Steps on how to set up NPS with PEAP for Aruba WiFi
EAP-PEAP is an 802.1X authentication method in which the authentication server presents a public-key certificate so that clients can authenticate the server. PEAP first builds an encrypted SSL/TLS tunnel between the client and the authentication server.
The user credentials are then exchanged only inside that tunnel, which is what keeps them confidential over the air.
Configure Microsoft CA Root and NPS Server
Microsoft Enterprise Root CA
Set up the Microsoft Root CA by following Configuration of Microsoft CA with PowerShell
Microsoft Network Policy Server (NPS)
Installation of NPS on Windows Server 2019
- Enable the NPS role and register it with AD
- Create a RADIUS client for the Aruba IAP (192.168.1.240)
#Enable NPS - RADIUS server role (NPAS) together with the management tools
Import-Module ServerManager
Add-WindowsFeature -Name NPAS -IncludeManagementTools
#Register NPS in AD: adds this server's computer account to the "RAS and IAS Servers" group,
#which lets NPS read the dial-in properties of user accounts (needs rights to modify that group)
netsh ras add registeredserver
#Create a RADIUS client for the IAP; the shared secret must match the auth-server key configured on the IAP.
#Single quotes keep the $ and # characters in the secret literal.
New-NpsRadiusClient -Name IAP -Address 192.168.1.240 -SharedSecret 'P@ssw0rd!@#$'
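As an added check that is not part of the original post, the following PowerShell function verifies the state the commands above are meant to produce: the NPAS role is installed, the NPS service is running and bound to UDP 1812/1813, the RADIUS client for the IAP exists with the expected address and is enabled, and the server's computer account is a member of RAS and IAS Servers. It assumes it runs on the domain-joined NPS server with administrative rights; the client name IAP and address 192.168.1.240 are the values used on this page.

```powershell
# Added example, not from the original post: post-install checks for the NPS
# RADIUS server configured above. Assumes it runs on the domain-joined NPS
# server as an administrator. Client name/address are the values used on this page.

function Test-NpsRadiusSetup {
    param(
        [string]$ClientName    = 'IAP',
        [string]$ClientAddress = '192.168.1.240'
    )

    $checks = [ordered]@{}

    # 1. NPAS role installed and the NPS service (service name IAS) running
    $feature = Get-WindowsFeature -Name NPAS
    $checks['NPAS role installed'] = [bool]$feature.Installed
    $svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
    $checks['NPS service running'] = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. NPS is bound to the default RADIUS ports (authentication 1812, accounting 1813)
    $udp = Get-NetUDPEndpoint -LocalPort 1812, 1813 -ErrorAction SilentlyContinue
    $checks['Listening on UDP 1812'] = [bool]($udp | Where-Object LocalPort -eq 1812)
    $checks['Listening on UDP 1813'] = [bool]($udp | Where-Object LocalPort -eq 1813)

    # 3. RADIUS client for the IAP exists, is enabled and has the expected address
    $client = Get-NpsRadiusClient | Where-Object Name -eq $ClientName
    $checks['RADIUS client present'] = [bool]$client
    $checks['RADIUS client address'] = [bool]($client -and $client.Address -eq $ClientAddress)
    $checks['RADIUS client enabled'] = [bool]($client -and $client.Enabled)

    # 4. Registered in AD: the computer account is a member of "RAS and IAS Servers".
    #    Plain ADSI is used so the ActiveDirectory module is not required.
    $computer = ([adsisearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))").FindOne()
    $group    = ([adsisearcher]"(&(objectClass=group)(cn=RAS and IAS Servers))").FindOne()
    $inGroup  = $false
    if ($computer -and $group) {
        $dn      = [string]$computer.Properties['distinguishedname'][0]
        $inGroup = [bool](@($group.Properties['member']) -contains $dn)
    }
    $checks['Registered in RAS and IAS Servers'] = $inGroup

    # Emit one row per check so a failed step is easy to spot
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = $checks[$name] }
    }
}

Test-NpsRadiusSetup | Format-Table -AutoSize
```

A row with Passed = False for the group membership check is the usual reason NPS rejects every user even though the RADIUS client and shared secret are correct, so it is worth running this before touching the Aruba side.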
Refer to Configuration of NPS for how to
- Prepare a certificate for NPS for PEAP
- Configure the Connection Request Policy & Network Policies
We tried to use a Let's Encrypt wildcard SSL certificate, but it FAILED to work.
Configuration of Aruba Instant AP
High-level steps to configure the Aruba Instant AP for EAP-PEAP authentication against the NPS server:
- Define an Auth-Server that points to the NPS server
- SSID profile with WPA2-Enterprise using that authentication server
- Role and access rule
- Dynamic RADIUS proxy
- Replace the 1xCA & 1xCert on the Aruba IAP – Optional
Auth-Server (RADIUS)
Create a new Auth-Server with the IP address of the NPS server and the same pre-shared key (shared secret) that was configured for the RADIUS client in NPS
Default value for Auth-Server
- port 1812 – Default Port for Radius Authentication
- acctport 1813 – Default port for Radius Accounting
IAP315 (config) # wlan auth-server NPS
ip 192.168.1.232
key P@ssw0rd!@#$
SSID-Profile
- termination – When enabled, the Instant AP terminates the EAP tunnel itself, which reduces traffic to the external RADIUS server but means the IAP must hold its own server certificate (the 1xcert/1xca files covered below). Disable termination when an external RADIUS server such as NPS performs the authentication, so that NPS terminates PEAP and sees the whole exchange
- opmode wpa2-aes – WPA2 with AES encryption and dynamic keys derived from 802.1X
- server-load-balancing – Enables load balancing across two RADIUS servers when two authentication servers are configured for the SSID. This is enabled by default
IAP315 (config) # wlan ssid-profile LAB
IAP315 (SSID Profile "LAB") # enable
IAP315 (SSID Profile "LAB") # type employee
IAP315 (SSID Profile "LAB") # essid LAB
IAP315 (SSID Profile "LAB") # opmode wpa2-aes
IAP315 (SSID Profile "LAB") # auth-server NPS
#Optional
IAP315 (SSID Profile "LAB") # auth-server NPS1
IAP315 (SSID Profile "LAB") # server-load-balancing
Termination Disabled – NPS terminates the PEAP tunnel itself, so the NPS event shows Authentication Type = PEAP in Event Viewer
Termination Enabled – the PEAP tunnel is terminated on the Aruba Instant AP, so no PEAP Authentication Type is shown in the NPS event; this is a quick way to confirm which side is terminating the tunnel
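The Event Viewer check described above can be scripted. The following PowerShell is an added example, not code from the original post: it parses NPS audit events from the Security log (Event ID 6272 = access granted, 6273 = access denied), pulls out the Authentication Type and EAP Type fields, and flags every request where NPS did not see PEAP, which is the symptom of the tunnel being terminated on the IAP. It assumes NPS auditing is enabled (the default). The two embedded events are constructed samples so the parser can be tried offline; the function falls back to Get-WinEvent on the live Security log when no XML is passed in.

```powershell
# Added example, not from the original post: parse NPS authentication audit
# events (Security log, 6272 granted / 6273 denied) and report which requests
# were authenticated with PEAP at NPS. Assumes default NPS auditing is on.

function ConvertFrom-NpsAuthEvent {
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        # Each <Data Name="..."> element carries one audit field
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    $id = $xml.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }
    $outcome = if ([int]$id -eq 6272) { 'Granted' } else { 'Denied' }
    [pscustomobject]@{
        Time      = $xml.Event.System.TimeCreated.SystemTime
        Outcome   = $outcome
        User      = $fields['SubjectUserName']
        Client    = $fields['ClientName']
        ClientIP  = $fields['ClientIPAddress']
        AuthType  = $fields['AuthenticationType']
        EapType   = $fields['EAPType']
        Reason    = $fields['Reason']
        # PEAP must appear here when termination is disabled on the IAP;
        # any other value means the TLS tunnel ended before reaching NPS.
        PeapAtNps = ($fields['AuthenticationType'] -eq 'PEAP')
    }
}

function Get-NpsAuthReport {
    param(
        [string[]]$EventXml,
        [int]$MaxEvents = 200
    )
    if (-not $EventXml) {
        # Live mode: most recent NPS audit events from the local Security log
        $EventXml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } `
                                 -MaxEvents $MaxEvents -ErrorAction Stop |
                    ForEach-Object { $_.ToXml() }
    }
    $EventXml | ForEach-Object { ConvertFrom-NpsAuthEvent -EventXml $_ }
}

# Constructed sample events (not real log data) for an offline run.
$SampleGranted = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>6272</EventID>
    <TimeCreated SystemTime="2020-01-01T10:00:00.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">user1</Data><Data Name="SubjectDomainName">LAB</Data>
    <Data Name="ClientName">IAP</Data><Data Name="ClientIPAddress">192.168.1.240</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">Microsoft: Secured password (EAP-MSCHAP v2)</Data>
  </EventData>
</Event>
'@
$SampleDenied = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>6273</EventID>
    <TimeCreated SystemTime="2020-01-01T10:01:00.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">user2</Data><Data Name="SubjectDomainName">LAB</Data>
    <Data Name="ClientName">IAP</Data><Data Name="ClientIPAddress">192.168.1.240</Data>
    <Data Name="AuthenticationType">MS-CHAPv2</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="Reason">Authentication failed due to a user credentials mismatch.</Data>
  </EventData>
</Event>
'@

Get-NpsAuthReport -EventXml @($SampleGranted, $SampleDenied) |
    Format-Table Time, Outcome, User, AuthType, EapType, PeapAtNps, Reason -AutoSize
```

Run it without arguments on the NPS server after a few test logons; every row for the LAB SSID should show PeapAtNps = True. Rows with Outcome = Denied and a Reason are also the fastest way to tell a wrong password apart from a certificate or policy problem.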
Role and Access Rule
Access Rule for unrestricted Access is created
IAP315 (config) # wlan access-rule LAB
IAP315 (Access Rule "LAB") # rule any any match any any any permit
Dynamic RADIUS proxy
Enable dynamic RADIUS proxy so that the Instant AP network uses the IP address of the Virtual Controller as the source address when communicating with the external RADIUS servers; this is why a single RADIUS client entry (192.168.1.240) is enough in NPS.
By default, the IP address of the master Virtual Controller is used to communicate with the external RADIUS server
IAP315 (config) # dynamic-radius-proxy
IAP315 (config) # end
IAP315# commit apply
committing configuration...
configuration committed.
Replace the 1xca & 1xcert in Aruba IAP – Optional
Log in to the CA server and export the Root CA certificate with its private key (only needed if the authentication protocol is terminated on the Instant AP)
# Exports the CA certificate and private key as a password-protected PKCS#12 file under C:\Temp
Backup-CARoleService -Path C:\Temp -KeyOnly -Password (ConvertTo-SecureString 'P@ssw0rd!@#$' -AsPlainText -Force)
Log in to the NPS server and export the certificate used by PEAP, together with its private key, to C:\temp\nps.pfx
# Select the PEAP server certificate from the machine store by its subject
$PfxCert = Get-ChildItem -Path cert:\LocalMachine\my | ? Subject -like "CN=nps*"
$PfxPass = ConvertTo-SecureString -String 'P@ssw0rd!@#$' -Force -AsPlainText
$PfxCert | Export-PfxCertificate -FilePath C:\temp\nps.pfx -Password $PfxPass
Convert the PFX files to PEM with openssl (-nodes writes the private key unencrypted, so keep the PEM files off shared folders and delete them once uploaded)
openssl pkcs12 -in MGMT.pfx -out MGMT.pem -nodes
openssl pkcs12 -in RootCA.pfx -out RootCA.pem -nodes
Copy the PEM files to C:\TFTP-ROOT (the TFTP server on 192.168.1.232) and replace the 1xca & 1xcert on the Aruba IAP
IAP315# copy tftp 192.168.1.232 MGMT.pem system 1xcert P@ssw0rd!@#$
IAP315# copy tftp 192.168.1.232 RootCA.pem system 1xca P@ssw0rd!@#$
Verify that the server certificate thumbprint displayed on the Windows 10 client is the same as that of the MGMT.pem certificate uploaded to the Aruba IAP
Get-ChildItem -Path cert:\LocalMachine\my | Select Subject, Issuer, Thumbprint | ? Subject -like "CN=nps*"
Subject Issuer Thumbprint
------- ------ ----------
CN=NPS.LAB.AVENTISLAB.COM CN=AventisLab Root CA, DC=LAB, DC=AVENTISLAB, DC=COM 16E56CCB3734052FDF3F7026BE6D4D9689DBD4F0
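Comparing the thumbprint by eye is error-prone, so here is an added PowerShell example (not from the original post) that does the comparison directly: it extracts every CERTIFICATE block from the PEM file produced by openssl, rebuilds the certificates, and checks that the one matching the NPS subject has the same SHA-1 thumbprint as the certificate in the local machine store. The PEM path C:\TFTP-ROOT\MGMT.pem and the subject pattern CN=nps* follow this page; run it on the NPS server, or point -PemPath at a copy of the file.

```powershell
# Added example, not from the original post: confirm that the certificate in the
# PEM uploaded to the IAP (1xcert) is the same one NPS uses for PEAP, by
# comparing SHA-1 thumbprints. Path and subject pattern are this page's values.

function Get-PemCertificates {
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -Path $Path -Raw
    # A PEM written by "openssl pkcs12 -nodes" can contain several CERTIFICATE
    # blocks (server cert plus chain) and the private key; take only the certificates.
    $pattern = '-----BEGIN CERTIFICATE-----(?<b64>[\s\S]*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        $der = [Convert]::FromBase64String(($m.Groups['b64'].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

function Compare-NpsCertThumbprint {
    param(
        [string]$PemPath        = 'C:\TFTP-ROOT\MGMT.pem',
        [string]$SubjectPattern = 'CN=nps*'
    )
    # Newest matching certificate in the machine store is the one PEAP should be using
    $store = Get-ChildItem -Path Cert:\LocalMachine\My |
             Where-Object Subject -like $SubjectPattern |
             Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $store) { throw "No certificate matching $SubjectPattern in LocalMachine\My" }

    $pemCerts = @(Get-PemCertificates -Path $PemPath)
    $pemLeaf  = $pemCerts | Where-Object Subject -like $SubjectPattern | Select-Object -First 1
    $pemThumb = if ($pemLeaf) { $pemLeaf.Thumbprint } else { $null }

    [pscustomobject]@{
        Subject         = $store.Subject
        Issuer          = $store.Issuer
        StoreThumbprint = $store.Thumbprint
        PemThumbprint   = $pemThumb
        Match           = [bool]($pemThumb -and $pemThumb -eq $store.Thumbprint)
        PemHasChain     = $pemCerts.Count -gt 1
        ExpiresOn       = $store.NotAfter
    }
}

Compare-NpsCertThumbprint | Format-List
```

Match = True means a client that trusts the thumbprint it saw from NPS will see the identical certificate when the IAP terminates the tunnel. The same thumbprint is what the Windows 10 and iPhone prompts display, so the store value printed here is also the one to hand to users who are asked whether to trust the server.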
GPO for Wireless Profile (Optional)
Group Policy can be used to push the LAB SSID with its EAP-PEAP settings to domain-joined computers; see Deploy Wireless Network with Group Policy
PEAP Authentication On Windows 10
A domain-joined Windows 10 machine connects to LAB automatically once the user logs in to the AD domain
PEAP Authentication On iPhone
Connect to LAB with valid AD credentials and tap Trust to accept the NPS certificate
PEAP Authentication On Android Phone
The configuration below is based on an Android One phone (Mi A3)
- CA Certificate – Do Not Validate
- Enter the username in Identity & Anonymous Identity
With CA validation turned off the phone does not authenticate the NPS server at all and will present its credentials to any access point that offers this SSID with a certificate, so validate against the AventisLab Root CA instead where the phone allows it.
PEAP Authentication on macOS
Users on macOS can connect to the WiFi with PEAP authentication using their AD domain credentials (no client certificate is required)