1. Set up Radius Server as a DC
a. Make server a DC
2. Create a Security Group to add users to: “WiFi – CorporateUsers”
3. Install a Certification Authority
a. Install the role
b. Configure the ADCS
Choose Enterprise CA
Keep all defaults (Choose Root CA)
Set Certificate to 2 years and create a scheduled task somewhere to replace this certificate before it expires.
c. Request computer certificate for the Domain Controller Certificate on the RADIUS Server.
4. Install NPS
a. –
b. Configure RADIUS server in FortiCloud / (Your Access Points)
c. Authentication on WPA2-Enterprise
Port 1812
Enter the “Secret” PSK.
d. In the NPS config, change from NPS to RADIUS 802.1x
e. Add a RADIUS client (the AP)
f. For Auth Method, choose EAP.
g. Add the “WiFi – CorporateUsers” group.
h. Click on the NPS(Local) root node in the NPS Snap in, then click the Action > Register Server in Active Directory.
5. Export the DC Certificate, and deploy it to all devices that can join WiFi
6. Deploy WiFi Settings and certificate via Group Policy
a. Put the exported certificate in SYSVOL\DOMAIN\Scripts
b. Create Group policy, Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers
c. Import the certificate
d. Next, in the same policy, go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Wireless Network (IEEE 802.11) Policies
e. Create a new Network Connection
f. Enter the Policy Name, click Add and then “Infrastructure”.
g. Enter Profile Name, SSID for the Network. On the Security tab choose WPA2-Enterprise/AES, EAP(PEAP).
h. In the same window, click Properties, tick “Connect to these servers” and enter the FQDN of the RADIUS Server e.g. HVDC2.DOMAIN.local
i. From the Trusted Root Certification Authorities window, find and tick your certificate you imported earlier.
j. Next Click “Configure” – Here you can untick this to make users enter their password, or leave it ticked to have a Pass Thru style authentication.
7. Test
a. Connect to a laptop (with LAN connection if remote) and try to log in with AD credentials. (If you opted for Pass Thru it should just connect.)
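
For the reminder in step 3 to replace the certificate before it expires, a scheduled task on the RADIUS server can run a check like the one below. This is an added example, not part of the original procedure; the 30-day threshold, the exit codes and the selection of certificates by the Server Authentication EKU are assumptions.

```powershell
# Added example: report days remaining on server-authentication certificates
# in the local machine store of the RADIUS (NPS) server.
# Assumptions: 30-day warning threshold; certificates are selected by the
# Server Authentication EKU and the presence of a private key.
$WarnDays      = 30
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$now           = Get-Date

$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid)
}

if (-not $certs) {
    Write-Warning 'No server-authentication certificate with a private key found.'
    exit 2
}

# One row per candidate certificate, with whole days until NotAfter
$report = foreach ($c in $certs) {
    [pscustomobject]@{
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        DaysLeft   = [int][math]::Floor(($c.NotAfter - $now).TotalDays)
    }
}
$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Anything at or below the threshold (including already expired) is flagged
$expiring = @($report | Where-Object { $_.DaysLeft -le $WarnDays })
if ($expiring.Count -gt 0) {
    foreach ($e in $expiring) {
        Write-Warning ("{0} expires {1:yyyy-MM-dd} ({2} days left)" -f `
            $e.Subject, $e.NotAfter, $e.DaysLeft)
    }
    exit 1   # non-zero result so the scheduled task run is flagged
}
exit 0
```

NPS presents whichever certificate is selected in the PEAP properties of the network policy, so compare the thumbprint reported here with the one chosen there.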