
Using Windows® NPS as RADIUS in eduroam

Best Practice Document

Produced by the UNINETT-led working group on campus networking

Authors: P. Dekkers (SURFnet), T. Myren (UNINETT)

February 2015

© GÉANT Association 2015. All rights reserved.

Document No: GN3-NA3-T4-UFS140

Version/ date: V1.0 / February 2015

Source language: English

Original title: “Using Windows NPS as RADIUS in eduroam”

Original version/ date: Version 1 / 7 October 2014

Contact: campus@uninett.no

UNINETT bears responsibility for the content of this document. The work has been carried out by a UNINETT-led working group on campus networking as part of a joint-venture project within the HE sector in Norway. Original input for this document was given by Paul Dekkers from SURFnet in the Netherlands. DANTE and TERENA joined forces in October 2014 to become the GÉANT Association.

Parts of the report may be freely copied, unaltered, provided that the original source is acknowledged and copyright preserved.

The research leading to these results has received funding from the European Community's Seventh Framework Programme (FP7/2007-2013) under grant agreement n° 605243, relating to the project 'Multi-Gigabit European Research and Education Network and Associated Services (GN3plus)'.

Table of Contents

Executive Summary
1 Introduction
2 Limitations
3 Installing NPS
4 Server certificate for NPS
5 Configuring NPS
5.1 Defining Clients and Servers
5.2 Creating policies
5.2.1 Connection Request Policies
5.2.2 Network Policies
6 Logging / Accounting
7 Troubleshooting tips
Appendix A Certificates
A.1 Install and configure Windows server as a CA Server
A.2 Distribute CA certificate to clients
A.3 Request and install server certificate for NPS
References

Executive Summary

Network Policy Server (NPS) is the Microsoft Windows implementation of a Remote Access Dial-in User Service (RADIUS) server and proxy. An increasing number of institutions in the Norwegian HE sector have chosen to use Windows NPS as their RADIUS server connected to the eduroam infrastructure. This document is provided to explain in some detail how Windows NPS should be configured to best fit in with eduroam.

The examples in this document are collected from a mix of both Windows Server 2008 R2 Enterprise and Windows Server 2012 R2. The dialogue screens differ slightly between the two versions, but the configuration items are very similar.

The instructions in this document assume a basic setup of Active Directory.

For the configuration of related equipment (Access Points, controllers and other RADIUS servers), please see the References section for links to other resources. This includes both other best practice documents and TERENA confluence pages.

1 Introduction

This is a listing of tasks involved in setting up Windows NPS for eduroam, as a quick-start for more experienced users. The topics below are covered in more detail through the rest of this document:

- Installing NPS as a server role.
- A server certificate suitable for eduroam (and NPS) is required. This could be a self-signed certificate or one signed by a public Certification Authority (CA).
- Configuring RADIUS clients (and shared secrets). Wireless controllers (or access points) and the proxy servers of your National Roaming Operator (NRO) must be defined. Details for the national proxy servers must be provided, and the shared secrets negotiated, with the NRO.
- Configuring RADIUS servers in NPS to allow sending requests to the NRO proxy servers for visiting eduroam users. The proxy servers are configured in a server group, with one server preferred and a secondary configured for failover.
- Connection Request Policies to determine how a request is dealt with: handle locally or proxy to the NRO. For local accounts, create a User Name condition that matches your users with their realms, while preventing the use of unknown / unused sub-realms or of a username with no realm.
  - Such a Connection Request Policy can use “.institution\.no$” as a match for the User Name attribute, matching your realm and all sub-realms. Also configure this policy to override Network Policy authentication settings, configure “Microsoft PEAP” as EAP Type (Add, then Edit to select the server certificate) and deselect all “less secure” mechanisms.
  - A Connection Request Policy to forward requests to the proxy-server group could match a User Name of “@.+\..+$”, or match only valid TLD realms with “@.+\.[a-z]{2,6}$”.
- Configure one or more Network Policies. These handle all requests that the Connection Request Policies have set to be authenticated locally, and perform the actual EAP authentication of your users unless overridden in the Connection Request Policy. A policy can be duplicated to add VLAN assignment attributes for local use, while travelling users should not receive these attributes.

In the following sections, mainly Windows Server 2012 R2 is used in the examples; configuration in Windows Server 2008 R2 is very similar.

2 Limitations

The Network Policy Server has a few limitations:

- You cannot strip attributes (for instance VLAN attributes assigned by other identity providers (IdPs)), but you can explicitly set values applicable to your environment if you work with VLANs or want to prevent invalid attributes.
- You cannot add attributes to outbound requests: adding an “Operator-Name” attribute to indicate where a user gets online is thus not possible; it could be set by the National Roaming Operator instead.
- NPS does not answer Status-Server requests. It is best practice for eduroam proxy servers to check your servers’ availability with those requests, and ideally you would do the same the other way round.
- Because of the previous limitations, inform your National Roaming Operator that you are working with NPS.
- While the outer username (via the Connection Request Policy) can be rewritten, the inner username handled by the Network Policy cannot (users often configure both to be the same). This means that your users will have to use the registered UPN (User Principal Name), which by convention maps to the e-mail address, user-ID@domain-name.
- Using anonymous outer identities is not possible unless “Override network policy authentication settings” is enabled in the Connection Request Policies. This implies that the override should be used, but not all consequences of this are known and some functionality (Constraints and Settings) in Network Policies might be lost.
- Logging in the Event Viewer is rather poor (compared to FreeRADIUS): there is not much detail shown, making the debugging of connection problems difficult. Be prepared to install Wireshark for this purpose.

3 Installing NPS

In your Windows server open Server Manager, right-click Roles and select Add Roles (2008), or click Add roles and features. The Add Roles Wizard will open; read the information text and accept the defaults by clicking Next three times:

4 Server certificate for NPS

You need to have a Server Certificate in order to use PEAP-authentication with eduroam.

PEAP (Protected Extensible Authentication Protocol) sets up a secure tunnel (just like HTTPS does for websites) in order to protect the credentials, and is an important part of the mutual authentication.

Firstly the authentication server needs to prove to the user that he or she will be providing credentials to the right authority; then the user needs to prove who they are. So the RADIUS server (NPS in this case) sends its certificate to the client before authentication of the user takes place. The client must have previously installed the public certificate of the Certification Authority (CA) that issued and signed the NPS server’s certificate. This may be distributed using e-mail, a web page such as eduroam CAT (eduroam Configuration Assistant Tool), or a management system such as AD. The client checks the validity of the RADIUS server’s certificate using the CA certificate. The client should also check the name in the certificate. Using a certificate from a local CA, rather than a certificate from a larger commercial CA, reduces the possibility of phishing.

Please see the TERENA confluence pages on EAP Server Certificate considerations [TERENA] for good information on this topic.

Without a certificate (self-signed or not) it’s not possible to do local authentication, but NPS can still be used as a proxy to receive requests from Access Points, log, filter, and forward to the eduroam infrastructure.

If you have no certificate installed (or are in doubt about your certificate), please read Appendix A ‘Certificates’.

5 Configuring NPS

Open the NPS console (snap-in):

2012: Server Manager → Tools → Network Policy Server
2008: Start → Administrative Tools → Network Policy Server

A Wizard is available for configuring 802.1X Wireless or wired connections (see the next picture). You may use this for eduroam, but it does not provide all required settings (like realm/username pattern matching), so you will need to make some changes in the created policies.

In these instructions RADIUS clients and servers, Connection Request and Network policies will be created separately i.e. not using the above Wizard.

5.1 Defining Clients and Servers

Before any policy can be applied to authentication requests we need to create RADIUS clients and servers. This is to allow wireless controllers (or Access Points) and the national proxy servers (they are all clients) to send requests to NPS and the national proxy servers to receive requests (now servers) from NPS.

If you have several controllers or Access Points that need to be defined as clients, it is recommended that you define a shared secret template first (it means you will re-use the same secret for all) and later apply this to each client, in this way avoiding mistyping problems.

Defining shared secret template:

The above screen shows a template for Controllers; in addition you may create one for national proxy servers.


Enter a friendly name (it can later be referred to and used in pattern matching), an IP address or DNS name, and a shared secret (use the template if one has been created). Details for the national proxies must be agreed with your NRO.

Repeat the above until all needed clients are defined, together with at least two national proxies and one wireless controller.
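What a mismatched shared secret does on the wire, as an added illustration that is not part of the document or of NPS: every RADIUS client (controller, access point or proxy) keys the Response Authenticator check of RFC 2865 with its own copy of the secret, so a single mistyped character on one device makes it silently discard valid Access-Accepts from NPS, which is exactly the failure the shared secret template is meant to avoid. The secrets, packet identifier and Reply-Message below are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Added example, not code from the document or from NPS: it shows what a shared secret
# does on the wire, and therefore why a mistyped secret on one RADIUS client silently
# breaks authentication. Packet layout follows RFC 2865; all values are constructed.
ACCESS_ACCEPT = 2
HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code, identifier, request_authenticator, attributes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code, identifier, request_authenticator, attributes, secret):
    """Server side (NPS): emit a response whose Authenticator is keyed with the server's secret."""
    auth = response_authenticator(code, identifier, request_authenticator, attributes, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + auth + attributes


def verify_response(packet, request_authenticator, secret):
    """Client side (controller, AP or proxy): recompute the Response Authenticator with the
    client's own copy of the secret. On mismatch the packet is silently discarded, so the
    supplicant only sees a timeout rather than a clear error."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, request_authenticator,
                                      packet[HEADER_LEN:], secret)
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def demo_shared_secret_mismatch():
    """Returns (accepted with the template secret, accepted with a one-character typo)."""
    template_secret = b"Controllers-template-9f3a"   # constructed; applied from the NPS template
    mistyped_secret = b"Controllers-template-9f3A"   # constructed; one character wrong on one AP
    request_authenticator = os.urandom(16)           # the client's random Request Authenticator
    attributes = encode_attribute(18, b"Welcome to eduroam")   # Reply-Message (type 18)
    accept = build_response(ACCESS_ACCEPT, 7, request_authenticator, attributes, template_secret)
    return (verify_response(accept, request_authenticator, template_secret),
            verify_response(accept, request_authenticator, mistyped_secret))


if __name__ == "__main__":
    print(demo_shared_secret_mismatch())   # (True, False)
```

Because the discard is silent on both sides, a secret mismatch between NPS and one controller shows up as clients timing out rather than as a rejection, which is worth remembering when a single site works on some access points and not on others.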


Right-click Remote RADIUS Server Groups and select New; enter a name for the server group, e.g. “eduroam-proxies”, then click Add:

Enter the name of the server (details from your NRO) and proceed to the Authentication/Accounting tab for the shared secret settings:


For the secondary server, consider also the last tab, “Load Balancing”. It is recommended not to load balance single EAP sessions across multiple servers, which is what NPS will do when the Load Balancing Priority is set to the same level for all servers. In many situations it will work, but good practice is to set the secondary to a lower priority, meaning it will only be used for failover.

Finish by clicking OK twice.

5.2 Creating policies

Two types of policies are used with NPS: “Connection Request Policies” and “Network Policies”. When a request is received, it is first matched against the Connection Request Policies; if the resulting match says “local authentication”, the request is also matched against the “Network Policies”. The order of policies is important: once a policy's conditions are met, processing of further policies stops. You can move policy


5.2.1 Connection Request Policies

The “Connection Request Policies” decide what to do with an authentication request, either by forwarding it to a proxy server or by authenticating locally. The decision is based on conditions set in a policy, such as RADIUS attributes (e.g. User Name), RADIUS client IP address (or friendly name) and several other options; when the conditions are matched, the settings of that particular policy apply. For eduroam we only need two Connection Request Policies, in this order:

1. Authenticate own realms “your-realm.tld” locally (use Network Policies)

2. Forward eduroam visitors to eduroam proxy-servers.

The following screens show how to create the two Connection Request Policies:

Right-click Connection Request Policies and select New.


Note: See [PATTERN] for pattern matching syntax. Here we match any username ending with “win-ng.uninett.no”; this includes possible sub-realms such as student.win-ng.uninett.no.

Then click Next.


Select “Override network policy authentication settings” and click Add to add PEAP as EAP, select OK.

Mark “Microsoft: Protected EAP (PEAP)” and click Edit …:


Click Finish.

Next, you need the Connection Request Policy to forward requests to the national proxy servers. Add a new policy as above with the following settings:

The pattern used matches any realm of the form “@something.something”; another option is “@.+\.[a-z]{2,6}$”, a case-insensitive match for realms ending in “@something.tld” where tld is 2 to 6 letters.
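The two-policy order and the User Name patterns from the quick-start list and this section, as an added model in Python (not NPS code): it walks an ordered policy list with first-match semantics, the way NPS evaluates Connection Request Policies, and treats pattern matching as case-insensitive, which is an assumption of this model. “institution.no” stands in for your own realm and the user names are constructed. The tighter `(@|\.)institution\.no$` variant is not from the document; it is included to show that the unescaped leading dot in the quoted pattern matches any character, so a realm that merely ends in “institution.no” is also routed to local authentication.

```python
import re

# Added model of how NPS walks its ordered Connection Request Policies for eduroam.
# It is not NPS code: the policy list and the user names are constructed for the example,
# and NPS pattern matching is treated as case-insensitive (an assumption of this model).
# The realm "institution.no" stands in for your own realm.

# Patterns quoted in the document.
LOCAL_REALM_PATTERN = r".institution\.no$"      # own realm and all sub-realms
PROXY_REALM_PATTERN = r"@.+\.[a-z]{2,6}$"        # any realm ending in a 2-6 letter TLD

# Tighter alternative (not from the document): the leading unescaped "." above matches
# any character, so "carol@notinstitution.no" also satisfies it; anchoring on "@" or "."
# limits the match to the realm itself and its sub-realms.
STRICT_LOCAL_REALM_PATTERN = r"(@|\.)institution\.no$"

# Policies in the order the document prescribes: own realm first, then everything else.
# Each entry is (policy name, User-Name condition, action).
POLICIES = [
    ("Authenticate own realm locally", LOCAL_REALM_PATTERN, "local"),
    ("Forward eduroam visitors to proxies", PROXY_REALM_PATTERN, "proxy"),
]
STRICT_POLICIES = [
    ("Authenticate own realm locally", STRICT_LOCAL_REALM_PATTERN, "local"),
    ("Forward eduroam visitors to proxies", PROXY_REALM_PATTERN, "proxy"),
]


def route_request(user_name, policies=POLICIES):
    """Return (policy name, action) for the first policy whose User-Name condition matches.

    NPS stops at the first match; if no policy matches, the request is discarded,
    modelled here as (None, "discard")."""
    for name, pattern, action in policies:
        if re.search(pattern, user_name, re.IGNORECASE):
            return name, action
    return None, "discard"


def route_many(user_names, policies=POLICIES):
    """Route a batch of outer identities; returns {user_name: action}."""
    return {u: route_request(u, policies)[1] for u in user_names}


if __name__ == "__main__":
    # Constructed outer identities covering the cases the document calls out.
    samples = [
        "alice@institution.no",            # own realm -> local
        "alice@student.institution.no",    # sub-realm -> local
        "anonymous@institution.no",        # anonymous outer identity of a local user -> local
        "bob@some-university.de",          # visitor -> proxy
        "alice",                           # no realm -> no policy matches, discarded
        "carol@notinstitution.no",         # a different realm the quoted pattern still matches
    ]
    for user, action in route_many(samples).items():
        print(f"{user:32} -> {action}")
    print("strict:", route_many(["carol@notinstitution.no"], STRICT_POLICIES))
```

Swapping the two policies would send your own users to the NRO proxies, because the visitor pattern also matches your realm; keeping the local-realm policy first is what makes the order safe.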
