Hello,
easy to do.
First you must install the role on some Windows Server (I recommend 2008 R2 and later)
This role is Windows Network policy server (NPS). You need just policy server, nothing more.
Second you need to setup communication between MSM controller, APs and NPS. This is common RADIUS.
So on MSM you need:
Go to Authentication - go to RADIUS profiles, click Add New profile and fill the details.
IP address is the IP of your Windows NPS and preshared key is your own secret key for communication between controller and NPS (same must be filled in NPS).
Untick Use Message authenticator. Check authentication method which must be set to MSCHAPv2. For HA setup you need two NPS servers, so you can fill both, but for test you can use just one (primary).
On NPS server:
Go to RADIUS Clients and Servers - Radius clients - New and fill the details.
Here you are working with two common scenarios. First one is authentication box checked on your VSC in MSM. In this case you need add here just controller IP address. But if you would like to be completely independent on controller (so unticked Access controller/Authentication) you must add here all APs. (just note: In linux and freeradius it is possible to add range of IPs, in Windows not).
you need add the name, IP address and preshared key which you fill in MSM setup.
At this time you passed the all the basics. Now it is the time for policies.
You can use RADIUS for Guest access and also for 802.1X. So in first case you will use just MSCHAPv2 protocol, in second case you need to use EAP protocol (TLS for certificates or PEAP for passwords).
If you need to use both methods you must in conditions divide those two access methods.
In Policies - Network policies just add a new one. On first tab you fill the name, next, on second tab you need to set conditions of access. Just click add, choose Windows Groups and choose group of users you would like to give the access. and OK. You can specify here the condition for authentication protocol, add second condition and choose Authentication method and choose appropriate (Windows use EAP as EAP-TLS, PEAP and MSCHAP derivates). Next. Then Leave access granted and next. In EAP types you must add correct method you want to use.
Here you must have certificate in system you will use for encryption (can be used internal or self-signed).
On the last page you are specifying other details like VLANs, access lists etc. But this is very complex.
If you have this policy:
you must check on MSM your VSC. You must go to 802.1X config and choose (check) previously created RADIUS profile.
If you would like to have total independence untick access control/authentication. So all traffic including authentication will go thru AP (not controller).
Try the access. It is written directly from my head so it can be small mistakes.
How to check the result if something fails. Easily - check first system log on your NPS server where are reported problem with NPS itself, mainly problem with client communication. (like bad passwords etc).
And the most important: Security log, where you will see RADIUS packets and result of policies.
Some problems connected to this:
If you need to have dynamic VLANs - my experience is that APs must be provisioned to be on tagged VLAN (with management interface) - best is to manually force the AP to do this. And then create virtual interface for APs VLAN to connect all APs by L2 discovery (discovery on this interface must be allowed). But this is good question to discussion. I only write my experience and working setup.
Michal Dolezal, DiS.
System engineer
AVE BOHEMIA, s.r.o.
