Great tuts... your video is actually a real-world example of an actual configuration for NPS. More power to you and thanks for sharing this wonderful tutorial... =)
@itassist7373
7 years ago
0:45 - Install Certificate Authority Role
2:35 - Install Network Policy Services
3:26 - Configure Wireless Access Point
5:35 - Active Directory Environment
6:05 - Configure RADIUS Server
11:48 - Create Group Policy (GPO)
15:55 - Create Firewall Rule
16:53 - Use the Laptop to Connect Automatically
18:48 - Active Directory Screenshots
19:30 - Wireless Access Point Screenshot
19:38 - RADIUS Screenshots
23:27 - GPO Screenshots
@itassist7373
6 years ago
One huge benefit to setting up your wireless this way is preventing hackers. Using common hacking tools like the pineapple and other methods can allow you to get into almost any wireless network in seconds! Look it up for yourself to see a proof of concept. The good news about this enterprise level of security is they cannot hack into it (easily). I've tried hacking into it and the best I could get was the hash. Even if I spend weeks cracking the hash I still won't be able to connect to the wireless because I don't have the certificate so RADIUS never authenticates my connection. I'm not saying it is impossible to hack into, but it would take someone very skilled and a lot of time to do it. Any businesses out there NEED to use this method to thwart hackers or anyone trying to steal your wireless internet traffic.
@holeposts
6 years ago
Very well done video AND you got all the extra gotchas. Way to make an obscure and disjointed process smooth and seamless.
@itassist7373
6 years ago
Thanks! I spent a lot of time making sure I got everything right. I've deployed this policy for several businesses with minimal issues. I appreciate your feedback.
@l1mL
1 year ago
Really well made, step-by-step process of how to establish RADIUS auth on Wi-Fi.
@ryanmcguire2578
6 months ago
Where are your certificates generated? Do you have to create this on your wireless router?
@jingadom
7 years ago
This is fucking so much better than pushing certificates to clients one by one
@itassist7373
7 years ago
Hardik Nagar Agreed, saves so much time. We pushed this policy to 100 laptop and Surface users in one day!
@0Rkvishwakarma
2 years ago
If I have a Cisco Access Point Key device, how can I configure the IP settings in the Cisco Access Device Settings? Cisco 3600 Series. Please help me, how can I configure this policy?
@TheDJStandy
6 years ago
So if I specify only computers as members of the WiFi group, then non-domain computers will never be able to connect?
@ZachSkagen
5 years ago
Correct. What I do is only allow the Domain Admin group in the NPS; this allows us to domain join the laptop using an admin credential. In the GPO, still select Machine Authentication only when creating the wireless profile. Another way is to have a hidden SSID that uses a preshared key that only admins know, and delete that wireless profile from Windows after it is domain joined.
@ningi1974
4 years ago
Very good and helpful, brings all topics together, well done
@Sooster81
6 years ago
Does this configuration allow guests to connect to the WiFi just by entering the wifi password? Also, I have a lab set up with 25 PCs and various laptops around the school that only connect by wifi. Is it possible to change the wifi password and have all domain computers connect without me having to change settings on 70 computers?
@itassist7373
6 years ago
Yes and yes. This is exactly what this is designed for. If you add the user to the Wi-Fi group they can log in with a non-domain-joined laptop or even a phone. They log in using a username and password, NOT a wireless password. If you need to connect various PCs and laptops via wireless, you can do that by joining them to the domain then deploying the wireless policy. If you only want them to connect from an approved laptop, don't allow their username and password to access the wireless. That way, only the computer they are using is authorized and anyone can sign into the computer and use the wireless. The nice thing about this is you never have to give out a wireless password, so nobody can share a password with friends to connect without your knowledge.
@spacemunkee1
5 years ago
We have a wireless LAN controller managing all of the APs. Would you still add the APs as RADIUS clients, or would you just add the IP address of the WLC since all of the APs are managed by that?
@user-xt1vs2oz3b
5 years ago
I've dealt with a similar setup using mesh units which are actually cloud controlled. You need to create a DHCP reservation for each of your APs, assuming they are like mesh APs and get an address from your DHCP server. Then, you need to add each AP as a RADIUS client. Even if the RADIUS password is the same, it needs to have a record of each AP with its IP address. Hope this helps.
@spacemunkee1
5 years ago
To answer my own question, it does appear that you can add the WLC as the RADIUS client rather than the APs. All users that are a member of the Domain Users OU can log in to any computer with their AD credentials. The WLC shows the domain and non-domain clients and displays the user's logon ID as authenticated.
7 years ago
love the vids
@reymarfil1609
4 years ago
Hi, do you have the same process for how to do this on the Aerohive Manager console? Please advise. Thanks,
@muhammadmoiz5083
1 year ago
Does this also work for Mac laptops?
7 years ago
dope!
@Dayan2k7
2 years ago
I thought RADIUS operated over UDP, not TCP?
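The wire format behind the question above, as an added example that is not from the video or its author: RADIUS is a UDP protocol (authentication on 1812, accounting on 1813), and this builds an Access-Request the way an AP or WLC would, including the Message-Authenticator that RFC 3579 requires on every packet carrying EAP (the PEAP case against NPS), then validates the server's Response Authenticator with the shared secret. The secret, identifier and username are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS rides on UDP: authentication on 1812, accounting on 1813 (RFC 2865/2866).
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)

def _attr(type_id: int, value: bytes) -> bytes:
    return struct.pack("!BB", type_id, len(value) + 2) + value

def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs

def _attributes(packet: bytes):
    """Yield (offset, type, value) for each TLV after the 20-byte header."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        type_id, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        yield pos, type_id, packet[pos + 2:pos + length]
        pos += length

def build_access_request(secret: bytes, ident: int, request_auth: bytes, username: str) -> bytes:
    """Access-Request with User-Name and the Message-Authenticator RFC 3579 requires for EAP."""
    body = _attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, _packet(ACCESS_REQUEST, ident, request_auth, body), hashlib.md5).digest()
    body = _attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    return _packet(ACCESS_REQUEST, ident, request_auth, body)

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """HMAC-MD5 over the packet with the attribute's own 16 bytes zeroed; a wrong secret fails here."""
    for pos, type_id, value in _attributes(packet):
        if type_id == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False  # absent: a server must drop an EAP request without it

def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """What the NAS checks before trusting an Access-Accept: matching ID and a valid authenticator."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```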
@lordxplosion4273
1 year ago
Whenever I connect to the Wi-Fi from my mobile phone it shows SERVER TIME OUT. Can anyone help?
@ronniejorgensen3671
6 years ago
Hi there, at 15:13 why is it we are doing those settings in the GPO? If we do not do them, what is the fallout?
@itassist7373
6 years ago
It allows the administrator to configure computers (or users) to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without requiring user interaction. The computer does not need to be aware of any certificate operations. By default there are no auto-enrollment settings configured in a Windows domain. Neither the Default Domain Policy nor the Default Domain Controllers Policy contains auto-enrollment settings, so none of your computer or user accounts will automatically enroll for any certificates. For example, if we skip this step, a user could be prompted to connect because the computer hasn't been enrolled to use the certificate. A user can ignore the security warning and connect anyway (usually not a good idea for security) and continue the connection, but by configuring this part of the policy, we ensure no user interaction is necessary and the certificate they are trusting is legitimate.
@PineNutButter
5 years ago
How can I specify only one WiFi network to connect to and hide any other WiFi network?
@jingadom
7 years ago
I have a question though: if I would like to set up a new laptop, can I do so by simply entering the username and password? I guess it should bar it from connecting since no certificate has been signed for that client.
@itassist7373
7 years ago
Hardik Nagar, yes, you can just enter a username and password to connect. This is the reason we add the user to the Wi-Fi group.
@itassist7373
7 years ago
If you want to prohibit this, just don't add the user to the WiFi group and they cannot connect. Once the GPO is in place, the certificate does the authentication and the network policy allows it.
@nneverland
4 years ago
What if I want Domain Users not to connect automatically to WiFi? Shall I create a WiFi policy anyway?
@itassist7373
4 years ago
The policy is based on what OU you link it to. Only link the GPO to the OU that you want the policy to apply. For example, you can create an OU named Laptops1 and Laptops2 and only link the GPO to Laptops1. Therefore Laptops1 would get the policy and Laptops2 would not.
@ronniejorgensen3671
6 years ago
Also, where is it in the RADIUS that we select the certificate? In my situation my domain controller is not my CA, so I need to request a certificate from our CA.
@itassist7373
6 years ago
In my lab and production environments, I set up the CA and the RADIUS on the same server. Otherwise, users will attempt to use the certificate from the RADIUS server and NOT the CA. Each and every connection will be prompted to use an untrusted certificate, and it can be very annoying and insecure to have them click connect anyway. I'm not sure it is possible to create a certificate for your RADIUS server that the computers will trust natively (since your RADIUS is not a CA). Even if you have a legitimate certificate created from a template in your CA using web enrollment, I still don't think your domain computers will like it, unless you can use your GPO to enroll the clients and trust the RADIUS server. If you do that, you might get it to work properly. This is something I'd have to test more. Thanks for the comment!
@sulpher4648
5 years ago
In the Network Policy > Constraints > Authentication Methods, edit (PEAP). At the top it will let you select the certificate that the server will present to the clients. The authentication should already be accepted, as the NPS certificate (Computer) will already have been signed via your CA, which the clients already trust. In that case the clients will treat the certificate as valid. In your Group Policy portion: once you are in the Wireless Properties, navigate over to Security > PEAP > Properties {Connect to these servers: nps.contoso.local (change for your domain)} > then select the trusted root authority which it should use for "looking" at the cert, which in most cases, if running a CA, will be your CA {Contos-ADCS-CA}. The certificate services will be a chain of authentication. Hope this helps.
@Swordbreakercl
5 years ago
Thanks, it worked, but I used Microsoft Intelligent card instead of PEAP.
@keithgrantsci
5 years ago
Absolutely excellent vid. Nicely done.
@sbasalan
3 years ago
So if someone who visits a place that needs to handle this authentication needs to type a valid user ID and password to access the internet. One more thing: how about giving a specific IP address, in a range of IP addresses, that only can get access to the internet?
Comments: 42