Network Segmentation

Installing the Enterprise Subordinate CA - Part 2


To complete this installation we will perform the following steps:


Prepare the CAPolicy.inf for the Enterprise Subordinate CA

Install the Enterprise Subordinate CA

Configure the Enterprise Subordinate CA Authority Information Access and Certificate Distribution Point settings

IssuingCA - Hyper-V



NPS Role and Configuration - Part 4

This is where you tell the system (NPS) to put the client in the VLAN of your choice. This must be done separately for LAN and WLAN.


Configure your AGDLP Domain Local Security Groups and place the child (Global) Security Groups in their respective NPS_VLAN_020X_CLIENT group. Do not use separate WLAN and LAN Domain Local Security Groups, because you will probably get conflicts in your network.


Server 2012

Import-Module ServerManager

Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools

PoE Zyxel Switch for Aruba Access Points Power Feeds - Part 6

When the switch is connected to a Cisco switch, it has to be configured for tagged VLANs. If you don't, your Access Points are unaware of the VLAN they should be associated with. You need to configure the VLANs as tagged; it is a sort of passthrough so the Access Point can recognize the VLAN for the appropriate client.


Add the VLANs for your environment.



Aruba Access Points / Guest WiFi - WPA2 Enterprise - Part 7

The Access Points can be configured to use any of the RADIUS / NPS configurations. If you tell them to use PEAP with MSCHAPv2, they do. But if you authorize by certificate, that will also authenticate you to that network. The control goes via your NPS service.


First we start with the Guest Network.

Go to your Master Controller IP address, log in and create a new SSID.

LAN - WLAN - AGDLP Groups - Part 8

Keep in mind: use the same AGDLP group for authenticating on both the wired and the wireless configuration in your NPS RADIUS server.

Different group memberships between the two give mixed results and can cause many connectivity issues, depending on how robust your infrastructure is.


Create a Domain Local Security Group: NPS_VLAN_0200_CLIENTS

In that group you place a Global Security Group: Windows_Client_Department_HR

and so forth.
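As an added example (not code from the original series), the following PowerShell builds the AGDLP structure described above for several VLANs at once: one Domain Local group per VLAN, with the department Global groups nested inside it. It assumes the ActiveDirectory module is installed; the OU path and the VLAN-to-department mapping are placeholders.

```powershell
# Added example: build NPS VLAN AGDLP groups. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$GroupOU = 'OU=NPS Groups,DC=example,DC=local'   # placeholder OU, adjust to your domain

# Constructed mapping: VLAN -> Global (department) groups that belong in it.
$VlanMap = @{
    '0200' = @('Windows_Client_Department_HR', 'Windows_Client_Department_Finance')
    '0201' = @('Windows_Client_Department_IT')
}

# Return the group if it exists, otherwise create it (idempotent, safe to re-run).
function Initialize-AgdlpGroup {
    param([string]$Name, [string]$Scope)
    $g = Get-ADGroup -Filter "Name -eq '$Name'"
    if (-not $g) {
        $g = New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
            -GroupCategory Security -Path $GroupOU -PassThru
    }
    return $g
}

foreach ($vlan in $VlanMap.Keys) {
    # One Domain Local group per VLAN, referenced by both the wired and wireless NPS policy.
    $dl = Initialize-AgdlpGroup -Name "NPS_VLAN_${vlan}_CLIENTS" -Scope DomainLocal
    foreach ($dept in $VlanMap[$vlan]) {
        $gl = Initialize-AgdlpGroup -Name $dept -Scope Global
        # Nest the Global group; check first so re-runs do not raise duplicate-member errors.
        $members = Get-ADGroupMember -Identity $dl | Select-Object -ExpandProperty SamAccountName
        if ($members -notcontains $gl.SamAccountName) {
            Add-ADGroupMember -Identity $dl -Members $gl
        }
    }
}

# Sanity check: a VLAN group should contain only nested groups, never direct user or computer objects.
foreach ($vlan in $VlanMap.Keys) {
    Get-ADGroupMember -Identity "NPS_VLAN_${vlan}_CLIENTS" |
        Where-Object { $_.objectClass -ne 'group' } |
        ForEach-Object { Write-Warning "Direct non-group member in VLAN $vlan group: $($_.SamAccountName)" }
}
```

Run it from an account with rights to create groups in the chosen OU; the warning at the end flags memberships that bypass the AGDLP model.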

Windows Clients and Group Policy - Part 9

The following is the configuration of Group Policy for DOT1X Authentication.

Please keep WIRED & WIRELESS separate!!!

Computer Policy Ethernet


Computer Configuration (Enabled)


Windows Settings

Security Settings

Certificate Template OSX_Client - Part 10

Requirements Template Issuing CA.

To configure the certificate template:

  1. On the IssuingCA, in Server Manager, click Tools, and then click Certification Authority. The Certification Authority Microsoft Management Console (MMC) opens.
  2. In the MMC, double-click the CA name, right-click Certificate Templates, and then click Manage.
  3. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane.
  4. In the details pane, click the Workstation Authentication template.
  5. Click the Action menu, and then click Duplicate Template. The template Properties dialog box opens.
  6. Click the Security tab.

MAC OSX Clients - Post Deployment - Part 11

The client certificate will be generated on deploy via OS X Server.

Buy Mac server hardware and the OS X Server license. The license is only about 29 dollars.

Install the server > login and:

Go to the Profile Manager.

Default Guest VLAN (Last Thing to do) - Part 13


Do put unauthenticated users in a Guest VLAN. When you're rolling out computers and rolling out certificates, users will be assigned certificate renewals, so unauthenticated ports should exist only within the physical office of your IT department, nowhere else. While doing so, it's best to have a lock on the door, with access given only to IT personnel, or at least to have someone in the room.


When you have transferred all your clients to the certificate-based NPS VLAN assignment, you can continue protecting your network by putting unauthorized / unknown devices in a GUEST VLAN.

Wrapping up - Part 14 - Thank you for reading

So, you've reached the end. I was thrilled implementing this project and have overcome many issues along the way.

I'm happy you took the time to go through this all, and hope I've served you well.

What you've learned about is:

Certificate Authority

How To Install Certificate Services and Deploy

Installing the standalone offline root CA: