June 15th, 2009 | Information Security | Technology
[ Check out my latest post on the HP Security Blog: “The Secure Web Series, Part 2: How to Avoid User Account Harvesting” ]
So I finally got my Wireless Access Point (an Apple AirPort) authenticating off of Active Directory-integrated LDAP in Server 2008 (which is called NPS now). So now I authenticate wireless users individually, through Active Directory, rather than using a shared secret. WPA2 Enterprise…it overfloweth with w00tn3ss.
So here are the basic steps, and I can provide more detail if you have questions in the comments.
1. Install AD and Create Users
First install Active Directory. Easy stuff.
Next, since the whole point of this is to have unique user authentication, you need to have…users. So create them as usual but be sure to add them to a new group like “RADIUS” or something, and ensure that they have dial-in access within their user account. I used “RADIUS Users” because I’m creative and eccentric.
2. Enable Network Policy and Access Services in Server 2008
This is what replaces IAS in Server 2008. The install is pretty straight forward; it’s the policy that’s the trick.
I’m using PEAP right now, although I haven’t yet researched the ideal setup. Soon, though, and if you have any input (or good reading) on this let me know.
You also want to set the authentication rule to Windows Authentication within the policy, and then select your group out of Active Directory that you placed your users in.
Be sure to setup a RADIUS client within the NPS configuration, and enter the info for your access point rather than for your individual clients.
3. Configure Your Wireless Access Point
Tell your wireless access point to use WPA2 Enterprise, and configure the RADIUS info to point to your domain controller that you just set up NPS on. Enter the shared secret you configured during the NPS piece.
4. Configure Your Clients
Connect to your AP as you normally would, and when prompted you will enter your Active Directory username and password. I’ve chosen PEAP as my authentication protocol pending more research on which is ideal:
And that’s about it. Connect to your AP and enter your credentials.
Now when your friends come over you simply make them an account in Active Directory and they have wireless access using their own username and password. And when they leave you disable their account until next time. This way you get all the added benefits of password expiration and stuff like that.
Oh, and if any part of this fails, check the NPS logs on your DC. Logs are much improved in 2008 vs. previous versions of Windows, and it’s pretty easy to troubleshoot. I saw a lot of errors with authentication types not being supported before I figured out which to use.
Bonus: If you’re one of the cool kids you’ll have your AD and AP logs going into Splunk so you can see (and alert on) attempts to access your wireless network from accounts and MAC addresses you don’t recognize. More on that later.
Anyway, enjoy, and hit me up with any questions. ::
Thank you for visiting.blog comments powered by Disqus