802.1X Authentication using NPS + Meraki AP's

Looking to implement 802.1X authentication in a Windows Server 2019 domain environment using Protected-EAP authentication.  I have designed the tutorial to be worked on in the specific order to prevent downtime if deployed during the day.  

By creating the Network Policy server first, once we switch the authentication type from whatever to 802.1X via RADIUS, our Network Policy Server will immediately start processing requests and allowing machines on the domain.

Active Directory

First, we need to create a security group in Active Directory to allow a list of specific users and computers to login to the domain.  In this example, we will configure a group to allow access to the Wifi thsi will be called "Wifi-Authorised-Bears" - just a standard AD group will do here.

Network Policy Server

Follow this to get the NPS server done:

Create a new server

Add the machine to the domain

Give the machine a static IP as you do not want your NPS on a dynamic IP

Open up Server Manager, click Add Roles, click Next on the Before You Begin screen, check Network Policy and Access Services and click Next, click Next on the Introduction screen, check Network Policy Server (leave the rest unchecked) and click Next, click Install.

Once Network Policy Server is installed, launch the Network Policy Server snap-in (via MMC or Administrative Tools)

Inside of Network Policy Server, on NPC (Local), select RADIUS server for 802.1X Wireless or Wired Connections from the dropdown and click Configure 802.1X

On the Select 802.1X Connections Type page, select Secure Wireless Connections, and enter My Company’s Wireless.  Click Next.

Click on the Add… button.  Enter the following settings:

Friendly name: Wireless LAN Controller

Address: 10.555.41.22/24 (Enter your WLAN network range, or use an single if that is required)

Select Generate, click the Genereate button, and then copy down the Shared Secret the wizard generated (we will use this later to get the WLAN Controller to talk to the RADIUS server). 

Click OK.

Click Next.

On the Configure an Authentication Method, select Microsoft: Protected EAP (PEAP). Click Next.

Click Next on the Specify User Groups (we will come back to this).

Click Next on the Configure Traffic Controls page.

Click Finish

Click on NPS (Local) -> Policies -> Network Policies. Right click Secure Wireless Connections and click Properties.

Click on the Conditions tab, select NAS Port Type, and click Remove.

Still on the Conditions tab, click Add…, select Windows Groups and click Add…, click Add Groups…, search for "Wifi-Authorised-Bears"  and click OK.  Click OK on the Windows Groups dialog box, click Apply on the Secure Wireless Connections Properties box.  You should now have something like the image below:



802.1X - Secure Wireless Connections Conditions

Click on the Constraints tab.

Uncheck all options under Less secure authentication methods like the image below:

802.1X - Secure Wireless Connections Constraints



Click Apply

To see if its worked head over the event log and open up the "Network Policy and Remote Access" log:

The event ID will tell you what the story is and give you details, EventID 6272 is a granted connection and 6273 is a denied connection, if get a denied the data at the bottom will tell you the cause, like this:

Account Session Identifier: 46333932333043354138383633414335

Logging Results: Accounting information was written to the local log file.

Reason Code: 69

Reason: The telephone number of the network access server does not match the value of the Called-Station-ID attribute that is configured in the constraints of the matching network policy. NPS denied the Access-Request.

In this case we had a called-station-id required but the client did not give on, so this is what I did to simulate that error, I required NPS to get a caller-station-id of "LetsBreakIT" to be allowed on.



This is the server, and you will need to configure your Wifi to use this server as its RADUIS server, and there you have 802.1x and its a whole lot of fun.

I was using Meraki AP's to link this to, therefore I set my SSID to this: 


This was setup using this options for association requirements:



Then you need to set the server setup above in this section:

Then when people sign it, you will be using 802.1x - which is better than a PSK.