Components in this lab
The following components are used to set up Microsoft NPS with PEAP-MSCHAPv2 authentication for wireless clients:
- 1 x Windows 2019 Active Directory Domain Controller (DC), DNS Server with Enterprise Root CA Installed (192.168.1.200)
- 1 x Debian 10 with ISC DHCP Server installed (192.168.1.220)
- 1 x Windows 2019 Server with Network Policy Server (NPS) installed (192.168.1.180)
- 1 x FortiGate 60E Firewall (192.168.1.1)
- 1 x Cisco WLC 2504 Controller (192.168.1.196) + 1 x Cisco 1702I AP
Updated Posts for PEAP & EAP-TLS with Aruba WIFI
PEAP (Protected Extensible Authentication Protocol) Overview
PEAP uses Transport Layer Security (TLS) to create an encrypted channel between an authenticating PEAP client, such as a wireless laptop, and a PEAP authenticator, such as Microsoft NPS or any other RADIUS server. PEAP does not specify an authentication method itself; it provides a protected tunnel for other Extensible Authentication Protocol (EAP) methods, such as EAP-MS-CHAP v2, that run inside the TLS-encrypted channel. The protection of the inner method therefore depends on the client verifying the server certificate during the TLS handshake: a client that skips that check will complete the inner MS-CHAP v2 exchange with any RADIUS server that presents a certificate.
Phase 1 – TLS Encrypted Channel
The IEEE 802.11 association itself uses open system or shared key authentication and does not secure the session. Once the client is associated with the access point, it starts EAP over 802.1X and negotiates a TLS session with NPS (the EAP server), not with the AP: the AP and the controller only forward the EAP frames inside RADIUS and are not a TLS endpoint. NPS presents its server certificate in this handshake and the client validates it. The key material derived from this negotiation is used to encrypt all subsequent EAP communication in phase 2.
Phase 2 – EAP-Authenticated Communication
EAP communication, including negotiation of the inner method, takes place inside the TLS channel created in phase 1. NPS authenticates the wireless client with EAP-MS-CHAP v2 against Active Directory. The lightweight access point (LAP) and the controller only forward the messages between the wireless client and the RADIUS server; because neither the Wireless LAN Controller (WLC) nor the LAP is the TLS endpoint, they cannot decrypt them. After a successful inner authentication NPS returns the keying material to the WLC in the RADIUS Access-Accept (MS-MPPE key attributes), which seeds the WPA2 four-way handshake between client and AP.
Configuration of Microsoft CA Server
Install Enterprise Root CA
Configuration of Debian 10 ISC DHCP Server
- Add a new scope for 192.168.100.0/24 in /etc/dhcp/dhcpd.conf (the broadcast address must belong to the 192.168.100.0/24 subnet)
subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.60 192.168.100.79;
    option routers 192.168.100.1;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.100.255;
    option domain-name-servers 192.168.1.200;
    option domain-name "lab.aventislab.info";
}
Refer to Debian 10 ISC DHCP Server for the installation and base configuration of the ISC DHCP server. The server is on the LAN (192.168.1.220) and only sees relayed requests from the WLC, so it needs no interface in VLAN 100; its replies reach the relay address 192.168.100.254 via the FortiGate at 192.168.1.1.
Configuration of NPS with PEAP-MSCHAPv2
- Generate and import the NPS server certificate (it must carry the Server Authentication EKU, and its subject or SAN must match the name clients will validate) by following Request SSL Certificate from Microsoft CA with Certreq
- Enable NPS Role, Register it with AD Server and Create a RADIUS Client
#Enable the NPS role (RADIUS server)
Import-Module ServerManager
Add-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools
#Register NPS in AD: adds this server to the "RAS and IAS Servers" group
#so it can read the dial-in properties of user accounts
netsh ras add registeredserver
#Create a RADIUS client for the WLC. P@ssw0rd is a lab value; use a long random
#shared secret in production, it is the only thing protecting RADIUS between WLC and NPS
New-NpsRadiusClient -Name WLC2504 -Address 192.168.1.196 -SharedSecret P@ssw0rd -NapCompatible:$true
- Open NPS Console, and Select RADIUS Server for 802.1x Wireless or Wired Connections. Click on Configure 802.1x
- Select Secure Wireless Connections and enter a Friendly Name
- Add WLC2504 Radius client which we had created previously
- Select Microsoft : Protected EAP (PEAP) and Select the SSL Cert generated for NPS Server to continue
- Add LAB\Domain Users to allow Domain Users to login
- Click Next to continue with default settings
- Click Finish
- Disable the default "Use Windows authentication for all users" connection request policy so that only the policy created by the NPS wizard handles requests
- In the network policy's Constraints > Authentication Methods, uncheck the less secure Microsoft Encrypted Authentication (MS-CHAP) and leave only MS-CHAP-v2 enabled as the inner method of PEAP
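Once the wizard policy is in place, the quickest way to see whether a client actually matched it, and why a logon was refused, is the NPS audit trail in the Security log (event 6272 = access granted, 6273 = access denied). The script below is an added example, not part of the original post: it checks the RADIUS client created above, parses the fields a practitioner looks at first out of the event text, and maps the common reason codes to a hint. The sample 6273 message is constructed to match the layout of the real event (abridged to the parsed fields); the account name LAB\jdoe is a placeholder. Run it elevated on the NPS server, and if no events appear, confirm auditing with `auditpol /get /subcategory:"Network Policy Server"`.

```powershell
# Added example: verify the NPS side of PEAP-MSCHAPv2 (not from the original post)
Import-Module NPS

# Reason codes seen most often on a fresh PEAP-MSCHAPv2 deployment
$ReasonHints = @{
    16 = 'credentials mismatch (wrong password, or the account name did not resolve)'
    22 = 'EAP type cannot be processed (check the server certificate bound to PEAP in the policy)'
    48 = 'no matching network policy (check conditions such as NAS Port Type = Wireless)'
    49 = 'no matching connection request policy'
    65 = 'dial-in permission on the user account is set to Deny access'
    66 = 'auth method not enabled on the matching policy (e.g. MS-CHAP v2 unchecked)'
}

# Pull one "Label:  value" field out of the event message text (first occurrence)
function Get-NpsEventField {
    param([string]$Message, [string]$Label)
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$") { return $Matches[1] }
    return ''
}

function ConvertFrom-NpsEventMessage {
    param([string]$Message, [int]$Id, [datetime]$Time)
    $code = Get-NpsEventField -Message $Message -Label 'Reason Code'
    $reason = ''
    if ($code) {
        $hint = $ReasonHints[[int]$code]
        if (-not $hint) { $hint = Get-NpsEventField -Message $Message -Label 'Reason' }
        $reason = "$code - $hint"
    }
    [pscustomobject]@{
        Time    = $Time
        Result  = if ($Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
        Account = Get-NpsEventField -Message $Message -Label 'Account Name'
        Client  = Get-NpsEventField -Message $Message -Label 'Client Friendly Name'
        EapType = Get-NpsEventField -Message $Message -Label 'EAP Type'
        Policy  = Get-NpsEventField -Message $Message -Label 'Network Policy Name'
        Reason  = $reason
    }
}

# Confirm the RADIUS client for the WLC exists with the expected address
function Test-NpsWlcClient {
    param([string]$Name = 'WLC2504', [string]$Address = '192.168.1.196')
    $c = Get-NpsRadiusClient | Where-Object { $_.Name -eq $Name }
    if (-not $c) { return "RADIUS client $Name not found" }
    if ($c.Address -ne $Address) { return "RADIUS client $Name has address $($c.Address), expected $Address" }
    return "RADIUS client $Name OK"
}

# Summarise the most recent NPS grant/deny events
function Get-NpsAuthSummary {
    param([int]$Last = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents $Last |
        ForEach-Object { ConvertFrom-NpsEventMessage -Message $_.Message -Id $_.Id -Time $_.TimeCreated }
}

# Constructed sample of a 6273 message, abridged to the fields parsed above
$sample = @"
Network Policy Server denied access to a user.

User:
	Security ID:			LAB\jdoe
	Account Name:			jdoe
	Account Domain:			LAB

RADIUS Client:
	Client Friendly Name:		WLC2504
	Client IP Address:		192.168.1.196

Authentication Details:
	Connection Request Policy Name:	Secure Wireless Connections
	Network Policy Name:		Secure Wireless Connections
	Authentication Type:		PEAP
	EAP Type:			Microsoft: Secured password (EAP-MSCHAP v2)
	Reason Code:			16
	Reason:				Authentication failed due to a user credentials mismatch.
"@

ConvertFrom-NpsEventMessage -Message $sample -Id 6273 -Time (Get-Date) | Format-List
Test-NpsWlcClient
Get-NpsAuthSummary -Last 20 | Format-Table -AutoSize
```

A run of denials with reason 48 right after the wizard usually means the request never matched the wizard's network policy (for instance the WLC sends a NAS Port Type the policy does not list); reason 66 is the symptom of unchecking MS-CHAP v2 by mistake in the step above.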
Configuration of FortiGate 60E
- Create a new VLAN Interface (VLAN100) with IP Address of 192.168.100.1/24 tagged to Port 1
config system interface
    edit "VLAN100"
        set vdom "root"
        set ip 192.168.100.1/24
        set interface "internal"
        set vlanid 100
    next
end
- Create 2 firewall policies:
- To allow VLAN 100 to WAN (source NAT behind wan1)
- To allow VLAN 100 to LAN with NAT disabled. This policy also carries the WLC's DHCP relay traffic (sourced from 192.168.100.254) to the DHCP server at 192.168.1.220 and client DNS to 192.168.1.200. service "ALL" is acceptable in a lab; in production restrict the VLAN 100 to LAN policy to the services wireless clients actually need.
config firewall policy
    #edit 0 picks the next available policy ID
    #VLAN 100 to WAN
    edit 0
        set name "VLAN100ToWAN"
        set srcintf "VLAN100"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
    #VLAN 100 to LAN with no NAT
    edit 0
        set name "VLAN100ToLAN"
        set srcintf "VLAN100"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end
Configuration of Cisco WLC 2504
- Create a new Interface – VLAN100 with Interface IP = 192.168.100.254/24
#Dynamic interface for VLAN100 (address, mask, gateway = FortiGate VLAN100 IP)
config interface create "VLAN100" 100
config interface address dynamic-interface "VLAN100" 192.168.100.254 255.255.255.0 192.168.100.1
#The WLC relays client DHCP requests from this interface to the ISC DHCP server on the LAN
config interface dhcp dynamic-interface "VLAN100" primary 192.168.1.220
#Assign to port 1 of the WLC
config interface port "VLAN100" 1
- Add NPS as Radius Server
#Add NPS as RADIUS server index 1; the shared secret must match the RADIUS client created on NPS
config radius auth add 1 192.168.1.180 1812 ascii P@ssw0rd
config radius acct add 1 192.168.1.180 1813 ascii P@ssw0rd
- Create a New WLAN – VLAN100
#Syntax: config wlan create <wlan id> <profile name> <ssid>
config wlan create 2 "VLAN100" "VLAN100"
config wlan interface 2 "VLAN100"
#Bind RADIUS server index 1 (NPS) to WLAN ID 2 for authentication and accounting
config wlan radius_server auth add 2 1
config wlan radius_server acct add 2 1
#A new WLAN defaults to WPA2/AES with 802.1X key management, which is what PEAP needs
config wlan enable 2
Connecting from Windows 10 Machine
- Connect to VLAN100; on a domain-joined machine tick "Use my Windows user account" so the logged-on domain credentials are sent inside the PEAP tunnel
The enterprise root certificate needs to be imported manually on a non-domain-joined PC (domain members receive it through Group Policy). In both cases the wireless profile should validate the server certificate and pin the expected NPS server name and root CA; without that check the inner MS-CHAP v2 exchange is exposed to any rogue access point that presents a certificate.
Reference Links
- https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html