I’ve already discussed using a FreeRADIUS server for wireless authentication, so now I’m going to address using Microsoft NPS, Microsoft’s implementation of RADIUS. The main reason to do this would be Active Directory integration, but other organizations may have other reasons. NPS is bundled with all versions of Windows Server starting with Server 2008. Prior to 2008, Windows Server used IAS, which may or may not conform to these directions.
The company I work for sells IT support for commercial customers in addition to the Internet services we sell. One of our customers wanted wireless services for its branch offices with three distinct requirements:
- Corporate-owned laptops should be able to access corporate data
- Employees should be able to connect their own devices to the Internet, but not to access corporate data
- Guests should be able to connect to the Internet, but with limited speeds, limited available ports, and must be forced to agree to an acceptable use policy
I’m going to address solutions to the first two requirements here, and the third will be the subject of a future post.
To meet the first requirement, we decided to use an SSID that connected to the existing data VLAN for the office. This would allow traffic through the ASA to corporate data. The first security measure we considered was MAC address filtering. The problem with MAC address filtering is that MAC addresses are easily spoofed. Also, it would take too long to roll out, as we would have to develop a mechanism for self-registration to avoid having to maintain a list of MAC addresses.
Instead, we decided to add the laptops’ computer accounts in Active Directory to a group and authenticate against that group using WPA2 Enterprise and NPS. This would avoid the need for MAC address filtering, prevent access from corporate-owned laptops that have been reinstalled by someone other than IT, and would mean that a list of allowed devices would be more or less automatically maintained.
The second requirement had a similar solution: WPA2 Enterprise authenticating against the Domain Users group in NPS. This SSID would connect to a guest VLAN allowing access to the Internet and no other resources.
This is how we configured our Ruckus ZoneDirector to meet these requirements.
Note: We were not able to get this to work while also using NPS to authenticate for admin logins on the web interface. To get around this, we used a second NPS server for wireless authentication.
Configure NPS to Allow Wireless Access
Since the ZoneDirector does all of the communication with the NPS server, it is the only device that needs to be added as a RADIUS client in NPS. To do this, RDP into the NPS server.
- Start -> All Programs -> Administrative Tools -> Network Policy Server
- Expand RADIUS Clients and Servers
- Right-click RADIUS clients
- New RADIUS Client
- Enable this RADIUS client = checked
- Friendly name = ZoneDirector
- Address = <ZD IP>
- Vendor name = RADIUS Standard
- Click the radio button next to Manual
- Shared secret = <secret>
- OK
While still in NPS, create the Connection Request Policies. First, a policy for the ZoneDirector itself:
- Expand Policies
- Right-click Connection Request Policies
- New
- Overview
- Policy name = CR-ZoneDirector
- Policy enabled = checked
- Type of network access server = Unspecified
- Conditions
- Add
- NAS Port Type
- Wireless – IEEE 802.11
- Add
- Client Friendly Name = Zone*
- OK
Next, a policy for the Corporate SSID.
- Expand Policies
- Right-click Connection Request Policies
- New
- Overview
- Policy name = CR-Corp
- Policy enabled = checked
- Type of network access server = Unspecified
- Conditions
- Add
- NAS Port Type
- Wireless – IEEE 802.11
- OK
Finally, a policy for the BYOD SSID.
- Expand Policies
- Right-click Connection Request Policies
- New
- Policy name = CR-BYOD
- Policy enabled = checked
- Type of network access server = Unspecified
- Conditions
- Add
- NAS Port Type
- Wireless – IEEE 802.11
- OK
Now, the Network Policies need to be created. This is the most involved and probably the most confusing part, as it requires vendor-specific options. Still in NPS, create the Corporate SSID Network Policy:
- Expand Policies
- Right-click Network Policies
- New
- Overview
- Policy name = NP-Corp
- Policy enabled = checked
- Access Permission = Grant access, Ignore user account dial-in properties.
- Type of network access server = Unspecified
- Conditions
- Add
- Machine Groups
- Add Groups
- Domain Computers
- Add
- NAS Port Type
- Wireless – IEEE 802.11 OR Wireless – Other
- OK
- Settings
- Standard
- Add
- Framed-Protocol
- Commonly used for Dial-up or VPN = PPP
- OK
- Add
- Service-Type
- Commonly used for Dial-Up or VPN = Framed
- OK
- Vendor Specific
- Add
- Enter Vendor Code = 25053
- Yes. It conforms.
- Configure Attribute
- Vendor-assigned attribute number = 1
- Attribute format = String
- Attribute value = Corp
- OK
- OK
- OK
Next, create the Network Policy for the BYOD SSID:
- Expand Policies
- Right-click Network Policies
- New
- Overview
- Policy name = NP-BYOD
- Policy enabled = checked
- Access Permission = Grant access, Ignore user account dial-in properties.
- Type of network access server = Unspecified
- Conditions
- Add
- User Groups
- Add Groups
- Domain Users
- Add
- NAS Port Type
- Wireless – IEEE 802.11 OR Wireless – Other
- OK
- Settings
- Standard
- Add
- Framed-Protocol
- Commonly used for Dial-up or VPN = PPP
- OK
- Add
- Service-Type
- Commonly used for Dial-Up or VPN = Framed
- OK
- Vendor Specific
- Add
- Enter Vendor Code = 25053
- Yes. It conforms.
- Configure Attribute
- Vendor-assigned attribute number = 1
- Attribute format = String
- Attribute value = BYOD
- OK
- OK
- OK
NOTE: I use Domain Computers and Domain Users as the Active Directory groups to authenticate against as examples, but in the real world, I was more granular in which users and devices I allowed through.
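The Vendor Specific attribute above is the whole point of the Network Policies: NPS puts a RADIUS attribute of type 26 (Vendor-Specific) in the Access-Accept, carrying the 4-byte vendor ID 25053 (Ruckus), vendor-assigned attribute number 1 (which public RADIUS dictionaries name Ruckus-User-Groups) and the string Corp or BYOD, and the ZoneDirector later matches that string against a role's Group Attributes. The following is an added example, not code from the post or from Ruckus or Microsoft, that builds such an Access-Accept the way RFC 2865 lays it out, verifies the Response Authenticator with the shared secret (which is what stops a forged reply from handing out a role), and extracts the group tag. The shared secret, Request Authenticator and packet identifier are constructed sample values, and the role mapping simply mirrors the two roles configured later in the post.

```python
import hashlib
import hmac
import struct

# Values from the post: Ruckus's IANA enterprise number and the
# vendor-assigned attribute number used for the group tag.
RUCKUS_VENDOR_ID = 25053
RUCKUS_USER_GROUPS = 1

ACCESS_ACCEPT = 2            # RADIUS Code for Access-Accept (RFC 2865)
ATTR_VENDOR_SPECIFIC = 26    # RADIUS attribute type for VSAs

def build_vsa(vendor_id, vendor_type, value):
    """Encode one RFC 2865 Vendor-Specific attribute: T=26, L, Vendor-Id,
    then the vendor's own (type, length, value) triple."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def build_access_accept(identifier, request_auth, secret, attrs):
    """Build an Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator as the NAS (here the ZoneDirector)
    must before trusting any attribute in the reply."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet):
    """Yield (type, value) for each attribute after the 20-byte header,
    refusing truncated or overlong attributes."""
    pos, end = 20, len(packet)
    while pos < end:
        if end - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > end:
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len

def ruckus_groups(packet):
    """Return the string value of every Ruckus VSA with vendor type 1."""
    groups = []
    for attr_type, value in parse_attributes(packet):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != RUCKUS_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                break
            if vtype == RUCKUS_USER_GROUPS:
                groups.append(sub[2:vlen].decode("ascii", "replace"))
            sub = sub[vlen:]
    return groups

# Mirrors the ZoneDirector roles configured in the post (Group Attributes = Corp / BYOD).
ROLE_BY_GROUP = {"Corp": "Corp", "BYOD": "BYOD"}

def role_for(packet, request_auth, secret):
    """None for an unverifiable reply; otherwise the first recognised group
    tag's role, or Default when no configured role matches (as the post's
    first AAA test shows)."""
    if not verify_response(packet, request_auth, secret):
        return None
    for group in ruckus_groups(packet):
        if group in ROLE_BY_GROUP:
            return ROLE_BY_GROUP[group]
    return "Default"

def demo(tag=b"BYOD", secret=b"example-shared-secret"):
    """Constructed sample exchange: NPS answers with Framed-Protocol=PPP,
    Service-Type=Framed and the Ruckus group tag, exactly the three
    attributes the Network Policies above hand back."""
    request_auth = bytes(range(16))          # constructed Request Authenticator
    attrs = (struct.pack("!BBI", 7, 6, 1)    # Framed-Protocol (7) = PPP (1)
             + struct.pack("!BBI", 6, 6, 2)  # Service-Type (6) = Framed (2)
             + build_vsa(RUCKUS_VENDOR_ID, RUCKUS_USER_GROUPS, tag))
    packet = build_access_accept(0x2A, request_auth, secret, attrs)
    return role_for(packet, request_auth, secret)

if __name__ == "__main__":
    print(demo(b"Corp"), demo(b"BYOD"), demo(b"Sales"))
```

Running it prints the role each tag resolves to; a tag that matches no role lands in Default, which is the same outcome the AAA test form shows before the roles exist. A reply built with one shared secret and checked with another returns None, which is why the secret on the NPS RADIUS client and on the ZoneDirector AAA server must match exactly.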
Configure ZoneDirector
Now that NPS is all set up, it’s time to get the ZoneDirector ready to use the new policies. First, the NPS server needs to be added as a RADIUS server:
- Configure -> AAA Servers
- Create New
- Name = NPS.radius
- Type = RADIUS
- Auth Method = PAP
- IP Address = <NPS IP address>
- Port = 1812
- Shared Secret = <secret>
- OK
- Create New
- Name = NPS.radiusacct
- Type = RADIUS Accounting
- IP Address = <NPS IP address>
- Port = 1813
- Shared Secret = <secret>
- OK
Test the server using the form at the bottom of the page. A success message should show up and assign the user the role of Default. This is normal. We still need to configure roles to use the Corp or BYOD tags that the Network Policy hands back with the Access-Accept:
- Configure -> Roles
- Create New
- Name = Corp
- Description = AD Machine authentication for Corp
- Group Attributes = Corp
- Allow All WLANs = Specify WLAN access
- WLANs = <name of corporate WLAN>
- OK
- Configure -> Roles
- Create New
- Name = BYOD
- Description = AD User authentication for BYOD access
- Group Attributes = BYOD
- Allow All WLANs = Specify WLAN access
- WLANs = <name of BYOD WLAN>
- OK
Once again, try a user on the test form on the AAA server. Assuming the user is a member of Domain Users (or whatever group was used for the BYOD Network Policy), it should now be assigned a role of BYOD. Now on to configuring the WLANs:
- Configure -> WLANs
- Create New
- Name = Corporate Devices (Call this whatever you want)
- Type = Standard Usage
- Authentication Method = 802.1x/EAP
- Encryption Method = WPA2
- Encryption Algorithm = AES
- Authentication Server = NPS.radius
- Advanced Options
- Accounting Server = NPS.radiusacct
- Create New
- Name = Employee Devices (Again, call this whatever you want)
- Type = Standard Usage
- Authentication Method = 802.1x/EAP
- Encryption Method = WPA2
- Encryption Algorithm = AES
- Authentication Server = NPS.radius
- Advanced Options
- Accounting Server = NPS.radiusacct
- Attach VLAN tag = <BYOD VLAN ID> (make sure the box next to attach is checked)
NOTE: All other WLAN settings can be set according to your desires and/or business needs.
That’s it. Just make sure routing is set up for the BYOD VLAN, and you should be in business.