802.1X authentication using NPS policies - vSZ/SmartZone

Ambika-leimapok
Moderator

Network Environment:  

  • vSZ-H version : 6.1.2.0.404
  • Windows Server 2016

Setup Procedure:

This demo explains the configuration steps to authenticate wireless clients with 802.1X on SZ/vSZ by configuring an NPS policy on a Windows server.

1-Make sure the features below are installed.

2-Navigate to the Network Policy Server tab, access NPS (Local), and choose the 'RADIUS server for 802.1X' option for both wireless and wired connections. Finally, select 'Configure 802.1X'.

3-In this step, select 'Secure wireless connections' and customize the policy name to your preference. In this case, append 'DEMO' at the end of the policy name.

4-In this step, you need to configure the RADIUS client by providing a friendly name, entering the IP address of the vSZ, and setting a password (the shared secret), either entered manually or created with a password generation tool. Remember to record this configuration, including the shared secret, as it will be used in Step 9.

5-In this step, choose 'Microsoft: Protected EAP (PEAP)' as the network access method.

6- Next, leave the remaining options at their default settings, and conclude the configuration by clicking on the 'Finish' button.

7-Configure the “Connection Request Policies”

To configure the connection request policy, navigate to the 'Policies' section. Then, open the 'Connection Request Policies' folder and locate the policy that was created with the same name. Double-click on it to access its properties. In the 'Properties' window, navigate to the 'Conditions' tab. Remove the 'Current' condition and any others if present. Add the 'Time' condition and select 'Permit all time'. Finally, click 'Apply' and then 'OK' to save the changes.

8-Configure Network policies

To configure the network policies, open the “Network Policies” folder and locate the policy that was created with the same name. Double-click on it to access its properties. In the 'Properties' window, for this example, I chose to ignore the user dial-in properties and proceed to the 'Conditions' section. Here, I add the 'User Groups' option to use the Active Directory users.

In this part, you have the option to either use an existing group and its users or create a new group along with its users.

Optional step

How to create a group and users

Navigate to Active Directory Users and Computers, then left-click on it. Next, select 'New', followed by 'Group', and proceed to fill in the required information.

How to create a user

Navigate to Active Directory Users and Computers, then left-click on it. Next, select 'New', followed by 'User', and proceed to fill in the required information (username and password).

In this case, we need to edit the 'Member of' properties of this user. Since I want this user to belong to the earlier created 'DEMO' group, we navigate to the user's properties, specifically the 'Member of' section. Subsequently, we add the group and configure it as the primary group.

Continuing with the network policy configuration, we select the desired group and proceed to the 'Constraints' tab. Here, we add CHAP as the authentication method.

9-SmartZone/Virtual SmartZone configuration

In the SZ/vSZ configuration, navigate to “Security” -> Authentication -> Proxy (SZ Authenticator) / Non-Proxy (AP Authenticator). I am using 'Proxy (SZ Authenticator)' in my example.

NOTE: Proxy (SZ Authenticator) is used when APs send authentication or accounting messages to the controller and the controller forwards these messages to an external AAA server. A Non-Proxy (AP Authenticator) AAA server is used when APs connect to the external AAA server directly.

Click on the “+Create” button.

Enter the NPS server details and make sure that you enter the same shared secret that you entered on the NPS server.

10- WLAN Creation

Navigate to “Network -> Wireless LANs”, select the desired zone, and click on the “Create” tab. Fill in the necessary information accordingly.

In my demo, I used High Scale, hence the Realm Proxy profile must be created so that it shows in the drop-down under the Authentication Service.

How can the Realm Proxy profile be created? Please check the details below.

Click on the first realm -> “Configure” -> under “Service”, make sure you select the right NPS server.

11-Wireless Client

After creating the wireless network, it's important to check the connectivity. Connect to the network and when prompted, enter the credentials of the created DEMO-USER along with the corresponding password. If the credentials match, you should be able to connect to the network without any issues.

Regards,

Leimapokpam Ambika

Sr.Technical Support Engineer
CWNA | RASZA | RACPA
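
Steps 4 and 9 above, scripted on the NPS side as an added example (not part of the original post): it generates a random shared secret and registers the vSZ as a RADIUS client with the NPS module's `New-NpsRadiusClient`. The friendly name `vSZ-DEMO` and the address `192.0.2.10` are placeholders, not values from the post.

```powershell
# Added example: create the RADIUS client from step 4 with a generated shared secret.
# Run in an elevated PowerShell session on the NPS server.
Import-Module NPS

function New-RadiusSharedSecret {
    param([ValidateRange(22, 128)][int]$Length = 32)
    # 64-character alphabet: 256 is a multiple of 64, so (byte % 64) is unbiased.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$clientName    = 'vSZ-DEMO'     # placeholder friendly name
$clientAddress = '192.0.2.10'   # placeholder for the vSZ IP address

# With Proxy (SZ Authenticator) the controller is the only RADIUS client.
# With Non-Proxy (AP Authenticator) the APs talk to NPS directly, so they
# would have to be registered as clients instead.
$existing = Get-NpsRadiusClient |
    Where-Object { $_.Name -eq $clientName -or $_.Address -eq $clientAddress }
if ($existing) {
    throw "A RADIUS client named '$clientName' or using $clientAddress already exists."
}

$secret = New-RadiusSharedSecret -Length 32
New-NpsRadiusClient -Name $clientName -Address $clientAddress -SharedSecret $secret |
    Out-Null

# Show the secret once so it can be entered in the SZ/vSZ AAA server entry (step 9).
# Keep it in a password manager rather than in a script or a ticket.
Write-Host "RADIUS client '$clientName' ($clientAddress) created."
Write-Host "Shared secret for step 9: $secret"
```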
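
A server-side check for step 11, added here and not part of the original post: it lists recent NPS grant and deny events (Security log event IDs 6272 and 6273) so you can confirm which RADIUS client, policy and authentication type handled the test user's attempt. The 30-minute look-back window is an assumption.

```powershell
# Added example: review recent NPS decisions after the test connection in step 11.
# Run in an elevated session on the NPS server. Events are written only if auditing
# of the "Network Policy Server" subcategory is enabled; check with:
#   auditpol /get /subcategory:"Network Policy Server"
$since = (Get-Date).AddMinutes(-30)   # assumed look-back window

$filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No NPS grant/deny events since $since. Check auditing and that the request reached this server."
    return
}

$report = foreach ($e in $events) {
    # Flatten the named <Data> fields of the event into a lookup table.
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Result   = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
        User     = $fields['SubjectUserName']
        Client   = $fields['ClientName']          # RADIUS client friendly name (step 4)
        ClientIP = $fields['ClientIPAddress']     # should be the vSZ in proxy mode
        Policy   = $fields['NetworkPolicyName']   # network policy that matched (step 8)
        AuthType = $fields['AuthenticationType']
        EapType  = $fields['EAPType']
        Reason   = $fields['Reason']              # populated on denials
    }
}

$report | Sort-Object Time | Format-Table -AutoSize -Wrap

# Denials grouped by user and reason, to spot a wrong shared secret or group mismatch.
$report | Where-Object Result -eq 'Denied' |
    Group-Object User, Reason |
    Select-Object Count, Name
```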