Authenticate Wi-Fi Cloud Users with Microsoft Active Directory and NPS

Applies To: Wi-Fi Cloud-managed Access Points (AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, AP420)

You can use WatchGuard Wi-Fi Cloud APs to authenticate Wi-Fi users with their Active Directory credentials. RADIUS server authentication with 802.1x requires the WPA2 security setting on your SSID.

If you have an existing RADIUS server you can integrate the server with Active Directory for authentication and access management, or use the Microsoft NPS (Network Policy Server). In this example, we use NPS.

  • Each WatchGuard AP that will perform 802.1x authentication must be configured as a client on the RADIUS server. The AP must be configured with a static IP address or use DHCP reserved addresses.
  • All authenticating APs will need to be able to contact the IP address and port for the RADIUS server.
  • The server must host a certificate from a Certificate Authority (CA) trusted by clients on the network.
  • WPA2-Enterprise with 802.1x authentication can be used to authenticate wireless clients. The wireless client authenticates with the RADIUS server using any EAP method configured on the RADIUS server.

Configuration Steps

Add WatchGuard APs as RADIUS Clients in NPS

To add WatchGuard APs as RADIUS Clients in NPS:

  1. Open the NPS console.
  2. Go to the RADIUS Clients and Servers section.
  3. Right-click RADIUS Clients, then select New.

Screen shot of adding a RADIUS Client in Microsoft NPS

  • Select the Enable this RADIUS Client check box.
  • In the Friendly Name text box, type a descriptive name for the RADIUS client.
  • In the Address text box, type the IP address of the AP to add as a RADIUS client. (The AP must have a static IP address or use DHCP reservations.)
  • In the Shared Secret text box, specify a shared secret that acts as a password between the RADIUS server and client. You will use this same shared secret when you configure a RADIUS server profile in Wi-Fi Cloud. You can manually enter a shared secret or automatically generate the shared secret.
  4. Repeat this procedure for each WatchGuard AP that will perform 802.1x authentication on your wireless network.

Define a Network Policy in NPS

You must configure a Network Policy on the NPS server for wireless connections:

  1. Open the NPS console.
  2. Go to the Policies section.
  3. Right-click Network Policies, then select New.
  4. Configure these options in the Overview tab:

Screen shot of NPS network policy Overview tab

  • In the Policy name text box, type a name for this policy.
  • Select the Policy Enabled check box.
  • In the Access Permission section, select Grant Access.
  • In the Network connection method section, set the Type of network access server to Unspecified.
  5. Configure these options in the Conditions tab:

Screen shot of NPS network policy Conditions tab

  • (Optional) Add the Windows Groups condition and select the Active Directory user groups that can use this policy. This enables you to limit which clients can connect by their group membership. You can also select the Domain Users group to allow access for all authenticated domain users.
  • (Optional) Add the NAS Port Type condition with the value "Wireless - IEEE 802.11" or "Wireless - Other" to restrict the policy to wireless communications.
  6. Configure these options in the Constraints tab:

Screen shot of NPS network policy Constraints tab

  • In the Authentication Methods section, you must allow EAP authentication for wireless 802.1x authentication. There are multiple different types of EAP authentication available with NPS (EAP-MSCHAPv2, PEAP, Microsoft Smart Card or Other Certificate). Not all EAP types require certificates. If you choose a type that requires a certificate, you must create a Domain Controller certificate type on Windows Server for use with 802.1x authentication.

Wireless authentication does not work with other non-EAP authentication types.

  7. Configure any advanced options in the Settings tab if required in your environment.

Configure RADIUS Servers in Wi-Fi Cloud

To add a RADIUS server in Wi-Fi Cloud:

  1. Open Discover.
  2. Select Configure > WiFi > RADIUS.
  3. Click Add RADIUS Server.

Screen shot of the Add RADIUS Server page in Discover

  4. Type the IP address/FQDN, Shared Secret, and Port settings for your primary RADIUS server.
  5. Click Save.
  6. Repeat these steps to type the details for an additional secondary authentication server.

Configure RADIUS Authentication in Wi-Fi Cloud

To configure an SSID for RADIUS authentication in Wi-Fi Cloud:

  1. Open Discover.
  2. Select Configure > WiFi > SSID.
  3. Select an existing SSID to configure with RADIUS authentication, or you can create a new SSID.
  4. Select the Security tab.

Screen shot of the RADIUS server configuration in an SSID Profile in Discover

  5. For the Security Mode, select WPA2, then select 802.1X.
  6. In the RADIUS Settings section, select the primary and additional RADIUS servers you created in the previous step.
  7. Click Save.

Troubleshooting

If you encounter issues with wireless client authentication with RADIUS, check the following:

  • Make sure your WatchGuard APs can communicate with the RADIUS server and that UDP ports 1812 and 1813 are open for communication.
  • Make sure the shared secret for the SSID matches the RADIUS client configuration on the RADIUS server.
  • Examine the successful and failed authentication attempts in the RADIUS server logs to help you narrow down the issue.
  • You can capture connection logs for the affected wireless client and check the RADIUS authentication flow by examining these messages. To capture connection logs:
  1. Open Discover.
  2. Select Monitoring > Wi-Fi, then select the Clients tab.
  3. Select the client.
  4. View the Client Connection Logs.

In the client connection logs, you may see messages such as:

<8005 No response from RADIUS authentication server while authenticating client>. This indicates that the RADIUS server is not responding to the request.

You may also see a reject message from the RADIUS server:

<1841 Received ACCESS REJECT from Authentication server> <1847 DOT1X authentication failed>

Check the login credentials and authentication mechanism used on the client side and the corresponding network policies on the RADIUS server.

Common Configuration Errors

These common configuration errors may result in failed RADIUS authentication attempts:

  • APs have not been added as RADIUS clients on the RADIUS server
  • APs are receiving their IP addresses dynamically through DHCP
  • Incorrect RADIUS Secret set in the SSID Profile or in the RADIUS client configuration on the RADIUS server
  • Network or Connection Request Policy on the NPS server is not configured correctly
  • Mismatch in Authentication Settings
  • Incorrect credentials entered by the client
  • No certificate installed on the RADIUS server or the certificate has expired if a certificate is required for EAP authentication
  • A Root Certificate is not added to the client device
  • Common error codes and their possible solutions are described in the next section.

Error Codes with Windows NPS

The error codes detailed here are specific to Windows NPS, but the configuration checks should be performed regardless of the RADIUS server vendor:

Event ID 6273 with reason code 23 (bad/missing certificate)

Connection issues may occur because no digital certificate is installed on the RADIUS server, or because the installed certificate has expired. A valid certificate must be installed or renewed on your NPS server to establish TLS connections.

Event Viewer: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP)

Check the EAP log files for errors.

Event ID 13: A RADIUS message was received from the invalid RADIUS client (APs not added as clients)

WPA2 with 802.1x authentication requires that APs are added as RADIUS clients on your NPS Server. Your APs must have a static IP address or reserved DHCP IP address.

Event ID 18: An Access-Request message was received from RADIUS client x.x.x.x with a Message-Authenticator attribute that is not valid (bad shared secret)

When configuring the RADIUS server in an SSID Profile, you must type a shared secret. This value must match the shared secret configured when you added your APs as RADIUS clients on NPS.
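As an added illustration (not from the WatchGuard or Microsoft documentation), the Python below builds a minimal RADIUS Access-Request and checks its Message-Authenticator the way the server does, following RFC 2865 and RFC 3579; the shared secret, user name and packet contents are constructed sample values. With a mismatched secret the HMAC does not verify, which is the condition NPS reports as Event ID 18.

```python
import hmac
import hashlib
import os
import struct

# RADIUS constants from RFC 2865 / RFC 3579
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19  # the "Wireless - IEEE 802.11" value used in the NPS condition

def _attr(attr_type, value):
    # Attribute = Type (1 byte), Length (1 byte, header included), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, username, identifier, request_authenticator):
    """AP side: build an Access-Request whose Message-Authenticator is keyed with `secret`."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder, filled below
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + request_authenticator + attrs
    # RFC 3579: HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac

def verify_message_authenticator(secret, packet):
    """NPS side: recompute the HMAC with the configured client secret and compare."""
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed attribute list
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # EAP over RADIUS requires the attribute, so its absence also fails

if __name__ == "__main__":
    ap_secret = b"constructed-shared-secret"  # constructed sample value, not a real secret
    pkt = build_access_request(ap_secret, "CORP\\alice", 7, os.urandom(16))
    print("secret matches:   ", verify_message_authenticator(ap_secret, pkt))      # True
    print("secret mismatched:", verify_message_authenticator(b"typo-secret", pkt))  # False
```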

Event ID 6273: Reason Code 48 (bad network policy)

A Network Policy is incorrectly configured on your NPS server. It is also possible that the network policy order is not correct and while processing the client through the policies, there was no policy match.

Event ID 6273: Reason Code 66 (Auth settings mismatch)

The authentication settings are incorrectly configured in the Network Policy on your NPS server.

Event ID 6273: Reason Code 8 (bad username or password)

Username or password incorrect, or the username may not exist in the Windows group specified in the Network Policy.

Event ID 6273: Reason Code 265 (untrusted CA)

Windows client devices provide the option to validate the server certificate sent by the server when using WPA2 with 802.1x. When implemented, the Certificate Authority must be added to the Trusted Root Certification Authorities list on the client.