IT, Microsoft, Server, Windows Server

Installing Windows Server Update Services on Windows Server 2008 R2

Hi!

Along with its many other features, Windows Server provides a very useful one: Windows Server Update Services (WSUS), which allows system administrators to manage and deploy product updates to any Windows machine in the organization.

There is a great YouTube video that shows how to install and configure WSUS on your Windows Server:

There is another great YouTube video to watch if you are trying to install WSUS on Windows Server 2012 R2:

It is not recommended to install WSUS on your domain controller. Also, if you are going to install it on a virtual machine, ensure that there is enough disk space. Take it from me, I installed WSUS on our SpiceWorks server and it is running really slow.

The videos above pretty much cover how to install and configure WSUS on a Windows Server, so I am going to give a quick step-by-step of the Group Policy I created so that WSUS detects all the machines in the organization and each machine starts pulling updates from it.

Scenario:

MASRV: Domain Controller

ASSET: WSUS Server

MALTP50: Client

Tutorial:

  •  MASRV: Configure the Group Policy settings for WSUS
    • Server Manager > Tools > Group Policy Management > right click on the domain and click “Create a GPO in this domain, and Link it here...” > name it WSUS
    • Right click on WSUS > Edit > Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
      • Double click “Configure Automatic Updates” > select Enabled > click OK
      • Double click “Specify intranet Microsoft update service location” > select Enabled
        • Set the intranet update service for detecting updates: http://ASSET (since I have it on the default port, I do not need to specify the port; another option is to have SSL running, which will be on port 8530)
        • Set the intranet statistics server: http://ASSET
    • Go to cmd > gpupdate /force
  • ASSET: Update policy from MASRV
    • Go to cmd > gpupdate /force
  • MALTP50: Update policy from MASRV and check for updates
    • Go to cmd > gpupdate /force
    • Go to Control Panel > Windows Update > Check for updates

Once you have forced the Group Policy, you should receive update notifications on each machine and WSUS should detect the machines within the organization.
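As an added example (not part of the original post), here is a PowerShell check to run on a client such as MALTP50 after gpupdate /force: it reads the registry values that the two policy settings above write and reports whether they match. The function name and the expected URL http://ASSET are my assumptions; Get-ItemProperty on these policy keys is how the applied setting is read.

```powershell
# Added example: verify that the WSUS Group Policy actually reached this client.
# Uses New-Object PSObject so it also runs on the PowerShell 2.0 shipped with 2008 R2 / Windows 7.
function Get-WsusPolicyStatus {
    param(
        # URL set in "Specify intranet Microsoft update service location" (http://ASSET in the post).
        [string]$ExpectedServer = 'http://ASSET'
    )

    $wuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey    = Join-Path $wuKey 'AU'
    $findings = @()
    $notes    = @()

    # Neither key exists until the GPO has been applied to this machine.
    if (-not (Test-Path $wuKey) -or -not (Test-Path $auKey)) {
        $findings += 'WSUS policy keys missing: rerun gpupdate /force and check the GPO link and security filtering'
        return New-Object PSObject -Property @{ PolicyApplied = $false; Findings = $findings; Notes = $notes }
    }

    $wu = Get-ItemProperty -Path $wuKey
    $au = Get-ItemProperty -Path $auKey

    # UseWUServer = 1 is what redirects the client from Microsoft Update to WUServer.
    if ($au.UseWUServer -ne 1) { $findings += 'UseWUServer is not 1: client still uses Microsoft Update' }
    # NoAutoUpdate = 1 means "Configure Automatic Updates" ended up disabled.
    if ($au.NoAutoUpdate -eq 1) { $findings += 'NoAutoUpdate is 1: Automatic Updates are disabled' }

    # Update server and statistics server both come from the same setting and should match.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = [string]$wu.$name
        if ($value -ne $ExpectedServer) { $findings += "$name is '$value', expected '$ExpectedServer'" }
        # Plain http works, but the client cannot verify it is talking to the real WSUS server.
        if ($value -like 'http://*') { $notes += "$name is plain http; the SSL option mentioned in the post would protect this traffic" }
    }

    New-Object PSObject -Property @{
        PolicyApplied  = ($findings.Count -eq 0)
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        AUOptions      = $au.AUOptions
        Findings       = $findings
        Notes          = $notes
    }
}

Get-WsusPolicyStatus | Format-List PolicyApplied, WUServer, WUStatusServer, AUOptions, Findings, Notes
```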

Access Point, IT, Networking, RADIUS, Ubiquiti

Integrating RADIUS Server to Ubiquiti UniFi

Hi!

You have your RADIUS server configured; now what? Now it is time to integrate the RADIUS server with your Access Point! Since we use Ubiquiti UniFi as the AP in our office, I will be showing you how to connect the RADIUS server to that AP. Note that a lot of APs are configured in a similar way; the main difference is the web console interface of each brand.

  1. Open the UniFi web console on your browser
  2. Go to Settings > Wireless Networks
  3. Click “Edit” on the SSID that you want to integrate the RADIUS server with (mine will be MA-Lab)
  4. Choose WPA Enterprise in the Security section
  5. Enter the IP Address, Port Number and the Shared Secret of the RADIUS server. Note: you should have configured the shared secret when configuring the RADIUS Client in the NPS.
  6. Click Save


And tada! Now your employees are able to connect to the WIFI only from their work machines!

Active Directory, IT, Microsoft, Networking, RADIUS, Windows Server

Windows 2008 R2 RADIUS Server Configuration (Part 2)

Hi!

So, last week I posted a YouTube video on how to set up and test a RADIUS server. Now, I will be showing you how to set up a RADIUS server to authenticate WIFI users. For my scenario, only Domain users and registered machines are allowed to connect to the office’s WIFI. That means that mobile phones will not be able to connect to the internal network.

In order to do this, I first created a RADIUS server and a certificate that will be installed on all of the registered machines. I used the following YouTube video to help me do this. Note: if you have already set up DHCP and so on, you can fast forward to 10:52, where he shows you how to create the Domain group and the certificate, and how to set up the RADIUS server.

Now, in order to allow only certain machines to connect to the WIFI, I added a few conditions to the network policy:

  • Called-ID: SSID$ [SSID is the name of the SSID that you want the policy to apply to. For example, if you have an SSID named RDS, you put RDS$ in the Called-ID field]
  • Calling-ID: ^MAC-Address-1$|^MAC-Address-2$|… [this is where you put the MAC addresses of all registered machines. Remember to use ‘-’ instead of the default ‘:’ between every two characters. Also, add ^ at the beginning and $| at the end of each address when entering multiple MAC addresses. Note: there is a 256 character limit.]


Next, I need to register the MAC addresses to the individual user. We can assume that each employee is only assigned to one laptop.

  1. Go to Active Directory Users and Computers
  2. Navigate to the user > right click and click Properties
  3. Go to the “Dial-In” tab > select “Control access through NPS Network Policy” > check the “Verify Caller-ID:” option > enter the MAC address of the machine associated with the employee (remember to use ‘-’ instead of ‘:’ and all uppercase letters)
  4. Click Apply


What if the MAC Addresses exceed the 256 character limit? What if one employee uses multiple machines? No need to worry, there are ways around these problems!

Problem: You have more MAC addresses than the 256 character limit allows.
Solution: Export the NPS configuration file as .xml, edit it with Notepad, Notepad++ or any text/XML editor, and paste all of the MAC addresses (in the same format as above) into the “Calling-Station-Id” section of the file. Once you have done so, save the file and import it back into your NPS.
Tip: To import/export the configuration file, open the NPS console on the server, select NPS, then go to Action on the top bar and click Import/Export Configuration.

Problem: An employee is assigned to multiple machines.
Solution: Go to ADSI Edit, navigate to the user, right click and click Properties, then enter all of the MAC addresses assigned to the user in the “msNPCallingStationID” and “msNPSavedCallingStationID” fields. Remember to use ‘-‘ in between each two characters.
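As an added example (not part of the original post), this PowerShell builds the Calling-ID pattern described above from a list of MAC addresses, normalising them to the uppercase dash-separated form, and checks the result against the 256 character limit that makes the export/import workaround necessary. The function names and the sample MAC addresses are constructed for illustration.

```powershell
# Added example: build and sanity-check the Calling-Station-Id regex for the NPS network policy.
function New-CallingStationIdPattern {
    param([string[]]$MacAddresses)

    $normalised = foreach ($mac in $MacAddresses) {
        # Drop any separator (':', '-', '.') and validate that exactly 12 hex digits remain.
        $hex = ($mac -replace '[^0-9A-Fa-f]', '').ToUpper()
        if ($hex.Length -ne 12) { throw "Not a MAC address: '$mac'" }
        # Re-insert '-' after every pair except the last, giving XX-XX-XX-XX-XX-XX.
        $hex -replace '(..)(?!$)', '$1-'
    }
    $unique = @($normalised | Sort-Object -Unique)

    # Anchor each entry with ^ and $ so a longer string that merely contains a MAC cannot match.
    $pattern = ($unique | ForEach-Object { "^$_`$" }) -join '|'

    # Each anchored entry is 19 characters plus a '|' separator, so 12 addresses fit in the
    # 256 character field from the post and the 13th pushes it over (use the XML export then).
    New-Object PSObject -Property @{
        Pattern      = $pattern
        Length       = $pattern.Length
        Count        = $unique.Count
        FitsInNpsGui = ($pattern.Length -le 256)
    }
}

function Test-CallingStationId {
    # Mimics the NPS condition: the Calling-Station-Id sent by the AP must match the pattern.
    param([string]$Pattern, [string]$CallingStationId)
    $CallingStationId -match $Pattern
}

# Constructed sample inventory in the mixed formats devices usually report.
$macs = @('00:11:22:aa:bb:cc', '00-11-22-AA-BB-DD', '0011.22aa.bbee')
$result = New-CallingStationIdPattern -MacAddresses $macs
$result | Format-List Pattern, Length, Count, FitsInNpsGui

# A registered machine matches; an address that only contains a registered MAC does not.
Test-CallingStationId -Pattern $result.Pattern -CallingStationId '00-11-22-AA-BB-CC'
Test-CallingStationId -Pattern $result.Pattern -CallingStationId 'FF-00-11-22-AA-BB-CC'
```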

And voila! Now you have a RADIUS server that will authenticate a Domain user and his/her machine! In the next post, I will show you a quick tutorial on how to integrate the RADIUS server with the AP.


Active Directory, IT, Microsoft, Networking, RADIUS, Windows Server

Windows 2008 R2 RADIUS Server Configuration (Part 1)

Hi!

For today’s tutorial, I am going to show you how to install and test a Windows 2008 RADIUS server. It is pretty simple and quick.

First of all, RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that supports centralized AAA (Authentication, Authorization and Accounting) management. It utilizes a central database to authenticate remote users. Watch the video below to get more information on how RADIUS works.

So, what will I be doing with this RADIUS server? I have created a RADIUS server to provide user authentication on the Ubiquiti UniFi AP. The primary goal of this project is to have all of the official devices (laptops, servers, etc.) connected to one SSID while personal mobile devices connect to another, which will be outside of the office’s local network. Users will connect to the WIFI on their official laptops and will have to authenticate themselves before being connected to the Internet. This is where RADIUS comes into play. When the user enters their username and password, Ubiquiti will send the credentials to the RADIUS server and the server will then check them for authentication.

Okay, so this tutorial will be slightly different. Instead of giving you step by step instructions, I will post a YouTube video instead. I find that watching videos and following along is a lot more helpful than reading step by step tutorials. Note that there are three major steps to this tutorial: enabling the service on the Windows Server, configuring the RADIUS service (clients and policies), and testing the RADIUS login.

To test the RADIUS login, I used NTRadPing, a free tool from Mastersoft-Group. It allows you to test whether or not the RADIUS server you have configured is reachable and accepting requests. You can download the software here.

Active Directory, IT, Server

LDAP Authentication on Filezilla Server

Hey!

For this post, I will provide a tutorial on how to turn on LDAP authentication on a Filezilla server. If you haven’t heard of Filezilla server before, it is a free and easy to use FTP/FTPS solution.

By default, Filezilla server only supports local user accounts. However, since Filezilla is open-source, there is a version which allows for Active Directory Authentication.

Prior to installing Filezilla server, you want to make sure that all of the necessary ports are open between the Active Directory Domain Controller and the Filezilla server.

Configuring LDAP on server settings:

  1. Go to the site, download the installer and run it on your FTPS server: https://sourceforge.net/projects/fzldap/
  2. Open the Filezilla server config console > Edit > Settings
  3. In the LDAP tab > check “Enable LDAP support. Beta.” > fill in the LDAP server IP Address, Port (389), and LDAP Domain > check “Enable TLS/SSL”

  4. In the SSL/TLS Settings tab > check “Enable FTP over SSL/TLS support (FTPS)” > click “Generate new certificate” and fill in the necessary fields. Once you have generated a certificate, enter the paths of the key and certificate in the “Private key file” and “Certificate file” fields. Check “Allow explicit FTP over TLS”; the default port should be 990.

Enabling LDAP on a user:

  1. Go back to the server config console > Edit > Users
  2. Click “Add” to setup a new user
  3. The new username should be identical to the domain login username. For example, if my domain login username is “anindayu.pradetha”, the Filezilla user should be “anindayu.pradetha” as well.
  4. Uncheck the “Password:” option; the password field should be empty.
  5. Check the LOCAL and LDAP options in “Check password in”
  6. Set up the shared folders settings accordingly.
  7. Click OK once finished with the configuration.


Now, you should be able to login to your FTPS server with the AD username and password! 🙂

Reference:

https://www.kiloroot.com/filezilla-server-microsoft-active-directory-ldap-authentication/