Tuesday, December 31, 2013

BYOD with PEAP MSCHAPv2 Authentication for 802.11 Devices


So you have a school district....you have kids...kids have smartphones...add a wireless system and now you're in BYOD land! Implementing BYOD with PEAP and MSCHAPv2 has surely been widely documented by now, but it wasn't so much last year when we rolled out our Meraki wireless system and decided to let the kids have at it. I figured I'd throw my little procedure up as a guide for other systems looking to go BYOD. This is how I configured authentication and wireless access for our students and staff, who already had user accounts in AD.

I won't go into our existing wireless and network infrastructure, but we opted to go with Meraki, which has turned out to be a nice cloud-based controller system. We are a MS shop, so we looked for a way to marry the two.

First, install the NPS role (Network Policy Server) on your server. We chose Windows Server 2012.

Next, once you have your NPS server up and running, configure your RADIUS clients. These will be the IPs, or more likely the IP range, of your wireless APs.

Now configure a Connection Request Policy. I only set the NAS Port Type condition here.

Next up...the Network Policy. This is where you'll specify your conditions, domain groups, authentication methods, etc. to control access (see the screenshots below for the configuration I used). I should mention that you'll want a certificate installed on your NPS server before defining this policy. See below- we used a Go Daddy cert.

Now....after your NPS server is set up, configure your wireless controller to use the RADIUS\PEAP authentication you've just defined. This ties it all in. Below are our Meraki dashboard settings for our student SSID. Any additional SSIDs, if needed, would be configured the same way. You can use the Called Station ID condition shown in the screenshot above to direct certain users to a particular SSID by combining it with a User Groups condition.

Now, you'll probably want to set up some logging so you can see what's going on and whether your setup is working. That's done from the Accounting node of the NPS snap-in.
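Once accounting is on, the quickest way to tell whether PEAP-MSCHAPv2 logons are actually succeeding is to triage the log. The script below is an added example (not from the original post) that parses records written in NPS's "DTS Compliant" XML accounting format; the sample records are constructed, the reason-code table covers only a few common codes, and the `AP-MAC:SSID` layout of Called-Station-Id is assumed for Meraki.

```powershell
# Constructed sample records in NPS DTS (XML) accounting format, one <Event> per line.
$sampleLog = @'
<Event><Timestamp data_type="4">12/31/2013 07:58:12.001</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">SCHOOL\student1</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-11-22</Calling-Station-Id><Called-Station-Id data_type="1">00-18-0A-11-22-33:Students</Called-Station-Id><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">12/31/2013 07:58:40.513</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">SCHOOL\student2</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-33-44</Calling-Station-Id><Called-Station-Id data_type="1">00-18-0A-11-22-33:Students</Called-Station-Id><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
<Event><Timestamp data_type="4">12/31/2013 07:59:02.220</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">SCHOOL\teacher1</User-Name><Calling-Station-Id data_type="1">AA-BB-CC-00-55-66</Calling-Station-Id><Called-Station-Id data_type="1">00-18-0A-11-22-33:Students</Called-Station-Id><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">48</Reason-Code></Event>
<Event><Timestamp data_type="4">12/31/2013 07:59:10.004</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">SCHOOL\student1</User-Name><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
'@

# Partial lookup of NPS reason codes (assumed/abbreviated wording; see event 6273 on the server for the full text).
$reasonText = @{
    0  = 'Success'
    16 = 'Credentials mismatch (unknown user or wrong password)'
    48 = 'No matching network policy (e.g. user not in an allowed group)'
    49 = 'No matching connection request policy'
    65 = 'AD dial-in Network Access Permission is set to Deny'
    66 = 'Authentication method not enabled on the matching network policy'
}

# Returns the inner text of one element of a parsed record, or $null if absent.
function Get-Field([xml]$Record, [string]$Name) {
    $node = $Record.Event.SelectSingleNode($Name)
    if ($node) { $node.InnerText } else { $null }
}

$results = foreach ($line in $sampleLog -split "`r?`n") {
    if ($line -notmatch '^<Event>') { continue }
    $x    = [xml]$line
    $type = [int](Get-Field $x 'Packet-Type')
    if ($type -notin 2, 3) { continue }          # keep Access-Accept (2) and Access-Reject (3) only
    $code = [int](Get-Field $x 'Reason-Code')
    # Assumed Meraki layout "AP-MAC:SSID": strip everything up to the colon to get the SSID.
    $ssid = (Get-Field $x 'Called-Station-Id') -replace '^[^:]*:', ''
    [pscustomobject]@{
        Time   = Get-Field $x 'Timestamp'
        User   = Get-Field $x 'User-Name'
        Device = Get-Field $x 'Calling-Station-Id'
        SSID   = $ssid
        Result = if ($type -eq 2) { 'ACCEPT' } else { 'REJECT' }
        Reason = if ($reasonText.ContainsKey($code)) { $reasonText[$code] } else { "Reason code $code" }
    }
}

$results | Format-Table -AutoSize
# Rejections grouped by cause: many 16s from one device usually mean a stale saved password,
# while 48s point at the group or Called Station ID conditions in the network policy.
$results | Where-Object Result -eq 'REJECT' | Group-Object Reason | Select-Object Count, Name
```

Point `$sampleLog` at the contents of a real `IN*.log` from the NPS accounting folder (`Get-Content -Raw`) to run it against live data.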

Well...there you have it. Pretty straightforward- as long as everything is configured as shown, you'll have your devices logging in successfully. You may notice that on some users' iOS devices the NPS server certificate is still not trusted, even though you are using a well-known, compatible cert vendor such as Go Daddy. You'll get a warning; this happens once, on the initial login. Not a huge deal. We did not experience this with Android devices. It's a nice setup overall- cool to have centralized access control using NPS, especially if you're a MS shop to begin with.

Hope this helps fellow BYODers!
