Tuesday, December 31, 2013

BYOD with PEAP MSCHAPv2 Authentication for 802.11 Devices


   So you have a school district....you have kids...kids have smartphones...add a wireless system and now you're in BYOD land! Implementing BYOD with PEAP and MSCHAPv2 has surely been widely documented by now, but it wasn't so much last year when we rolled out our Meraki wireless system and decided to let the kids have at it. I figured I'd throw my little procedure up as a guide for other shops looking to go BYOD. This is how I configured authentication and wireless access for our students and staff, who already had user accounts in AD. 

I won't go into our existing wireless and network infrastructure, but we opted to go with Meraki, which has turned out to be a nice cloud based controller system. We are an MS shop, so we looked for a way to marry the two: the Meraki APs act as RADIUS clients and hand the 802.1X authentication off to a Windows NPS server, which checks the user's AD credentials and group membership.

First install the NPS role (Network Policy Server, under Network Policy and Access Services) on your server- we chose Windows Server 2012.

Next thing to do once you have your NPS server up and running is configure your RADIUS clients. These will be the IPs, or most likely the IP range, of your wireless APs, since each AP talks RADIUS to NPS from its own address. Each client entry carries a shared secret that has to match what you enter in the Meraki dashboard for the SSID- use a long random string rather than a word, because the secret is all that stops something else on that subnet from posing as an AP.

Now configure a Connection Request Policy- I just did the NAS Port Type here (Wireless - IEEE 802.11), so wireless requests get processed locally on this server.

Next up...Network Policy. This is where you'll specify your conditions (domain groups, NAS Port Type), authentication methods, etc. to control access (see the screen shots below for the configuration I used). I should mention, you'll want to have a certificate for your NPS server installed prior to defining this policy, since PEAP can't be selected as a method without one. See below- we used a Go Daddy cert. Two things to check on that cert: it needs the Server Authentication purpose and a private key in the machine store, and it needs to chain to a CA your students' devices already trust, because the client's check of that certificate is what protects the MSCHAPv2 exchange inside the PEAP tunnel. While you're in the authentication methods, leave the weaker non-EAP methods (PAP, CHAP, MS-CHAP) unticked so the policy only ever offers PEAP.







Now....after your NPS server is set up, you configure your wireless controller to use the RADIUS/PEAP authentication you've just defined. This will tie it all in. Below are our Meraki dashboard settings for our student SSID configuration. Other additional SSIDs, if needed, would be the same. You can use the Called Station ID condition specified in the above screenshot to direct certain users to a particular SSID by combining it with a User Group condition: the APs send the Called-Station-Id as the AP MAC followed by a colon and the SSID name, so a pattern that ends in the SSID name, combined with a Windows Groups condition, pins that group to that SSID (confirm the exact format in the NPS event log before relying on the pattern).
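The NPS side of the procedure above, scripted, as an added example that is not from the original post. It installs the role, creates the RADIUS client entry for the AP subnet with a random shared secret, checks that a usable server certificate is present, and lists the policy conditions used in the console. The AP subnet 10.10.20.0/24, the SSID name "Students", the group CONTOSO\Students and the Called-Station-Id pattern are assumed placeholders; substitute your own. The network policy itself is still built in the NPS console as the screenshots show.

```powershell
# Added example (not from the original post): NPS setup for a Meraki BYOD SSID
# on Windows Server 2012. The AP subnet, SSID, group name and Called-Station-Id
# format below are assumptions - substitute your own values.

# 1. Install the NPS role and the management tools.
Install-WindowsFeature -Name NPAS -IncludeManagementTools
Import-Module NPS

# 2. Generate a long random RADIUS shared secret. The same value is pasted into
#    the Meraki dashboard under the SSID's RADIUS server settings.
$rngBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rngBytes)
$sharedSecret = [Convert]::ToBase64String($rngBytes)

# 3. Register the APs as RADIUS clients. Each AP sends RADIUS from its own LAN
#    address, so one client entry covering the AP subnet is the simplest option.
New-NpsRadiusClient -Name 'Meraki-APs' -Address '10.10.20.0/24' `
    -SharedSecret $sharedSecret -VendorName 'RADIUS Standard'
Get-NpsRadiusClient | Format-Table Name, Address, Enabled

# 4. Confirm a server-authentication certificate with a private key is in the
#    machine store before building the PEAP policy; PEAP cannot be chosen as
#    an authentication method without one.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Format-Table Subject, NotAfter, Thumbprint

# 5. Conditions and constraints entered in the NPS console (Network Policies):
#    NAS Port Type      = Wireless - IEEE 802.11
#    Windows Groups     = CONTOSO\Students
#    Called Station ID  = .*:Students$   (assumes the AP sends "AP-MAC:SSID";
#                                         verify the format in event 6272)
#    Authentication     = Microsoft: Protected EAP (PEAP) with EAP-MSCHAP v2;
#                         PAP, CHAP and MS-CHAP left unticked.

# 6. Export the finished configuration so the policies can be reviewed or
#    restored on a second server. Note the export contains the shared secret
#    in clear text, so protect the file accordingly.
Export-NpsConfiguration -Path "$env:USERPROFILE\Desktop\nps-config.xml"
Write-Host "Shared secret for the Meraki dashboard: $sharedSecret"
```

The secret is printed once so it can be pasted into the dashboard; it is not stored anywhere else by the script, so if you lose it, run `Set-NpsRadiusClient` with a new value and update the dashboard to match.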



Now, you'll probably want to set up some logging so you can see what's going on and if your setup is working. That's done from the Accounting node of the NPS snap-in. Independently of accounting, every authentication attempt also lands in the server's Security event log (event 6272 for access granted, 6273 for access denied, with the user, the client MAC, the Called-Station-Id, the policy that matched and the reason for a rejection), which is the quickest place to look when a device won't connect.
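A quick way to read those events, as an added example that is not from the original post: it pulls the most recent NPS authentication events from the Security log on the NPS server, breaks the EventData fields out by name, and summarises denials by reason plus any grants that did not come through PEAP with EAP-MSCHAP v2. The field names are those NPS writes into the event XML; the assumption that the Called-Station-Id ends in the SSID name matches what the Meraki APs send but should be confirmed against your own events.

```powershell
# Added example (not from the original post): summarise NPS authentication
# events from the Security log. 6272 = access granted, 6273 = access denied.
# Run on the NPS server with rights to read the Security log.

function Get-NpsAuthSummary {
    param([int]$MaxEvents = 500)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The useful fields live in EventData; read them by name from the XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time     = $e.TimeCreated
            Result   = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
            User     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Device   = $data['CallingStationID']                     # client MAC
            SSID     = ($data['CalledStationID'] -split ':')[-1]     # assumes "AP-MAC:SSID"
            ClientIP = $data['ClientIPAddress']                      # which AP sent it
            Policy   = $data['NetworkPolicyName']
            EapType  = $data['EAPType']
            Reason   = $data['Reason']
        }
    }
}

$summary = Get-NpsAuthSummary

# Denials grouped by reason. Repeated credential mismatches from one MAC are a
# mistyped password on a phone; the same reason across many users usually means
# the policy, the shared secret or the certificate is the problem.
$summary | Where-Object Result -eq 'Denied' |
    Group-Object Reason | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Grants that did not use EAP-MSCHAP v2 mean a weaker method is still ticked in
# the network policy and should be unticked.
$summary | Where-Object { $_.Result -eq 'Granted' -and $_.EapType -notmatch 'MSCHAP' } |
    Format-Table Time, User, Policy, EapType -AutoSize

# Per-SSID view: confirms the Called-Station-Id pattern is steering each group
# to the SSID you intended.
$summary | Where-Object Result -eq 'Granted' |
    Group-Object SSID, Policy | Format-Table Count, Name -AutoSize
```

If `Get-WinEvent` returns nothing, check that auditing for Network Policy Server is enabled (it is on by default when the role is installed, but a hardened audit policy via GPO can switch it off).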


Well...there you have it. Pretty straightforward- as long as everything is configured as such, you'll have your devices logging in successfully. You may notice on some users' iOS devices that the NPS server certificate may still not be trusted....even though you are using a well known compatible cert vendor such as Go Daddy. You'll get a warning- this happens the one time on initial login, because iOS asks the user to confirm the RADIUS server's certificate the first time a hand-configured network presents it, regardless of who issued it. We did not experience this with Android devices. One caveat worth passing on to users: that prompt is the only check standing between the student's AD password and a rogue access point. PEAP only protects the MSCHAPv2 exchange if the phone actually verifies it is talking to your NPS server, and a user who has learned to tap Trust on any certificate will do the same for an evil-twin SSID, which can then capture a challenge/response that is crackable offline. If you can, push the Wi-Fi settings to devices with a configuration profile that names the trusted server certificate, so the prompt never appears and anything other than your NPS server is rejected outright. It's a nice setup overall- cool to have centralized access control using NPS, especially if you're an MS shop to begin with. 

Hope this helps fellow BYODers !  ...



Sunday, December 29, 2013

My first blog post!

   I guess the time has come to join the party on this great super highway of information! Being a tech guy by trade and an all around "how to" type, it's only natural to dump what's rattling around in my noggin before it's obliterated by old age and one too many "adult beverages". Also, I've come to believe that the greatest catalyst and ambassador for learning is sharing. And there's no medium more convenient and persuasive for sharing than the Internet. I could never have been a successful, fully-functioning adult IT Tech without the scores of individuals who are generous enough to share their experiences and time, and document them for the world to see! You peeps are awesome! The days of reading the owner's manual and plugging it in are over-- nothing works as it should in technology. So with that...I hope to contribute and share my experiences with my fellow techies...and hell....maybe I'll even spare someone from an all-nighter hunched over their workstation, 10 cups of coffee coursing through their bloodstream...praying their server comes up before the morning! I know you guys and gals have spared me many a time.....


Until next time ...Dennis