Windows 2008 R2 RADIUS Server Configuration (Part 2)


So, last week I posted a YouTube video on how to set up and test a RADIUS server. Now I will show you how to set up a RADIUS server to authenticate Wi-Fi users. In my scenario, only Domain users on registered machines are allowed to connect to the office's Wi-Fi, which means that mobile phones will not be able to connect to the internal network.

In order to do this, I first created a RADIUS server and a certificate, which is installed on all of the registered machines. I used the following YouTube video to help me do this. Note: if you have already set up DHCP and so on, you can fast forward to 10:52, where he shows you how to create the Domain group and the certificate and how to set up the RADIUS server.

Now, in order to allow only certain machines to connect to the WIFI, I added a few conditions to the network policy:

  • Called-ID: SSID$ [SSID is the name of the SSID that you want the policy to apply to. For example, if you have an SSID named RDS, you put RDS$ in the Called-ID field]
  • Calling-ID: ^MAC-Address-1$|^MAC-Address-2$|… [this is where you put the MAC addresses of all the registered machines. Remember to use '-' instead of the default ':' between each pair of characters. When entering multiple MAC addresses, put ^ at the start and $ at the end of each address and separate the addresses with |, as in the example above. Note: there is a 256 character limit.]


Next, I need to register the MAC addresses to the individual user. We can assume that each employee is only assigned to one laptop.

  1. Go to Active Directory Users and Computers
  2. Navigate to the user > right click and click Properties
  3. Go to the “Dial-In” tab > select “Control access through NPS Network Policy” > check the “Verify Caller-ID:” option > enter the MAC address of the machine assigned to the employee (remember to use '-' instead of ':' and all uppercase letters)
  4. Click Apply


What if the MAC Addresses exceed the 256 character limit? What if one employee uses multiple machines? No need to worry, there are ways around these problems!

Problem: You have more MAC addresses than fit within the 256 character limit.
Solution: Export the NPS configuration as an .xml file, edit the file using Notepad, Notepad++, or any text/XML editor, and copy all of the MAC addresses (using the same format as above) into the “Calling-Station-Id” section of the file. Once you have done so, save the file and import it back into your NPS.
Tip: To import/export the configuration file, open the NPS console on the server, select NPS, then go to Action on the top bar and click Import/Export Configuration.
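The pattern format from the policy conditions above and the 256 character limit behind this first problem are easy to get wrong by hand, so here is an added Python example (not from the original post) that normalizes MAC addresses into the uppercase hyphen form, builds the ^MAC$|^MAC$ alternation, reports whether it still fits the condition field and how many addresses the field can hold, and emulates the two policy conditions against a few constructed requests. The sample MAC addresses, the SSID RDS, and the Called-Station-Id layout (AP MAC followed by the SSID) are assumptions made for the example.

```python
import re

# Character limit of the NPS condition field, as stated in the post.
CONDITION_FIELD_LIMIT = 256


def normalize_mac(mac: str) -> str:
    """Rewrite a MAC address into the form used in the Calling-Station-Id
    condition and in the per-user "Verify Caller-ID" box: uppercase hex with
    '-' between each pair (AA-BB-CC-DD-EE-FF). Accepts colon, hyphen, dotted
    and bare notations."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_calling_station_pattern(macs) -> str:
    """Build the condition value ^MAC-1$|^MAC-2$|... (one anchored term per
    machine, joined with '|'); a single machine gives plain ^MAC$."""
    return "|".join(f"^{normalize_mac(m)}$" for m in macs)


def fits_condition_field(pattern: str) -> bool:
    """True if the pattern can be typed into the NPS condition field."""
    return len(pattern) <= CONDITION_FIELD_LIMIT


def max_macs_in_field() -> int:
    """Each term is 19 characters (^ + 17-character MAC + $) and terms are
    separated by '|', so n terms need 20*n - 1 characters. Returns the
    largest n that still fits; beyond it the XML export route is needed."""
    n = 0
    while 20 * (n + 1) - 1 <= CONDITION_FIELD_LIMIT:
        n += 1
    return n


def policy_matches(called_station_id: str, calling_station_id: str,
                   ssid: str, calling_pattern: str) -> bool:
    """Emulate the two policy conditions: Called-Station-Id must end with the
    SSID (the 'SSID$' condition) and Calling-Station-Id must match the
    registered-MAC pattern. Both are evaluated as regular expressions, as NPS
    does; the AP is assumed to report the client MAC in the same uppercase
    hyphen form that the pattern uses."""
    called_ok = re.search(re.escape(ssid) + "$", called_station_id) is not None
    calling_ok = re.search(calling_pattern, calling_station_id) is not None
    return called_ok and calling_ok


# Constructed sample data (not from the post): three registered laptops.
REGISTERED_MACS = ["00:11:22:33:44:55", "66-77-88-99-aa-bb", "ccdd.eeff.0011"]
OFFICE_SSID = "RDS"

# Constructed RADIUS attribute pairs as an AP might send them:
# (Called-Station-Id = AP MAC followed by SSID, Calling-Station-Id = client MAC).
SAMPLE_REQUESTS = [
    ("00-1A-2B-3C-4D-5E:RDS", "00-11-22-33-44-55"),    # registered laptop on RDS
    ("00-1A-2B-3C-4D-5E:RDS", "F0-F1-F2-F3-F4-F5"),    # unregistered phone on RDS
    ("00-1A-2B-3C-4D-5E:Guest", "00-11-22-33-44-55"),  # registered laptop, wrong SSID
]


def evaluate_samples():
    """Return the policy decision (True = allow) for each constructed request."""
    pattern = build_calling_station_pattern(REGISTERED_MACS)
    return [policy_matches(called, calling, OFFICE_SSID, pattern)
            for called, calling in SAMPLE_REQUESTS]


if __name__ == "__main__":
    pattern = build_calling_station_pattern(REGISTERED_MACS)
    print("Calling-Station-Id:", pattern)
    print("fits in field:", fits_condition_field(pattern),
          "| max MACs per field:", max_macs_in_field())
    for (called, calling), ok in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(f"{called:26} {calling}  ->  {'allow' if ok else 'deny'}")
```

Running it shows the generated pattern, that 12 addresses is the most the 256 character field can hold (the 13th pushes it to 259 characters), and that only the registered laptop on the RDS SSID is allowed; the phone and the laptop on the wrong SSID are denied, which is exactly the behaviour the two conditions are meant to produce.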

Problem: An employee is assigned to multiple machines.
Solution: Go to ADSI Edit, navigate to the user, right click and click Properties, then enter all of the MAC addresses assigned to the user in the “msNPCallingStationID” and “msNPSavedCallingStationID” fields. Remember to use '-' between each pair of characters.

And voila! Now you have a RADIUS server that authenticates both a Domain user and his/her machine! In the next post, I will show you a quick tutorial on how to integrate the RADIUS server with the AP.
