
eduroam(UK)
Microsoft NPS Configuration Guide v0.1


Contents
Using this Guide ........................................................................................................... 3
Start Services ............................................................................................................... 4
Server Certificate ......................................................................................................... 6
Add NRPS RADIUS Clients ......................................................................................... 19
Add local Access Points / Wireless Infrastructure RADIUS Clients ................................ 22
Add NRPS RADIUS Proxy Servers ............................................................................... 24
Add a Connection Request Policy for offsite users ...................................................... 29
Add a Connection Request Policy for local users ......................................................... 34
Add a Connection Request Policy for eduroam visitors ............................................... 39
Reorder Connection Request Policies ......................................................................... 42
Create Network Policy ................................................................................................ 43
Reorder Network Policies ........................................................................................... 52
Start the NPS service ...................................................................................................53


Using this Guide


This guide describes the setup of Microsoft Network Policy Server (NPS) as an Organisational RADIUS Proxy Server (ORPS) for use with eduroam in the UK. Whilst it is the key component, the ORPS is just one element of your eduroam deployment and this guide must be read in conjunction with:
i) the Implementing eduroam Roadmap https://community.ja.net/library/janet-services-documentation/implementingeduroam-roadmap
and
ii) the eduroam(UK) Technical Specification https://community.ja.net/library/janet-services-documentation/eduroamuktechnical-specification
There are also additional technical reference documents and advisory notices published in the Janet Community Library web site with which the eduroam sys admin should familiarise himself or herself.
This guide does not cover support for additional non-eduroam VLANs and dynamic assignment of users to such VLANs, which you may wish to implement to support your local users connecting with their own devices, or to connect your local users to VLANs giving access to restricted resources. In addition, this guide does not cover attribute filtering, which is covered in https://community.ja.net/library/janet-services-documentation/radius-attribute-filtering-microsoftias-and-nps


Start Services
For NPS to authenticate users the Extensible Authentication Protocol (EAP) service must be running. To start this service, go
to Start -> Administrative Tools -> Services. Then double click on Extensible Authentication Protocol.

Change the Startup type to Automatic and then click Apply.

Then click Start to start the service followed by OK.


Server Certificate
To authenticate itself to clients (the PEAP TLS tunnel is established against this certificate, and supplicants should be configured to validate it) the NPS server must have a server certificate with the Server Authentication extended key usage and a private key held on the server. To generate a CSR on the NPS server, go to Start -> Run, type mmc and click OK.

In the mmc console click File -> Add/Remove Snap-in. Then from the list of Available snap-ins: choose Certificates and click Add >.


Choose Computer account and click Next.


Choose Local Computer: and then click Finish. Then click OK.


In the menu on the left, under Certificates (Local Computer), right click on Certificates under Personal. Then under All
Tasks -> Advanced Operations, click Create Custom Request.

Click Next on the Certificate Enrollment page and choose Proceed without enrollment policy under Custom Request.
Then click Next.


Choose PKCS #10 as the Request format and click Next.


On the Certificate Information page click the Details button and click Properties.

Enter a Friendly name: for the certificate e.g. nps certificate.


Click on the Subject tab then enter the following information in the Subject name: section:

Common name (the server name) e.g. radius.camford.ac.uk
Country GB
Email (a contact email address) e.g. it@camford.ac.uk
Locality (town / city) e.g. Camford
Organization (Institution Name) e.g. Camford University
State (County) e.g. Camfordshire


Click on the Extensions tab and then under Extended Key Usage (application policies) from the available options add
Server Authentication.


Click on the Private Key tab. Then under Key options choose a Key size: of 2048 and under Select Hash Algorithm
choose sha256 as the Hash Algorithm.


Then click OK and click Next. On the Request For Permission to Create a Key dialog, untick Require this password whenever using this key and click Create Key (NPS runs as a service and cannot answer a password prompt when it needs to use the key).


Browse to a location e.g. Desktop and save the Certificate Signing Request in Base 64 format. Click Finish.


Send the CSR file to your Certificate Authority for signing, e.g. the Janet Certificate Service. Once you receive your certificate from the Certificate Authority you will need to install it together with the issuing CA's root certificate and any intermediate certificates.

To do this, download your server certificate to your NPS server and go back to the MMC console. Under Certificates (Local Computer) -> Personal, right click on Certificates and under All Tasks click Import.

In the Certificate Import wizard click Next, then Browse to your server certificate file and click Next >.


Click Next and the certificate will be imported into the certificate store. Because the request was created on this server, the imported certificate is paired with the private key generated earlier; open the certificate and check that its General tab says "You have a private key that corresponds to this certificate".

Repeat this procedure for any root or intermediate certificates, importing the root certificate into Trusted Root Certification Authorities and intermediates into Intermediate Certification Authorities rather than Personal, so that NPS can build the full chain to present to clients.
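The same certificate steps done from PowerShell instead of the MMC wizard, as an added example that is not part of the eduroam(UK) guide. It uses certreq.exe with an INF request file and the PKI module's Import-Certificate, and finishes with the checks a practitioner should make before selecting the certificate in the PEAP settings. Assumptions: the server name is radius.camford.ac.uk, the subject values are the guide's examples, the CA returns nps.cer plus root.cer and intermediate.cer, and the files live under C:\nps-cert. Run it in an elevated PowerShell on the NPS server.

```powershell
# Added example (not from the eduroam(UK) guide): CSR generation, import and checks via certreq.
# Assumptions: host name radius.camford.ac.uk, guide's example subject values, files in C:\nps-cert.
$ServerName = 'radius.camford.ac.uk'   # must match the name supplicants are told to trust
$Dir = 'C:\nps-cert'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# certreq INF: 2048-bit RSA, SHA-256, Server Authentication EKU, key in the machine store,
# not exportable, no password protection (NPS is a service and cannot answer a prompt).
$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$ServerName, E=it@camford.ac.uk, L=Camford, S=Camfordshire, O=Camford University, C=GB"
FriendlyName = "nps certificate"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$ServerName&"
"@
$InfPath = Join-Path $Dir 'nps.inf'
$CsrPath = Join-Path $Dir 'nps.csr'
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Creates the key pair in LocalMachine\My and writes a Base-64 PKCS#10 request
certreq.exe -new $InfPath $CsrPath
Get-Content $CsrPath    # paste into the CA's request form (e.g. Janet Certificate Service)

# --- after the CA has issued the certificate ---
# Chain first: root into Trusted Root, intermediates into Intermediate CAs, never Personal
Import-Certificate -FilePath (Join-Path $Dir 'root.cer')         -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath (Join-Path $Dir 'intermediate.cer') -CertStoreLocation Cert:\LocalMachine\CA   | Out-Null
# Binds the issued certificate to the pending request's private key
certreq.exe -accept (Join-Path $Dir 'nps.cer')

# Checks before selecting this certificate under PEAP -> Certificate issued
$Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$ServerName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
[pscustomobject]@{
    Subject       = $Cert.Subject
    HasPrivateKey = $Cert.HasPrivateKey                                               # must be True
    ServerAuthEKU = $Cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' # must be True
    Signature     = $Cert.SignatureAlgorithm.FriendlyName                             # expect sha256RSA
    ChainVerifies = $Cert.Verify()                                                    # False => root/intermediate missing
    Expires       = $Cert.NotAfter
}
```

If ChainVerifies is False, the usual cause is an intermediate that was imported into Personal instead of Intermediate Certification Authorities; NPS will then present an incomplete chain and strict supplicants will refuse the PEAP tunnel.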


Add NRPS RADIUS Clients


To receive incoming RADIUS requests from the NRPS servers they must be added to the NPS server as RADIUS Clients. To do this, in Network Policy Server under RADIUS Clients and Servers, right click on RADIUS Clients and click New.

Then enter the following settings:

Friendly name roaming0
Address roaming0.ja.net
Shared secret (obtain from support.roaming.ja.net)


Repeat this procedure to add roaming1 and roaming2, giving each the friendly name matching its host label (roaming1, roaming2). The friendly names matter: the connection request policy added later identifies requests from the NRPS by matching the friendly name against roaming.*.


Add local Access Points / Wireless Infrastructure RADIUS Clients

To receive incoming RADIUS requests from the wireless infrastructure, access points / controllers must be added to the NPS server as RADIUS Clients. To do this, in Network Policy Server under RADIUS Clients and Servers, right click on RADIUS Clients and click New.

Then enter a Friendly name, Address, and Shared secret for your wireless device and click OK. Use a separate, strong shared secret for your wireless devices rather than reusing the NRPS secret, and give them friendly names that do not begin with roaming, because the connection request policy added later treats any client whose friendly name matches roaming.* as an NRPS.


Add NRPS RADIUS Proxy Servers


To be able to proxy visitor authentications to the NRPS, the NRPS must be added to the configuration as a Remote RADIUS Server Group. To do this, in Network Policy Server under RADIUS Clients and Servers, right click on Remote RADIUS Server Groups and click New.

For the Group name enter NRPS then click Add.

In Server enter roaming0.ja.net then click the Authentication/Accounting tab.


Enter the following settings:

Shared secret (obtained from support.roaming.ja.net)
Request must contain the message authenticator attribute: Ticked
Forward network access server start and stop notifications to this server: Unticked


Then click on the Load Balancing tab and enter the following settings:

Priority: a number between 1 and 3 (assign 1, 2 and 3 in a random order across the three NRPS, so that not every ORPS sends its traffic to the same national proxy first)
Weight: 33
Number of seconds without a response before request is considered dropped: 30


Click OK to add the server and then repeat the process for roaming1 and roaming2.
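The RADIUS client entries for the three NRPS (from Add NRPS RADIUS Clients) and the NRPS Remote RADIUS Server Group with the settings listed above, created from an elevated PowerShell with netsh nps, as an added example that is not part of the eduroam(UK) guide. The shared secret is read at run time so that it never sits in a script file or the shell history. requireauthattrib=yes on the client entries is my addition, not a setting the guide shows: it makes NPS drop any Access-Request from an NRPS address that lacks a valid Message-Authenticator, which EAP requests carry anyway (RFC 3579). The netsh parameter names are the documented ones for netsh nps add client and add remoteserver; netsh nps add remoteserver ? lists them if your server version differs.

```powershell
# Added example (not from the eduroam(UK) guide): NRPS as RADIUS clients and as a
# Remote RADIUS Server Group, using netsh nps. Run elevated on the NPS server.
$Nrps = 'roaming0.ja.net', 'roaming1.ja.net', 'roaming2.ja.net'

# Secret obtained from support.roaming.ja.net; prompted for, not stored in the script
$Secure = Read-Host -Prompt 'NRPS shared secret (from support.roaming.ja.net)' -AsSecureString
$Secret = (New-Object System.Net.NetworkCredential('', $Secure)).Password   # netsh needs plain text

# RADIUS clients. Friendly name = host label (roaming0, ...), which the
# "authenticate requests from NRPS locally" policy later matches with roaming.*
# requireauthattrib=yes (my addition): require Message-Authenticator on every request.
foreach ($Server in $Nrps) {
    $Name = $Server.Split('.')[0]
    netsh nps add client name="$Name" address="$Server" sharedsecret="$Secret" requireauthattrib="yes"
}

# Remote RADIUS Server Group used by the "proxy to eduroam" connection request policy
netsh nps add remoteservergroup name="NRPS"

# Priorities 1, 2, 3 in random order across the three NRPS; weight 33 each; 30 s timeout;
# Message-Authenticator required; NAS start/stop (accounting on/off) not forwarded.
$Priorities = 1..3 | Get-Random -Count 3
for ($i = 0; $i -lt $Nrps.Count; $i++) {
    netsh nps add remoteserver remoteservergroup="NRPS" address="$($Nrps[$i])" `
        authsharedsecret="$Secret" acctsharedsecret="$Secret" `
        requireauthattrib="yes" acctonoff="no" `
        priority="$($Priorities[$i])" weight="33" timeout="30"
}
Remove-Variable Secret, Secure   # do not leave the plain-text secret in the session

# Review what NPS now holds (shared secrets are not displayed)
netsh nps show client
netsh nps show config
```

Keep the client entries and the remote servers on the same secret only because eduroam(UK) issues one secret per ORPS; local access points get their own secrets, as the previous section says.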


Add a Connection Request Policy for offsite users

i.e. add a connection request policy for authentications incoming from the NRPS

Authentication requests coming from the NRPS servers are for your own users roaming at other sites and must always be handled by the ORPS, never proxied back to the NRPS (which would create a loop). Therefore a policy should be added to authenticate requests coming from the NRPS locally. To do this, in Network Policy Server under Policies, right click on Connection Request Policies and click New.

In Policy name enter authenticate requests from NRPS locally, then click Next.

On the Specify Conditions page click Add, then click on Client Friendly Name, then click Add.


In the Client Friendly Name box enter roaming.* then click OK. This pattern matches the friendly names roaming0, roaming1 and roaming2 given to the NRPS RADIUS clients earlier; it is the friendly name, not the address, that is matched, so those names must be exactly as configured.

Click Next, then for Authenticate tick Authenticate requests on this server and click Next.


Do not set an override just click Next.


Click Next on the Configure Settings screen.


Click Finish on the final screen.


Add a Connection Request Policy for local users

To authenticate local users a policy needs to be created. To do this, in Network Policy Server under Policies, right click on Connection Request Policies and click New.

In Policy name enter authenticate local users, and then click Next.

On the Specify Conditions page click Add, then click on User Name, then click Add.


In the User Name box enter @realm$ (where realm is your organisation's realm, e.g. camford.ac.uk, giving @camford.ac.uk$) then click OK. The trailing $ anchors the match to the end of the User-Name, so a realm such as camford.ac.uk.example.org is not treated as local; escaping the dots (@camford\.ac\.uk$) makes the match stricter still, since an unescaped . matches any single character.

Click Next, then for Authenticate tick Authenticate requests on this server and click Next.


Do not set an override just click Next.


Click Next on the Configure Settings screen.


Click Finish on the final screen.


Add a Connection Request Policy for eduroam visitors

To proxy visitor authentications to the NRPS a policy needs to be created. To do this, in Network Policy Server under Policies, right click on Connection Request Policies and click New.

In Policy name enter proxy to eduroam, then click Next.

On the Specify Conditions page click Add, then click on User Name, then click Add.


In the User Name box enter @{1}[-a-zA-Z0-9_]+(\.[-a-zA-Z0-9_]+)+$ then click OK. This matches any User-Name whose realm has at least two labels separated by a dot. Requests with no realm, or with a single-label realm, match none of the three policies in this guide and so, provided no catch-all policy sits below them, are rejected rather than forwarded to the NRPS.

Click Next, then for Authenticate tick Forward requests to the following RADIUS server group for authentication: and select NRPS from the dropdown list.


Click Next then click Finish.


Reorder Connection Request Policies

To ensure that requests are handled locally before anything is proxied to eduroam, reorder the list into the following order:
1. authenticate requests from NRPS locally
2. authenticate local users
3. proxy to eduroam

To do this right click on a policy and then click Move up or Move down until it is in the correct position in the list. The order matters because the proxy to eduroam condition also matches your own realm: if it came first, local users would be forwarded to the NRPS, which would route them straight back to this server. If the default policy created when NPS was installed (Use Windows authentication for all users) is still present, leave it below these three or disable it, so that it cannot catch requests these policies are meant to reject.
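A model of the three Connection Request Policies evaluated in the order above, as an added example that is not part of the eduroam(UK) guide. It simulates NPS's first-match evaluation over constructed sample requests so the effect of the ordering can be seen; it is not an NPS API. Assumptions: the local realm is camford.ac.uk, the NRPS clients are named roaming0 to roaming2, and the local-users pattern is written with the dots escaped, which is stricter than the guide's literal @realm$.

```powershell
# Added example (not from the eduroam(UK) guide): simulation of NPS connection request
# policy first-match evaluation for the three policies in this guide.
$LocalRealm = 'camford.ac.uk'   # assumption: the organisation's eduroam realm

# One entry per policy, in the order the guide specifies: the attribute NPS matches on,
# the pattern typed into the condition, and what the policy does with a match.
$Crps = @(
    [pscustomobject]@{ Name = 'authenticate requests from NRPS locally'; Attribute = 'ClientFriendlyName'
                       Pattern = 'roaming.*'; Action = 'Authenticate locally' }
    [pscustomobject]@{ Name = 'authenticate local users'; Attribute = 'UserName'
                       Pattern = '@' + [regex]::Escape($LocalRealm) + '$'; Action = 'Authenticate locally' }
    [pscustomobject]@{ Name = 'proxy to eduroam'; Attribute = 'UserName'
                       Pattern = '@{1}[-a-zA-Z0-9_]+(\.[-a-zA-Z0-9_]+)+$'; Action = 'Forward to NRPS group' }
)

function Resolve-ConnectionRequestPolicy {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$ClientFriendlyName,
        [object[]]$Policies = $Crps
    )
    foreach ($Crp in $Policies) {
        $Value = if ($Crp.Attribute -eq 'UserName') { $UserName } else { $ClientFriendlyName }
        if ($Value -match $Crp.Pattern) {
            return [pscustomobject]@{ UserName = $UserName; Client = $ClientFriendlyName
                                      Policy = $Crp.Name; Action = $Crp.Action }
        }
    }
    # No policy matched: NPS rejects the request (assuming no catch-all policy below these)
    [pscustomobject]@{ UserName = $UserName; Client = $ClientFriendlyName
                       Policy = '(none)'; Action = 'Reject' }
}

# Constructed sample requests: User-Name and the friendly name of the RADIUS client
$Requests = @(
    @('alice@camford.ac.uk',                'ap-library-01'),  # local user on campus
    @('alice@camford.ac.uk',                'roaming1'),       # local user abroad, arriving via NRPS
    @('anonymous@camford.ac.uk',            'roaming2'),       # anonymous outer identity, same path
    @('bob@otheruni.ac.uk',                 'ap-library-01'),  # visitor: proxied to eduroam
    @('carol',                              'ap-library-01'),  # no realm: rejected, not proxied
    @('dave@localhost',                     'ap-library-01'),  # single-label realm: rejected
    @('eve@camford.ac.uk.attacker.example', 'ap-library-01')   # not local, thanks to the $ anchor
)
$Requests |
    ForEach-Object { Resolve-ConnectionRequestPolicy -UserName $_[0] -ClientFriendlyName $_[1] } |
    Format-Table -AutoSize

# What the wrong order does: with "proxy to eduroam" first, a local user is forwarded to
# the NRPS, which routes the realm straight back to this ORPS.
Resolve-ConnectionRequestPolicy -UserName 'alice@camford.ac.uk' -ClientFriendlyName 'ap-library-01' `
    -Policies ($Crps[2], $Crps[0], $Crps[1])
```

The first table shows alice matched by policy 2 from a local access point but by policy 1 when she arrives via roaming1, bob forwarded, carol and dave rejected, and eve forwarded rather than treated as local. The final call returns Forward to NRPS group for a local user, which is the loop the ordering prevents.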


Create Network Policy


To authenticate users on the server a Network Policy needs to be created. To do this, in Network Policy Server under
Policies, right click on Network Policies and click New.

In the Policy name: box enter local authentication and then click Next.


In the Specify Conditions window click Add then from the list choose Authentication Type and click Add.

From the Authentication Method list choose EAP and PEAP then click OK.


Click Next, then tick Access granted on the Specify Access Permission page, then click Next again.

On the Configure Authentication Methods page click Add..., choose Microsoft: Protected EAP (PEAP) from the list and click OK.


In the list of EAP Types: select PEAP and click Edit. Then select the server certificate installed earlier in the Certificate issued list and ensure Secured password (EAP-MSCHAP v2) is in the list of EAP Types. Then click OK.


On the Configure Authentication Methods page untick all of the Less secure authentication methods: (the MS-CHAP, CHAP, PAP and unauthenticated options), so that the only method this policy accepts is PEAP, in which the password exchange is protected by the TLS tunnel to the server certificate. Then click Next.


On the Configure Constraints page click Next. Then on the Configure Settings page, under RADIUS Attributes
Standard remove Framed-Protocol PPP and Service-Type Framed from the list.


Under Routing and Remote Access Encryption untick No encryption. Then click Next.

Then click Finish on the Completing New Network Policy page.


Next change the policy to ignore the dial-in properties held on user accounts in Active Directory, so that access is decided by this network policy rather than by each account's Network Access Permission setting. To do this double click on the local authentication policy.

Then, in the Access Permission area, tick Ignore user account dial-in properties and click OK.


Reorder Network Policies


To ensure that local authentication is processed first, reorder the list so that local authentication is first. To do this right click
on a policy and then click Move up or Move down until it is in the correct position in the list.


Start the NPS service

Finally ensure the NPS service is running. To do this right click on NPS (Local) and click Start (if the service isn't already running). If this server has not yet been registered in Active Directory, do so from the same menu (Register server in Active Directory): registration adds the server to the RAS and IAS Servers group, without which NPS cannot validate domain user credentials or read account dial-in properties.
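The service steps from Start Services and Start the NPS service as a script, followed by the checks worth running before the first test login, as an added example that is not part of the eduroam(UK) guide. Service names are EapHost (Extensible Authentication Protocol) and IAS (Network Policy Server); the Active Directory registration check and the UDP port check are my additions. Run in an elevated PowerShell on the NPS server.

```powershell
# Added example (not from the eduroam(UK) guide): start the EAP and NPS services and
# run the pre-flight checks. EapHost = Extensible Authentication Protocol, IAS = NPS.
foreach ($Svc in 'EapHost', 'IAS') {
    Set-Service -Name $Svc -StartupType Automatic
    if ((Get-Service -Name $Svc).Status -ne 'Running') { Start-Service -Name $Svc }
}
# Both should show State=Running and StartMode=Auto
Get-CimInstance Win32_Service -Filter "Name='EapHost' OR Name='IAS'" |
    Select-Object Name, DisplayName, State, StartMode

# NPS must be registered in Active Directory (RAS and IAS Servers group) to validate
# domain credentials; the GUI equivalent is NPS (Local) -> Register server in Active Directory
netsh nps show registeredserver

# RADIUS authentication (1812) and accounting (1813) should now be listening on UDP
Get-NetUDPEndpoint -LocalPort 1812, 1813 | Select-Object LocalAddress, LocalPort

# Policy order as NPS will evaluate it: compare with the two Reorder sections
netsh nps show crp
netsh nps show np
```

If Get-NetUDPEndpoint returns nothing for 1812 the IAS service is not running or has failed to start; check the System event log for the NPS source before testing from a client.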
