Windows Server 802.1X / RADIUS Configuration

Products: All
Keywords: 802.1x, EAP, RADIUS, WPA2


802.1x authentication can be used as an alternative to WPA2/PSK in wireless deployments. WLAN clients then connect with either a username and password (using Protected EAP, as shown in this guide) or certificates, instead of a pre-shared key.

If 802.1x is used, authentication is controlled by a RADIUS server on the network. The AP-900 includes a built-in RADIUS server, but in many cases using an existing RADIUS server that links into Active Directory simplifies the management of users and passwords. This guide contains an example of how to configure a Windows Server 2012 installation so that it will perform RADIUS authentication on the local network.

The wireless security settings should be configured on the Vigor access points so that their RADIUS client settings point to the local IP address of the Windows Server. The RADIUS authentication can then be used in conjunction with a number of Vigor access points connected to the network.

This guide covers only the configuration of the server. Please see the related Vigor access point guides for configuration of the wireless network. To give an understanding of what needs to be in place on the server, this guide contains the process for Windows Server 2012, but we're unable to provide direct technical support on the configuration of a Windows server.

Other RADIUS servers (for example, different releases of Windows Server) will also be compatible with the Vigor access points, and it is hoped that this guide will help provide an understanding of the overall process involved.


Configuring Network Policy Services on Windows Server 2012

Before you begin, ensure that the access points are set up on the network and that there is a security group set up in Active Directory.

Open the Server Manager > Dashboard and select Manage > Add Roles and Features

This will start the Add Roles and Features Wizard:

Click Next on the Before you Begin screen to continue.


For the Installation Type, select Role-based or feature-based installation and click Next to continue:


Select the server to install the feature on and click Next:


Select Network Policy and Access Services and click Next:


This will pop up a new box; click Add Features:


The above box will close and the wizard will move on to the next step.

You do not need to add any additional features at this point; click Next to continue:


Under Role Services, tick Network Policy Server if it is not already ticked. Health Registration Authority can be enabled at this stage but is not needed for RADIUS to function. Click Next to continue:

At this stage, click Install to start the installation of the role; this can take some time. Leave the option to automatically restart the server after installation unticked.


Once the role has installed, the Network Policy Server will be available from the Server Manager under the Tools menu:


In the Network Policy Server configuration window, right-click the NPS (Local) icon, select Register server in Active Directory, and click OK in the pop-up windows that result:


Once that has completed, click the NPS (Local) icon from the menu on the left, select RADIUS server for 802.1X Wireless or Wired Connections from the Standard Configuration drop-down box and click Configure 802.1X to start the RADIUS server configuration wizard:


This will go on to the next step of the 802.1X configuration wizard. If this will be used with wireless clients, select Secure Wireless Connections; if it will be used with wired clients (Wired 802.1X), select Secure Wired (Ethernet) Connections. Give the connection type a suitable name (or leave it as the default setting), then click Next:


The next step is to add the RADIUS Clients - these would be the Vigor access points or Vigor routers that would use this server for authentication. Click Add... to add the details of a RADIUS client:

Enter the IP address of the access point / router, give it a suitable name and set a suitable Shared secret that will be used on both this server and the AP / router to secure the RADIUS connection:

Click OK once that is set, then add any other access points or routers that need to use this server for authentication so that they will be allowed to connect:


The next step of configuring 802.1X is to select the Authentication Method. For this example, select Microsoft: Protected EAP (PEAP), which uses the domain username and password details for authentication:


The wizard will then prompt to select the User Groups that would be allowed to authenticate in this way. Either add the user groups that would be allowed to authenticate or leave this blank to allow all users to authenticate using RADIUS:

Clicking Add... will show the Select Group window; either enter the name of the group manually or click Check Names to search for groups:


Once the groups to allow have been selected, click Next. The Traffic Control options do not need to be set, so click Next again to continue:

This will go to the final window of the 802.1X setup wizard. Click Finish to finish setting up the 802.1X configuration on the server:


You should now see the RADIUS clients and the Network Policy in the Network Policy Server Snap-in:

Add any other RADIUS clients that need to be able to authenticate with the server if necessary.


RADIUS and 802.1X authentication should now be possible using the Windows Server from the DrayTek routers and access points that have been added as RADIUS clients, once the RADIUS settings are configured on those devices.
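
The role installation, Active Directory registration and RADIUS client steps above can also be scripted. The following PowerShell is an added example, not part of the original guide: the access point names and IP addresses are placeholders, New-RadiusSharedSecret is a helper defined here, and the 802.1X network policy (PEAP and user groups) is still created with the wizard as described.

```powershell
# Added example: run in an elevated PowerShell session on the Windows Server 2012 host.

# Install the Network Policy and Access Services role with its management console.
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# Equivalent of "Register server in Active Directory" in the NPS console;
# with no arguments it registers the local server in its own domain.
netsh nps add registeredserver

# Hypothetical helper: builds a random shared secret from the OS CSPRNG.
# The alphabet has 32 symbols, so (byte % 32) is unbiased; 32 characters
# carry 160 bits. Alphanumeric only, on the assumption that every device
# UI accepts these characters.
function New-RadiusSharedSecret {
    param([int]$Length = 32)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Placeholder inventory: replace with the real access points / routers.
$accessPoints = @(
    @{ Name = 'AP-Office-1'; Address = '192.0.2.11' },
    @{ Name = 'AP-Office-2'; Address = '192.0.2.12' }
)

# Names of RADIUS clients already defined on this server.
$existing = @(Get-NpsRadiusClient | ForEach-Object { $_.Name })

foreach ($ap in $accessPoints) {
    if ($existing -contains $ap.Name) {
        Write-Warning "RADIUS client '$($ap.Name)' already exists; skipped."
        continue
    }
    # One secret per client, so a secret recovered from one device
    # does not expose the RADIUS traffic of the others.
    $secret = New-RadiusSharedSecret
    New-NpsRadiusClient -Name $ap.Name -Address $ap.Address -SharedSecret $secret | Out-Null

    # Emitted once so the value can be entered in the device's RADIUS settings.
    [pscustomobject]@{ Name = $ap.Name; Address = $ap.Address; SharedSecret = $secret }
}
```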