NPS Setup for a Secure Wireless network

By | November 25, 2014

NPS Setup for a Secure Wireless network

The first task in setting up Windows 2008 or higher Enterprise CA.  This is to allow auto Certificate request. You need to be running Windows 2008 Enterprise edition or Windows 2012.

Make sure your domain functional level is at least at Windows Server 2003.

Create a security group for NAP client computers

Next, create a security group for use with Group Policy security filtering. This security group will be used to apply NAP client computer settings to only the computers you specify.

To create a security group for NAP client computers

  1. In the Active Directory Users and Computers console tree, right-click contoso.com, point to New, and then click Group.
  2. In the New Object – Group dialog box, under Group name, type NAP client computers.
  3. Under Group scope, choose Global, under Group type, choose Security, and then click OK.
  4. Close the Active Directory Users and Computers console.

Install the NPS server role

To install the NPS server role

  1. Click Start, and then click Server Manager.
  2. Under Roles Summary, click Add Roles, and then click Next.
  3. Select the Network Policy and Access Services check box, and then click Next twice.
  4. Select the Network Policy Server check box, click Next, and then click Install.
  5. Verify the installation was successful, and then click Close to close the Add Roles Wizard dialog box.
  6. Leave Server Manager open for the following procedure.

Install the Group Policy Management feature

Group Policy will be used to configure NAP client settings in the test lab. To access these settings, the Group Policy Management feature must be installed on a computer running Windows Server 2008 or above.

To install the NPS server role

  1. In Server Manager, under Features Summary, click Add Features.
  2. Select the Group Policy Management check box, click Next, and then click Install.
  3. Verify the installation was successful, and then click Close to close the Add Features Wizard dialog box.
  4. Close Server Manager.

Obtain a computer certificate on NPS server

To provide server-side PEAP authentication, the server running NPS uses a computer certificate that is stored in its local computer certificate store. Certificate Manager will be used to obtain a computer certificate from the certification authority service.

To obtain a computer certificate on the NPS server

  1. Click Start, click Run, in Open, type mmc, and then press ENTER.
  2. On the File menu, click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, click Certificates, click Add, select Computer account, click Next, and then click Finish.
  4. Click OK to close the Add or Remove Snap-ins dialog box.
  5. In the left pane, double-click Certificates, right-click Personal, point to All Tasks, and then click Request New Certificate.
  6. The Certificate Enrollment dialog box opens. Click Next.
  7. Select the Computer check box, and then click Enroll. See the following example.
  8. Verify that Succeeded is displayed to indicate the status of certificate installation, and then click Finish.
  9. Close the Console1 window.
  10. Click No when prompted to save console settings.

Configure NPS as a NAP health policy server

To serve as a NAP health policy server, NPS1 must validate the system health of clients against the configured network health requirements. For this test lab, configuration of NPS as a NAP health policy server is performed using the NAP configuration wizard. The NAP wizard helps you configure each NAP component to work with the NAP enforcement method you choose. These components are displayed in the NPS console tree, and include:

  • System Health Validators. System health validators (SHVs) define configuration requirements for computers that attempt to connect to your network. For the test lab, WSHV will be configured to require only that Windows Firewall is enabled.
  • Health Policies. Health policies define which SHVs are evaluated, and how they are used in the validation of the configuration of computers that attempt to connect to your network. Based on the results of SHV checks, health policies classify client health status. The two health policies in this test lab correspond to a compliant health state and a noncompliant health state.
  • Network Policies. Network policies use conditions, settings, and constraints to determine who can connect to the network. There must be a network policy that will be applied to computers that are compliant with the health requirements, and a network policy that will be applied to computers that are noncompliant. For this test lab, compliant client computers will be allowed unrestricted network access. Clients determined to be noncompliant with health requirements will have their access restricted through the use of RADIUS attributes to specify a restricted VLAN ID. Noncompliant clients will also be optionally updated to a compliant state and subsequently granted unrestricted network access.
  • Connection Request Policies. Connection request policies are conditions and settings that validate requests for network access and govern where this validation is performed. In this test lab, a connection request policy is used that requires the client computer to perform protected EAP (PEAP) authentication before being granted access to the network.
  • RADIUS Clients and Servers. RADIUS clients are network access servers. If you specify a RADIUS client, then a corresponding RADIUS server entry is required on the RADIUS client device. In this test lab, the 802.1X compliant switch is configured as a RADIUS client on NPS. You must also configure the switch to recognize NPS as a RADIUS server.
  • Remediation Server Groups. Remediation server groups allow you to specify servers that are made available to noncompliant NAP clients so that they can remediate their health state and become compliant with health requirements. For this lab, you do not have to configure remediation server groups in the NPS console. If these servers are required, they must be made available on the restricted access VLAN so they are accessible to noncompliant computers. Because Windows Firewall is the only health requirement in the test lab, no remediation servers are required.

Configure NAP with a wizard

The NAP configuration wizard helps you set up NPS as a NAP health policy server. The wizard provides commonly used settings for each NAP enforcement method, and automatically creates customized NAP policies for use with your network design. You can access the NAP configuration wizard from the NPS console.

To configure NPS using the NAP wizard

  1. Click Start, click Run, type nps.msc, and then press ENTER.
  2. In the Network Policy Server console tree, click NPS (Local).
  3. In the details pane, under Standard Configuration, click Configure NAP. The NAP configuration wizard will start. See the following example.
  4. On the Select Network Connection Method for Use with NAP page, under Network connection method, select IEEE 802.1X (Wireless), and then click Next.
  5. On the Specify 802.1X Authenticating Switches or Access Points page, click Add.
  6. In the New RADIUS Client dialog box, under Friendly name. Enter IP or DNS address under address.
  7. Under Shared secret, type secret.
  8. Under Confirm shared secret, type secret, click OK, and then click Next.
  9. On the Configure User Groups and Machine Groups page, click Next. You do not need to configure groups for this test lab.
  10. On the Configure an Authentication Method page, confirm that a computer certificate obtained in the previous procedure is displayed under NPS Server Certificate, and that Secure Password (PEAP-MSCHAP v2) is selected under EAP types. Click Next.
  11. On the Define NAP Health Policy page, verify that Windows Security Health Validator and Enable auto-remediation of client computers check boxes are selected, and then click Next.
  12. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, click Finish.
  13. Leave the NPS console open for the following procedure.

Verify NAP policies

In order for the health status of NAP client computers to be correctly evaluated by NPS, NAP policies that were created in the previous procedure must be enabled and configured with the correct processing order. By default, the NAP configuration wizard will create policies that are lower in processing order than any existing policies but higher in processing order than the default policies. However, if policies are created and removed, it is possible to change processing order of the default connection request policy and network policies. Therefore, you should verify that the NAP policies created in the previous procedure are configured with the correct processing order.

To verify NAP policies

  1. In the Network Policy Server console tree, double-click Policies, and then click Connection Request Policies.
  2. Verify that the NAP connection request policy you created in the previous procedure is first in the processing order, or that other policies that match NAP client authentication attempts are disabled. Also verify that the status of this policy is Enabled. The default name of this policy is NAP 802.1X (Wired).
  3. Click Network Policies, and verify that the network policies you created in the previous procedure are higher in the processing order than other policies that match NAP client authorization attempts, or that these other policies are disabled. Also verify that the status of these policies is Enabled. The default name of the three network policies created by the NAP configuration wizard are NAP 802.1X (Wired) Compliant, NAP 802.1X (Wired) Noncompliant, and NAP 802.1X (Wired) Non NAP-Capable.
  4. Click Health Policies, and verify that two policies were created. By default, these policies are named NAP 802.1X (Wired) Compliant and NAP 802.1X (Wired) Noncompliant.
  5. Leave the NPS console open for the following procedure.

Configure SHVs

The WSHV will be configured to require only that Windows Firewall is enabled.

To configure system health validators

  1. In the Network Policy Server console tree, double-click Network Access Protection, and then click System Health Validators.
  2. In the details pane, under Name, double-click Windows Security Health Validator.
  3. In the Windows Security Health Validator Properties dialog box, click Configure.
  4. Clear all check boxes except A firewall is enabled for all network connections. See the following example.
  5. Click OK to close the Windows Security Health Validator dialog box, and then click OK to close the Windows Security Health Validator Properties dialog box.
  6. Close the Network Policy Server console.

Configure NAP client settings in Group Policy

The following NAP client settings will be configured in a new Group Policy object (GPO) using the Group Policy Management feature on NPS server:

  • NAP enforcement clients
  • NAP Agent service
  • Wired Autoconfig service
  • Security Center user interface

After these settings are configured in the GPO, security filters will be added to enforce the settings on computers you specify. The following section describes these steps in detail.

To configure NAP client settings in Group Policy

  1. On PCSDC3, click Start, click Run, type gpme.msc, and then press ENTER.
  2. In the Browse for a Group Policy Object dialog box, next to Contoso.com, click the icon to create a new GPO, type NAP client settings for the name of the new GPO, and then click OK.
  3. The Group Policy Management Editor window will open. Navigate to Computer Configuration/Policies/Windows Settings/Security Settings/System Services.
  4. In the details pane, double-click Network Access Protection Agent.
  5. In the Network Access Protection Agent Properties dialog box, select the Define this policy setting check box, choose Automatic, and then click OK.
  6. In the details pane, double-click Wired AutoConfig.
  7. In the Wired AutoConfig Properties dialog box, select the Define this policy setting check box, choose Automatic, and then click OK.
  8. In the console tree, open Network Access ProtectionNAP Client ConfigurationEnforcement Clients.
  9. In the details pane, right-click EAP Quarantine Enforcement Client, and then click Enable.
  10. In the console tree, right-click NAP Client Configuration, and then click Apply.
  11. In the console tree, navigate to Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsSecurity Center.
  12. In the details pane, double-click Turn on Security Center (Domain PCs only), choose Enabled, and then click OK.
  13. Close the Group Policy Management Editor window.
  14. If you are prompted to apply settings, click Yes.

Configure security filters for the NAP client settings GPO

Next, configure security filters for the NAP client settings GPO. This prevents NAP client settings from being applied to server computers in the domain.

To configure security filters for the NAP client settings GPO

  1. On NPS1, click Start, click Run, type gpmc.msc, and press ENTER.
  2. In the Group Policy Management Console (GPMC) tree, navigate to Forest: PCSDomainsPCSGroup Policy ObjectsRadius Test.
  3. In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.
  4. When you are prompted to confirm the removal of delegation privilege, click OK.
  5. In the details pane, under Security Filtering, click Add.
  6. In the Select User, Computer, or Group dialog box, under Enter the object name to select (examples), type NAP client computers, and then click OK.
  7. Close the GPMC.

Make sure you add the NAP Security Group to all the Client Computers that are needed.

Thanks for reading.

One thought on “NPS Setup for a Secure Wireless network

  1. Pingback: Recap #vDM30in30 – The Really, Really Long List, Enjoy! @ Virtual Design Master

Leave a Reply