Eduroam in a Microsoft Windows 2008R2 environment

This guide will help with the deployment of eduroam in a Microsoft Windows 2008R2-only environment. We will briefly note the prerequisites for a successful deployment. Basic knowledge of Active Directory, Radius and 802.1X technologies is required.

In April 2013 we deployed eduroam at Onderwijsgroep Noord. Onderwijsgroep Noord is an umbrella organization which consists of AOC Terra, Dollard College and rsg de Borgen. We provide education to 11,000 students at 24 locations.

Chapters
  Eduroam in a Microsoft Windows 2008R2 environment
  Prerequisites
  Active Directory
  Radius configuration
  Connection Request Policy
  Network Policy
  Sources

Prerequisites:

- Working Active Directory environment at 2008R2 functional level. Check this with Active Directory Domains and Trusts.
- DNS-resolvable User Principal Name suffix. This is a required prerequisite for a successful and manageable deployment. In the next chapter I will explain how this can be achieved without renaming your Active Directory domain.
- Working Radius server. Radius is part of the Network Policy and Access Services server role.
- Wireless network with support for multiple SSIDs and VLANs per radio. This way you can support separate wireless networks, for example eduroam, guest, voice, students and employees. The network at Onderwijsgroep Noord consists of Hewlett Packard MSM422 access points and Hewlett Packard MSM765 controllers. It is required that the access points or the controller put the SSID in the Radius request so the Radius server can differentiate between the SSIDs. I will come back to this later.
- Firewall rules for inbound and outbound traffic between your local Radius server and your national upstream Radius server. You only need to allow traffic on UDP port 1812 between these two servers.
- SSL certificate for signing the PEAP sessions.
  This certificate should be installed on all Radius servers and should contain the Fully Qualified Domain Names of the Radius servers. This certificate needs to be selected in all policies which define a PEAP authentication method. A self-signed certificate could be used but is not recommended.

Active Directory

To authenticate users for eduroam, the Radius servers which are part of the eduroam network need to know where to send the Access-Request packets. Part of this system are special NAPTR records. These records are added to your external DNS zones as hints for the Radius servers. Ask your national eduroam provider for the exact syntax.

For these NAPTR records to work you have to make sure that login names consist of a username part and a domain part. This can be achieved by using the User Principal Name (UPN) in your Active Directory domain. By default the UPN suffix is the same as your Active Directory domain name. If this name is resolvable on the internet you are ready to go to the next chapter. If you use a non-resolvable Active Directory domain name then it is possible to add additional UPN suffixes to your domain. This way you don't have to rename your domain for eduroam to work. For easy adoption by users I have chosen to make the User Principal Name the same as the e-mail address.

How do you do this? Open Active Directory Domains and Trusts. Right-click Active Directory Domains and Trusts and open Properties. Here you can add additional UPN suffixes. In the account information of a user you can change the User Principal Name. Please note that a user can have only one UPN. So if you already use the current UPN you are in for some extra work.

Radius configuration

I presume that you have a working configuration and your current access points are already using Radius for authenticating clients. We need to make some extra policies for eduroam. If you have multiple Radius servers, which is advised, you need to make the following settings on all Radius servers.
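The UPN change from the Active Directory chapter above can be scripted, which matters on a domain with thousands of accounts. The following PowerShell is an added example, not part of the original guide: it registers an additional UPN suffix in the forest and sets each user's UPN to his or her e-mail address, refusing to reuse a UPN that another account already owns (a UPN must be unique, as the guide notes). It assumes the RSAT ActiveDirectory module is installed on the machine you run it from; "example-school.nl" is a constructed placeholder for your public, DNS-resolvable mail domain, and the script runs in dry-run mode until you set $DryRun to $false.

```powershell
# Added example (not the guide's own code): add a public UPN suffix and align
# users' UPNs with their e-mail addresses. Assumes the RSAT ActiveDirectory
# module; "example-school.nl" is a constructed placeholder.
Import-Module ActiveDirectory

$PublicSuffix = 'example-school.nl'   # placeholder: your resolvable mail domain
$DryRun       = $true                 # set to $false to apply the changes

# 1. Register the suffix at forest level (what "Active Directory Domains and
#    Trusts > Properties > UPN Suffixes" does in the GUI). Idempotent.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    if ($DryRun) { Write-Host "Would add UPN suffix $PublicSuffix to forest $($forest.Name)" }
    else         { Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $PublicSuffix } }
}

# 2. Walk enabled users whose mail address is in the public suffix and make
#    the UPN equal to the mail address (the guide's choice for easy adoption).
$users = Get-ADUser -Filter "mail -like '*@$PublicSuffix'" -Properties mail |
         Where-Object { $_.Enabled }

foreach ($u in $users) {
    $desired = $u.mail.ToLower()
    if ($u.UserPrincipalName -eq $desired) { continue }   # already correct

    # A UPN must be unique in the forest: skip if another account owns it,
    # rather than silently failing halfway through the run.
    $owner = Get-ADUser -Filter "userPrincipalName -eq '$desired'"
    if ($owner -and $owner.DistinguishedName -ne $u.DistinguishedName) {
        Write-Warning "$desired is already the UPN of $($owner.SamAccountName); skipping $($u.SamAccountName)"
        continue
    }

    if ($DryRun) { Write-Host "Would set $($u.SamAccountName): '$($u.UserPrincipalName)' -> '$desired'" }
    else         { Set-ADUser -Identity $u -UserPrincipalName $desired }
}

# 3. Sanity check of the prerequisite: the suffix must resolve on the public
#    internet and carry the NAPTR hints your national provider asked for.
#    Run this from outside your network too, because split DNS can hide a
#    missing external record from an internal resolver.
nslookup -type=NAPTR $PublicSuffix
```

Run it once in dry-run mode and review the warnings: every "already the UPN of" line is an account that needs the manual attention the guide warns about before the policies below will route that user correctly.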
- Create a shared secret template so it can be referred to by the other policies. This way you have one place where to put and eventually update the shared secret.
- Create Radius clients for the national eduroam servers with which you are about to connect. Use the previously created shared secret template as shared secret.
- Create a Remote Radius Server Group. Add the national eduroam servers to this group. As shared secret you can use the previously created shared secret template again. The other options can be left alone.

Connection Request Policy

Create four Connection Request Policies:

1. The first policy is for authentication requests from your national eduroam provider. Put your national eduroam provider's IP addresses as a condition. Below you can see the condition and settings I have made in this policy. Examples of regular expressions used in conditions can be found here: http://technet.microsoft.com/en-us/library/cc755272(v=ws.10).aspx

2. The second policy authenticates your own users when they are using eduroam at your site. This way you don't send unnecessary requests to your national eduroam provider. To keep the requests local you need to add a User Name condition. You have to escape the dots and separate different domains with a pipe symbol. You also have to add conditions to make sure this policy only applies to requests for access to the eduroam SSID. Most access points can put the SSID in the Called Station ID field. Finally you need to set the authentication method. For eduroam this is PEAP with MSCHAPv2 inside. Check that the right certificate is selected in the authentication method.
3. The third Connection Request Policy forwards requests for access to your wireless network from external users to your national eduroam provider. As authentication provider you select "Forward request to the following Remote Radius Server Group" and select the group you created earlier. The User Name condition makes sure that only usernames with a realm are forwarded to the national eduroam provider. Some eduroam Identity Providers return VLAN information in their Radius Access-Accept messages. This information can collide with your own VLAN settings. If you have a fixed VLAN configuration you should erase this information from these Access-Accept messages. As Microsoft's Radius cannot erase this information, we reset it to values our equipment can understand. These are attributes like Tunnel-Medium-Type, Tunnel-Pvt-Group-ID and Tunnel-Type.
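The four Connection Request Policies are evaluated in order and the first match wins, so it is worth checking the conditions against realistic User-Name and Called-Station-Id values before putting them into NPS. The PowerShell below is an added example, not the guide's own configuration: it writes the conditions of policies 1 to 4 as .NET regular expressions (the syntax NPS uses, per the TechNet page referenced above), runs constructed sample requests through them in processing order, and shows the attribute reset that policy 3 applies to a foreign Access-Accept. The provider addresses, realms, VLAN id and policy names are placeholders; it assumes, as the guide requires, that the access points put the SSID after the colon in Called-Station-Id ("<AP-MAC>:eduroam"), and that policy 4 is scoped to the eduroam SSID so it cannot deny users of your other SSIDs.

```powershell
# Added example (not the guide's own code): the four CRP conditions as
# regular expressions, evaluated in NPS processing order. All addresses,
# realms and VLAN ids are constructed placeholders.
$NationalProviderIPs = @('192.0.2.10', '192.0.2.11')     # placeholder (TEST-NET-1)
$LocalRealms         = 'example-school\.nl|example-college\.nl'  # dots escaped, realms separated by "|"
$LocalRealmPattern   = '@(' + $LocalRealms + ')$'        # User-Name condition of policy 2
$EduroamSsidPattern  = ':eduroam$'                       # Called-Station-Id condition ("<AP-MAC>:eduroam")

# Policies in processing order; NPS stops at the first whose conditions match.
$Policies = @(
    @{ Name = '1 requests from national provider'; Action = 'authenticate locally'
       Match = { param($r) $NationalProviderIPs -contains $r.ClientIP } },
    @{ Name = '2 own users at own site';           Action = 'authenticate locally (PEAP / MSCHAPv2)'
       Match = { param($r) $r.UserName -match $LocalRealmPattern -and $r.CalledStationId -match $EduroamSsidPattern } },
    @{ Name = '3 visitors: forward';               Action = 'forward to Remote Radius Server Group'
       Match = { param($r) $r.UserName -match '@.+' -and $r.CalledStationId -match $EduroamSsidPattern } },
    @{ Name = '4 no realm: deny';                  Action = 'deny'
       Match = { param($r) $r.UserName -notmatch '@' -and $r.CalledStationId -match $EduroamSsidPattern } }
)

function Resolve-ConnectionRequestPolicy {
    param([hashtable]$Request)
    foreach ($p in $Policies) {
        if (& $p.Match $Request) { return $p }
    }
    return $null   # nothing matched: NPS would discard the request
}

# Policy 3 settings: NPS cannot strip the VLAN attributes a foreign IdP may
# return, so they are overwritten with values our own equipment understands.
# Tunnel-Type 13 = VLAN and Tunnel-Medium-Type 6 = IEEE 802 (RFC 2868);
# the group id '20' is a placeholder for your eduroam VLAN.
$LocalVlanAttributes = @{ 'Tunnel-Type' = 13; 'Tunnel-Medium-Type' = 6; 'Tunnel-Pvt-Group-ID' = '20' }

function Set-LocalVlanAttributes {
    param([hashtable]$AccessAccept)
    $out = @{} + $AccessAccept                      # copy, keep unrelated attributes
    foreach ($k in $LocalVlanAttributes.Keys) { $out[$k] = $LocalVlanAttributes[$k] }  # overwrite, never merge
    return $out
}

# Constructed sample requests, one per expected outcome.
$Samples = @(
    @{ ClientIP = '192.0.2.10'; UserName = 'jan@example-school.nl';           CalledStationId = '00-11-22-33-44-55:eduroam' },  # own user roaming, proxied in
    @{ ClientIP = '10.0.0.5';   UserName = 'piet@example-college.nl';         CalledStationId = '00-11-22-33-44-66:eduroam' },  # own user at home
    @{ ClientIP = '10.0.0.5';   UserName = 'guest@other-university.example';  CalledStationId = '00-11-22-33-44-66:eduroam' },  # visitor -> forward
    @{ ClientIP = '10.0.0.5';   UserName = 'klaas';                           CalledStationId = '00-11-22-33-44-66:eduroam' }   # no realm -> deny
)
foreach ($s in $Samples) {
    $p = Resolve-ConnectionRequestPolicy $s
    '{0,-36} -> {1}' -f $s.UserName, $(if ($p) { "$($p.Name): $($p.Action)" } else { 'no policy matched' })
}

# Constructed Access-Accept as a foreign IdP might return it, with its own VLAN.
$foreignAccept = @{ 'Tunnel-Type' = 13; 'Tunnel-Medium-Type' = 6; 'Tunnel-Pvt-Group-ID' = '777'; 'Session-Timeout' = 3600 }
Set-LocalVlanAttributes $foreignAccept    # Tunnel-Pvt-Group-ID becomes '20', Session-Timeout is kept
```

Two things the run makes visible: swapping policies 2 and 3 would forward your own users to the national provider for every login, and removing the SSID condition from policy 4 would deny any user on another Radius-authenticated SSID who logs in without a realm.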
4. The last policy takes care of users who have forgotten to supply a UPN suffix. These users are denied access.

Network Policy

Finally you need to create two Network Policies. In these policies you define which of your local users may use eduroam.

1. The first Network Policy defines which local users can use eduroam at external locations. As conditions you define your national eduroam provider, using Client IPv4 Address, and the group or groups with users who may use eduroam remotely. In most cases you use the same user groups for both policies.
2. The second Network Policy to create is a policy to define which local users can use eduroam at your location. As conditions you define the SSID and the user group to which this policy applies.

3. The last Network Policy denies access to all users who did not match the previous Network Policies. This should be your last policy concerning wireless access.
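Once the Connection Request Policies and Network Policies are in place, the only reliable way to confirm that each request hits the intended policy is the NPS audit trail: Windows writes event 6272 (access granted) and 6273 (access denied) to the Security log, and each message names the Connection Request Policy and Network Policy that handled the request. The PowerShell below is an added example, not part of the guide: it parses those messages into objects and summarises decisions per policy pair, so you can see that visitors are forwarded rather than matched by a local Network Policy, that local users land on the right policy, and why denied users were denied. It assumes the "Audit Network Policy Server" subcategory is enabled (the default) and that the event message layout uses the "Label:<tab>value" lines shown; the two sample messages are constructed, with placeholder user names, addresses and policy names.

```powershell
# Added example (not the guide's own code): parse NPS 6272/6273 Security
# events and report which CRP / Network Policy handled each request.
# Sample messages below are constructed; names and addresses are placeholders.
$Labels = @{
    User       = 'Account Name'
    CalledStn  = 'Called Station Identifier'
    ClientIP   = 'Client IP Address'
    CRP        = 'Connection Request Policy Name'
    NP         = 'Network Policy Name'
    ReasonCode = 'Reason Code'
    Reason     = 'Reason'
}

function ConvertFrom-NpsEventMessage {
    # Extracts the labelled "Label: value" lines from one event message.
    param([string]$Message, [int]$EventId)
    $fields = @{ Granted = ($EventId -eq 6272) }
    foreach ($key in $Labels.Keys) {
        $pattern = '(?m)^\s*' + [regex]::Escape($Labels[$key]) + ':\s*(.*?)\s*$'
        $m = [regex]::Match($Message, $pattern)
        $fields[$key] = if ($m.Success) { $m.Groups[1].Value } else { $null }
    }
    return New-Object PSObject -Property $fields
}

function Get-NpsDecisions {
    # Live query on the NPS server: decisions from the last $Hours hours.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-NpsEventMessage -Message $_.Message -EventId $_.Id }
}

function Get-NpsPolicySummary {
    # Counts decisions per (CRP, Network Policy, granted) so a misrouted
    # class of users shows up as an unexpected row.
    param([object[]]$Decisions)
    $Decisions | Group-Object CRP, NP, Granted | ForEach-Object {
        New-Object PSObject -Property @{ Policy = $_.Name; Count = $_.Count }
    }
}

# Constructed sample events (layout as in the Security log, values invented).
$grantedMsg = @'
Network Policy Server granted access to a user.

User:
    Account Name:           piet@example-college.nl

NAS:
    Called Station Identifier:  00-11-22-33-44-66:eduroam

RADIUS Client:
    Client IP Address:      10.0.0.5

Authentication Details:
    Connection Request Policy Name: eduroam local users
    Network Policy Name:        eduroam local access
    Authentication Type:        PEAP
'@

$deniedMsg = @'
Network Policy Server denied access to a user.

User:
    Account Name:           klaas

NAS:
    Called Station Identifier:  00-11-22-33-44-66:eduroam

RADIUS Client:
    Client IP Address:      10.0.0.5

Authentication Details:
    Connection Request Policy Name: eduroam no realm
    Network Policy Name:        -
    Reason Code:            48
    Reason:             The connection request did not match any configured network policy.
'@

$demo = @(
    (ConvertFrom-NpsEventMessage -Message $grantedMsg -EventId 6272),
    (ConvertFrom-NpsEventMessage -Message $deniedMsg  -EventId 6273)
)
$demo | Format-Table User, CRP, NP, Granted, ReasonCode -AutoSize
Get-NpsPolicySummary $demo
# On a real server: Get-NpsPolicySummary (Get-NpsDecisions -Hours 24)
```

A row where a visitor's realm appears with one of your local Network Policy names, or where the "deny all" policy shows up for users who should have matched policy 1 or 2, is the signal that the processing order or a condition regex needs another look.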
Sources

- Configuring Microsoft NPS for eduroam-us, by Derek O'Flynn at LSUHSC: https://www.eduroam.us/node/25
- Configuring Microsoft NPS for eduroam-us, by James Macdonell at CSU San Bernardino: http://iso.csusb.edu/practices/eduroam-radius-configuration

With the help of Robert Klein at Kennisnet I have deployed eduroam at our educational institute.