AP Configuration with RADIUS

Install the TekRADIUS version that connects to MS SQL. Run the manager and configure the SQL connection under Settings. Create the database and then create the tables. Under Service Parameters, set Startup to Automatic and set PEAP Inner Auth. Method to EAP-MS-CHAP-v2.

Create Self Signed Server Certificate.

Run TekCERT. Fill in the necessary fields and click the "Generate Certificate" button to create the certificate. You need to enter at least a valid "Name" for the certificate. Set "Purpose" to "Server Authentication".

Click the "Browse Certificates" tab, select the generated certificate and click the "Export" button. Export the public key in *.cer format for client deployment.

 

Install Server Certificate.

On your RADIUS server, right click the *.pfx file and select Install PFX. Go through the wizard: click Next, select the *.pfx file, click Next and type the password for the private key. Check "Mark this key as exportable" if you want to be able to export it later. Click Next, check "Place all certificates in the following store" and browse to "Trusted Root Certification Authorities\Local Computer". You will need to check "Show physical stores" for this to be visible. Click Next and then Finish to complete manual deployment of the server root certificate.


Create Users in TekRADIUS

To add a user in TekRADIUS, enter the username in the "User:" text box (bottom left), select a user group and click [Add]. The User-Password attribute is stored encrypted in the "Users" and "Groups" tables.
You can define a "default" user profile to be used when a matching user profile cannot be found for an incoming RADIUS authentication request. Add the attribute "User-Password" with type "Check", enter a password and click [Add/Update]. Also add the attribute "TLS-Server-Certificate" with type "Check"; your certificate will be in the drop-down. Click [Add/Update].

Install your Certificate on Clients

Copy the public key *.cer certificate file to the client computer. Locate the certificate file on the client computer, right click on it, then select "Install Certificate". Click "Next" on the "Certificate Import Wizard" dialog. Select "Place all certificates in the following store", then click "Browse". Click "Show physical stores" and then select "Trusted Root Certification Authorities/Local Computer" (on Windows XP clients), and click OK to close the "Select Certificate Store" dialog. (Windows 7 clients can use this guide)

Click "Next" after selecting the certificate store on the "Certificate Import Wizard" dialog and then click "Finish" to complete manual deployment of the server root certificate.
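The manual import above, scripted for a client with the .NET certificate classes from PowerShell, as an added example that is not part of the original guide. The file path is a placeholder, and the checks made before trusting the file (no private key, self-signed, in date, Server Authentication purpose) are assumptions drawn from the steps on this page.

```powershell
# Added example (not from the original guide). Run from an elevated prompt on the client.
# $CerPath is a placeholder (assumption): wherever the exported *.cer was copied.
param([string]$CerPath = 'C:\Temp\radius-server.cer')

$ErrorActionPreference = 'Stop'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# 1. The client file must carry the public key only. A private key here means
#    the server's PFX was copied to the client by mistake.
if ($cert.HasPrivateKey) { throw "File contains a private key; export a *.cer instead." }

# 2. The guide creates a self-signed certificate, so subject and issuer should match.
if ($cert.Subject -ne $cert.Issuer) { throw "Not self-signed: issuer is $($cert.Issuer)" }

# 3. The certificate must be inside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 4. It must list the Server Authentication purpose selected in TekCERT.
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$oids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
if ($oids -notcontains $ServerAuthOid) { throw "Server Authentication EKU is missing." }

# 5. Show the thumbprint so it can be compared with the one seen on the RADIUS server.
Write-Output "Subject:    $($cert.Subject)"
Write-Output "Thumbprint: $($cert.Thumbprint)"

# 6. Add to Trusted Root Certification Authorities\Local Computer.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try { $store.Add($cert) } finally { $store.Close() }
```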

 

Clients PEAP Configuration

Although there are commercial and free 802.1X supplicants with PEAP support for Windows, Windows editions have a built-in supplicant. To configure PEAP (PEAPv0-EAP-MS-CHAP v2) authentication for a wireless network connection, open Network Connections (Start/Settings/Network Connections), right click on the particular wireless connection and select Properties.


You will see detected wireless networks in the "Preferred networks" window on the "Wireless Networks" tab. Select the wireless network which requires PEAP authentication and then click Properties.
Configure the "Association" parameters as shown. Go to the "Authentication" tab, select "Protected EAP (PEAP)" as the "EAP Type", then click "Properties".


Check "Validate server certificate" and, optionally, select the server root certificate installed previously in the "Trusted Root Certification Authorities" list.

If you plan to authenticate the user with a username/password pair other than the one the user uses to log on to Windows, click the "Configure" button on the "Protected EAP Properties" dialog, uncheck "Automatically use my Windows logon name and password" on the "EAP MSCHAPv2 Properties" dialog and click OK.


Configure Your Access Points

Log in to your AP and set up a RADIUS profile under Authentication\RADIUS profiles. Enter a profile name, server address and Secret, and set the Authentication method to MSCHAPv2.

Create a VLAN, under Network\Ports, Add New VLAN. Select the port (Port1), enter a VLAN ID, and give it a name.

Set up a VLAN for your secure network. In your AP management, under the VSC profile, select Add New VSC Profile. Give it a name, check "Wireless protection" and select "WPA" from the drop-down. Set the mode to "WPA or WPA2" and the Key source to RADIUS, then select the RADIUS profile you just created. Check RADIUS accounting if you want reporting. Check the Virtual AP and specify a name to uniquely identify the wireless network (SSID name). Check Broadcast name (SSID). Under Quality of service, set the priority mechanism to DiffServ. Then under Egress VLAN, select the VLAN ID you just created. You'll want to uncheck "Wireless security filters", or you could use the MAC address to forward all traffic to an upstream device.