rss logo

Implementing WPA Enterprise (802.1X and RADIUS) with PEAP-MS-CHAP v2 on UniFi WiFi Access Points

WiFi Logo

Nowadays WiFi access is becoming a common standard in large number of companies. Unfortunatly it brings a lot of preoccupations concerning security aspect. Indeed, as you set a unique WPA password for a large number of users, you need to change the password of the WiFi access quite often (we already seen how to do this via gpo here) but it's rather cumbersome to set up.

So we will see here how to implement WPA Enterprise access in order to enforce the security and respond to the concerns outlined above.

⚠️Note: Be advise that the PEAP-MSCHAPv2 protocol smells bad from the buttocks and is poorly secure. Sources : https://www.youtube.com/. Consider using EAP-TLS in place! (For example see here) ⚠️

Note II : PEAP-MSCHAPv2 uses a traditionnal login and password to authenticate users (based on Active Directory accounts here), while EAP-TLS use X.509 certificates.

Network diagram showing EAP and RADIUS frames exchanged between a WiFi supplicant, an authenticator and a RADIUS server

Authentication Server

Installing the NPS Role

We have two options for installing the NPS role: using PowerShell or the Graphical User Interface.

PowerShell

  • For a quick installation using PowerShell, run the following command:
PS C:\Users\administrator.STD> Install-WindowsFeature NPAS -Restart -IncludeManagementTools

Graphical User Interface (GUI)

  • Using the Server Manager dashboard, navigate to Add Roles and Features:
Windows Server | Server Manager Dashboard - Add Roles and Features
  • Select Role-based or feature-based installation:
Add Roles and Features | Select installation type
  • Select the server:
Add Roles and Features | Select destination server
  • Select the Network Policy Server role:
Add Roles and Features | Select server roles
  • Just click Next:
Add Roles and Features | Select features
  • Check Restart destination server and click on Install:
Add Roles and Features | Confirm installation selections

Generating Self-Signed Certificate

As seen previously on the diagram, a TLS tunnel is established between the supplicant and the NPS. To do so, we have the choice between creating a certificate on an ADCS server (method to be covered in the EAP-TLS tutorial) and creating a self-signed one. In this option, we need to deploy the certificate on each supplicant that will connect to the Access Points.

PowerShell

  • From the NPS server open a PowerShell console:
PS C:\Users\administrator.STD> New-SelfSignedCertificate -DnsName "nps.std.local" -KeyLength 2048 -CertStoreLocation cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(20)

Export Certificate

In order to be recognized as a trusted entity by Windows Supplicants, the certificate should be exported and added to their list of trusted certificates. I will cover how to achieve this later for the Supplicant.

  • Open the Microsoft Management Console:
Windows Run window with 'mmc' in the Open field
  • Click Add/Remove Snap-in…:
MMC console with 'Add/Remove Snap-in' option selected from the 'File' menu
  • Select Certificates and click OK:
Add or Remove Snap-ins console with the 'Certificates' snap-in being added
  • Select Computer account:
Certificates Snap-in window with 'Computer account' selected
  • Select Local computer:
Select Computer window with 'Local computer' option chosen
  • Finally click to OK:
Add or Remove Snap-ins console with the 'Certificates' snap-in has been added
  • The generated certificate should appear under Certificates > Personal > Certificates:
Certificate in Personal Certificates folder of a computer certificate MMC console
  • Right-click on the certificate and select Export…:
Exporting a certificate in the Personal Certificates folder from a computer certificate MMC console.
  • Click Next:
Welcome screen of the Certificate Export Wizard in Windows.
  • Do not export the private key:
Screen prompting to export the private key in the Certificate Export Wizard.
  • Select certificate format, for example DER:
Exporting the certificate in DER format using the Certificate Export Wizard.
  • Specify the path where you want to export the certificate:
Specifying the path to export the certificate in the Certificate Export Wizard.
  • Click Finish:
Final step of the Certificate Export Wizard, offering to complete the export
  • The exported certificate should appear inside the specified directory:
Image of a certificate on a Windows desktop.

Configure NPS

  • Open the Network Policy Server Console:
Windows Run window with 'nps.msc' in the Open field

Declare Access Point as RADIUS Clients

  • Navigate to NPS > RADIUS Clients and Servers > RADIUS Client and click on New:
  • For each Access Point, provide a Name, set the IP address, and create a strong password (use the same one for every Access Point):
  • You should see all Access Point previously added in the RADIUS Clients folder:

Create a Network Policy

Now we need to create a Network Policy where we will define which group of users will be able to connect and the protocols used.

  • Click New in Network Policies folder:
  • Give a name to the Policy:
  • Click Add to specify the condition:
  • Select User Groups, and click Add Groups…:
  • Add an Active Directory group of users, such as Domain Users:
  • Click Next:
  • Select Access granted:
  • Choose Protected EAP (PEAP) as EAP type and edit its configuration:
  • Select the newly created certificate and choose Secured password (EAP-MSCHAP v2) as the EAP type:
  • Click Next:
  • Click Next:
  • Finally, click Finish to create the Policy:

UniFi Network Server

Now we need to configure our UniFi Network Server.

  • Go to the Profiles menu and create a new RADIUS profile:
  • Click on Create New:
  • Give a Name to the RADIUS profile and add the NPS server IP address for the Authentication Server and the RADIUS Accounting Server. Don't forget to add the password previously set on the NPS server, set the ports, and then click the Add buttons to validate the configuration:
  • Now, go to the WiFi menu, and either add a new WiFi profile or modify an existing one:
  • Set the Security Protocol and the RADIUS Profile:

Supplicant

Last step, as explained previously, we need to declare the previously created certificate as legitimate. To do this, we must deploy the exported certificate on each Supplicant computer that needs to connect to the WiFi. We can do this manually or via GPO.

Manually

First, copy the certificate to the Supplicant.

  • Open or click on Install Certificate:
  • Choose Current User or Local Machine; both should work:
  • Click Browse, then select Trusted Root Certification Authorities:
  • Then click Next:
  • Click Finish to complete import:
  • Click Yes on the Security Warning Window:

GPO

  • Create a new GPO and import certificate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities:

References