
How to Use Microsoft NPS for Wireless Authentication with a Ruckus ZoneDirector
I've already discussed using a FreeRADIUS server for wireless authentication, so now I'm going
to address using Microsoft NPS, Microsoft's implementation of RADIUS. The main reason to do
this would be Active Directory integration, but other organizations may have other reasons. NPS
is bundled with all versions of Windows Server starting with Server 2008. Prior to 2008,
Windows Server used IAS, which may or may not conform to these directions.
The company I work for sells IT support for commercial customers in addition to the Internet
services we sell. One of our customers wanted wireless services for its branch offices with three
distinct requirements:
  Corporate-owned laptops should be able to access corporate data
  Employees should be able to connect their own devices to the Internet, but not to access corporate data
  Guests should be able to connect to the Internet, but with limited speeds, limited available ports, and must be forced to agree to an acceptable use policy
I'm going to address solutions to the first two requirements here, and the third will be the subject
of a future post.
To meet the first requirement, we decided to use an SSID that connected to the existing data VLAN
for the office. This would allow traffic through the ASA to corporate data. The first security
measure we considered was MAC address filtering. The problem with MAC address filtering is
that it is easily spoofed. Also, it would take too long to roll out, as we would have to develop a
mechanism for self-registration to avoid having to maintain a list of MAC addresses.
Instead, we decided to add the laptops' computer accounts in Active Directory to a group and
authenticate against that group using WPA2 Enterprise and NPS. This would remove the need for MAC
address filtering, prevent access from corporate-owned laptops that have been reinstalled by
someone other than IT (a rebuilt machine no longer holds the domain computer account that is in the group),
and would mean that a list of allowed devices would be more or less automatically maintained.
The second requirement had a similar solution: WPA2 Enterprise authenticating against the
Domain Users group in NPS. This SSID would connect to a guest VLAN allowing access to the
Internet and no other resources.
This is how we configured our Ruckus ZoneDirector to meet these requirements.
Note: We were not able to get this to work while also using NPS to authenticate for admin logins
on the web interface. To get around this, we used a second NPS server for wireless
authentication.
Configure NPS to Allow Wireless Access
Since the ZoneDirector does all of the communication with the NPS server, it is the only device
that needs to be added as a RADIUS client in NPS. To do this, RDP into the NPS server.
Start -> All Programs -> Administrative Tools -> Network Policy Server
  o Expand RADIUS Clients and Servers
  o Right-click RADIUS clients
  o New RADIUS Client
      Enable this RADIUS client = checked
      Friendly name = ZoneDirector
      Address = 69.176.152.227
      Vendor name = RADIUS Standard
      Click the radio button next to Manual
      Shared secret = <secret>
      OK
While still in NPS, create the Connection Request Policies. First, a policy for the ZoneDirector
itself:
Expand Policies
Right-click Connection Request Policies
New
  o Overview
      Policy name = CR-ZoneDirector
      Policy enabled = checked
      Type of network access server = Unspecified
  o Conditions
      Add
      NAS Port Type
      Wireless IEEE 802.11
      Add
      Client Friendly Name = Zone*
  o OK
Next, a policy for the Corporate SSID.
Expand Policies
Right-click Connection Request Policies
New
  o Overview
      Policy name = CR-Corp
      Policy enabled = checked
      Type of network access server = Unspecified
  o Conditions
      Add
      NAS Port Type
      Wireless IEEE 802.11
  o OK
Finally, a policy for the BYOD SSID.
Expand Policies
Right-click Connection Request Policies
New
  o Policy name = CR-BYOD
  o Policy enabled = checked
  o Type of network access server = Unspecified
  o Conditions
      Add
      NAS Port Type
      Wireless IEEE 802.11
  o OK
Now, the Network Policies need to be created. This is the most involved and probably the most
confusing part, as it requires vendor-specific options. Still in NPS, create the Corporate SSID
Network Policy:
Expand Policies
Right-click Network Policies
New
Overview
  o Policy name = NP-Corp
  o Policy enabled = checked
  o Access Permission = Grant access, Ignore user account dial-in properties.
  o Type of network access server = Unspecified
Conditions
  o Add
  o Machine Groups
  o Add Groups
  o Domain Computers
  o Add
  o NAS Port Type
  o Wireless IEEE 802.11 OR Wireless Other
  o OK
Settings
  o Standard
      Add
      Framed-Protocol
      Commonly used for Dial-up or VPN = PPP
      OK
      Add
      Service-Type
      Commonly used for Dial-Up or VPN = Framed
      OK
  o Vendor Specific
      Add
      Enter Vendor Code = 25053
      Yes. It conforms.
      Configure Attribute
        Vendor-assigned attribute number = 1
        Attribute format = String
        Attribute value = Corp
        OK
      OK
  o OK
Next, create the Network Policy for the BYOD SSID:
Expand Policies
Right-click Network Policies
New
Overview
  o Policy name = NP-BYOD
  o Policy enabled = checked
  o Access Permission = Grant access, Ignore user account dial-in properties.
  o Type of network access server = Unspecified
Conditions
  o Add
  o User Groups
  o Add Groups
  o Domain Users
  o Add
  o NAS Port Type
  o Wireless IEEE 802.11 OR Wireless Other
  o OK
Settings
  o Standard
      Add
      Framed-Protocol
      Commonly used for Dial-up or VPN = PPP
      OK
      Add
      Service-Type
      Commonly used for Dial-Up or VPN = Framed
      OK
  o Vendor Specific
      Add
      Enter Vendor Code = 25053
      Yes. It conforms.
      Configure Attribute
        Vendor-assigned attribute number = 1
        Attribute format = String
        Attribute value = BYOD
        OK
      OK
  o OK
NOTE: I use Domain Computers and Domain Users as the Active Directory groups to
authenticate against as examples, but in the real world, I was more granular in which users and
devices I allowed through.
Configure ZoneDirector
Now that NPS is all set up, it's time to get the ZoneDirector ready to use the new policies. First,
the NPS server needs to be added as a RADIUS server:
Configure -> AAA Servers
  o Create New
      Name = NPS.radius
      Type = RADIUS
      Auth Method = PAP
      IP Address = <NPS IP address>
      Port = 1812
      Shared Secret = <secret>
      OK
  o Create New
      Name = NPS.radiusacct
      Type = RADIUS Accounting
      IP Address = <NPS IP address>
      Port = 1813
      Shared Secret = <secret>
      OK
Test the server using the form at the bottom of the page. A success message should show up and
assign the user the role of Default. This is normal. We still need to configure roles to use the
Corp or BYOD tags that the Network Policy hands back with the Access-Accept:
Configure -> Roles
  o Create New
      Name = Corp
      Description = AD Machine authentication for Corp
      Group Attributes = Corp
      Allow All WLANs = Specify WLAN access
      WLANs = <name of corporate WLAN>
      OK
Configure -> Roles
  o Create New
      Name = BYOD
      Description = AD User authentication for BYOD access
      Group Attributes = BYOD
      Allow All WLANs = Specify WLAN access
      WLANs = <name of BYOD WLAN>
      OK
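As an added illustration (not code from the original post, nor from Ruckus or Microsoft), the Python below shows how the vendor-specific attribute configured in the Network Policies above (vendor code 25053, attribute number 1, string value Corp or BYOD) is laid out in the Access-Accept alongside the Framed-Protocol and Service-Type attributes, and how the role's Group Attributes match on the ZoneDirector side turns that string into a role or falls back to Default. The ROLES table and the sample attribute blob are constructed for this example.

```python
import struct

RUCKUS_VENDOR_ID = 25053      # the "Enter Vendor Code" value in the NPS policy
RUCKUS_USER_GROUPS = 1        # "Vendor-assigned attribute number" = 1 (string)
VENDOR_SPECIFIC = 26          # RADIUS attribute type used for every VSA (RFC 2865)
SERVICE_TYPE, FRAMED_PROTOCOL = 6, 7   # the two standard attributes the policy adds

def encode_ruckus_group(group):
    """Build the Vendor-Specific attribute NPS sends: vendor 25053, sub-type 1, string."""
    value = group.encode("ascii")
    sub = struct.pack("!BB", RUCKUS_USER_GROUPS, 2 + len(value)) + value
    body = struct.pack("!I", RUCKUS_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def constructed_access_accept(group):
    """Constructed sample Access-Accept attribute blob (not a real capture):
    Service-Type=Framed(2), Framed-Protocol=PPP(1), then the Ruckus VSA."""
    return (struct.pack("!BBI", SERVICE_TYPE, 6, 2)
            + struct.pack("!BBI", FRAMED_PROTOCOL, 6, 1)
            + encode_ruckus_group(group))

def decode_ruckus_groups(attrs):
    """Walk a RADIUS attribute blob and collect every Ruckus group string in it."""
    groups, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")     # never loop on a zero length
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j, end = i + 6, i + alen
            while vendor == RUCKUS_VENDOR_ID and j + 2 <= end:   # other vendors: skip
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > end:
                    raise ValueError("malformed sub-attribute")
                if vtype == RUCKUS_USER_GROUPS:
                    groups.append(attrs[j + 2:j + vlen].decode("ascii"))
                j += vlen
        i += alen
    return groups

# Role name -> the "Group Attributes" value configured on that ZoneDirector role
ROLES = {"Corp": "Corp", "BYOD": "BYOD"}

def role_for_accept(attrs):
    """Mimic the ZoneDirector: the first group that matches a role wins, else Default."""
    for group in decode_ruckus_groups(attrs):
        if group in ROLES:
            return ROLES[group]
    return "Default"
```

A user whose Access-Accept carries a group string with no matching role lands in Default, which is exactly what the AAA server test form shows before the roles are created.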
Once again, try a user on the test form on the AAA server. Assuming the user is a member of
Domain Users (or whatever group was used for the BYOD Network Policy), it should now be
assigned a role of BYOD. Now on to configuring the WLANs:
Configure -> WLANs
  o Create New
      Name = Corporate Devices (Call this whatever you want)
      Type = Standard Usage
      Authentication Method = 802.1x/EAP
      Encryption Method = WPA2
      Encryption Algorithm = AES
      Authentication Server = NPS.radius
      Advanced Options
        Accounting Server = NPS.radiusacct
  o Create New
      Name = Employee Devices (Again, call this whatever you want)
      Type = Standard Usage
      Authentication Method = 802.1x/EAP
      Encryption Method = WPA2
      Encryption Algorithm = AES
      Authentication Server = NPS.radius
      Advanced Options
        Accounting Server = NPS.radiusacct
        Attach VLAN tag = <BYOD VLAN ID> (make sure the box next to attach is checked)
NOTE: All other WLAN settings can be set according to your desires and/or business needs.
That's it. Just make sure routing is set up for the BYOD VLAN, and you should be in business.
