NPS Role and Configuration - Part 4

This is where you tell NPS which VLAN to put the client in. It must be done for LAN and WLAN separately.

Configure your AGDLP domain local security groups (Accounts go into Global groups, Global groups into Domain Local groups, and the Domain Local group carries the Permission, here the VLAN) and place the child global security groups in their respective NPS_VLAN_020X_CLIENT group. Do not use separate WLAN and LAN domain local security groups, because you will probably get conflicts in your network: NPS applies the first network policy whose conditions match, so a client that ends up in two VLAN groups lands in whichever policy is processed first, and wired and wireless can then disagree.
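As an added example (my own script, not from the original post), here is how that AGDLP layout can be built and checked with the ActiveDirectory module: one domain local group per VLAN following the NPS_VLAN_020X_CLIENT naming, the global groups nested into it, and a final pass that lists every account that resolves (directly or through nesting) into more than one VLAN group, which is exactly the conflict described above. The OU path and the global group names are assumptions; replace them with your own.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) is present and you may create groups in the OU below.
Import-Module ActiveDirectory

$ou = 'OU=NPS,OU=Groups,DC=example,DC=com'     # assumed OU, change to yours

# VLAN -> global groups that belong in it (assumed names). The domain local
# group per VLAN is shared by the LAN and WLAN policies, as the post advises.
$vlanMembers = [ordered]@{
    '0200' = @('GG_Workstations_Finance')
    '0201' = @('GG_Workstations_HR')
    '0202' = @('GG_Lab_Servers')
    '0203' = @('GG_Printers')
    '0204' = @('GG_VoIP_Phones')
}

foreach ($vlan in $vlanMembers.Keys) {
    $name = "NPS_VLAN_${vlan}_CLIENT"
    $dl = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $dl) {
        $dl = New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
                          -Path $ou -PassThru `
                          -Description "NPS assigns members VLAN $([int]$vlan) (wired and wireless)"
    }
    $current = Get-ADGroupMember -Identity $dl | Select-Object -ExpandProperty Name
    foreach ($gg in $vlanMembers[$vlan]) {
        if ($current -notcontains $gg) {
            Add-ADGroupMember -Identity $dl -Members $gg   # nest the global group (the G in AGDLP)
        }
    }
}

# Conflict check: a principal in two VLAN groups gets whichever policy NPS
# processes first. Resolve nested membership and report such principals.
function Find-NpsVlanConflicts {
    $seen = @{}   # SamAccountName -> VLAN groups it resolves into
    foreach ($group in Get-ADGroup -Filter "Name -like 'NPS_VLAN_*_CLIENT'") {
        foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
            if (-not $seen.ContainsKey($m.SamAccountName)) { $seen[$m.SamAccountName] = @() }
            $seen[$m.SamAccountName] += $group.Name
        }
    }
    $seen.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ Account = $_.Key; Groups = ($_.Value -join ', ') } }
}

Find-NpsVlanConflicts | Format-Table -AutoSize
```

Run the conflict check again whenever a global group is added to a VLAN group; an empty result is what you want before touching the policy order later on.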

 

Server 2012

Import-Module ServerManager

Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools

 

Server 2016 / 2019

Get-WindowsFeature NPAS

Install-WindowsFeature -Name NPAS -IncludeManagementTools

After the role is installed, register the NPS server in Active Directory (NPS console, right-click NPS (Local), Register server in Active Directory; or netsh nps add registeredserver). Without that registration NPS cannot read the dial-in properties of domain accounts and authentication of domain users fails.

NPS PowerShell installation

[screenshot: nps.installation.powershell]

Configure all of your network equipment to use a shared secret for communicating with your NPS RADIUS server. Use a long, random secret rather than a word or phrase: the shared secret is all that hides user passwords in PAP requests and is what keys the Message-Authenticator attribute, so a weak one can be brute-forced offline from captured RADIUS traffic.

 

Create an NPS shared secret

[screenshot: nps.shared.secret]

 

Add all of your network devices to the list of RADIUS clients; include the APs, but not the PoE switches, because you will be tagging those VLANs in the switch configuration. (A switch that performs wired 802.1X itself is the authenticator and must be a RADIUS client, since NPS discards requests from addresses it does not know.)

 

[screenshot: nps.radius.client]

[screenshot: nps.radiusclient.result]
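To show what the shared-secret and RADIUS-client steps look like when scripted, here is an added example of mine (not the post's own code) using the NPS PowerShell module: it generates a fresh random secret per device from the OS CSPRNG without modulo bias, adds the device as a RADIUS client with the Message-Authenticator attribute required, and prints the secret once so it can be pasted into the AP or controller. The device names and addresses are placeholders.

```powershell
# Added example, not from the original post. Assumes the NPS role is installed
# on this server; device names and addresses below are placeholders.
Import-Module NPS

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # Printable characters that survive copy/paste into AP and switch CLIs:
    # no spaces, quotes or backslashes.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes >= limit to avoid modulo bias
    $sb = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

# Placeholder authenticators (constructed for this example).
$devices = @(
    @{ Name = 'AP-01';  Address = '10.0.10.11' },
    @{ Name = 'AP-02';  Address = '10.0.10.12' },
    @{ Name = 'WLC-01'; Address = '10.0.10.5'  }
)

$existing = Get-NpsRadiusClient | Select-Object -ExpandProperty Name
foreach ($d in $devices) {
    if ($existing -contains $d.Name) { "$($d.Name): already present, skipped"; continue }
    $secret = New-RadiusSharedSecret
    # One secret per device: a compromised AP then cannot impersonate the others.
    # AuthAttributeRequired makes NPS insist on Message-Authenticator, so a
    # request cannot be forged without knowing the secret.
    New-NpsRadiusClient -Name $d.Name -Address $d.Address -SharedSecret $secret `
                        -AuthAttributeRequired $true | Out-Null
    "$($d.Name) ($($d.Address)): $secret"   # paste into the device, then close this window
}
```

The printed line is the only copy of the secret outside NPS; do not log the run to a transcript file. Get-NpsRadiusClient afterwards confirms the entries without showing the secrets.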

 

Next, configure the policies.

[screenshot: nps.configuration.start]

 

Select Configure 802.1X, which starts the wizard for wired or wireless connections.

 

I'll show you some basics now; at the end you should have configured it completely yourself.

 

What I do, at the least, is create a check policy for the wired and for the wireless connections, in case someone attempts to make a connection.

That way I do not have the noise when I look up certain clients in the log.

 

[screenshot: nps.wireless.check]

 

[screenshot: nps.config.radius.client]

 

Note: this is an empty group.

 

[screenshot: nps.config.vlan.determenation]

 

Leave the defaults.

 

[screenshot: nps.config.authentication.method]

 

Remove certificate authentication, clear the MS-CHAPv2 selections and select only PAP and SPAP. PAP carries the password in the clear (hidden on the wire only by the RADIUS shared secret); that is harmless in a policy like this one, whose empty group never admits anyone, but do not enable it in the client VLAN policies, which use PEAP with certificates.

 

[screenshot: nps.config.vlan.auth.methods]

 

Do the same for wired and for guest VLAN 500; I'll show you next what to adjust.

 

Next, configure a client VLAN (you do this for all of them).

This one is done for wired and wireless separately. Whatever the wizard names the policies, each one has to return the three RADIUS attributes that put the port or session into the VLAN: Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, and Tunnel-Private-Group-ID = the VLAN number (200 for this one).

 

[screenshot: nps.config.vlan200.clients]

 

[screenshot: nps.config.vlan.200.domain.local.sg]

 

[screenshot: nps.config.vlan200]

 

[screenshot: nps.vlan200.peap.certificates.lan]

 

And for WLAN:

 

[screenshot: nps.vlan200.peap.certificates.wlan]

 

Do this for VLAN 200 through VLAN 204.

 

Enabling the guest VLAN

Same process, but here's what's different.

[screenshot: nps.config.vlan.500.guest.overview]

 

Now that everything is enabled you can reorder the sequence in which the NPS RADIUS server evaluates the network policies. The first policy whose conditions match is the one applied, so the specific client VLAN policies must come before the guest catch-all.

Don't forget to also put the connection request policies in the right order. You cannot script that.

 

[screenshot: nps.config.connection.request.order]

 

Reorder Policy

# NPS policy re-order configuration

# Run from an elevated command prompt (cmd, Run as administrator)

 

netsh nps set np name="NPS_VLAN_0200_CLIENTS_WLAN" processingorder="10"

netsh nps set np name="NPS_VLAN_0200_CLIENTS_LAN" processingorder="11"

netsh nps set np name="Secure Wired (Ethernet) Connections - GUEST VLAN" processingorder="250"

 

And if you filled in the rest, this applies as well.

 

netsh nps set np name="NPS_VLAN_0201_CLIENTS_WLAN" processingorder="12"

netsh nps set np name="NPS_VLAN_0201_CLIENTS_LAN" processingorder="13"

netsh nps set np name="NPS_VLAN_0202_CLIENTS_WLAN" processingorder="14"

netsh nps set np name="NPS_VLAN_0202_CLIENTS_LAN" processingorder="15"

netsh nps set np name="NPS_VLAN_0203_CLIENTS_WLAN" processingorder="16"

netsh nps set np name="NPS_VLAN_0203_CLIENTS_LAN" processingorder="17"

netsh nps set np name="NPS_VLAN_0204_CLIENTS_WLAN" processingorder="18"

netsh nps set np name="NPS_VLAN_0204_CLIENTS_LAN" processingorder="19"

 

The two built-in policies go last.

netsh nps set np name="Connections to Microsoft Routing and Remote Access server" processingorder="100003"

netsh nps set np name="Connections to other access servers" processingorder="100004"
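The same reordering as a script, an added example of mine rather than the post's own commands: it exports a backup of the NPS configuration first, generates the netsh lines for VLAN 200 through 204 from the naming scheme above instead of typing each one, runs them through netsh -f (which sidesteps PowerShell's quoting of arguments that contain spaces), and finally prints the policies so you can confirm the order. The backup directory is an assumption.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on
# the NPS server. The backup location is assumed.
Import-Module NPS

$backupDir = 'C:\NPS-Backup'                      # assumed location
New-Item -ItemType Directory -Force -Path $backupDir | Out-Null
$backup = Join-Path $backupDir ('nps-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
# The export contains the RADIUS shared secrets in readable form: keep it
# where only admins can read it, or delete it once the change is confirmed.
Export-NpsConfiguration -Path $backup

# Build the netsh script: specific client VLAN policies first (WLAN then LAN
# per VLAN, as in the manual commands), guest catch-all after them, built-in
# policies last. Lines starting with '#' are comments in a netsh script file.
$lines = @('# NPS network policy processing order, generated')
$order = 10
foreach ($vlan in 200..204) {
    foreach ($media in 'WLAN', 'LAN') {
        $name = 'NPS_VLAN_{0:D4}_CLIENTS_{1}' -f $vlan, $media
        $lines += 'nps set np name="{0}" processingorder="{1}"' -f $name, $order
        $order++
    }
}
$lines += 'nps set np name="Secure Wired (Ethernet) Connections - GUEST VLAN" processingorder="250"'
$lines += 'nps set np name="Connections to Microsoft Routing and Remote Access server" processingorder="100003"'
$lines += 'nps set np name="Connections to other access servers" processingorder="100004"'

$script = Join-Path $env:TEMP 'nps-policy-order.txt'
Set-Content -Path $script -Value $lines -Encoding ASCII
netsh -f $script
Remove-Item $script

# Verify: lists every network policy together with its processing order.
netsh nps show np
```

If a policy name in the generated lines does not exist (for instance because the wizard named it differently), netsh reports an error for that line and leaves the rest untouched; fix the name and rerun, or restore with Import-NpsConfiguration from the backup.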