microsoft:windows_server:wireless_access_deployment [2020/12/09 15:28] hvillanueva
microsoft:windows_server:wireless_access_deployment [2021/06/09 18:04] (current) aperez
Line 363: Line 363:
  
 In Network Policy Server, click OK, and then click OK again. In Network Policy Server, click OK, and then click OK again.
 +
 +==== Configure a Wireless AP as an NPS RADIUS Client ====
 +
 +You can use this procedure to configure an AP, also known as a network access server (NAS), as a Remote Authentication Dial-In User Service (RADIUS) client by using the NPS snap-in.
 +
 +{{:microsoft:windows_server:wireless_access_deployment_13_-_hvillanueva.jpg?600|}}
 +
 +Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.
 +
 +=== To add a network access server as a RADIUS client in NPS ===
 +
 +1. On your NPS, in Server Manager, click Tools, and then click Network Policy Server. The NPS snap-in opens.
 +
 +2. In the NPS snap-in, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New.
 +
 +3. In New RADIUS Client, verify that the Enable this RADIUS client check box is selected.
 +
 +4. In New RADIUS Client, in Friendly name, type a display name for the wireless access point.
 +
 +For example, if you want to add a wireless access point (AP) named AP-01, type AP-01.
 +
 +5. In Address (IP or DNS), type the IP address or fully qualified domain name (FQDN) for the NAS.
 +
 +If you enter the FQDN, to verify that the name is correct and maps to a valid IP address, click Verify, and then in Verify Address, in the Address field, click Resolve. If the FQDN name maps to a valid IP address, the IP address of that NAS will automatically appear in IP address. If the FQDN does not resolve to an IP address you will receive a message indicating that no such host is known. If this occurs, verify that you have the correct AP name and that the AP is powered on and connected to the network.
 +
 +Click OK to close Verify Address.
 +
 +6. In New RADIUS Client, in Shared Secret, do one of the following:
 +
 +  * To manually configure a RADIUS shared secret, select Manual, and then in Shared secret, type the strong password that is also entered on the NAS. Retype the shared secret in Confirm shared secret.
 +
 +  * To automatically generate a shared secret, select the Generate check box, and then click the Generate button. Save the generated shared secret, and then use that value to configure the NAS so that it can communicate with the NPS.
 +
 +{{:microsoft:windows_server:wireless_access_deployment_14_-_hvillanueva.jpg?600|}}
 +
 +7. In New RADIUS Client, on the Advanced tab, in Vendor name, specify the NAS manufacturer name. If you are not sure of the NAS manufacturer name, select RADIUS standard.
 +
 +8. In Additional Options, if you are using any authentication methods other than EAP and PEAP, and if your NAS supports the use of the message authenticator attribute, select Access Request messages must contain the Message-Authenticator attribute.
 +
 +9. Click OK. Your NAS appears in the list of RADIUS clients configured on the NPS.
 +
 +==== Create NPS Policies for 802.1X Wireless Using a Wizard ====
 +
 +You can use this procedure to create the connection request policies and network policies required to deploy either 802.1X-capable wireless access points as Remote Authentication Dial-In User Service (RADIUS) clients to the RADIUS server running Network Policy Server (NPS). After you run the wizard, the following policies are created:
 +
 +  * One connection request policy
 +
 +  * One network policy
 +
 +{{:microsoft:windows_server:wireless_access_deployment_15_-_hvillanueva.jpg?600|}}
 +
 +Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.
 +
 +=== Create policies for 802.1X authenticated wireless by using a wizard ===
 +
 +1. Open the NPS snap-in. If it is not already selected, click NPS (Local). If you are running the NPS MMC snap-in and want to create policies on a remote NPS, select the server.
 +
 +2. In Getting Started, in Standard Configuration, select RADIUS server for 802.1X Wireless or Wired Connections. The text and links below the text change to reflect your selection.
 +
 +3. Click Configure 802.1X. The Configure 802.1X wizard opens.
 +
 +4. On the Select 802.1X Connections Type wizard page, in Type of 802.1X connections, select Secure Wireless Connections, and in Name, type a name for your policy, or leave the default name Secure Wireless Connections. Click Next.
 +
 +5. On the Specify 802.1X Switches wizard page, in RADIUS clients, all 802.1X switches and wireless access points that you have added as RADIUS Clients in the NPS snap-in are shown. Do any of the following:
 +
 +  * To add additional network access servers (NASs), such as wireless APs, in RADIUS clients, click Add, and then in New RADIUS client, enter the information for: Friendly name, Address (IP or DNS), and Shared Secret.
 +
 +  * To modify the settings for any NAS, in RADIUS clients, select the AP for which you want to modify the settings, and then click Edit. Modify the settings as required.
 +
 +  * To remove a NAS from the list, in RADIUS clients, select the NAS, and then click Remove.
 +
 +{{:microsoft:windows_server:wireless_access_deployment_16_-_hvillanueva.jpg?600|}}
 +
 +6. Click Next. On the Configure an Authentication Method wizard page, in Type (based on method of access and network configuration), select Microsoft: Protected EAP (PEAP), and then click Configure.
 +
 +{{:microsoft:windows_server:wireless_access_deployment_17_-_hvillanueva.jpg?600|}}
 +
 +7. On the Edit Protected EAP Properties wizard page, in Certificate issued, ensure that the correct NPS certificate is selected, and then do the following:
 +
 +{{:microsoft:windows_server:wireless_access_deployment_18_-_hvillanueva.jpg?600|}}
 +
 +  * To allow users to roam with their wireless computers between access points without requiring them to reauthenticate each time they associate with a new AP, select Enable Fast Reconnect.
 +
 +  * To specify that connecting wireless clients will end the network authentication process if the RADIUS server does not present cryptobinding Type-Length-Value (TLV), select Disconnect Clients without Cryptobinding.
 +
 +  * To modify the policy settings for the EAP type, in EAP Types, click Edit, in EAP MSCHAPv2 Properties, modify the settings as needed, and then click OK.
 +
 +8. Click OK. The Edit Protected EAP Properties dialog box closes, returning you to the Configure 802.1X wizard. Click Next.
 +
 +9. In Specify User Groups, click Add, and then type the name of the security group that you configured for your wireless clients in the Active Directory Users and Computers snap-in. For example, if you named your wireless security group Wireless Group, type Wireless Group. Click Next.
 +
 +10. Click Configure to configure RADIUS standard attributes and vendor-specific attributes for virtual LAN (VLAN) as needed, and as specified by the documentation provided by your wireless AP hardware vendor. Click Next.
 +
 +11. Review the configuration summary details, and then click Finish.
 +
 +Your NPS policies are now created, and you can move on to joining wireless computers to the domain.
 +
 +===== Join New Wireless Computers to the Domain =====
 +
 +The easiest method to join new wireless computers to the domain is to physically attach the computer to a segment of the wired LAN (a segment not controlled by an 802.1X switch) before joining the computer to the domain. This is easiest because wireless group policy settings are automatically and immediately applied and, if you have deployed your own PKI, the computer receives the CA certificate and places it in the Trusted Root Certification Authorities certificate store, allowing the wireless client to trust NPSs with server certs issued by your CA.
 +
 +Likewise, after a new wireless computer is joined to the domain, the preferred method for users to log on to the domain is to perform log on by using a wired connection to the network.
 +
 +==== Other domain-join methods ====
 +
 +In cases where it is not practical to join computers to the domain by using a wired Ethernet connection, or in cases where the user cannot log on to the domain for the first time by using a wired connection, you must use an alternate method.
 +
 +  * IT Staff Computer Configuration. A member of the IT staff joins a wireless computer to the domain and configures a Single Sign On bootstrap wireless profile. With this method, the IT administrator connects the wireless computer to the wired Ethernet network and joins the computer to the domain. Then the administrator distributes the computer to the user. When the user starts the computer without using a wired connection, the domain credentials that they manually specify for the user logon are used to both establish a connection to the wireless network and to log on to the domain.
 +
 +  * Bootstrap Wireless Profile Configuration by Users. The user manually configures the wireless computer with a bootstrap wireless profile and joins the domain, based on instructions acquired from an IT administrator. The bootstrap wireless profile allows the user to establish a wireless connection and then join the domain. After joining the computer to the domain and restarting the computer, the user can log on to the domain by using a wireless connection and their domain account credentials.
 +
 +==== Join the Domain and Log On by using the IT Staff Computer Configuration Method ====
 +
 +Domain member users with domain-joined wireless client computers can use a temporary wireless profile to connect to an 802.1X-authenticated wireless network without first connecting to the wired LAN. This temporary wireless profile is called a bootstrap wireless profile.
 +
 +A bootstrap wireless profile requires the user to manually specify their domain user account credentials, and does not validate the certificate of the Remote Authentication Dial-In User Service (RADIUS) server running Network Policy Server (NPS).
 +
 +After wireless connectivity is established, Group Policy is applied on the wireless client computer, and a new wireless profile is issued automatically. The new policy uses the computer and user account credentials for client authentication.
 +
 +Additionally, as part of the PEAP-MS-CHAP v2 mutual authentication using the new profile instead of the bootstrap profile, the client validates the credentials of the RADIUS server.
 +
 +After you join the computer to the domain, use this procedure to configure a Single Sign On bootstrap wireless profile, before distributing the wireless computer to the domain-member user.
 +
 +==== To configure a Single Sign On bootstrap wireless profile ====
 +
 +Create a bootstrap profile by using the procedure in this guide named Configure a Wireless Connection Profile for PEAP-MS-CHAP v2, and use the following settings:
 +
 +  * PEAP-MS-CHAP v2 authentication
 +
 +  * Validate RADIUS server certificate disabled
 +
 +  * Single Sign On enabled
 +
 +2. In the properties of the Wireless Network Policy within which you created the new bootstrap profile, on the General tab, select the bootstrap profile, and then click Export to export the profile to a network share, USB flash drive, or other easily accessible location. The profile is saved as an *.xml file to the location that you specify.
 +
 +3. Join the new wireless computer to the domain (for example, through an Ethernet connection that does not require IEEE 802.1X authentication) and add the bootstrap wireless profile to the computer by using the netsh wlan add profile command.
 +
 +{{:microsoft:windows_server:wireless_access_deployment_19_-_hvillanueva.jpg?600|}}
 +
 +4. Distribute the new wireless computer to the user with the procedure to “Log on to the domain using computers running Windows 10.”
 +
 +When the user starts the computer, Windows prompts the user to enter their domain user account name and password. Because Single Sign On is enabled, the computer uses the domain user account credentials to first establish a connection with the wireless network and then log on to the domain.
 +
 +==== Log on to the domain using computers running Windows 10 ====
 +
 +1. Log off the computer, or restart the computer.
 +
 +2. Press any key on your keyboard or click on the desktop. The logon screen appears with a local user account name displayed and a password entry field below the name. Do not log on with the local user account.
 +
 +3. In the lower left corner of the screen, click Other User. The Other User log on screen appears with two fields, one for user name and one for password. Below the password field is the text Sign on to: and then the name of the domain where the computer is joined. For example, if your domain is named example.com, the text reads Sign on to: EXAMPLE.
 +
 +4. In User name, type your domain user name.
 +
 +5. In Password, type your domain password, and then click the arrow, or press ENTER.
 +
 +{{:microsoft:windows_server:wireless_access_deployment_20_-_hvillanueva.jpg?600|}}
 +
 +==== Join the Domain and Log On by using Bootstrap Wireless Profile Configuration by Users ====
 +
 +With this method, you complete the steps in the General steps section, then you provide your domain-member users with the instructions about how to manually configure a wireless computer with a bootstrap wireless profile. The bootstrap wireless profile allows the user to establish a wireless connection and then join the domain. After the computer is joined to the domain and restarted, the user can log on to the domain through a wireless connection.
 +
 +=== General steps ===
 +
 +1. Configure a local computer administrator account, in Control Panel, for the user.
 +
 +{{:microsoft:windows_server:wireless_access_deployment_21_-_hvillanueva.jpg?600|}}
 +
 +2. Provide your domain users with the instructions for configuring a bootstrap wireless profile, as documented in the following procedure To configure a bootstrap wireless profile.
 +
 +3. Additionally, provide users with both the local computer credentials (user name and password), and domain credentials (domain user account name and password) in the form DomainName\UserName, as well as the procedures to “Join the computer to the domain,” and to “Log on to the domain,” as documented in the Windows Server 2016 Core Network Guide.
 +
 +==== To configure a bootstrap wireless profile ====
 +
 +1. Use the credentials provided by your network administrator or IT support professional to log on to the computer with the local computer's Administrator account.
 +
 +2. Right-click the network icon on the desktop, and click Open Network and Sharing Center. Network and Sharing Center opens. In Change your networking settings, click Set up a new connection or network. The Set Up a Connection or Network dialog box opens.
 +
 +3. Click Manually connect to a wireless network, and then click Next.
 +
 +4. In Manually connect to a wireless network, in Network name, type the SSID name of the AP.
 +
 +5. In Security type, select the setting provided by your administrator.
 +
 +6. In Encryption type and Security Key, select or type the settings provided by your administrator.
 +
 +7. Select Start this connection automatically, and then click Next.
 +
 +8. In Successfully addedYour Network SSID, click Change connection settings.
 +
 +9. Click Change connection settings. The Your Network SSID Wireless Network property dialog box opens.
 +
 +10. Click the Security tab, and then in Choose a network authentication method, select Protected EAP (PEAP).
 +
 +11. Click Settings. The Protected EAP (PEAP) Properties page opens.
 +
 +12. In the Protected EAP (PEAP) Properties page, ensure that Validate server certificate is not selected, click OK twice, and then click Close.
 +
 +13. Windows then attempts to connect to the wireless network. The settings of the bootstrap wireless profile specify that you must provide your domain credentials. When Windows prompts you for an account name and password, type your domain account credentials as follows: Domain Name\User Name, Domain Password.
 +
 +==== To join a computer to the domain ====
 +
 +1. Log on to the computer with the local Administrator account.
 +
 +2. In the search text box, type PowerShell. In search results, right-click Windows PowerShell, and then click Run as administrator. Windows PowerShell opens with an elevated prompt.
 +
 +3. In Windows PowerShell, type the following command, and then press ENTER. Ensure that you replace the variable DomainName with the name of the domain that you want to join.
 +
 +Add-Computer DomainName
 +
 +4. When prompted, type your domain user name and password, and click OK.
 +
 +5. Restart the computer.
 +
 +6. Follow the instructions in the previous section Log on to the domain using computers running Windows 10.
 +
 + --- //[[www.itclatam.com]] 2020/12/09 16:29//
microsoft/windows_server/wireless_access_deployment.1607545728.txt.gz · Last modified: 2020/12/09 15:28 by hvillanueva