Tutorial: 802.1X Authentication via Wi-Fi (Active Directory, Network Policy Server, Cisco WLAN, Group Policy)

Here is how to implement 802.1X authentication in a Windows Server 2008 R2 domain environment using Protected EAP (PEAP) authentication. I have designed the tutorial to be worked through in this specific order to prevent downtime if it is deployed during the day. By creating the Network Policy Server first, once we switch the authentication type from whatever it is now to 802.1X via RADIUS, our Network Policy Server will immediately start processing requests and allowing domain machines on. If you configured the Cisco Wireless LAN Controller or Group Policy first, clients would try connecting to a RADIUS server that doesn't exist yet, or would present invalid credentials. If you have any suggestions on how to improve the implementation I demonstrate here, please drop a comment below to improve the security and stability of these types of deployments.

Active Directory

First, we need to create a security group in Active Directory to allow a specific list of users and computers to log in to the domain. In this example, we will allow any authenticated user or machine on the domain to authenticate successfully to the RADIUS server. In the screenshot below, you can see I have added both Domain Users and Domain Computers to a security group called WirelessAccess. Here is a screenshot with the above settings.

Network Policy Server

Create a new Windows Server 2008 R2 (or later) machine. Add the machine to the domain. Give the machine a static IP address.
Open up Server Manager, click Add Roles, click Next on the Before You Begin screen, check Network Policy and Access Services and click Next, click Next on the Introduction screen, check Network Policy Server (leave the rest unchecked) and click Next, then click Install.

Once Network Policy Server is installed, launch the Network Policy Server snap-in via MMC or Administrative Tools.

Inside Network Policy Server, on NPS (Local), select RADIUS server for 802.1X Wireless or Wired Connections from the dropdown and click Configure 802.1X.

On the Select 802.1X Connections Type page, select Secure Wireless Connections, enter My Company's Wireless as the name, and click Next.

Click the Add button and enter the following settings:
Friendly name: Cisco WLAN Controller
Address: your WLAN Controller's IP address
Select Generate, click the Generate button, and then copy down the Shared Secret the wizard generated; we will use it later to get the WLAN Controller to talk to the RADIUS server. Click OK, then click Next.

On the Configure an Authentication Method page, select Microsoft: Protected EAP (PEAP). Click Next.

Click Next on the Specify User Groups page (we will come back to this). Click Next on the Configure Traffic Controls page. Click Finish.

Click on NPS (Local) > Policies > Network Policies. Right-click Secure Wireless Connections and click Properties. Click on the Conditions tab, select NAS Port Type, and click Remove. Still on the Conditions tab, click Add, select Windows Groups and click Add, click Add Groups, search for WirelessAccess and click OK. Click OK on the Windows Groups dialog box, then click Apply on the Secure Wireless Connections Properties box. You should now have something like the image below.

Click on the Constraints tab. Uncheck all options under Less secure authentication methods, like the image below. Click Apply.

Cisco WLAN

Log in to your Cisco Wireless LAN Controller and add a RADIUS server to the controller. Click on the Security tab. Select AAA > RADIUS > Authentication on the left side.
Click the New button in the top right and use the following settings:
Server IP Address: the IP address of the NPS server we set up earlier
Shared Secret Format: ASCII
Shared Secret: the long generated password you wrote down when setting up the Network Policy Server
Confirm Shared Secret: the same password as in the previous step
Key Wrap: unchecked
Port Number: 1812
Server Status: Enabled
Support for RFC 3576: Enabled
Server Timeout: 2 (seconds)
Network User: checked
Management: checked
IPSec: unchecked
Here is a screenshot with the above settings.

Create or modify a wireless network to use 802.1X. Click on the WLANs tab. Create a new wireless network or select an existing WLAN ID to edit. On the WLANs > Add/Edit 'My SSID' page, use the following settings.

Security tab, Layer 2 tab:
Layer 2 Security: WPA+WPA2
MAC Filtering: unchecked
WPA+WPA2 Parameters:
WPA Policy: unchecked
WPA2 Policy: checked
WPA2 Encryption: AES checked, TKIP unchecked
Auth Key Mgmt: 802.1X
Here is a screenshot of the above settings.

Layer 3 tab:
Layer 3 Security: None
Web Policy: unchecked

AAA Servers tab:
Authentication Servers: checked (Enabled)
Server 1: select your RADIUS server from the dropdown
Local EAP Authentication: unchecked
Authentication priority order for web-auth user: move RADIUS over to the right
Here is a screenshot of the above settings. Click Apply.

Group Policy

Go to your domain controller and open up the Group Policy Management console. Right-click the Organizational Unit you want to apply the policy to and select Create a GPO in this domain, and Link it here. Note: the policy must be linked to the OU containing the group of machines you want to have Wi-Fi access, or to a parent of that OU. Enter 802.1X Wi-Fi Policy for the Name and click OK. Right-click your new GPO and click Edit. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies. Right-click and select Create A New Wireless Network Policy for Windows Vista and Later Releases.
Ensure the following settings are set for your Windows Vista and Later Releases policy.

General tab:
Policy Name: My Wireless Policy for Vista and Later Clients
Description: Vista and later wireless network for my company
Check Use Windows WLAN AutoConfig service for clients.
Here is a screenshot with the above settings.

Click the Add button and select Infrastructure.

Connection tab:
Profile Name: My Network
Enter your SSID (the wireless network name that gets broadcast) and click the Add button.
Check Connect automatically when this network is in range.
Here is a screenshot of the above settings.

Security tab:
Authentication: WPA2-Enterprise
Encryption: AES
Select a network authentication method: Microsoft: Protected EAP (PEAP)
Authentication Mode: User or Computer authentication
Max Authentication Failures: 1
Check Cache user information for subsequent connections to this network.
Here is a screenshot of the above settings, with the Advanced tab open as well. Click OK.

Network Permissions tab:
Enter your network into Define permissions for viewing and connecting to wireless networks, if it hasn't been added already.
Uncheck Prevent connections to ad-hoc networks.
Uncheck Prevent connections to infrastructure networks.
Check Allow user to view denied networks.
Check Allow everyone to create all user profiles.
Uncheck Only use Group Policy profiles for allowed networks.
Leave all Windows 7 policy settings unchecked.
Here is a screenshot with the above settings. Note: you may change the settings above to be in accordance with your own policy; just ensure you don't check Prevent connections to infrastructure networks. Click OK.

Right-click and select Create A New Windows XP Policy. Ensure the following settings are set for your Windows XP policy.

General tab:
XP Policy Name: My Wireless Policy for XP Machines
Description: My wireless policy for XP machines
Networks to access: Any available network (access point preferred)
Check Use Windows WLAN AutoConfig service for clients.
Uncheck Automatically connect to non-preferred networks.
Here is a screenshot of the above settings.

Preferred Networks tab:
Click the Add button and select Infrastructure.

Network Properties tab:
Network name (SSID): My SSID
Description: My wireless network
Uncheck Connect even if network is not broadcasting.
Authentication: WPA2
Encryption: AES
Check Enable Pairwise Master Key (PMK) Caching.
Uncheck This network uses pre-authentication.
Here is a picture of the above settings.

IEEE 802.1X tab:
EAP Type: Microsoft: Protected EAP (PEAP)
EAPOL-Start Message: Transmit
Authentication Mode: User or Computer Authentication
Check Authenticate as computer when computer information is available.
Uncheck Authenticate as guest when user or computer information is unavailable.
Screenshot of the above settings. Click OK, then click OK again.

Active Directory Replication Guide

In this section, learn about the basics of Active Directory replication and how it works. Find information on multi-master replication, topology structure and design, and tips for troubleshooting replication errors. After that, move on to the next section of our Active Directory Learning Guide, which focuses on Active Directory security.

Understanding Active Directory replication

Active Directory replication is key to the health and stability of an Active Directory environment. Without proper and timely replication, a domain will be unable to function effectively. Replication is the process of sending update information for data that has changed in the directory to other domain controllers. It is important to have a firm understanding of replication and how it takes place, both within a domain and in multi-site environments. There are three main elements or components that are replicated between domain controllers: the domain partition replica, the global catalog and the schema. The domain partition replica is the Active Directory database of a domain.
Each domain controller maintains a duplicate copy of its local domain partition replica. Domain controllers do not maintain copies of replicas from other domains. When an administrator makes a change to the domain, that change is replicated to all domain controllers immediately.

Each forest contains only a single global catalog. By default, the first domain controller installed into a forest is the global catalog server. The global catalog contains a partial replica of every object within each domain of the forest. The global catalog serves as a master index for the forest, which allows for easy and efficient searching for users, computers, resources and other objects. Any domain controller can be configured to act as a peer global catalog server. You should have at least two global catalog servers per domain and at least one per site. As changes are made to objects within the forest, the global catalog is updated. Once the global catalog is changed on one domain controller, it is replicated to all other domain controllers in the forest.

Every domain controller in a forest has a copy of the schema. Just as with changes to the Active Directory database, changes to the Active Directory schema are replicated to all other domain controllers in the forest. Fortunately, the schema is usually static, so there is little replication traffic caused by schema changes.

Multi-master replication

Within Windows-based Active Directory domains, each domain controller is a peer server. Each domain controller has equal power and responsibility to support and maintain the Active Directory database. It is this database that is essential to the well-being and existence of the domain itself. This is such an important task that Microsoft elected to make it possible to deploy multiply redundant systems to support Active Directory by making each domain controller a peer.
Whenever a change occurs to any object within an Active Directory domain, that change is replicated automatically to all domain controllers within the domain. This process is called multi-master replication. Multi-master replication does not happen instantly across all servers simultaneously. Rather, it is a controlled process in which each domain controller peer is updated and validated in a logically controlled procedure.

As an administrator, you have some control over how multi-master replication occurs. Most of your control is obtained through the use of sites. A site is a logical designation of domain controllers in a network that are all located within a defined physical area. In most cases, sites control traffic over high-expense, low-bandwidth WAN links. When a domain exists on two or more sites, normal Active Directory replication between the domain controllers in different sites is terminated. Instead, a single server within each site, labeled as a bridgehead server, performs all replication communications. You can configure this bridgehead server for when replication is allowed to occur and how much traffic it can generate when performing replication. You can use sites to control replication even if you do not employ WAN links on your network. Sites effectively give administrators control over how and when AD multi-master replication occurs within their network.

Active Directory replication topology design

One of the secrets to an efficient and error-free Active Directory infrastructure is a well-designed replication topology. While this can be easy to design in a simple network, a large, complex network presents a challenge. Designing the AD topology efficiently means constructing it so that it takes advantage of the strengths and minimizes the weaknesses of the network. In a complex network, you are likely to have a number of different link speeds connecting remote sites.
The best practices for Active Directory replication design include:

Design the AD topology to take advantage of the network topology and link speeds. Define lower-speed links with higher-cost site links; the cost of the links reduces as you get to faster areas in the topology.

Avoid dead spots: all sites must connect to each other eventually. I have seen some topologies that left certain sites isolated because they didn't design the site links to connect them.

Site links should only have two sites per link. The exception to this is the core site link, which can have more. Defining more than two sites per link can produce unpredictable results when a DC failure occurs.

Diagram the overall flow of replication, like the figures here. You can use sophisticated features available in tools like HP OpenView (see the example in Figure 3) or Microsoft MOM, or you can simply draw it in a PowerPoint slide as I did in Figure 2. You'd be surprised at how many errors you will find by making a drawing of the topology.

Don't define scheduling unless you really have a good reason, and then test it thoroughly. Since you can schedule replication over the site link as well as on the connection object itself, and since the resultant replication schedule is a merge of the two, you can end up with a schedule that prohibits replication. You also define replication frequency, which further complicates it. For instance, if you schedule the site links to replicate Monday through Friday from 8 a.m. ... Tuesday and Thursday from 6 p.m. ... Unless you have a very slow or limited network, such as VPN links, you should avoid this level of manual intervention.

Run the AD in Windows 2003 forest mode. This means all DCs are at Windows Server 2003 and the forest is in Windows 2003 mode. This takes advantage of the new spanning tree and compression algorithms available in Windows Server 2003 but not in Windows 2000.

Monitor the AD. Once you get it in place, monitor it.
One of the easiest ways to monitor it, outside of using Microsoft or third-party tools, is the Repadmin tool and its replsum option: repadmin /replsum /bydest /bysrc /sort:delta. This will provide a nice, neat table of all DCs in all domains in the forest, telling you how long it has been since outbound and inbound replication for each DC, i.e. each DC appears as both a source and a destination. Watching this over several days will give you a chance to find any holes in the topology.

Troubleshooting Active Directory replication

Replication should occur automatically. When it doesn't, the best solution isn't just to force Active Directory replication, but to check out the topology. If the replication topology has become unstable or misconfigured, it needs to be corrected before initiating a manual replication procedure. The Knowledge Consistency Checker (KCC) creates the replication topology used for intra-site replication automatically. Rather than creating a full mesh for replication, the KCC designs a topology where every DC has at least two replication partners and is no more than three hops away from any other DC. With such a topology, every DC can be fully updated with as few as three replication cycles. The Repadmin tool from the Windows Support Tools and Resource Kit can be used to check the topology. The command repadmin /showreps, run on a domain controller, produces a list of replication partners as designated by the KCC. To check the topology, verify that every DC lists at least two replication partners and that all named partners see each other as partners.
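Checking those three rules by eye is tedious in a forest of any size, so here is an added example (my code, not part of the guide) that applies them to repadmin output: every DC has at least two inbound partners, every partnership is mutual, and no DC is more than three hops from any other. It assumes the CSV column layout that `repadmin /showrepl * /csv` produces (the header in the constructed sample below) and treats a DC as present whether it appears as a source or a destination.

```python
import csv
from collections import deque
from io import StringIO

# Constructed sample in the assumed `repadmin /showrepl * /csv` column layout: three DCs,
# one naming context. DC1 and DC3 each pull from one partner, and DC3 never pulls from DC2.
SAMPLE = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=corp,DC=example",HQ,DC2,RPC,0,0,2024-01-01 08:00:00,0
showrepl_INFO,HQ,DC2,"DC=corp,DC=example",HQ,DC1,RPC,0,0,2024-01-01 08:00:00,0
showrepl_INFO,HQ,DC2,"DC=corp,DC=example",HQ,DC3,RPC,0,0,2024-01-01 08:00:00,0
showrepl_INFO,HQ,DC3,"DC=corp,DC=example",HQ,DC1,RPC,0,0,2024-01-01 08:00:00,0
"""

def parse_partners(text):
    """Return {destination DC: set of source DCs it pulls from}."""
    partners = {}
    for row in csv.DictReader(StringIO(text)):
        if row["showrepl_COLUMNS"] != "showrepl_INFO":
            continue  # only partner rows carry a source/destination pair
        partners.setdefault(row["Destination DSA"], set()).add(row["Source DSA"])
        partners.setdefault(row["Source DSA"], set())  # a source-only DC still counts
    return partners

def check_topology(partners, min_partners=2, max_hops=3):
    """Apply the guide's rules; an empty list of findings means the topology is sound."""
    findings = []
    for dc, sources in sorted(partners.items()):
        if len(sources) < min_partners:
            findings.append(f"{dc} has only {len(sources)} inbound partner(s)")
        for src in sorted(sources):
            if dc not in partners[src]:  # partnership must be mutual
                findings.append(f"{dc} pulls from {src} but {src} does not pull from {dc}")
    # Hop count over the undirected partner graph: a connection in either direction links two DCs.
    neighbours = {dc: set(srcs) for dc, srcs in partners.items()}
    for dc, srcs in partners.items():
        for src in srcs:
            neighbours[src].add(dc)
    for start in sorted(partners):
        dist, queue = {start: 0}, deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in neighbours[cur]:
                if nxt not in dist:
                    dist[nxt] = dist[cur] + 1
                    queue.append(nxt)
        for dc in sorted(partners):
            if dist.get(dc, max_hops + 1) > max_hops:  # unreachable counts as too far
                findings.append(f"{start} cannot reach {dc} within {max_hops} hops")
    return findings
```

Run `check_topology(parse_partners(SAMPLE))` on the sample and it reports the two under-connected DCs and the two one-way partnerships; on real output, an empty list means the KCC topology matches what the guide expects.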