eduroam(UK)
Microsoft NPS Configuration Guide v0.1
Contents
Using this Guide
Start Services
Server Certificate
Add NRPS RADIUS Clients
Add local Access Points / Wireless Infrastructure RADIUS Clients
Add NRPS RADIUS Proxy Servers
Add a Connection Request Policy for offsite users
Add a Connection Request Policy for local users
Add a Connection Request Policy for eduroam visitors
Reorder Connection Request Policies
Create Network Policy
Reorder Network Policies
Start the NPS service
Start Services
For NPS to authenticate users the Extensible Authentication Protocol (EAP) service must be running. To start this service, go
to Start -> Administrative Tools -> Services. Then double click on Extensible Authentication Protocol.
Server Certificate
To authenticate clients, the NPS server must have a server certificate. To generate a CSR on the NPS server, go to Start ->
Run, type mmc and click OK.
In the mmc console click File -> Add/Remove Snap-in. Then from the list of Available snap-ins: choose Certificates
and click Add >.
Choose Local Computer: and then click Finish. Then click OK.
In the menu on the left, under Certificates (Local Computer), right click on Certificates under Personal. Then under All
Tasks -> Advanced Operations, click Create Custom Request.
Click Next on the Certificate Enrollment page and choose Proceed without enrollment policy under Custom Request.
Then click Next.
On the Certificate Information page click the Details button and click Properties.
Click on the Subject tab then enter the following information in the Subject name:
Click on the Extensions tab and then under Extended Key Usage (application policies) from the available options add
Server Authentication.
Click on the Private Key tab. Then under Key options choose a Key size: of 2048 and under Select Hash Algorithm
choose sha256 as the Hash Algorithm.
Then click OK and click Next. On the Request For Permission to Create a Key, untick Require this password whenever
using this key and click Create Key.
Browse to a location e.g. Desktop and save the Certificate Signing Request in Base 64 format. Click Finish.
Send the CSR file to your Certificate Authority for signing e.g. Janet Certificate Service. Once you receive your Certificate
from the Certificate Authority you will need to install it together with any root Certificate Authority or Intermediate
certificates.
To do this, download your server certificate to your NPS server and go back to the MMC console. Under Certificates (Local
Computer) -> Personal, right click on Certificates and under All Tasks click Import.
In the certificate import wizard click Next, then Browse to your server certificate file and click Next >.
Click Next and the certificate will be imported into the certificate store.
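A check you can run after the import, as an added example that is not part of the original guide: it lists each certificate in the Local Computer -> Personal store and reports the properties requested in the steps above (private key present, Server Authentication EKU, 2048-bit RSA key) and whether the chain builds from the root and intermediate certificates you installed. Revocation checking is switched off so that the script runs offline; that choice is an assumption of this example.

```powershell
# Added example (not from the guide): audit Cert:\LocalMachine\My after import.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the OIDs listed in the Extended Key Usage extension, if present.
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # GetRSAPublicKey returns $null for non-RSA certificates instead of throwing.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keySize = if ($rsa) { $rsa.KeySize } else { $null }

    # Build the chain in the machine context ($true) so that the root and
    # intermediate certificates installed on this server are the ones used.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainBuilds = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey        # must be True on the NPS server
        ServerAuthEku = $ekuOids -contains $serverAuthOid
        RsaKeySize    = $keySize                   # the guide requests 2048
        # The CA chooses the certificate's signature algorithm; the sha256
        # selected in the request wizard applies to the CSR itself.
        SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName
        NotAfter      = $cert.NotAfter
        ChainBuilds   = $chainBuilds               # False: a CA certificate is missing or untrusted
    }
} | Format-List
```

A certificate that shows HasPrivateKey as False was imported on a machine other than the one that generated the CSR, or the pending request was removed before the import.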
Add local Access Points / Wireless Infrastructure RADIUS Clients
Then enter a Friendly name, Address, and Shared secret for your wireless device. Then click OK.
Add NRPS RADIUS Proxy Servers
Then click on the Load Balancing tab. Then enter the following settings:
Click OK to add the server and then repeat the process for roaming1 and roaming2.
Add a Connection Request Policy for offsite users
In Policy name enter authenticate requests from NRPS locally, then click Next.
On the Specify Conditions page click Add, then click on Client Friendly Name, then click Add.
In the Client Friendly Name box enter roaming.* then click OK.
Click Next then for Authenticate tick Authenticate requests on this server and click Next.
Add a Connection Request Policy for local users
In Policy name enter authenticate local users, and then click Next.
On the Specify Conditions page click Add, then click on User Name, then click Add.
In the User Name box enter @realm$ (where realm is your organization's realm e.g. camford.ac.uk) then click OK.
Click Next then for Authenticate tick Authenticate requests on this server and click Next.
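An added example, not part of the original guide: the User Name condition is a pattern, so a dot matches any single character and the trailing $ anchors the match to the end of the name. The script below uses PowerShell's -match operator (.NET regular expressions) as a stand-in for NPS pattern matching, and constructed usernames, to compare the pattern as typed with a dots-escaped form and a form without the $ anchor.

```powershell
# Added example (not from the guide). -match is a stand-in for NPS pattern
# matching; the usernames below are constructed test data.
$realm = 'camford.ac.uk'   # example realm used in the guide

$patterns = [ordered]@{
    'AsTyped'     = '@' + $realm + '$'                  # @camford.ac.uk$
    'DotsEscaped' = '@' + [regex]::Escape($realm) + '$' # @camford\.ac\.uk$
    'NoAnchor'    = '@' + $realm                        # @camford.ac.uk
}

$users = @(
    'alice@camford.ac.uk',              # genuine local user
    'bob@camfordXac.uk',                # differs only where the pattern has a dot
    'carol@camford.ac.uk.example.net',  # local realm used as a prefix of another realm
    'dave@dept.camford.ac.uk',          # sub-realm: no '@' directly before the realm
    'erin@other.ac.uk'                  # visitor realm
)

$results = foreach ($user in $users) {
    $row = [ordered]@{ UserName = $user }
    foreach ($name in $patterns.Keys) {
        # True means a policy with this pattern would treat the user as local.
        $row[$name] = $user -match $patterns[$name]
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
```

Only the dots-escaped, anchored pattern classifies alice alone as local: the pattern as typed also accepts bob, and the unanchored pattern also accepts carol, so those requests would be authenticated on this server instead of being forwarded.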
Add a Connection Request Policy for eduroam visitors
On the Specify Conditions page click Add, then click on User Name, then click Add.
Click Next then for Authenticate tick Forward requests to the following RADIUS server group for authentication: and
select NRPS from the dropdown list.
Reorder Connection Request Policies
To do this right click on a policy and then click Move up or Move down until it is in the correct position in the list.
Create Network Policy
In the Policy name: box enter local authentication and then click Next.
In the Specify Conditions window click Add then from the list choose Authentication Type and click Add.
From the Authentication Method list choose EAP and PEAP then click OK.
Click Next then tick Access granted on the Specify Access Permission page, then click Next again.
On the Configure Authentication Methods page click Add... and choose PEAP from the list and click OK.
In the list of EAP Types: select PEAP and click Edit. Then select the correct certificate in the Certificate issued list and
ensure Secured password (EAP-MSCHAP v2) is in the list of EAP Types. Then click OK.
On the Configure Authentication Methods page untick all Less secure authentication methods. Then click Next.
On the Configure Constraints page click Next. Then on the Configure Settings page, under RADIUS Attributes ->
Standard, remove Framed-Protocol PPP and Service-Type Framed from the list.
Under Routing and Remote Access Encryption untick No encryption. Then click Next.
Next, change the settings to ignore the dial-in properties from Active Directory. To do this, double click on the local
authentication policy.
Next, in the Access Permission area, check the box Ignore user account dial-in properties and click OK.