access point's working options for user authentication, and, if possible, share the authentication diagram.
Thursday, June 11, 2020 6:39 AM
Hi Team
If possible, please share a wifi authentication diagram for authenticating against Active Directory.
Note: is it possible to mention a time (2 or 3 hours) for token-system authentication? Please advise.