Wireless 802.1x for Machine Auth only using NPS

Today I had to setup wireless access for a group of PCs that were to be used in a training room where wired access was limited. The problem was that the site only had 802.1x wireless access available based upon AD user account which wouldn’t do the job here as though the people using the training PC’s would have AD accounts they wouldn’t be able to log in to the PC’s as the wireless wouldn’t kick in until after they had authenticated. To solve this problem I implemented an alternate login method for the existing wireless network that used the AD computer account to authenticate using Protected EAP-MSCHAPv2. This way the PCs connected to the wireless network before anyone logged in. It took a while to get the settings right so I figured it was worth posting.

There are plenty of posts about setting up 802.1x wireless access in an AD environment so I am not going to go into any details about that here.

There are 3 main components:

  • An AD Group containing the Computer Accounts of the PC’s in question.
  • A Group Policy to apply the relevant settings to the PC’s.
  • A Network Policy on the NPS server used to authenticate wireless access.

NOTE: After the components were in place, the PCs did need to be connected once via a wired connection to obtain the relevant settings, they would then operate wirelessly.

 

The AD Group is pretty self explanatory, just populate it with the relevant Computer Accounts.

 

The Group Policy should be linked to a relevant OU and configured to use Security Filtering to only apply to the above AD Group. Settings are as follows:

Computer Configuration – Policies – Windows Settings – Security Settings – Wireless Network (IEEE 802.11) Policies

Right click and create a new policy for Windows Vista and Later Releases

 

Enter a suitable Policy Name and Description

Click Add at the bottom

Enter a Profile Name and add the SSID of the wireless network you are connecting to. I generally make the Profile Name the same as the SSID as it is what appears as the network name on the client PC’s

Tick the box labelled “Connect automatically when this network is in range” and if the SSID is hidden (which is generally seen as a bad idea these days, refer here) tick the box labelled “Connect even if the network is not broadcasting”

Go to the Security tab at the top

Set Authentication to “WPA2-Enterprise”

Set Encryption to “AES-CCMP”

Set the network authentication method to “Microsoft: Protected EAP (PEAP)

Set the Authentication Mode to “Computer authentication”

Click the Properties button

Tick the boxes for “Verify the servers identity by validating the certificate” and “Connect to these servers” and then add in the FQDN of each of your NPS servers separated by semi colons.

In the Trusted Root Certification Authorities box, tick your CA (This should already be listed in a working NPS environment)

Change Notification before connecting to “Don’t ask user to authorize new servers or trusted CAs”

Set the Authentication Method to “Secured password (EAP-MSCHAP v2)

Tick the box labelled “Enable Fast Reconnect”

Click Configure

Remove the tick from the box labelled “Automatically use my Windows logon name and password”

OK

OK

OK

Go to the Network Permissions tab

My goal here was to tighten up security as much as possible and prevent fiddling, these settings may not be suitable for your environment.

Tick the box for “Prevent connections to ad-hoc networks”

Remove the tick for “Prevent connections to infrastructure networks”

Tick the box for “Allow user to view denied networks”

Remove the tick for “Allow everyone to create all user profiles”

Tick the box for “Only use Group Policy profiles for allowed networks”

Tick the box for “Dont allow hosted networks”

Tick the box for “Dont allow shared user credentials for network authentication”

Remove the tick for “Enable block period”

Tick the box for “Dont allow Wi-Fi Direct groups”

OK

 

Now we are ready for the NPS network policy.

On the NPS server, right click Policies – Network Policy and select New

Enter a suitable name and leave the Type of network access server as Unspecified.

Next

Add the following conditions:

Windows Group – The name of the AD Group created earlier containing the Computer Accounts

NAS Port Type – Wireless – IEEE802.11

Next

Select “Access Granted”

Next

Clear the tick boxes from the “Less secure authentication methods” section

Click Add

Select “Microsoft: Protected EAP (PEAP)”

OK

Select “Microsoft: Protected EAP (PEAP)” and click Edit

Select the relevant server certificate (This should already be listed in a working NPS environment)

Tick the box for “Enable Fast Reconnect”

Click Add

Select “Secured password (EAP-MSCHAP v2)

OK

OK

Next

Next

Select NAP Enforcement in the left pane and remove the tick from “Enable auto-remediation of client computers”

Next

Finish

Make sure the new Policy has a suitable Processing order set, in my case I had it at number 1

 

Job done!

Leave a Reply

Your email address will not be published. Required fields are marked *