Part 1: Radius Server for WiFi Authentication with Windows Server 2016
Вставка
- Опубліковано 2 лип 2024
- Radius Server Authentication with Windows Server 2016
Requirements:
-Home wireless modem/router with WPA/WPA2 Enterprise Security
-Windows Server 2016 Datacentre Desktop Experience installed
-Windows Computer with Wi-Fi
Level: Intermediate
We will be doing the following in the above video:
• Configuring Domain Controller
• Configuration of DHCP
• Testing Domain Controller
• Run-through of my Wireless Modem settings
• Installation and configuration of Active Directory and Certificate Services
• Installation and configuration of Network Policy Server
(RADIUS)
• Testing the RADIUS authentication
Video Contents:
00:00 Intro
01:00 Requirements/Network Diagram
02:30 Add Roles ADDS,DHCP and DNS
04:50 Promote DC
06:17 Configure DHCP
08:43 Configure AD Objects
10:58 Domain Join Win10
12:50 Configure Wireless Modem Settings
16:47 Add and Configure AD CS
19:43 Add NPAS Role
20:32 Configure NPS
22:58 Test Wi-Fi on Windows
25:10 Test Wi-Fi on IOS
26:30 Outro
More information about radius server technet.microsoft.com/en-us/l...
![Securing RADIUS with EAP-TLS [Windows Server 2019]](http://i.ytimg.com/vi/SgAjEuCAFzE/mqdefault.jpg)
Checkout next part of this series here ua-cam.com/video/QSni2IP0QJM/v-deo.html . Wi-Fi network settings deployment through GPO.
Thanks let me go through it.
ДЖЗ*33'333×2@= ПЕТРИЬІК**?°¿|©
Hi and thank you for this tutorial. May I ask if its possible to make a "Timed Connection" for each clients who are connected to the network? I would be nice if it limits them to connect like 1-2 hour(s) a day.
Thank you so much, brother, great content!! . Note: If someone is having issues make sure to also open the inbound firewall port UDP 1812 on your server, and if you have a network firewall also make sure it allows that same traffic from the wireless AP to the Radius Server.
Thank you for this precision, it helped me a lot.
Thank you for this great and direct guide towards RADIUS
Finally got this to work, I knew it was a server config error, but this explained it very well, bravo!
Thank you for the very super helpful and detailed guide, I used this today and it was most helpful.
BROTHER!! You are so awesome!! Your video is great! keep up the work! Perfectly edited, you made sure we dont waste time. I am a person who never comments on any video or likes or subscribes. But I have done all this because your work impressed me. The explanation is clear and precise.
Thanks for the amazing feedback and I am glad you enjoyed the video.
very well done bro. useful information with easy explanation and examples
Excellent Video!!! Thank you so much for making this, I’ve been trying to do this for years and all the videos I follow something doesn’t work. Follows the instructions In this video and now my wifi is using a fully functional radius server. Thanks so much
Perspective Thanks. I am glad it helped.
Thank you for the very detailed instructions, sir! Very helpful!
Your welcome, glad it helped
man I really appreciate it, I spent hours trying to do it without on my own. I was missing the certificate part, I didn't know it was required. Even though that I have enabled all authentication methods. Thank you very much.
As always...an excellent video. Thanks very much.
ninja2807 you are most welcome
Thanks for the great content and it was really helpful as I was looking to learn more about servers
Great video, a very nice explanation of the components to achieve the goal, thanks, you've helped a lot today!
Amazing stuff!!
Excellent video. Thanks for posting.
Eldrinarr you’re welcome.
Great detailed guide!!
Excellent tutorial!!! Thanks!
Thank you for the video, I tested this with a ubiquiti Wifi and it worked
Did you have a mix of Win7 and Win10 clients? Did you have to install any certs on any of the end clients for this to work?
Nicely explained 👌
Great Video!!!
Thank you for the great tutorials!
Glad you like them!
Thank you so much this wonderful video..
Thanks for Sharing
Thank you!
Thank you budy it helped a lot
very nicely presented!
Thank you.
very nice ... Thanks
Brilliant!
Good job
Thanks for this content, it is very helpful.
Glad it was helpful!
Thank u sir
It would be beneficial to provide concise explanations for the addition of certain roles and features. This way, the audience can better understand the purpose of these steps. Additionally, some users may find it unclear how to establish connections or create another virtual machine linked to the server for testing its functionality. Anyways, thank you for creating this video.
Thank you from France
You are welcome!
Its greats. Tks
Very cool and informative. Do ADCS and NPS need to be on the same server as DC?
Excellent Video. Pls i need to know. If I have multiple Domain Controllers does requesting certificate on one DC replicate to the others?
Nice video .. Just a quick question, how do you set up similarly for Guest Users? Please post me some steps, appreciate your help. Thanks
Well done demonstration, Jay Mann. Any plans on an upcoming video on SSO 802.1X GPO for WS2016/W10?
Thanks. Yes, it can be done but have not planned anything about it yet.
Here is the link ua-cam.com/video/QSni2IP0QJM/v-deo.html
Thank you for the great tutorials! I am pretty green when it comes to certificates. So it looks like the GPO will automatically renew the certificate. But what about on the domain controller/CA? I assume when those certificates are close to expiring i'll have to manually go in and create/renew the certificate?
Normally you would create a Root CA on a laptop (OR cheap Raspberry PI) and Create a life Intermediate CA instead. The laptop (Raspberry Pi) should be shutdown put into a safe and only be used when renewing that intermediate CA.
Great video, I can get communication when I’m on the normal net but it doesn’t work on the enterprise net any tips? Also I had to put the router in bridge mode for communication to occur
Great video.
Can you please offer advice on how to install a certificate from a trusted CA so that mobile clients are not asked to Trust the CA when connecting?
I am sorry, it seems like I missed this comment. Yes, there is a way. However, you can create Wi-Fi profile and can be managed with any MDM solution. This is a bit complex and a lot is involved in it.
Hi,
Great video, did you register the NPS in Active Directory also?
Thank you.
You have to do that if your NPS server is different than the DC. In this case, I did not have to register because of TEST-CERT01 is a DC itself and it has the permission to read the dial-in properties of user accounts during the authorization process.
Excellent guide! However, I - for whatever reason - cannot get mine to work. It is stuck on "Checking Network Requirements". Event viewer reveals repeated 802.1x authentication restarts. Our DHCP is currently running on our Meraki firewall, with the DNS running on DCs. Any idea what might be the cause?
Thanks for this! Quick querry, i have my mx84 act as dhcp server, i am able to authenticate from nps but not getting an IP, appreciate if you can give light on this, thanks!
Hi, Please could you help me with using Microsoft NPS and setting up a test OU for machine-based wired and wireless authentication?
created an SSID on our cisco interface which points the wireless to the correct authentication server and perhaps the same on our switches.
Once a user has logged in using a an android phone, can they still share the internet connection using the QR_code on android?
Somethings are incorrect. Like the thumbprint mentioned is different than the one showed... But that is because it is stitched together I think.
What if my AD CS role wasn’t install in the domain controller but other server? Do I need to request the certificate in the DC but not my server, which got AD CS role? Thank you.
Hello, I have configured the radius server and it works. On the session I have the button to connect but I also have the possibility of entering another login / mdp how to prevent this? THANKS
How would guest connect their macOS when policy is computer based with certificate authentication? How would guest get/request certificate and where to place in macOS.
Hi, this is a great video. I appreciate your content.
Question though, is there any way to avoid the prompting of the certificate notice during the authentication process?
Yes, there is. If you install the root cert on the machines. However, on BYO devices you won't be able to install the root cert since you don't manage those devices.
it was in detailed video, thanks for sharing. what if i just want the laptops that are in domain only be able to connect in that case i think we will set the local computers group instead of users. but if we dont add user groups how the username and password will work to connect???
You are welcome.
Here is the video for computer based authentication ua-cam.com/video/QSni2IP0QJM/v-deo.html
il nostro prof. ci costringe a vedere sto video
Is it a good thing?
I have a problem. We would like to allow only domain computers and when the NPS authenticates the computer it need toi asks for username and password, but when we add the group( Domain computers/Users in the same policy the NPS does not allow access. If we create 2 separate policies this one does not ask for password since the domain computer is already authenticated with cert. Any help
Hi Jay, I have some question about the certificate.
For user authentication like this, does the certificate have to be installed on the client side or only on the server side?
Server will offer the client a cert upon successful authentication. Only server side will be sufficient.
Very detailed and excellent video.
Dear we have some quires will you please help us out. We have Multiple VLAN's for Multiple SSID's all VLAN's are in different IP pools. So kindly guide us if we define multiple IP scope for multiple SSID's how user can authenticate to their particular specific SSID ? Waiting for your response.
Hi Tahir,
This would be a sophisticated set up. Give me some time to think.
Jay
do you have a guide on how to apply captive portal using this?
How can we specify which SSID The users from the Network group will be connecting? If I have multiple SSIDs but I do not want users from the Security group1(SSID1) to SSID2
Hi Jay,
did you use your Wireless Router as Default-Gateway ?
Hamid Chendawoli Yes, for wireless clients.
Thanks for this demonstration. A research a possibility to have mutiple SSID depending of groups in AD. I think i need multiple radius server on my server (if it's possible) but i'v not yet find a way. If anyone have a idea... thank for it
Hey, Thanks for tutorial. Can I authenticate W-Fi(with certificate integrated) on a win 10 client present in Workgroup?
Or is it a pre-requisite for the client to join a Domain?
Configuration requires either a user or machine authentication. User auth does not require the computer to be domain joined, but machine authentication needs the device to be domain joined.
Hi bro, beautiful video, are you using vmware workstation or bare metal?
Thank you. This is on Hyper-V.
@@TekNexSolutions Hi bro. Thank you very much for your reply. Did you have any radius server videos with wired.
Hello! I have a problem here. I have windows server 2012 and AD DNS DHCP install than I turn off dhcp on my wireless router, my pc get IP address from my dhcp server but my device can’t get IP address from WiFi! So any help pls thx.
Your "hech" scratches my brain.
Have you configured NAT rule in your physical machine to enable connection for Hyper-V?
Using external virtual switch in Hyper-V which is connected to a physical switch.
Hello Jay,
Thank you for your video.
I'm having issues connecting to the wifi network. Everytime i fill in my credentials it loads and sends me back to where i need to put in the credentials, without giving me an error message. When i test this with the built in authentication tester in my AP it does work... I'm using a Ruckus zoneflex r510.
Brian Boere Hi Brian,
Have you triend another client, may be a phone could be a good test? Does the same problem occur on other devices as well? Tester checks the radius server only, which means there is no issue with the radius authentication. Once you hit connect from a client, server should offer a certificate. Let me know if the issue is same accross different devices.
Jay Mann, I've also tried this on my phone. The same problem occurs.
Hi.
Good video, I have a problem specifying the type of installation of the CA, the CA enterprise mode appears disabled and I would like to know why ?.
Thanks for the video best explained
Jose Luis Llampa Colque Strange issue. I never had that problem. Are you installing CA on a DC(like I did) or it is a different server?
@@TekNexSolutions Hello, at minute 17:56 you are shown two options: Enterprise CA and Standalone CA, both active, but in my case only Standalone CA shows active and Enterprise CA is disabled, that shows me when configuring in Windows Server 2012 R2 and in Windows Server 2016 and I do not know what the problem is, maybe the problem is that the operating system is virtualized ???, use VMWare 14.
I just figured out what is your issue here. Type of virtualization is not a problem. When I created fresh Windows Server 2016 > added role Active Directory Certificate Services > Tried to configure Certificate Authority as an Enterprise CA. It is greyed out same as yours.
Reason: My server is not domain joined or it is not a Domain Controller itself.
Solution 1: You need a domain in your network > domain join your server > Enterprise CA option will be available
Solution 2: Follow exactly same steps in the above video (Create a DC and test the setup), you will not have any issues at all
Amazing Video with Smooth Process.
Why td-w8980.test.local device level setup is missing in this video ? this device is windows server or a windows client machine ?
Its an accesspoint :)
@@keinechancee5361 Device: rs-w8980.test.local is a windows 10 or windows server device ?
@jay
On which minute did you found that?
The accesspoint is named “TD-W8980”.
The Windows Server is named “TEST-CERT1”
and the windows 10 client is named “Win10”.
test.local is the local domain, so for example “TD-W8980.test.local” is the accesspoint inside the domain and “Win10.test.local” is the Windows 10 Client inside the domain.
Have a nice weekend and greetings
KeineChancee
How to check existing configuration 802.11x ? Cause i have problem 1 group cannot connect to wifi
Hey Jay,
I'm getting the following message when connecting to the Wi-Fi: If you expect to find [wireless SSID name] in this location, go ahead and connect. Otherwise, it may be a different network with the same name.
Do you know how I can remove this warning for my clients?
Thank You.
brian b Hi Brian,
Disregard my earlier message if you received.
I checked this and even in production we get the same message, unless you use group policy to deploy the Wi-Fi profile for users/computers. However, I will look into this further and update you once I found if there is anything we can do without GPO. Of course GPO will only work with domain joined devices only.
Jay
@@TekNexSolutions I'd really like an answer to this question if you have one. Thanks.
Hi, this is a really great video. I was thinking of applying this a similar concept using username and password only for a College for Students to access resources with their personal machines, and not the domain computers. What would I have to change to make this happen. I'd prefer to not have to use certificates for the students' laptops.
Big Ric Than you. For Radius authentication you supposed to have a CA in action.
It will be user auth for students BYODs and computer auth for domain joined devices.
@@TekNexSolutions Thanks for replying, but let me ask this, is there some issue(s) with Windows 10 clients requiring a certificate and causes problems to connect to these types of public Wi-Fi with RADIUS auth? I can see Android devices not having this issue, I'm asking as I have a college Wi-Fi network to deploy in the fairly distant future and smooth student connectivity is an area of contention for me.
@@hennessy6996 Android, IOS, macOS and Win 10 Client uses the Windows Radius Authentication in a similar fashion. As demonstrated in the video, when you connect the client and it prompts to trust the Certificate from your CA. Once you do that and connection works as it supposed to be. This method is widely deployed in different production environments that I know of personally, we are talking anywhere between 1500 to 60,000 end users.
Have you faced any issues?
@@TekNexSolutions About 9 months ago I tried this and had problems with the Win10 clients requesting credentials repeatedly without ever connecting, I'm picking this up again as I'll have to deploy soon. I'm even thinking of dynamic VLANS with some Aruba Networks switces for wired clients as the existing IT team is very inexperienced. I'll be labbing it out over the next 2 weeks.
@@hennessy6996 I don't see any issues moving forward with this. However, try it in your lab and it should work.
Hi Jay, Just another question if i plan AD in one server and NPS on another server what is the best practice to install CA?
is it on AD server or NPS server ?
It is recommended to use a dedicated server for CA. Not recommended it to be a DC.
@@TekNexSolutions Hi Jay, in my scenario if i have a resources limitation what would be the best server to install CA . i only have server s for AD and NAS.
I would install CA on NPS Server.
So is the 'windows server 2016' (the thing on the right in your connection diagram in the beginning of the video) a physical machine connected via Ethernet or can you have this as a virtual one in a virtual box? fyi im a total noob
The way it is implemented it acts as a physical machine. However, it is a virtual machine in Hyper-V connected to a physical switch through External Network Adapter. Wi-Fi modem is connected to the same physical switch.
Same thing can be achieved through Virtual Box as well with understanding of how the virtual network adapters work.
Thanks, first clarification on that on the internet.
Hi..
If possible I need to get some help...
Setup made successfully but not able to connect Wi-Fi...
how to bind mac address for the users in AD
The Radius server use user and password to sincronize with LDAP?
hi it was a nice video.
but i would like to know. if user is already part of domain then how to skip putting user/pass while connecting to wifi. it should be automated.
any suggestion on it.
Thank you.
Yes it can be done with the help of GPO. Nothing planned yet, may be I record another video for this.
@@TekNexSolutions oh great, if you could create quick video on this GPO will be helpful
Care For You Hi there, just letting you know you can check this video deploying Wi-Fi profile through GPO. You can only deploy this profile to Windows devices. Here is the link ua-cam.com/video/QSni2IP0QJM/v-deo.html
Can we authenticate users with radius coming as visitor and connect our wifi ?
you are awesome bro ... i am getting an error "Unable to join wifi-sid". Can you help what should I have to checked. I am using server 2022
Can you please make a video on Wired authentication?
what should i do if i already have DHCP from my firewall
Hello! I have configured it as in your video, but it fails to connect to Enterprise WiFi. I entered the credentials and press connect and then it switches back to enter the credentials again? I tried to connect on my PC/laptop/Android device, but it fails on every device. How to fix this issue? Thanks.
Hi Luba,
I would suggest you to go over the video again and check if everything is done according to the video. It seems like you might have missed one or two things. Double check the things like network policy, permissions for AD groups etc.
How about for wired connection authentication with Windows Server?
Thank you for the tutorial. It's working fine with Dlink Ap and windiws srv 2012 standard. But the issue is not working for non domain pc.... Any help with that please?
Bagga caticoti abdou It should work for the non-domain pc’s. Check the following:
1. Have you tried the same user which you used for the domain joined pc? User has to be in the right group.
2. Try connecting any phone, your phone should connect to the wireless and it will get certificate from your CA.
3. If phone connects fine then re-install Wi-Fi driver on the non-domain join pc.
Let me know how did you go.
Bagga caticoti abdou Also, use fully qualified domain name on the non-domain joined devices. For instance, if your domain is “test.com” and user is “user” then FQDN will be user@domain.com.
Hi Jay Maan
Yes it is working fine with the smartphones but not for the laptops, I jave tried with two different laptops with win 10 installed but it did not work.
I will try reinstalling the driver and check again.
Thank you
Hello Finally it is working,
1- we have to Register NPS server on Active Directory
2-I did not use the wizard to create the policy, I have create it manually and specify the condition as "NAS port Type" and select "IEEE802.11 + Wireless Other"
You don't have to use FQDN just type the username and the password
Thank you again Jay
Bagga caticoti abdou sounds good. I am happy that it is working now.
Thanks dude.. Can Android clients Access their home folder via a file explorer ?
TheAmazeer Yes they can. I haven’t tried with the in-built file explorer. You might have to use a third party app which will allow you to enter the share name, credentials and other settings required to access share.
You are amazing!!
Do you know why Android device connecting the WiFi ask weird question beside the username and password. Question about certificate
Thanks. It is the OS, and it doesn’t pick the security requirements from the Wi-Fi.
I see mostly tutorials on how to do authentication with a domain user. Is there a tutorial or an easy way to do this with a certificate by itself? I was reading about TLS authentication, which i think would work. We've got several thousand chromebooks, and a new wifi network we're deploying. I don't really want to have to explain to everyone how to log in. I just want it to be seamless.
darthcircuit I can see where you coming from. In your case, you have to build a Wi-Fi profile and enroll each device to it.
That sounds awful. I guess we'll just stick with PSK for now lol. Thanks :)
If my radius server is not a domain controller, how do I need to create the certificate? Do I create it on the domain controller, export it, and import it on the radius server? Or do I create a certificate locally on the radius server (the only cert option is 'Computer)'?
Here is a workaround they put in place techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125.
thank you for sharing this video, how can we create the policy when mobile device user authenticates with ID and password, after admin approval they can get the access. Because when i was created SSID with AD authentication our all employee uses same on mobile devices also and it is not good our security perspective. pls help in this
Create a security group and give that group access to Wi-Fi. End users can log a service request and admins can add them to the security group on the requests basis to give Wi-Fi access.
Any one had problems getting this to work under Server 2K8 R2 with Windows 7 and/or Windows 10 clients? I believe I've followed all the steps clearly. Android mobile clients are authenticated, however my Windows clients keep asking for credentials over and over again. Any suggestions? As an FYI, none of the clients have ever joined the domain, but this is the same for the android devices. So I'm assuming I should not have any problems but I am unfortunately.
Your video is very much detailed, thanks for the efforts and energies invested to create and publish.
You need to install Certificate manually in Win 7. As you can see in the video, Win 10 received the certificate as soon as I authenticated with the credentials.
@@TekNexSolutions Hi, is this approach confirmed? Is their not a way to have the certificate presented to the user automatically? I'm working on a solution to authenticate students via the Wi-Fi, with the accounts managed in AD.
@@TekNexSolutions Much thanks for the response thus far.
So far to my knowledge this is confirmed. However, I can double check with someone who works with Server 2K8. In production (Server 2016), we have the same issue where we have to install certificate manually on Win 7 machines. Fortunately, we have few(1 in 500) machines which fall under this category. If Android devices connect to the Wi-Fi through Radius then there is nothing wrong with the set up you have.
What if your DHCP server is elsewhere ?
If I change WPA password into radius password now I not able to connecting what I should do
How to you restrict concurrent login?
so now, how do you do this with windows domain account..? and once you connect once, having to put in username/password in the wifi connection, after authenticated, do you ever have to do it again?
Device from where you connect should remember the credentials for that specific SSID. So you do not have to provide credentials everytime you connect.
What will be the Network setting in Vmware 12 if we want to deploy it physical network thorough Vmware
IMRAN AHMED how many physical network cards you have?
Only one which is set as (bridged, replicate physical connection state) on Vmware
I cannot get this to work with my Fortigate device at all.
how can your router get dhcp from the server
i was able to get it to ask for user and password, but it will not authenitcate to get wifi access :(
how can i use the same setup but without the users having to enter username and password? Basically only have provided them the certificate to authenticate.
What type of end users and devices we are looking at?
For windows client , Does this will make user can only check box use windows credential and no need to key in every time?
aun manoi users do not have to enter their password evertime. It is just one off password enter (assuming no hardware/software change)
Yes, you can check use Windows credentials. However, it would only work if the device is domain joined and logged in with user who has permissions to access Wi-Fi.
aun manoi You could use group policy for that purpose. Windows users wouldn’t need to enter their password or no need to check any box. Here is the link to video ua-cam.com/video/QSni2IP0QJM/v-deo.html
Thank you very much 😊