I recently worked with a colleague of mine to get various network devices to use RADIUS authentication provided by a Windows Server 2008 R2 NPS server and realized how many devices lacked documentation on how to configure the NPS server. One of the devices I ended up guessing was a Cisco Wireless LAN controller and seeing how others may come across this, I decided it may be worth while to blog about this. The server I used to install the NPS role was Windows Server 2008 R2 (the configuration would be the same for Windows Server 2012) and the Wireless LAN Controller was the Cisco 4400 Series (4402).
As with setting up RADIUS for other devices, begin by configuring the RADIUS client in the RADIUS Clients node. Note that I am configuring the 2 wireless controller clients with the name CF-<thenSomeName>. The reason why I’ve named it this way will be shown as we go through the setup:
Once the client representing your wireless controllers has been configured, proceed by configuring a new Network Policy:
Policy name – name of your choice
Type of network access server - Unspecified
Click on the Add button in the Conditions window:
Select Windows Groups:
Add the groups you would like to grant administrative access:
Click on OK:
Select Client Friendly Name:
As mentioned earlier, I named all of the devices to start with CF- and this is because you can’t configure the policy to have multiple Client Friendly Names or else in order for the policy to match, the client authenticating would have to match all of the Client Friendly Names. This is of course not possible and that’s why I’ve named the 2 devices to start with CF- so I could use wildcards for the match. For this case, the wildcard to match a name starting with CF- and everything else afterwards is:
CF-.*
**Note that more information about pattern matching syntax can be found here:
Using Pattern-Matching Syntax in NPS
http://technet.microsoft.com/sv-se/library/dd197583(v=ws.10).aspx
Proceed with clicking on Next after you have specified the conditions:
Select Access granted:
Check Unencrypted authentication (PAP, SPAP):
Leave the settings at default and click on the Next button:
Select Standard under RADIUS Attributes and click on the Add button:
Select Service-Type under Attributes and click on the Add button:
Change the Attribute Value from Commonly used for Dial-UP or VPN:
… to Others and depending on what access you would like to give the users authorized by this policy, you can se the value to:
- Administrative <— Full administrator permissions
- NAS Prompt <— View only administrative permissions
- Callback Administrative <— Lobby administrator permissions
Click OK, continue by clicking on the Next button and then click Finish to create the policy:
Notice the new policy created:
Now try logging onto the wireless controller with an Active Directory account:
Very good solution, thanks for sharing your knowledge.
ReplyDeleteHi Terrence, Thanks for the post. Just wanted to see if you have ever or if it's possible to use a wildcard cert for EAP/PEAP authentication in this same scenario you have posted. Thanks.
ReplyDelete