Howto/Spacenet/Setup Network Policy Server

From SpaceFED

If your hackerspace runs Microsoft Active Directory (for some reason), you can use Microsoft Network Policy Server (NPS) as your RADIUS server to connect to spacenet, if you're into that.

Side note: you can also keep FreeRADIUS as the RADIUS server and use Active Directory only as the user directory, authenticating MSCHAPv2 through NTLM authentication (ntlm_auth from Samba/winbind).

What do you need?

  • Microsoft Active Directory up and running
  • Network Policy Server role installed and registered in Active Directory (Windows Server 2008 or later)
  • Microsoft Certification Authority (optional; required if you want to run EAP-TLS, because every client needs a certificate, and convenient for issuing the NPS server certificate)
  • Certificate installed on the NPS server that is suitable for RADIUS/EAP server authentication (Server Authentication EKU, subject matching the server name, issued by a CA your clients trust)
  • Address and shared secret of your country node (see Howto/Spacenet/Applying)
  • Access point with WPA2-Enterprise (802.1X) support


Assuming NPS is registered in AD, let's begin. If it is not, right-click NPS in the console and choose "Register server in Active Directory" (this adds the server's computer account to the "RAS and IAS Servers" group so NPS can read the dial-in properties of user accounts).

1) Add RADIUS clients

You will need to add at least two RADIUS clients: your access point (with a long random shared secret you choose) and the country node (using the shared secret supplied by the country node). NPS only processes requests from registered clients; packets from any other address are discarded.
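As an added example (not part of this howto, and not how the original author did it), the same two clients can be registered from PowerShell with the NPS module that ships with Windows Server 2012 and later (Server 2008 only has the console and `netsh nps`). The client names and the access point address are placeholders; the country node address and secret are the ones you received when applying.

```powershell
# Added example, not from the SpaceFED howto. Requires the NPS role and the
# NPS PowerShell module (Windows Server 2012 or later), run in an elevated shell.
# Names and the AP address below are placeholders; use the country node address
# and shared secret you received (see Howto/Spacenet/Applying).

function Add-SpacenetRadiusClient {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Address,      # IP address, DNS name or address range
        [string]$VendorName = 'RADIUS Standard'
    )
    # Prompt for the secret so it never appears in the script or the PowerShell history.
    $secure = Read-Host -AsSecureString -Prompt "Shared secret for $Name"
    $plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password
    if ($plain.Length -lt 16) {
        Write-Warning "Shared secret for $Name is shorter than 16 characters; use a long random secret for your own clients."
    }
    # Idempotent: update the entry if it already exists, otherwise create it.
    if (Get-NpsRadiusClient | Where-Object Name -eq $Name) {
        Set-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $plain -Enabled $true
    } else {
        New-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $plain -VendorName $VendorName -Enabled $true
    }
}

# 1) The access point (or the controller/subnet that terminates 802.1X). Placeholder address.
Add-SpacenetRadiusClient -Name 'ap-hackerspace' -Address '192.0.2.10'

# 2) The country node; address and secret are the ones supplied by the country node. Placeholder name.
Add-SpacenetRadiusClient -Name 'spacenet-country-node' -Address 'radius.example.org'

# Only these clients may talk to NPS; requests from any other address are discarded.
Get-NpsRadiusClient | Format-Table Name, Address, Enabled, VendorName
```

If you back up the finished configuration with Export-NpsConfiguration, keep in mind that the exported XML contains the shared secrets of all RADIUS clients and remote servers in clear text, so protect or delete that file.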


2) Add Connection Request Policies (CRP)

First add a CRP for local authentication. All requests for our own realm (in this case "spacewin.test", i.e. a User-Name ending in @spacewin.test) must be authenticated on this RADIUS server: use the "User Name" condition with a pattern such as .*@spacewin\.test$. Keep this policy above the forwarding policy in the processing order; NPS evaluates CRPs top-down and uses the first match.
Second, add a "Remote" policy that forwards all other requests to the country node: create a Remote RADIUS Server Group containing the country node (address and shared secret supplied by your country node) and, under the CRP's Settings > Authentication, forward requests to that group. Order this policy below the local one, so that only requests for realms other than your own are forwarded.

Make sure you do not send accounting information to the country node: leave "Forward accounting requests to this remote RADIUS server group" unchecked in the Remote CRP, and do not forward start/stop notifications in the server group. Accounting about who used your network stays local.

3) Add Network Policies

For local PEAP-EAP-MSCHAPv2 and/or EAP-TLS authentication you need at least one Network Policy. Network Policies are only evaluated for requests that the local CRP kept on this server; forwarded requests never reach them.

In this policy we match on membership of the group "Domain Users" in the domain "SPACEWIN". Add the condition NAS Port Type = "Wireless - IEEE 802.11" to make sure the request comes from an access point (and not from a VPN device or something like that); without it, any RADIUS client whose users match the group condition would be granted access.


Under "Constraints" > "Authentication Methods" select the supported EAP types. Here we support both PEAP-EAP-MSCHAPv2 (username/password), listed as "Microsoft: Protected EAP (PEAP)", and EAP-TLS (client certificates), listed as "Microsoft: Smart Card or other certificate".

Depending on your deployment select one or both of these.

Make sure you uncheck "Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)" and "Microsoft Encrypted Authentication (MS-CHAP)" under "Less secure authentication methods", as well as CHAP and PAP: we only accept MS-CHAPv2 inside the PEAP TLS tunnel, never bare on the wire, where its challenge/response can be captured and cracked offline.


Check that a server certificate is selected: select the EAP type, click "Edit" and verify that the certificate shown is the one issued to this server (Server Authentication EKU, issued by a CA your clients trust). Configure the clients to validate this certificate; a PEAP client that skips server validation will hand its MSCHAPv2 response to any rogue access point announcing your SSID.
4) Test it

After creating the Network Policy you should have a working solution. If not, look in Event Viewer > Windows Logs > Security for events 6272 (access granted) and 6273 (access denied); each 6273 event names the Connection Request Policy and Network Policy that matched and gives a reason code (for example 16 = credentials mismatch, 48 = no Network Policy matched, 49 = no Connection Request Policy matched, 66 = the client used an authentication method the matching Network Policy does not allow). The same events are collected under Custom Views > Server Roles > Network Policy and Access Services.
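As an added example (not part of this howto), the following PowerShell pulls those 6272/6273 events and summarises them per user, RADIUS client, policy and reason, which is quicker than clicking through the Event Viewer while testing. It assumes Windows Server 2012 or later, an elevated shell, and that NPS writes to the Security log (the default); the EventData field names used below are the ones NPS writes for these events, so if a column comes back empty compare them with the XML of one of your own events.

```powershell
# Added example, not from the SpaceFED howto. Summarises NPS results from the
# Security log (event 6272 = access granted, 6273 = access denied). Assumes
# Windows Server 2012 or later and an elevated shell. The EventData field names
# are an assumption about what NPS writes; check them against one of your own
# events with (Get-WinEvent -LogName Security -MaxEvents 1).ToXml() if needed.

function Get-NpsAuthEvent {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$MaxEvents = 200
    )
    $filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields instead of parsing the message text.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time         = $_.TimeCreated
                Result       = if ($_.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
                User         = $data['FullyQualifiedSubjectUserName']
                Client       = $data['ClientName']            # RADIUS client entry: your AP or the country node
                NasPortType  = $data['NASPortType']           # should be "Wireless - IEEE 802.11" for the AP
                Crp          = $data['ProxyPolicyName']       # which Connection Request Policy matched
                Policy       = $data['NetworkPolicyName']     # which Network Policy matched, if any
                AuthProvider = $data['AuthenticationProvider'] # "Windows" locally, "RADIUS Proxy" when forwarded
                AuthServer   = $data['AuthenticationServer']
                EapType      = $data['EAPType']
                ReasonCode   = $data['ReasonCode']            # only present on 6273
                Reason       = $data['Reason']
            }
        }
}

# Most frequent denial reasons in the last hour. Codes worth knowing while debugging:
# 16 credentials mismatch, 48 no Network Policy matched, 49 no Connection Request
# Policy matched, 65 dial-in permission denied on the user account, 66 the client
# used an authentication method the matching Network Policy does not allow.
Get-NpsAuthEvent | Where-Object Result -eq 'DENIED' |
    Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Per-request view: local users should show the local CRP and the Network Policy
# from step 3; users of other realms should show the "Remote" CRP and the
# country node as authentication server.
Get-NpsAuthEvent |
    Select-Object Time, Result, User, Client, NasPortType, Crp, Policy, AuthProvider, EapType |
    Format-Table -AutoSize
```

If a request from your own realm shows up with the "Remote" CRP, the User Name pattern of the local policy did not match (or the policies are in the wrong order); if it shows reason code 66, the client or access point is negotiating an EAP type you did not enable in step 3.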