Nowadays WiFi access is becoming standard in a large number of companies. Unfortunately, it brings a lot of security concerns. Indeed, when a single WPA pre-shared key is shared by a large number of users, it leaks as soon as one of them leaves or talks, so the WiFi password has to be changed quite often (we have already seen how to do this via GPO here), which is rather cumbersome to set up.
So we will see here how to implement WPA Enterprise (802.1X) access, where each user authenticates with their own credentials, in order to strengthen security and address the concerns outlined above.
⚠️ Note: Be advised that PEAP-MSCHAPv2 is weak. MSCHAPv2 is a known-broken protocol: if a supplicant does not validate the server certificate, a rogue access point can collect the MSCHAPv2 challenge/response and crack it offline, so the certificate validation steps at the end of this tutorial are mandatory, not optional. Sources: https://www.youtube.com/. Consider using EAP-TLS instead! (For example see here) ⚠️
Note II: PEAP-MSCHAPv2 uses a traditional login and password to authenticate users (based on Active Directory accounts here), while EAP-TLS uses X.509 certificates.
We have two options for installing the NPS role (Network Policy and Access Services): PowerShell or the graphical user interface.
PS C:\Users\administrator.STD> Install-WindowsFeature NPAS -Restart -IncludeManagementTools
As seen previously on the diagram, a TLS tunnel is established between the supplicant and the NPS, so the NPS needs a server certificate. We have the choice between issuing a certificate from an ADCS server (method to be covered in the EAP-TLS tutorial) and creating a self-signed one. With a self-signed certificate, we need to deploy the certificate on each supplicant that will connect to the access points, because nothing else in their trust store vouches for it.
PS C:\Users\administrator.STD> New-SelfSignedCertificate -DnsName "nps.std.local" -KeyLength 2048 -CertStoreLocation cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(20)
In order to be recognized as a trusted entity by Windows supplicants, the certificate (public part only, no private key) must be exported and added to their Trusted Root Certification Authorities store. The certificate must also carry the Server Authentication EKU (New-SelfSignedCertificate adds it by default) and its subject name must match the name the supplicants will be told to expect, here nps.std.local. I will cover how to achieve this later for the supplicant.
Now we need to create a Network Policy in which we define which group of users is allowed to connect and which authentication protocol (PEAP-MSCHAPv2 here) is used.
Now we need to configure our UniFi Network Server.
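For the access points to be able to send RADIUS requests to the NPS at all, each of them must be registered on the NPS as a RADIUS client with a shared secret, and the same secret is then entered in the UniFi RADIUS profile. The following is an added example and not code from the original page: it generates a random shared secret and registers the client with the NPS PowerShell module. The client name "UniFi-AP-01" and the address 192.168.10.20 are hypothetical.

```powershell
# Added example (not the original page's code): register a UniFi access point
# as a RADIUS client on NPS and generate its shared secret.
# Assumptions: the name 'UniFi-AP-01' and the address 192.168.10.20 are hypothetical.
Import-Module NPS

# 32 random bytes -> 44-character Base64 secret. Paste the same value into the
# UniFi RADIUS profile. Use a different secret per site; never a dictionary word.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# Every AP that will authenticate users must be a RADIUS client. NPS also accepts
# an address range (e.g. 192.168.10.0/24) if all APs live in one subnet.
New-NpsRadiusClient -Name 'UniFi-AP-01' -Address '192.168.10.20' -SharedSecret $secret

# Check: the client exists, is enabled and points at the expected address.
$client = Get-NpsRadiusClient -Name 'UniFi-AP-01'
if (-not $client.Enabled -or $client.Address -ne '192.168.10.20') {
    throw 'RADIUS client misconfigured'
}

# Print the secret once so it can be copied into the UniFi controller, then
# forget it; NPS stores it and it can be rotated with Set-NpsRadiusClient.
$secret
```

If authentication later fails with no entry at all in the NPS event log, the RADIUS client address or the shared secret is the first thing to check: NPS silently discards requests from unknown clients or with a bad secret.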
Last step, as explained previously, we need to mark the previously created certificate as trusted. To do this, we must deploy the exported certificate on each supplicant computer that needs to connect to the WiFi, and configure the supplicant to actually validate the NPS certificate against it. We can do this manually or via GPO.
First, copy the certificate to the Supplicant.