NPS PEAP authentication setup:
On the NPS server, open the NPS console, select NPS (Local), choose RADIUS server for 802.1X Wireless or Wired Connections and click Configure 802.1X. This opens a wizard that walks you through creating the network policy.
The screenshots below show the settings of a policy that was created by duplicating an existing one; if you have no existing policy to duplicate, enter the same settings in the wizard.
On the Conditions tab, add the NAS Port Type condition and select Ethernet. Only wired clients will then match this policy; a wireless policy uses Wireless - IEEE 802.11 here instead.
NAS port type:
Still on the Conditions tab, add the User Groups (or Windows Groups) condition, click Add Groups and pick the Active Directory group that should match this policy. NPS will only grant 802.1X access under this policy to accounts that are members of that group.
On the Constraints tab you define the constraints a request must satisfy before NPS authorizes it against Active Directory. Leave everything at its default except Authentication Methods, where you choose between password-based authentication (PEAP with EAP-MSCHAP v2 inside) and certificate-based authentication (EAP-TLS or PEAP-TLS). Two caveats: PEAP needs a server certificate on the NPS, and clients should be configured to validate that certificate, otherwise a rogue access point with its own RADIUS server can capture the MS-CHAP v2 exchange; and the less secure methods listed below the EAP types (MS-CHAP, CHAP, PAP) should stay unchecked.
When configuring Ethernet-based 802.1X, three RADIUS attributes must be returned (Settings tab, RADIUS Attributes, Standard) so the switch can act on the NPS response: Tunnel-Type (set to VLAN), Tunnel-Medium-Type (set to 802) and Tunnel-Pvt-Group-ID. Tunnel-Pvt-Group-ID carries the VLAN to configure on the port after a successful authentication against this policy; the other two tell the switch how to interpret it, and without them the VLAN value is ignored.
For wireless 802.1X, the tunnel attributes are not used. Instead, return a Filter-Id whose value the access point maps to the SSID the user should be granted after a successful authentication. How an access point interprets Filter-Id is vendor-specific, so match the value to what your controller expects.
NPS evaluates network policies in their processing order and uses the first policy whose conditions match, so make sure this policy sits above any other policy that matches the same AD group. Otherwise NPS would match the request against a policy that returns no VLAN, and the switch would leave the port without a VLAN assignment. You can still keep the same AD group in two policies as long as their conditions differ: a policy with the Wireless NAS Port Type condition will never match an Ethernet client, and vice versa.
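The two points above (the three tunnel attributes the switch needs, and first-match policy ordering) are easier to see at the wire level. The following is an added example, not NPS code or anything from the original post: it encodes the Access-Accept attributes exactly as RFC 2868/3580 define them (tag byte plus 3-byte integer for Tunnel-Type and Tunnel-Medium-Type, tag byte plus text for Tunnel-Pvt-Group-ID), emulates what a switch does with them, and models NPS-style ordered policy evaluation. The policy names, the group "Staff", the SSID name, the VLAN number and the request dictionaries are all constructed for illustration; the attribute numbers and values are the standard ones.

```python
# Added example (not NPS code): RADIUS attributes an 802.1X switch needs from
# NPS, and NPS-style first-match policy selection.  Policy/group/SSID names
# and VLAN numbers are constructed for illustration.

FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID = 11, 64, 65, 81  # RFC 2865/2868
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6      # RFC 3580 values for VLAN assignment
NAS_PORT_ETHERNET, NAS_PORT_WIRELESS_80211 = 15, 19   # NAS-Port-Type condition values


def tagged_int(value, tag=0):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_str(text, tag=0):
    """RFC 2868 tagged string: tag byte (0x00-0x1F) followed by the text."""
    return bytes([tag]) + text.encode()


def vlan_attrs(vlan, tag=0):
    """The three attributes a wired policy must return to move the port to `vlan`."""
    return {TUNNEL_TYPE: tagged_int(TUNNEL_TYPE_VLAN, tag),
            TUNNEL_MEDIUM_TYPE: tagged_int(TUNNEL_MEDIUM_IEEE_802, tag),
            TUNNEL_PVT_GROUP_ID: tagged_str(vlan, tag)}


def encode_attrs(attrs):
    """Serialise {type: value} into RADIUS TLVs (type, length, value)."""
    out = b""
    for attr_type, value in attrs.items():
        if not 1 <= len(value) <= 253:
            raise ValueError("RADIUS attribute value must be 1..253 bytes")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs back into {type: value}, rejecting bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def split_tag(value):
    """Return (tag, payload); a first byte above 0x1F is data, not a tag."""
    return (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)


def vlan_from_accept(data):
    """Emulate the switch: VLAN only if all three tunnel attributes are present,
    carry the VLAN / IEEE-802 values and share one tag; otherwise None."""
    attrs = decode_attrs(data)
    if any(t not in attrs for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PVT_GROUP_ID)):
        return None
    tag_t, ttype = split_tag(attrs[TUNNEL_TYPE])
    tag_m, tmed = split_tag(attrs[TUNNEL_MEDIUM_TYPE])
    tag_g, group = split_tag(attrs[TUNNEL_PVT_GROUP_ID])
    if int.from_bytes(ttype, "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(tmed, "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    return group.decode() if tag_t == tag_m == tag_g else None


def select_policy(request, policies):
    """NPS-style evaluation: walk policies in processing order and use the
    first whose conditions all match; policies below it are never consulted."""
    for policy in policies:
        cond = policy["conditions"]
        port_ok = "nas_port_type" not in cond or cond["nas_port_type"] == request["nas_port_type"]
        group_ok = "group" not in cond or cond["group"] in request["groups"]
        if port_ok and group_ok:
            return policy
    return None


def authorize(request, policies):
    """Access-Accept attribute payload for the first matching policy
    (empty bytes when nothing matches, i.e. an Access-Reject)."""
    policy = select_policy(request, policies)
    return encode_attrs(policy["attributes"]) if policy else b""


# Constructed policies mirroring the post: a wired policy that assigns VLAN 20
# and a wireless policy that returns a Filter-Id, both keyed on group "Staff".
WIRED_STAFF = {"name": "Wired-Staff",
               "conditions": {"nas_port_type": NAS_PORT_ETHERNET, "group": "Staff"},
               "attributes": vlan_attrs("20")}
WIRELESS_STAFF = {"name": "Wireless-Staff",
                  "conditions": {"nas_port_type": NAS_PORT_WIRELESS_80211, "group": "Staff"},
                  "attributes": {FILTER_ID: b"Staff-SSID"}}
# Same group, no NAS Port Type condition, no tunnel attributes: harmless at the
# bottom of the list, but placed first it swallows every wired request.
STAFF_ANY = {"name": "Staff-Any", "conditions": {"group": "Staff"}, "attributes": {}}

WIRED_REQUEST = {"nas_port_type": NAS_PORT_ETHERNET, "groups": {"Staff"}}
WIRELESS_REQUEST = {"nas_port_type": NAS_PORT_WIRELESS_80211, "groups": {"Staff"}}

if __name__ == "__main__":
    right_order = [WIRED_STAFF, WIRELESS_STAFF, STAFF_ANY]
    wrong_order = [STAFF_ANY, WIRED_STAFF, WIRELESS_STAFF]
    print("correct order ->", vlan_from_accept(authorize(WIRED_REQUEST, right_order)))  # 20
    print("catch-all first ->", vlan_from_accept(authorize(WIRED_REQUEST, wrong_order)))  # None
```

Running it shows the two failure modes from the text: with the catch-all policy on top, the wired request is answered by a policy that carries no tunnel attributes and the emulated switch assigns no VLAN; drop any one of the three tunnel attributes, or give them different tags, and the VLAN is likewise ignored. On a real NPS the quickest check for the ordering problem is the Security event log: event 6272 (access granted) names the network policy that actually matched, so if it is not the one you expected, the processing order is wrong.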
Got questions? Leave a comment! Let’s chat.