How to setup Windows Server 2008 R2 as an 802.1X Authentication Server.
The following guide shows an example Windows Server 2008 R2 configuration for use with the PCoIP Zero Client and PCoIP Remote Workstation Cards. The example sets up a brand new environment, including an Active Directory domain. It is recommended that you work through this example in a lab and adapt it to your production environment only after completing a security assessment and a plan for integrating it with your existing environment.
- Install Windows Server 2008 R2.
- Install the following roles:
  - ADDS (Active Directory Domain Services)
    - Remember to set up a new domain.
  - ADCS (Active Directory Certificate Services)
    - This is used for setting up a Certificate Authority.
    - You will also be prompted to install IIS.
  - NPS (Network Policy Server)
- Configure ADDS (Active Directory Domain Services):
  - Add a new 802.1X user in Roles > ADDS > AD Users & Computers > my.new.domain > Users.
  - Enable the HTTPS protocol for web services (refer to http://support.microsoft.com/kb/324069).
  - Download the client and root CA certificates from https://localhost/certsrv/.
  - Remember to do the necessary conversions to PEM file format (refer to How do I get a PEM certificate from Windows for IEEE 802.1x Network Authentication?).
- Add a RADIUS client here: Roles > NP&AC > NPS > RADIUS Clients and Servers > RADIUS Clients:
  - Add the switch information (e.g. Cisco 802.1X switch).
  - Make sure the IP address and Shared Secret are set.
- Create 802.1X policies here: Roles > NP&AC > NPS > Policies:
  - Add Connection Request Policies:
    - Add either a Day and Time Restrictions policy or a NAS Port Type: Ethernet policy.
    - Use Microsoft: Smart Card or other certificate as the authentication method and make sure the correct root CA certificate is selected.
  - Add Network Policies:
    - Add a NAS Port Type: Ethernet policy.
    - Use Microsoft: Smart Card or other certificate as the authentication method and make sure the correct root CA certificate is selected.
- Configure the zero client:
  - On the zero client Administrative Web Interface (AWI), enable the 802.1X checkbox.
  - Upload the root CA and client certificate to the zero client.
  - Set the identity string of the zero client to the Subject Alternative Name of the client certificate (e.g. "teralab@8021x.testnetwork.com").
- Connect the network together and the zero client should successfully authenticate.
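The certificate download step above says to convert what the CA web pages hand out into PEM before uploading it to the zero client. Windows exports a certificate either as binary DER or as a Base-64 encoded file with CRLF line endings, and the two look different on disk. The helper below, added here as an example and not Teradici's code or Windows tooling, sniffs which one it has, converts DER to PEM, and normalises an already Base-64 file; the `SAMPLE_DER` blob is a constructed DER SEQUENCE standing in for a real `.cer`, and the function names are this example's own. A client certificate exported together with its private key (`.pfx`, PKCS#12) is a different container and is not handled here.

```python
"""Convert a certificate exported from the Windows CA web enrollment pages into PEM.

Hypothetical helper (not Teradici's code). Handles the certificate only, in either
binary DER or Windows' Base-64 encoded form, and emits PEM with LF line endings.
"""
import base64

PEM_LABEL = "CERTIFICATE"


def looks_like_der(data):
    """True if `data` is one complete DER SEQUENCE (tag 0x30) whose encoded length
    covers exactly the rest of the blob, which is what an X.509 certificate file is."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length: one byte
        return 2 + first == len(data)
    n = first & 0x7F                      # long-form: the next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length == len(data)


def der_to_pem(der, label=PEM_LABEL):
    """Base-64 encode DER and wrap it at 64 columns between BEGIN/END lines."""
    if not looks_like_der(der):
        raise ValueError("input is not a single DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def pem_to_der(pem, label=PEM_LABEL):
    """Inverse of der_to_pem; tolerates CRLF and stray whitespace, rejects anything else."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN %s-----" % label
            or lines[-1] != "-----END %s-----" % label):
        raise ValueError("not a PEM %s block" % label)
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not looks_like_der(der):
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    return der


def to_pem(exported):
    """Accept the bytes of an exported .cer (DER or Base-64) and return normalised PEM text."""
    if exported.lstrip().startswith(b"-----BEGIN"):
        # Already Base-64 encoded by Windows: decode and re-emit to normalise line endings.
        return der_to_pem(pem_to_der(exported.decode("ascii")))
    if looks_like_der(exported):
        return der_to_pem(exported)
    raise ValueError("unrecognised certificate encoding")


# Constructed stand-in for a downloaded .cer: a DER SEQUENCE holding one INTEGER.
# Not a real certificate, just enough structure to exercise the format handling.
SAMPLE_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    print(to_pem(SAMPLE_DER), end="")
    windows_style = to_pem(SAMPLE_DER).replace("\n", "\r\n").encode("ascii")
    print("CRLF export normalises to the same PEM:", to_pem(windows_style) == to_pem(SAMPLE_DER))
```

Run it against the real `.cer` files by reading them in binary mode and passing the bytes to `to_pem`; the length check in `looks_like_der` is what catches a file that was truncated or saved in the wrong export format before it reaches the zero client.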
Troubleshooting Tips
- Make sure there are RADIUS packets going back and forth between the 802.1X switch and the authentication server.
  - This can be done by installing Wireshark on the authentication server and confirming that RADIUS packets are being exchanged between the switch and the server.
  - If we only see RADIUS packets from the switch going to the server, we need to make sure the configured IP addresses are correct and the Shared Secret is set to the same value on both sides.
- To debug an authentication issue, we can use Wireshark to capture the 802.1X packets between the client and the switch. This can be done with the use of a hub (not a switch or router) or with a "port mirroring" feature on the switch.
  - When viewing the captured packets, we will be able to tell which step the authentication is failing at and whether it is the zero client or the authentication server that has initiated the failure packet.
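The one-way traffic symptom in the first tip has a concrete cause: an Access-Request carrying EAP must carry a Message-Authenticator (HMAC-MD5 keyed with the shared secret), and per RFC 3579 a server silently discards a request whose Message-Authenticator does not verify, so a mistyped secret or an unregistered client IP produces requests with no replies. The script below, added here as an example and not Teradici's code, builds and checks RADIUS packets the way NPS and the switch do (RFC 2865 Response Authenticator, RFC 3579 Message-Authenticator) and walks a constructed capture to report, per RADIUS identifier, which requests verified, which responses verified, and which requests were never answered. The secret, addresses, identity string and function names are this example's own assumptions.

```python
"""Audit a RADIUS exchange between an 802.1X switch and the authentication server.

Hypothetical example (not Teradici's code). Packet layout and authenticators follow
RFC 2865 and RFC 3579; the capture is constructed inline rather than read from Wireshark.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 61, 79, 80
NAS_PORT_TYPE_ETHERNET = 15            # the value behind the "NAS Port Type: Ethernet" condition

SECRET = b"lab-shared-secret"            # constructed; what NPS and the switch were both given
SWITCH, SERVER = "192.0.2.10", "192.0.2.20"   # constructed documentation-range addresses


def encode_attrs(attrs):
    """Serialise [(type, value_bytes)] as RADIUS TLVs; the length byte counts type+length too."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_packet(pkt):
    """Return (code, identifier, authenticator, [(type, value)]); raise ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def build_access_request(ident, request_auth, attrs, secret):
    """Access-Request with EAP-Message, so a Message-Authenticator is mandatory: HMAC-MD5 keyed
    with the shared secret over the whole packet with that attribute's value zeroed."""
    body = encode_attrs(attrs + [(ATTR_MSG_AUTH, bytes(16))])
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac             # Message-Authenticator was appended last; fill it in


def build_response(code, request_pkt, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request_pkt[1], 20 + len(body))
    return header + hashlib.md5(header + request_pkt[4:20] + body + secret).digest() + body


def verify_message_authenticator(pkt, secret):
    """True if the Message-Authenticator verifies under `secret`; False if absent or wrong."""
    pos = 20
    for t, v in parse_packet(pkt)[3]:
        if t == ATTR_MSG_AUTH and len(v) == 16:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), v)
        pos += 2 + len(v)
    return False


def verify_response(resp_pkt, request_pkt, secret):
    """True if the Response Authenticator was computed with `secret` against this request."""
    expected = hashlib.md5(resp_pkt[:4] + request_pkt[4:20] + resp_pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_pkt[4:20])


def audit_capture(capture, secret):
    """Walk [(source, packet)] in capture order and report per RADIUS identifier:
    (identifier, source, packet kind, verified). A request left pending at the end is what a
    wrong shared secret or an unregistered RADIUS client IP looks like in Wireshark."""
    report, pending = [], {}
    for src, pkt in capture:
        code, ident, _, _ = parse_packet(pkt)
        name = CODE_NAMES.get(code, "code %d" % code)
        if code == ACCESS_REQUEST:
            report.append((ident, src, name, verify_message_authenticator(pkt, secret)))
            pending[ident] = pkt
        else:
            req = pending.pop(ident, None)
            report.append((ident, src, name, req is not None and verify_response(pkt, req, secret)))
    for ident in pending:
        report.append((ident, "-", "no response", False))
    return report


def sample_capture():
    """Constructed exchange: a healthy request/challenge pair, then a request from a switch
    whose configured secret differs by one character, which the server never answers."""
    identity = b"teralab@8021x.testnetwork.com"
    eap_identity = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity   # EAP Response/Identity
    common = [(ATTR_USER_NAME, identity),
              (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
              (ATTR_EAP_MESSAGE, eap_identity)]
    good_req = build_access_request(7, os.urandom(16), common, SECRET)
    eap_tls_start = struct.pack("!BBHBB", 1, 2, 6, 13, 0x20)                      # EAP Request, type 13, S flag
    challenge = build_response(ACCESS_CHALLENGE, good_req, [(ATTR_EAP_MESSAGE, eap_tls_start)], SECRET)
    bad_req = build_access_request(8, os.urandom(16), common, b"lab-shared-secret-typo")
    return [(SWITCH, good_req), (SERVER, challenge), (SWITCH, bad_req)]


if __name__ == "__main__":
    for ident, src, name, ok in audit_capture(sample_capture(), SECRET):
        print("id=%-3d %-12s %-16s %s" % (ident, src, name, "ok" if ok else "FAIL"))
```

To use this on a real capture, export the RADIUS UDP payloads from Wireshark and feed them as `(source_ip, bytes)` pairs with the secret configured in NPS; a request that fails `verify_message_authenticator` under that secret is the switch-side mismatch the tips describe, while a response that fails `verify_response` means the server is replying with a different secret than the one you expect.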
References
http://www.jadota.com/2010/11/setting-up-wireless-802-1x-with-windows-server-2008-and-nps/