Ruckus Wireless Setup with Windows 2008 NPS

The wireless project requires domain users (staffs) using domain joined notebooks, non-domain (workgroup) notebooks and mobile devices to be authenticated to use the wireless. I will not be going into the detailed Ruckus wireless setup and will be concentrating on the NPS setup along with the client’s configuration. The biggest challenge was authenticating the non-domain notebook/laptops. Unix/Linux OS based and mobile devices didn’t have much issue in the authentication process as these clients have the option to ignore the certificate whereas windows based OS (tested on Vista and 7) throws errors like “windows was unable to verify the identity of the server”.
Here is the Ruckus Wireless snapshot detail of the SSID “Staff” which I have used for the project. It’s using 802.1 x EAP authentication method with WPA2 encryption and AES algorithm.
The Active Director Directory Services (AD DS) and Active Directory Certificate Service (AD CS) are on two separate machines running Windows Server 2008. Network Policy Server (NPS) is installed on the same server as AD CS which is also the Root CA.
On the AD CS, we create a computer certificate following the procedure below:
Creating Certificate: Open MMC > File > Add/Remove Snap-in… > Certificates > Add > Computer account > Local computer > Finish > Expand Certificates (Local Computer) > right click Personal > All Tasks > Request New Certificates … > Next > Next > check Computer > Enroll.
This certificate will be used when building the NPS.
Setting up NPS: Open NPS from Administrative Tools. Right click on NPS (Local) and click Register server in Active Directory. Click OK on the two dialog boxes.
Click NPS (Local) and chose RADIUS server for 802.1X Wireless or Wired Connections from the drop down list and click Configure 802.1X
Select Secure Wireless Connections and give a name (“wireless” in my case). Click Next and Add a Radius Client (for my case the radius client is the IP or DNS name of the Ruckus Zone Director). Create a Shared secret manually click next and select Microsoft: Protected EAP (PEAP) and then click on the Configure. The Certificate issued must have the certificate enrolled in the steps above.

Click Next and select a user group from the AD to secure the wireless. I just used domain user group “staff” for my case. Accept the defaults and restart the NPS service.
Important Point: Window based systems will have authentication issue while connecting to the wireless. To resolve this issue, the Certificate Authority (CA) certificate that certifies the Computer certificate used in NPS must be imported to the Trusted Root Certification Authorities of the client Notebook.
The settings automatically captured by the client notebook for the authenticated wireless are shown below:
I leave the distribution of the certificate to the end users (non-domain) as it can be carried out is multiple ways.
That’s the way of process of installing the CA in the Trusted Root Certification Authorities
Note: I’ll not be responsible for any issues coming out of this implementation but I’ll be happy to help out with any questions.

Comments

  1. Bizon Tech Pvt. Ltd.August 3, 2013 at 5:12 PM

    Hi this is pretty awesome !
    Just having some issues with authenticating the Zone Director with the Radius server. After putting in the settings for setting up the AAA server in Zone Director when I test it only gives me invalid password.
    any ideas ?
    Thanks in advance.

    ReplyDelete

Post a Comment

Popular posts from this blog

Wireless DPSK setup with Ruckus Zone Director

Image
Configure the AAA Server (Using local database howto is out of this scope) Log in to the zone director and configure the AAA Server from Configure > AAA Servers as shown in the figure below. Name: Give a name for the AAA Server for identification {jcua for this example} Type: Active Directory Global Catalog: {leave it un-check} IP Address: IP address of the domain controller Port: 389 {ldap port} Windows Domain Name: domain name {test.com for this example}   Configure the Hotspot Service Configure a Hotspot to authenticate the users before allowing the traffic from Configure > Hotspot Services as shown in the figure below. Name: Give a name for the hotspot service {JCU-Wireless-Provisioning for this example} Login Page: https://wireless.test.com/activate {or https://zonedirectorIP/activate} Start Page: I leave to redirect to the URL that the user intends to visit Authentication Server: The AAA server that we created {i.e., jcua} Accounting Server: none {out...
Read more

Access denied for user 'bacula'@'localhost' (using password: YES)

Image
While installing a test backup server (Bacula), I got the error "Access denied for user 'bacula'@'localhost' (using password: YES)" while connecting to the MySQL database. Root access was fine. Grant permission as well as the user password was correct and thus it took me quite some time to understand that though the user password was correct, it wasn't encrypted like the root when checked from Webmin.  Thus from mysql command, instead of - mysql> UPDATE mysql.user SET Password = 'baculauserpassword' WHERE user = 'bacula'; mysql> FLUSH PRIVILEGES; I change it too  mysql> UPDATE mysql.user SET Password = PASSWORD('baculauserpassword') WHERE user = 'bacula'; mysql> FLUSH PRIVILEGES; After getting the password encrypted, I can finally connect to the MySQL server and run the Bacula.
Read more

Operation could not be completed (error 0x00000709)

Image
We just had an upgrade of the printer infrastructure. New printers are installed, Canon Uniflow software are being upgraded as well as the existing drivers are being upgraded. Things went fine except for few users having issues like: Cannot set default printer Cannot print directly from Outlook client Thanks to the link  http://www.howtogeek.com/forum/topic/can-not-set-any-printer-as-default-printer  the issues were resolved following the steps there. The fix, which worked for me yesterday, is simple: Go to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\ -If the Windows key doesn't exist, create a new key; Then check for the following entry (or create it if it is not there) Name: Device Type: Reg_SZ (String Value) Value: winspool,Ne00 Should you be unable to save it, just make sure the user has Full (or special) access to the Windows key (by right-clicking on the key) After that I ran the "gpupdate /force" as the drivers were pushed using gr...
Read more