Configure Windows Server 2019 for Ubiquiti UniFi RADIUS Authentication
- Published 10 May 2020
- This video covers the installation of the NPS (Network Policy Server), CA (Active Directory Certificate Services) and Remote Access Server roles on a Microsoft Windows Server 2019 machine. We then configure those roles to support RADIUS (802.1X) authentication for wireless clients within Ubiquiti's UniFi platform.
####################################################################
FOLLOW ME:
---------------------------------------------------
► Instagram: / ach_sysadmin
► Twitter: / ahubbard117
► Website: achubbard.com
► Subscribe: ua-cam.com/users/AlexanderHu...
VIDEO EQUIPMENT (Affiliate Links):
---------------------------------------------------
► Logitech Brio - amzn.to/32JN0Dx
► Fuji X-T4: amzn.to/3dzJrap
► Lumecube: amzn.to/3oBf7CG
► Rode Go II Mic: amzn.to/3dxzABU
► Elgato Stream Deck: amzn.to/31IEaus
► Elgato Key Light: amzn.to/3lPoL2x
BUSINESS INQUIRIES:
---------------------------------------------------
contact@achubbard.com - Science & Technology
Nice tutorial but you should check your ports. 1812 is used for auth, 1813 is accounting. 1645 and 1646 are old ports (pre RFC standardization) which should not be used/needed.
This is how all tech videos should be done! 5/5. Keep up the good work. Thank you, Alex!
I haven't had time to test this but I've built out a few RADIUS controlled wifi networks, but my first with Unifi this week. I'm used to only adding the controller of a wifi system to the RADIUS clients but I think that's what I was missing when my config wasn't working. This a great tutorial from start to finish. Thanks for taking the time to demonstrate and share this.
Super tutorial!
If I can add a little note here.
During the creation of your GPO you added the AD group to the GPO, which is good. Authenticated users was still in there and it actually overrules your AD group because the GPO will automatically be applied to any authenticated user/computer in that OU. In order to prevent this and only apply the GPO to any computer within the AD group , you have to go to the "Delegate" tab in your GPO => Click "Advanced" (bottom right) => Click "Authenticated users" => Deselect "Apply Group Policy"
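The same security-filtering change the comment above describes by hand in the GPMC Delegation tab, done with the GroupPolicy module. This is an added example, not code from the video or its author; the GPO name WiFi-8021X-Computers and the group LAB-WiFi-Computers are hypothetical placeholders, the cmdlets are the standard ones shipped with the RSAT GroupPolicy module.

```powershell
# Added example, not from the video. Scopes the wireless GPO to one AD computer group,
# which is the same change the comment above makes in the GPMC Delegation tab.
# GPO and group names are hypothetical.
Import-Module GroupPolicy

$gpo   = 'WiFi-8021X-Computers'
$group = 'LAB-WiFi-Computers'

# Authenticated Users: keep Read, remove Apply. Do not use PermissionLevel None here:
# since MS16-072 the computer account must still be able to read the GPO, otherwise
# the members of the target group silently stop receiving it as well.
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# The target group gets Read + Apply, so only its member computers receive the profile.
Set-GPPermission -Name $gpo -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Verify: GpoApply should now be listed for the computer group only.
Get-GPPermission -Name $gpo -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# On a member computer, after a reboot (group membership lives in the computer's token):
#   gpupdate /force
#   gpresult /r /scope:computer   # the GPO should be listed under "Applied Group Policy Objects"
```

The reboot matters: a computer added to the group keeps its old Kerberos ticket, so `gpupdate` alone still shows the GPO as filtered out until the machine's token is refreshed.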
Awesome, after reconfiguring the GPO by your good point everything works well. Thanks
Fantastic video - was having trouble getting this configured for a while. Super clear and easy to follow, thanks so much for saving me from any more headaches! :D
Having less knowledge on networking, your tutorial gives me more understanding of where I need to click and look for my System Administration tasks. Thanks mate
Alex, thank you for this video! My first watch through I overconfidently skipped the part at 5:04 and spent the next hour troubleshooting the RADIUS config. Thanks for highlighting all steps.
Glad it was helpful!
I knew this was possible just couldn't figure it out! Thank you so much for taking the time and making this video super easy to follow along. I hope you keep it up. Best wishes!
You're so welcome!
Worked perfectly! Saved me hours of work! Thank you for doing this Alex
Well done mate! Straight forward & to the point. Keep up the good work!
Thank you, this went over a lot of prerequisites that a lot of other guides fail to mention.
Thanks for this. I'm going to be setting the same up at home and since I haven't installed in radius for 15 odd years it's a good refresh.
Glad I could help
First video showing that USG is not mandatory when configuring UniFi APs with RADIUS server. Very helpful.
No, you don't need the USG. I don't run a USG in my lab, currently I am running an ASA on my home network and pfSense in my lab. You just need the Unifi controller.
@thecybersecuritymindset Do I set up with the IP addresses of each UAP I have in the building or just the address of the controller?
@moondawson2165 All APs.
Hi Alexander, this video helped me a lot configuring RADIUS with Unifi network for our enterprise. Thank you for the instruction. Grts Lars
Glad to hear it!
This was wonderful and easy to follow. Thank you!
Very well done! Thanks for the good work.
Wow. Very impressive. Very good tutorial with all the steps that are really understandable.
Awesome Video. Thanks for this. This was exactly what I was looking for.
At 7:51 you mentioned jotting down a KEY. Where do you put this key for the cert? Or did you mean something related to the same key used on the Ubiquiti side?
Very useful video, extremely useful to prevent personal devices connecting to the WiFi eating bandwidth.
Thanks! That is why I built this out at day job. We had too many people connecting their personal devices to the corporate network and no way to control it. Now they cannot do that. It works fairly well too.
Great video Alex...worked perfect! As you suggested, I would like to have Radius installed in a utility Win 19/22 server. Do I need to have the CA installed in the same server? I already have CA role installed in the Primary domain controller server.
This video was very good, but there are a few things that I had to change. No, you don't need the Remote Access Server role installed. It won't keep it from working, but it's not related either. In the video, PEAP is chosen for authentication on the NPS role. If you choose this, users will be prompted for username / password. Instead, you want Smart Card or other certificate. I'm not sure how it worked in the demo unless Smart Card or other certificate was also in the list at a higher priority?? As others have shared, the ports are wrong for UniFi controller to connect to the NPS Server. Authentication is on port 1812 & 1645. Accounting is 1813 & 1646. Otherwise, great explainer and got me up and running on RADIUS. Thanks!
I have taken your advice here but am still having problems with the "Enter username & password" dialogue box popping up even though I have selected "Smart card / certificate" in the NPS role (and nothing else). I just have no clue how to move this on. This computer-based authentication is something I desperately need. I do not want to user-authenticate, as that will defeat the object of what I'm trying to achieve (get mobile phones off the corporate network without having to MAC filter everything). What Alexander described is exactly what I need; I'm just struggling to get it to work. All machines are Win10, Server 2019.
@imfuctifino Did you verify the Windows 10 computers trying to authenticate have a cert issued by the domain certificate provider? There should be a machine cert under Personal --> Certificates.
@sethkilley Thank you so much, this has partially solved the problem for me. I really appreciate you pointing me in the right direction. The certificates are not being issued automatically; I am having to request a new certificate on each client PC, and I'm fairly confident doing that isn't something I should have to do, but at least once it's issued it works great.
I had to revert to PEAP for this to work. It did not work with Smart Card or other certificate even with certificates issued automatically. It gave error: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
Thanks for this, I changed to smart card or other certificate and works now!!!!
Love this, thank you so much, helped out a lot.
it's really nice video and allow me to ask one question, why you don't use smart card or certificates when you create NPS policy? I though that it's going to authenticate computer account with Certificate? I noticed that you just choose PEAP instead? why do we need remote access windows feature to install together with NPS and CA?
You sir .... are a legend. Take that W bro.
Thanks!
I don't usually comment, but man, you're too good.
Hello Alexander, thank you for the video. It worked for me! I have one question please: can I use a user group instead of using a group of PCs?
Great video, thanks for sharing!! Trying to set this up but on user accounts; how do I set up the auto-enrollment bits for the user accounts?
Great video. I wanted to set the Wi-Fi authentication to prompt for a username and password of users on the domain.
Hi there, is there any way to add printers under LDAP in Windows Server 2016? Your reply is very much appreciated.
Worked like a charm, thank you. But why did you install the Remote Access role? You never touched on it or configured it.
great video thank you so much!!!!
Hi, nice tutorial. In this case you're authenticating computers, but is it the same to authenticate users over L2TP when logging in from outside the premises?
Excellent, very useful
I think there's an error when creating the RADIUS server entries in Unifi. The second auth server at 1813 should not work since that's the accounting port. The first accounting server at 1812 should not work since that's the auth port. So auth should be fine but accounting may retry until it hits the second entry, depending how Unifi does failover.
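The port point made here and earlier in the thread, together with the reply further up that every AP (not the controller) must be added as a RADIUS client, translated into an added PowerShell example that is not from the video: it registers each access point with the NPS module and then lists the UDP ports NPS is actually bound to, so the UniFi profile can be filled in as authentication on 1812 and accounting on 1813. The AP names and addresses (UAP-Office-1 at 10.0.10.21 and so on) are hypothetical.

```powershell
# Added example, not from the video. Registers each UniFi AP as an NPS RADIUS client
# (the APs, not the controller, are what send Access-Requests) and shows which UDP
# ports NPS is bound to, so the UniFi profile can be filled in correctly:
# authentication -> 1812, accounting -> 1813.
# Names and addresses are hypothetical; replace them with your own.
Import-Module NPS

$aps = [ordered]@{
    'UAP-Office-1'  = '10.0.10.21'
    'UAP-Office-2'  = '10.0.10.22'
    'UAP-Warehouse' = '10.0.10.23'
}

# One shared secret for every AP, because a UniFi RADIUS profile holds a single secret.
# Get-Credential keeps it out of the console history; the user name is ignored.
$secret = (Get-Credential -UserName 'radius' `
    -Message 'Enter the RADIUS shared secret as the password').GetNetworkCredential().Password

$existing = Get-NpsRadiusClient | Select-Object -ExpandProperty Name
foreach ($name in $aps.Keys) {
    if ($existing -contains $name) {
        Write-Host "$name already registered, skipping"
        continue
    }
    # AuthAttributeRequired = $true makes NPS drop Access-Requests that lack a
    # Message-Authenticator. 802.1X/EAP requests always carry one (RFC 3579), so this
    # costs nothing for WPA2-Enterprise and blocks trivially forged requests from the AP subnet.
    New-NpsRadiusClient -Name $name -Address $aps[$name] -SharedSecret $secret `
        -AuthAttributeRequired $true -VendorName 'RADIUS Standard' | Out-Null
    Write-Host "registered $name ($($aps[$name]))"
}

# NPS binds the RFC 2865/2866 ports and the pre-standard legacy ports by default.
# Only 1812 and 1813 belong in the UniFi RADIUS profile; 1645/1646 can stay unused.
Get-NetUDPEndpoint -LocalPort 1812, 1813, 1645, 1646 |
    Sort-Object LocalPort |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

If an AP is missing from the client list, NPS silently discards its requests (no Access-Reject, nothing in the UniFi client log), which looks exactly like a firewall problem; the port listing at the end separates the two cases.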
Thanks for the video! It has helped me enormously. Could you show how it works with the certificate on the switches from Unifi? So the wired version instead of the wireless?
I would like to allow or disallow clients the same way on the LAN on the switch. Unfortunately, my computer always tells me that it can't authenticate. I just can't get anywhere.
hi,
perfect video.
So only the certificate on the system, and then the clients can connect to the WiFi without any password?
Can you show what certificates are installed on the RADIUS server and on the client (manually with a CSR request), and what certificates Group Policy pushes?
Hi, I just followed your guide. It's great, thank you. However, the SSID is not showing up on my android. Haven't tried iphone yet. Only my 802.1X networks are not showing up. Do you by chance have a guide or any info on how to get that setup?
Great video! However, I did run into a roadblock. We aren't on-prem and are using Azure, therefore, I am unable to set group policies. Do you have a guide on doing this in Azure?
My azure certificate wizard does not have Enterprise CA as an option, only Standard CA (Enterprise CA is grayed out and I cannot select it). Do I have to join the new server VM to Azure AD first? I run my unifi controller on an Azure VM ubuntu server. I placed the new windows server in the same resource group on Azure.
Top!
You helped me a lot! Thanks!
Very welcome!
very good explanation, thank you
Hello There. Thank you for the video. Really helpful. Just curious to know what hardware are you using for your lab to host VM's?
I have a pair of Dell PowerEdge R420s. 64GB Ram each and dual Xeon E5-2430Ls. Both 420s have 4x 2tb hard drives in a RAID5 array. I have a Dell MD1200 that I am hoping to bring online soon as well.
Beautiful 😍
Great video, just what I needed. Still I have a question, why do you need Remote Access role in this case? You left that one unconfigured. Thanks!
I was wondering this too as don't see why it's needed.
Thanks for the video. what about devices that are Azure AD joined only?
Great video, Is there a way you can use this for mobile phones? e.g adding a mac to a radius server?
Well done. Thank you
Thanks!
Hi Thanks for great tutorial.
Why are you creating the GPO (12:21)?
Do I have to do that?
BR
So I was able to get RADIUS auth working for VPN, but I have never gotten this to work; your video showed me what I was missing. However, I have a question: can I run this on the same policy server as the VPN auth, or should I use a different server for this service?
Hello, please, I would like to know: when configuring the RADIUS client on the AD DS server, in the video you add the IP address of the UniFi access point.
I want to know if, instead of adding the APs, you can add the IP of the UniFi controller that contains those APs.
If this is possible, how do we proceed? What are the prerequisites?
Excellent!! But I can't use this approach in my company, because we have 40% Macintosh for UI/UX.
I got lost at 11:46 since I don't have active directory. Do you have a link that I can follow for workgroup servers? Also, would this method work to authenticate Android phones with EAP2-Enterprise too?
Awesome video! Could you do one for those of us who are using a windows server vm with aadds? I have a S2S vpn connection from a vnet in azure to my udm pro. Do I still need the remote access role for this?
Hello, I have configured the RADIUS server and it works. On the session I have the button to connect, but I also have the possibility of entering another login/password. How do I prevent this? Thanks.
Is it possible to authenticate domain users without adding the computer as member of the group, but instead, users within the domain controller?
Curious why you need RAS installed? working on setting up Unifi to use our existing PKI environment. it has been working previously with a Cisco WLC. we didn't need the RAS role for that in the past. Thanks!
I curious as well. Also he didn't cover the RAS setup in this video
Hi, thanks for sharing it. If I want to put my RADIUS server in a perimeter network, what ports do I need to forward? I want to put a RADIUS server in Azure or AWS, and I did forward 1812 UDP, but it doesn't authenticate my WiFi. Could you help me please? Thanks again.
Great video thanks
Thanks!
This video is very good. I have a question, will work if I don’t install AD CS service?
Useful, I did it. Thank you, like you :)
Cool! Now with dynamic vlans please...
Thanks for the great video. Works like a champ. In the video you didn't configure the Remote Access role. Why do we need to install it anyways? Does the Radius need any services of this role?
good question, any answer to this?
Have you ever tried this using UAPs at a different site and subnet than the RADIUS server (but connected via site-to-site VPN)? I'm finding that it doesn't work at the remote sites, and I'm reading that the UAPs always send the packets over WAN and not the VPN... I've seen where people had this issue and only could get it to work by exposing the RADIUS ports publicly and using the public IP in the UniFi controller. Not crazy about that idea... hoping Ubiquiti fixes this in an update one day...
Firewall rules are already added automatically for NPS. But I had to add them manually again for some reason.
Can you set this up to use Azure AD auth via the NPS server for a VPN in Ubiquiti?
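The firewall observation two comments up (rules present, RADIUS still blocked) matches a documented Windows Server 2019 behaviour: the built-in "Network Policy Server" rules do not match the NPS service until its service SID type is changed. Below is an added PowerShell example, not from the video, that applies Microsoft's workaround, re-enables the built-in rules and narrows the UDP rules to the AP subnet; the subnet 10.0.10.0/24 is a hypothetical value.

```powershell
# Added example, not from the video. Makes the built-in NPS firewall rules work on
# Server 2019 and restricts the RADIUS rules to the AP subnet (10.0.10.0/24 is hypothetical).

# Server 2019 known issue: the "Network Policy Server" rules are enabled but never match
# the NPS (IAS) service until its service SID is made unrestricted, so RADIUS stays
# blocked. Microsoft's documented workaround is the sidtype change plus a service restart.
sc.exe sidtype IAS unrestricted
Restart-Service -Name IAS

# Re-enable the built-in rules (UDP 1812/1813, legacy 1645/1646, plus DCOM/RPC for remote MMC).
Enable-NetFirewallRule -DisplayGroup 'Network Policy Server'

# Scope only the UDP (RADIUS) rules to the APs; leave the DCOM/RPC management rules alone.
$radiusRules = Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'UDP' }
$radiusRules | Set-NetFirewallRule -RemoteAddress '10.0.10.0/24'

# Show what is now allowed: rule, state, protocol, local port and remote scope.
$radiusRules | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Enabled  = $_.Enabled
        Protocol = $port.Protocol
        Port     = $port.LocalPort
        Remote   = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```

Scoping the rules is the cheap hardening step here: RADIUS shared secrets protect the packets with MD5 only, so the fewer hosts that can reach UDP 1812 at all, the better. Verify the result from a host inside the AP subnet rather than from the server itself, since loopback traffic never hits these rules.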
@Alexander
I have been fiddling around with this.
We do have a UNIFI controller running and already an old RADIUS profile but I wanted to shift it to our application server (rather than the DC as you mentioned).
Everything works fine up until the moment I want to register the NPS with the active directory. That option is greyed out.
The server is member of the domain (duh) and member of the RAS and IAS Servers group in AD.
I am logged in as Domain Admin.
Am I missing something here?
Greetz!
I think what registering only does is adding the NPS server to that group.
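The reply above is right about what registration does, so it can be done and checked from the command line when the console option is unavailable. The following is an added PowerShell example, not from the video; the host name NPS01 and domain corp.example are hypothetical, and the commands assume you are logged on as a Domain Admin on the NPS host with the ActiveDirectory RSAT module installed.

```powershell
# Added example, not from the video. Registers the NPS server in Active Directory
# without the console and checks the result. Host NPS01 and domain corp.example are
# hypothetical. "Registering" only adds the NPS computer account to the domain group
# "RAS and IAS Servers", which is what lets NPS read users' dial-in properties.
netsh nps add registeredserver domain=corp.example server=NPS01

Import-Module ActiveDirectory
$nps = Get-ADComputer -Identity 'NPS01'
$isMember = Get-ADGroupMember -Identity 'RAS and IAS Servers' |
    Where-Object { $_.SID -eq $nps.SID }

if ($isMember) {
    Write-Host 'NPS01 is registered (member of RAS and IAS Servers)'
} else {
    # Fallback: add the computer account directly; that is all the menu item does.
    Add-ADGroupMember -Identity 'RAS and IAS Servers' -Members $nps
    Write-Host 'Added NPS01 to RAS and IAS Servers'
}

# The new membership only appears in the computer's next Kerberos ticket:
# purge the machine account's tickets (or reboot) before testing authentication again.
klist -li 0x3e7 purge
Restart-Service -Name IAS
```

If the membership is already there, as in the comment above, the greyed-out menu is expected and nothing further is needed on the AD side; the remaining cause of failed authentications is then the RADIUS client list or the firewall, not registration.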
Good stuff
Hi just one Question, what if the domain has a CA Authority Root already...?
Kind Regards!
What about non domain-bound devices, like connecting an iPhone to the WiFi?
Can you make a video on how to set up 802.1X with Unify switches?
i have issue with radius server, client not reconnecting after restart
Thank you so much
You're most welcome
Hey, I can manage to fix 902 but not with VPN at the same time. I don't understand what I'm doing wrong.
Appreciate your efforts. The Linux PC is the UniFi wireless AP, kindly update; there is no requirement for any physical AP.
The certificate you created and used through GPO for Windows clients... can it be for smartphones without any hurdles?
Smartphones automatically pull the certificate and ask you to accept it, on the Android side, you need to select the certificate type as verification.
How does client get to connect if they don't have the certificate?
How does this work with non-windows clients, like Chromebooks that may not have a computer account in AD?
It'll probably ask for a username and password, but with this exact config it won't work because there are no users that are part of the lab auth group
Thank you for the video! How would I authenticate domain user instead of domain computer? Would I need a different type to certificate?
Yeah I'm wondering this. Or a mobile device.
Did you try this solution please?
nice
what about setting multisite authentication for sites having their own authentication server but fail over
I can't seem to find the part where you configure the 'Direct Access and VPN (RAS)' after adding the 3 services. What options should be selected? Thx!
Follow up. I tried selecting configuration options I thought seemed correct and the UniFi server became non-responsive. :) I removed my configuration and all is good again. My server keeps displaying a warning that I need to go through the 'Post-Deployment Configuration'. Would be nice to configure it in such a way that it works and satisfies Server 2019. Thanks again, great video!
How do I configure it for user account instead of computer account
Nice tutorial. What if I use the same server for RADIUS and for the UniFi controller? Is it possible?
Thanks for the video Alex. Is it possible to perform the authentication by username instead of by computername?
Hi, yes it is possible. Instead of adding computers to the auth group I added users and then just configured the policy in the GPO; I only configured User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment, as shown in the video. After all that, to connect to the WiFi use the Active Directory credentials of each user added to the auth group.
@ataron123 Are you using it?
I followed step by step but it doesn't work. The problem is: I have a firewall. What do we do in Control Panel, whether I need a firewall configuration? The normal UniFi network is working, but via the RADIUS server it is not.
Will this work on phones to connect to WiFi?
Sir Alexander, the video is excellent. However, can we use this GPO on users?
How do I install the certificate on a tablet? Or a Mac?
So I need to apply the RADIUS profile for each AP or switch? Am I correct? By switch I mean wired auth. What if I would like to use dynamic VLANs for specific AD groups, let's say I've got marketing and HR, where there is a totally different subnet assigned to each department? Can it be solved somehow?
Hi, I tried it as a VLAN but the result was unsuccessful; I couldn't find a source. I did not have a problem with the default network, I successfully installed it, but when I want a VLAN, RADIUS does not verify. I was able to do it with WPA password authentication as a VLAN. Did you solve it?
@Barış SAKIZLI Yep, I did solve it. So I've got dynamic VLANs with cert authentication :)
Can I just use a self-generated cert from PowerShell or do I need a CA?
What's the difference?
would this process be the same when configuring Windows RADIUS authentication on USG?
Yes, I believe so.
Hi, can you do an updated version with Azure AD?
Thanks.
Very welcome!
Very good video. I followed it but I get this error: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
Thank you for your Tutorial! We created AD Groups and issued certificates for users. All working just fine, MAC OS receiving their certificates via intune, the only problem we do have is first user login for Windows domain systems. We have to pass authentication process for them first on trusted network, so they can receive their user certificates. Do you know any workaround how to bypass this step, so users will be able to grab their certificate during their first login?
Machine/Computer certificates should be used for this, that way your devices are always able to login to your network
I love you, my friend.
ACKH_Kids! ... I lolled :)
Lol
I did everything step by step but the WiFi clients are unable to connect to the WiFi.