Cisco ACS for Windows Server 2008 R2
We want the CA to use Active Directory, so select Enterprise and click Next. Select Root CA and click Next to continue. The default CA name is fine as well; it is derived from the computer name and the domain name.

The default validity period for the root CA certificate is 5 years. If you selected the web enrollment option, the installation wizard for IIS appears next; read the introduction if you like, click Next, then click Install. Once the installation is done you will see another notification that you should enable Windows Update; click Close. If you only want to use PEAP, which needs just a server certificate, you can skip the web enrollment step.

Select https in the Type drop-down box and make sure the SSL certificate is selected, then click OK. This concludes the installation of the certificate server and IIS; the role has a lot of features and is fairly easy to configure.

Next, install the Network Policy Server (NPS) role. Once NPS is installed and running, we are ready to create user and computer certificates. First, check whether the server already has a suitable computer certificate and, if not, request one.

Select Certificates from Available snap-ins, click Add, and choose the computer account. On the right side you can see that the computer certificates are now selected; click OK. Right-click the white space of the certificate list and select Request New Certificate.

Before you continue, confirm that the certificate's intended purposes include both Client Authentication and Server Authentication. Your server now has a certificate that it can present to wireless clients when they verify the identity of the RADIUS server. Now we can configure a wireless policy. Start by adding the wireless LAN controller as a RADIUS client and enter a password in the Shared secret field; use a long, random secret and configure the same value on the controller.
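The certificate check described above can also be scripted. The following is an added example, not code from the original tutorial: it inspects the local computer's Personal store for a certificate NPS can present for PEAP (Server Authentication and Client Authentication EKUs, a private key, currently valid, chaining to a trusted root) and, if none is found, triggers autoenrollment. It assumes it runs elevated on the NPS server and that the enterprise CA publishes a computer template for autoenrollment.

```powershell
# Added example; not part of the original tutorial. Run elevated on the NPS server.
# Assumes the enterprise CA publishes a computer certificate template for autoenrollment.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-PeapServerCertificate {
    # Returns certificates in LocalMachine\My that NPS could present to PEAP clients.
    $storeName = [System.Security.Cryptography.X509Certificates.StoreName]::My
    $location  = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $now = Get-Date
        foreach ($cert in $store.Certificates) {
            # Collect the EKU OIDs; a certificate without an EKU extension is not usable here.
            $ekus = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
                }
            }
            $usable = ($ekus -contains $ServerAuthOid) -and ($ekus -contains $ClientAuthOid) -and
                      $cert.HasPrivateKey -and ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
            # Verify() builds the chain with the default policy, which checks revocation online;
            # if the CA's CRL is unreachable this fails, and clients validating the cert would fail too.
            if ($usable -and $cert.Verify()) { $cert }
        }
    } finally {
        $store.Close()
    }
}

$certs = @(Get-PeapServerCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No valid computer certificate with Server and Client Authentication EKUs found; requesting one.'
    certutil -pulse | Out-Null      # triggers certificate autoenrollment immediately
    Start-Sleep -Seconds 15
    $certs = @(Get-PeapServerCertificate)
}
if ($certs.Count -eq 0) {
    Write-Error 'Still no usable certificate; request one manually from the Certificates MMC as described above.'
} else {
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
}
```

If more than one certificate is listed, note the thumbprint of the one you intend to use, because the PEAP settings of the network policy let you pick a specific certificate, and clients that pin the server name or issuer will reject a different one.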

Now we can create a network policy. Leave the type of network access server as Unspecified. Deselect all options on the following screen. On the next screen you select the authentication types that you want to allow; for PEAP this is Microsoft: Protected EAP (PEAP).

The policy now appears in the overview. Make sure you have selected the correct certificate in the PEAP settings. The password-expiry option only matters when the password has already expired in Active Directory. (To add the role itself, choose Network Policy Server in the role wizard and install the software.)

For example, you can add Active Directory user groups as a condition: only users who belong to the specified Windows group are authenticated under this policy. If requests from the ASA do not seem to reach the server, take packet captures to confirm that the authentication request leaves the ASA interface from which the server is reachable.

Once you open Event Properties you should see the reason for the failure, as in the example. Here PAP was not chosen as an authentication type under the network policy, so the authentication request fails.

Prerequisites: there are no specific requirements for this document.
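Opening each event by hand does not scale when many clients fail. The following added example, not code from the original page, reads recent NPS access-denied events (Security log, Event ID 6273) and summarises them by reason code and authentication type, so a mismatch like the PAP case above shows up at a glance. It assumes it runs on the NPS server with rights to read the Security log, and that the reason text NPS writes for a disallowed method contains "not enabled on the matching network policy"; verify that against the Reason column the function returns.

```powershell
# Added example; not part of the original page. Run on the NPS server with rights to read
# the Security log (Windows Server 2008 R2 or later). The reason-text match near the end
# is an assumption to verify against the Reason field in your own events.

function Get-NpsDenial {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    foreach ($e in $events) {
        $msg = $e.Message
        # Pulls the value of a "Label: value" line out of the event text. Matching is anchored at
        # the start of a line, so 'Account Name' does not match 'Fully Qualified Account Name'.
        $field = {
            param($label)
            $pattern = '(?m)^\s*' + [regex]::Escape($label) + ':\s*(.*?)\s*$'
            if ($msg -match $pattern) { $matches[1] } else { '' }
        }
        $code = & $field 'Reason Code'
        if ($code -match '^\d+$') { $code = [int]$code } else { $code = -1 }

        New-Object PSObject -Property @{
            Time       = $e.TimeCreated
            User       = & $field 'Account Name'
            NasIPv4    = & $field 'NAS IPv4 Address'
            Policy     = & $field 'Network Policy Name'
            AuthType   = & $field 'Authentication Type'
            ReasonCode = $code
            Reason     = & $field 'Reason'
        }
    }
}

# Summary: which (reason code, authentication type) pairs dominate the failures?
$denials = @(Get-NpsDenial -Hours 24)
$denials | Group-Object ReasonCode, AuthType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Detail for the case from the text: the client used a method (for example PAP) that the
# matching network policy does not enable.
$denials | Where-Object { $_.Reason -match 'not enabled on the matching network policy' } |
    Select-Object Time, User, NasIPv4, Policy, AuthType, Reason | Format-Table -AutoSize
```

Fields are parsed from the rendered message rather than from the raw event properties, because the property order differs between NPS versions while the labels do not. An empty Policy column together with a "no policy matched" reason points at the policy conditions (for example the group condition mentioned above), whereas a populated Policy with a disallowed-method reason points at the authentication types selected in that policy.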

Components used: the information in this document is based on an ASA that runs Version 9.

You might have to reuse this password when critical problems arise and the database needs to be accessed manually, so record it somewhere safe.
Step 16 Click Next.

Step 17 For each option that you require, check the corresponding check box. The actions associated with the options (for example, opening the .TXT file in Windows Notepad) occur after the setup program ends.
Step 18 Click Next. If you chose to do so, the ACS services start.

Step 19 Click Finish. The setup program exits; if you chose options in Step 17 (for example, opening the .TXT file), those actions occur now.
Step 20 If you did not choose the options in Step 17:
Note During installation a setup log text file (acssetup.) is created. This log records each stage of the installation process that is completed and can be used for troubleshooting.

If you want ACS to authenticate users with a Windows domain user database, after you install ACS you must perform additional Windows configuration, which is discussed in Windows Authentication Configuration. You can reinstall ACS over the same version that is already installed; this procedure is also known as overinstalling ACS. You can also upgrade to ACS 4. You can upgrade and reinstall ACS with the existing configuration and database information, or without preserving the data from the existing installation.

The upgrade process to ACS 4. The new ACS 4. If the database contained multiple representations of the same MAC address, the redundant MAC addresses created by the conversion are removed. Use the following procedure to reinstall or upgrade ACS if you want to preserve all existing configuration and database information.

Close all applications or command windows that are accessing any directory under the ACS directory; the installation cannot succeed if another process is using the ACS directory or any of its subdirectories. If the required Windows service pack is missing you can continue with the installation, but the service pack must be applied after the installation is complete; otherwise ACS may not function reliably. An information dialog box displays some details about Windows authentication.

Step 4 Click OK.
Step 5 Read the software license agreement.
Step 6 After you have read the information in the Welcome dialog box, click Next.
Step 7 If you have completed all items in the Before You Begin dialog box, check the corresponding check box for each item, and then click Next.

After you click Next, the Previous Installation Location dialog box appears.
Step 8 Check Yes, keep the existing configuration. If you are uncertain about keeping the configuration, click Explain to see details on keeping the existing configuration.
Step 9 Click Next.
Step 10 To change the installation location, enter the new path or click Browse to select the drive and path where the setup program installs ACS.

Step 11 Click Next.
Step 12 Enter a password for database encryption. Choose a strong password and store it securely; it is needed whenever the database has to be accessed manually.
Step 13 Click Next.
Step 14 For each option that you require, check the corresponding check box.

For the ACS Remote Agent for Windows installation you can likewise change the installation location.
Step 8 Choose the agent services that you want to use, then click Next. The Configuration Provider dialog box appears.
Note If you enter a hostname, be sure that DNS is operating correctly or that the appliance hostname is in the local hosts file.
Step 10 Click Next.

Step 11 Select the reboot option that you want.
Note To complete the installation successfully you must reboot. If you chose not to reboot now, do so before you use remote agent services.
Step 12 Click Finish. The setup program exits. If you chose to reboot the computer automatically, Windows restarts.
Note If you are reinstalling the remote agent after uninstalling it, the previous configuration of the remote agent service was lost during the uninstallation.

For more information, see Windows Authentication Configuration. Upgrading the remote agent requires no special steps: the upgrade process entails uninstalling the old version of the remote agent and installing the new version. If ACS uses Windows databases to authenticate users, you must perform additional configuration for reliable user authentication and group mapping.

Requirements vary depending on whether you installed the remote agent on a domain controller or on a member server. When ACS Remote Agent for Windows runs on a domain controller and you need to authenticate users with a Windows user database, the additional configuration required depends on your Windows networking configuration. Some of the following steps always apply when the remote agent runs on a domain controller; others are required only in certain conditions, as noted at the beginning of the step.

Perform only those steps that always apply and those that apply to your Windows networking configuration.

Step 1 To meet Windows requirements for authentication requests, ACS must specify the Windows workstation into which the user is trying to log on.

Because ACS cannot determine this information from the authentication requests that AAA clients send, it uses a generic workstation name for all requests. In the local domain, and in each trusted domain and child domain that ACS will use to authenticate users, ensure that:

For more information, see the Microsoft documentation for your operating system.

Step 2 Verify the Server service status. The remote agent depends on the Server service, which is a standard service in Microsoft Windows. On the computer that is running the remote agent, verify that the Server service is running and that its Startup Type is set to Automatic.
Tip To configure the Server service, use the local administrator account to log in to the computer that is running ACS.

The services appear alphabetically.

Step 3 Note This step is required only if ACS authenticates users who belong to trusted domains or child domains. You can support one or more protocols, but must ensure that: In addition to the previous setting, if you want to use NTLM version 2, you must also ensure that each: Refer to the Microsoft website. This version does not require any patch.

Step 4 Create a user account.

Tip If you upgraded or reinstalled the remote agent and created a user account for the previous installation, complete this step only if you want to use a different user account to run the remote agent service. In the domain of the domain controller that is running the remote agent, you need a domain user account that can run the remote agent service, as explained in the subsequent steps of this procedure. Create a domain user account and use it to run the remote agent service.

The user account does not require any particular group membership in the domain. Tip Give the user account an easily recognizable name, such as ACSuser.

If you enable audit policies, Event Viewer entries with this username will make it easier to diagnose permissions problems that are related to failed ACS authentication attempts.

To the user account that you create, grant the Read all properties permission on all Active Directory (AD) folders that contain users ACS must be able to authenticate. Tip You can access the security properties of an AD folder of users by right-clicking the folder, selecting Properties, and clicking the Security tab.

Click Add to include the username. For more information, see Windows Server Active Directory.

Step 5 Configure Local Security policies.
Tip If you upgraded or reinstalled the remote agent and completed this step for the previous installation, it is required only if you want to use a different user account to run the remote agent service.
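Steps 2 to 4 above are a checklist that is easy to get partly wrong on a busy domain controller. The following added example, which is neither Cisco's code nor part of the original document, verifies them on the host that runs the remote agent: the Server service state and startup type, the LAN Manager authentication level, and whether the agent's domain account exists and is enabled. With -GrantRead it also grants that account Generic Read on an OU of users through dsacls. The account name ACSuser and the OU path are placeholders; mapping the document's NTLM/NTLMv2 guidance onto the LmCompatibilityLevel registry value is an assumption, since the document does not name the setting.

```powershell
# Added example; not Cisco's code and not part of the original document.
# Assumptions: run as a domain administrator on the host running the remote agent;
# dsacls is available (AD DS tools); $AgentUser and $UsersOu are placeholders;
# LmCompatibilityLevel is taken to be the NTLM setting the document refers to.

function Test-AcsAgentPrerequisite {
    param(
        [string]$AgentUser = 'ACSuser',
        [string]$UsersOu   = 'OU=Users,DC=example,DC=com',
        [switch]$GrantRead
    )
    $results = @()
    function New-Check([string]$Check, [bool]$Pass, [string]$Detail) {
        New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
    }

    # Step 2: the agent depends on the Server service (LanmanServer); it must be running
    # and its startup type must be Automatic.
    $svc = Get-WmiObject Win32_Service -Filter "Name='LanmanServer'"
    $results += New-Check 'Server service is running' ($svc.State -eq 'Running') $svc.State
    $results += New-Check 'Server service starts automatically' ($svc.StartMode -eq 'Auto') $svc.StartMode

    # Step 3: LAN Manager authentication level (assumption, see above). A value of 3 or more
    # sends only NTLMv2 responses; 5 additionally refuses LM and NTLM from clients.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = $lsa.LmCompatibilityLevel
    if ($level -eq $null) { $levelText = 'not set (OS default)' } else { $levelText = "$level" }
    $results += New-Check 'NTLMv2 in use (LmCompatibilityLevel >= 3)' (($level -ne $null) -and ($level -ge 3)) $levelText

    # Step 4: the domain account that will run the agent service exists and is enabled.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$AgentUser))"
    $acct = $searcher.FindOne()
    $enabled = $false
    if ($acct -ne $null) {
        $uac = [int]$acct.Properties['useraccountcontrol'][0]
        $enabled = (($uac -band 2) -eq 0)          # ADS_UF_ACCOUNTDISABLE = 0x2
    }
    $results += New-Check "Account $AgentUser exists and is enabled" $enabled $(if ($acct) { $acct.Path } else { 'not found' })

    if ($GrantRead -and $acct -ne $null) {
        # Generic Read (GR) on the OU and everything below it (/I:T), so the agent can read
        # the properties of the users it must authenticate. Nothing beyond read is granted.
        $principal = "$env:USERDOMAIN\$AgentUser" + ':GR'
        dsacls $UsersOu /I:T /G $principal | Out-Null
        $results += New-Check "Read granted on $UsersOu" ($LASTEXITCODE -eq 0) "dsacls exit code $LASTEXITCODE"
    }
    $results
}

Test-AcsAgentPrerequisite -AgentUser 'ACSuser' -UsersOu 'OU=Users,DC=example,DC=com' |
    Format-Table Check, Pass, Detail -AutoSize
```

Run it without -GrantRead first and fix any failing check; only then rerun with -GrantRead, and do so per OU of users rather than at the domain root, which keeps the agent account at the least privilege the procedure requires. The account still needs the Log on as a service right from Step 5 before the remote agent service can start under it.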