RADIUS Server for 802.1X Wireless or Wired Connections
Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
When you deploy 802.1X wired or wireless access with Network Policy Server (NPS) as a Remote Authentication Dial-In User Service (RADIUS) server, you must take the following steps:
Install and configure network access servers (NASs) as RADIUS clients.
Deploy components for authentication methods.
Configure NPS as a RADIUS server.
Install and configure network access servers (RADIUS clients)
To deploy 802.1X wireless access, you must install and configure wireless access points. To deploy 802.1X wired access, you must install and configure 802.1X authenticating switches.
Important
Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.
In both cases, these network access servers must meet the following requirements:
Support for Institute of Electrical and Electronics Engineers (IEEE) standard 802.1X authentication
Support for RADIUS authentication and RADIUS accounting
If you use billing or accounting applications that require session correlation, the following are required:
Support for the Class attribute as defined by the Internet Engineering Task Force (IETF) in RFC 2865, "Remote Authentication Dial-in User Service (RADIUS)," to allow session correlation for RADIUS authentication and accounting records. For session correlation, when you configure RADIUS accounting at your NPS server or proxy, you must log all accounting data that allow applications (such as billing applications) to query the database, correlate related fields, and return a cohesive view of each session in the query results. At a minimum, to provide session correlation, you must log the following NPS accounting data: NAS-IP-Address; NAS-Identifier (you need both NAS-IP-Address and NAS-Identifier because the access server can send either attribute); Class; Acct-Session-Id; Acct-Multi-Session-Id; Packet-Type; Acct-Status-Type; Acct-Interim-Interval; NAS-Port; and Event-Timestamp.
Support for accounting interim requests, which are sent periodically by some network access servers (NASs) during a user session, that can be logged. This type of request can be used when the Acct-Interim-Interval RADIUS attribute is configured to support periodic requests in the remote access profile on the NPS server. The NAS must support the use of accounting interim requests if you want the interim requests to be logged on the NPS server.
If you use virtual local area networks (VLANs), the NASs must support VLANs.
For wide area network (WAN) environments, network access servers should provide the following:
- Support for dynamic retransmit timeout (RTO) estimation or exponential backoff to handle congestion and delays in a WAN environment.
In addition, there are filtering features that the network access servers should support to provide enhanced security for the network. These filtering options include:
DHCP filtering . The NASs must filter on IP ports to prevent the transmission of Dynamic Host Configuration Protocol (DHCP) broadcast messages if the client is a DHCP server. The network access servers must block the client from sending IP packets from port 68 to the network.
DNS filtering . The NASs must filter on IP ports to prevent a client from performing as a DNS server. The NASs must block the client from sending IP packets from port 53 to the network.
If you are deploying wireless access points, support for Wi-Fi Protected Access (WPA) is preferred. WPA is supported by Windows Vista® and Windows XP with Service Pack 2. To deploy WPA, also use wireless network adapters that support WPA.
Deploy components for authentication methods
For 802.1X wireless and wired, you can use the following authentication methods:
Extensible Authentication Protocol (EAP) with Transport Layer Security (TLS), also called EAP-TLS.
Protected EAP (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), also called PEAP-MS-CHAP v2.
PEAP with EAP-TLS, also called PEAP-TLS.
For EAP-TLS and PEAP-TLS, you must deploy a public key infrastructure (PKI) by installing and configuring Active Directory® Certificate Services (AD CS) to issue certificates to domain member client computers and NPS servers. These certificates are used during the authentication process as proof of identity by both clients and NPS servers. If preferred, you can deploy smart cards rather than using client computer certificates. In this case, you must issue smart cards and smart card readers to organization employees.
For PEAP-MS-CHAP v2, you can deploy your own certification authority (CA) with AD CS to issue certificates to NPS servers or you can purchase server certificates from a public trusted root CA that clients trust, such as VeriSign.
For more information, see EAP Overview and PEAP Overview.
Configure NPS as a RADIUS server
When you configure NPS as a RADIUS server, you must configure RADIUS clients, network policy, and RADIUS accounting.
Configure RADIUS clients
There are two stages to configuring RADIUS clients:
Configure the physical RADIUS client, such as the wireless access point or authenticating switch, with information that allows the network access server to communicate with NPS servers. This information includes configuring the IP address of your NPS server and the shared secret in the access point or switch user interface.
In NPS, add a new RADIUS client. On the NPS server, add each access point or authenticating switch as a RADIUS client. NPS allows you to provide a friendly name for each RADIUS client, as well as the IP address of the RADIUS client and the shared secret.
For more information, see Add a New RADIUS Client.
Configure network policies
Network policies are sets of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can connect.
For more information, see Network Policies.
Configure RADIUS accounting
RADIUS accounting allows you to record user authentication and accounting requests in a local log file or to a Microsoft® SQL Server® database on the local computer or a remote computer.
For more information, see RADIUS Accounting.