Wireless Networks Thread (Technical forum)
  #1 san_narula
    Enterprise Wi-Fi setup using Windows Server 2012 R2 IAS

    I bought some Unifi access points last year for the school I work for. Until last year we only had a flat layer 2 network, but now I have set up a layer 3 network with HP Procurve switches. I am now setting up Wi-Fi which will be used for both school-owned laptops and BYO devices. Firstly I am trying to get it working for school-owned devices with certificates, which I got mostly working except that the devices do not get assigned to the VLAN I have specified in NPS. They get an IP address from VLAN 2, which is the management VLAN for the access points. I haven't been able to figure out why this is not working, so can anyone who has configured it before help me?
    Also, I would like to know the authentication methods I should be using to make sure it has the best security possible. Can anyone who has configured Wi-Fi for BYOD tell me what I need to do so that students and staff can connect their devices to the school network? If I use certificates for authentication, should I be creating multiple certificates for different groups of users and computers?
    We have another problem: students will plug their devices into the Ethernet ports, so is there a way to prevent them from doing so by not giving them access via the wired network?

  #2 seawolf
    Quote Originally Posted by san_narula:
    I bought some Unifi access points last year for the school I work for. Until last year we only had a flat layer 2 network, but now I have set up a layer 3 network with HP Procurve switches. I am now setting up Wi-Fi which will be used for both school-owned laptops and BYO devices. Firstly I am trying to get it working for school-owned devices with certificates, which I got mostly working except that the devices do not get assigned to the VLAN I have specified in NPS. They get an IP address from VLAN 2, which is the management VLAN for the access points. I haven't been able to figure out why this is not working, so can anyone who has configured it before help me?
    Also, I would like to know the authentication methods I should be using to make sure it has the best security possible. Can anyone who has configured Wi-Fi for BYOD tell me what I need to do so that students and staff can connect their devices to the school network? If I use certificates for authentication, should I be creating multiple certificates for different groups of users and computers?
    Have you tagged the VLANs that are used for the WLANs on the ports going to the APs? Also, why do you have the management VLAN handing out IP addresses? I would set the management network up as a static VLAN?

    Quote Originally Posted by san_narula:
    We have another problem: students will plug their devices into the Ethernet ports, so is there a way to prevent them from doing so by not giving them access via the wired network?

    Yes, you could use MAC filtering so that your DHCP server doesn't hand out IP addresses. There are ways to defeat this though, so if you want to do it really properly, you'll need to use NAP.
    Last edited by seawolf; 5th March 2014 at 10:43 AM.

  #3 DMcCoy
    Quote Originally Posted by san_narula:
    the devices do not get assigned to the VLAN I have specified in NPS.
    You can only use the NPS to allow/deny access to an SSID with its associated VLAN on Unifi; it does not currently support RADIUS-assigned VLANs because it is not really enterprise wireless. I assume you have all the APs as RADIUS clients on NPS? (Because it doesn't run any auth centrally through the controller, it's a glorified central config for each AP, with bugs.)


    Quote Originally Posted by san_narula:
    We have another problem: students will plug their devices into the Ethernet ports, so is there a way to prevent them from doing so by not giving them access via the wired network?
    Wired 802.1X is what I implemented on Procurves to stop most of this, allowing only machines with a domain account (for the Windows ones), and MAC auth for the non-Windows machines, printers, etc.

  #4
    Thanks for the reply.
    All the VLANs are tagged on the port the AP is connected to, except VLAN 2.
    Actually, the management VLAN is set to static, but I turned on DHCP to test as the devices were not getting IP addresses.
    So do I need to install the certificates on all of our devices and set up a policy in NPS to authenticate only those with the certificate via the wired connection?

  #5 DMcCoy
    For wireless BYOD you could still use 802.1X for wireless authentication, but prompt for the user's AD credentials instead of a certificate; either will work. The VLAN you want them to join needs to be set for the SSID on the Unifi and tagged on all the ports with a Unifi AP.

    Wired authentication needs quite a lot of planning; however, you can do computer/user-based authentication, unauthenticated VLANs, RADIUS-assigned VLANs, etc.

    If you just want all BYOD devices on a separate VLAN, then you just need to create another SSID on the Unifi controller with a different VLAN assigned to it and tag the APs.

  #6
    Hi DMcCoy,
    I have set up authentication with AD credentials for BYOD and it is working fine. At the moment, I have Unifi set to assign the clients to the VLANs based on SSIDs, but I will have too many SSIDs this way. To avoid this I am actually trying to get NPS to assign the clients to the desired VLANs dynamically, as I can have only 3-4 SSIDs for everyone. See screenshot. I am thinking it's either the configuration in NPS, or the switch is not able to handle it correctly. Can anyone confirm?
    [Attachment: NPS Dynamic VLAN assignment.jpg]

  #7 DMcCoy
    Quote Originally Posted by san_narula:
    Hi DMcCoy,
    I have set up authentication with AD credentials for BYOD and it is working fine. At the moment, I have Unifi set to assign the clients to the VLANs based on SSIDs, but I will have too many SSIDs this way. To avoid this I am actually trying to get NPS to assign the clients to the desired VLANs dynamically, as I can have only 3-4 SSIDs for everyone. See screenshot. I am thinking it's either the configuration in NPS, or the switch is not able to handle it correctly. Can anyone confirm?
    [Attachment: NPS Dynamic VLAN assignment.jpg]
    The switch can do dynamic VLANs, and so can NPS.

    Unifi can't.

    You cannot yet assign the VLAN for a wireless client with Unifi and RADIUS.

    Which you should know, having posted in the unifi thread asking for this feature (although available on many other managed wireless products).

    https://community.ubnt.com/t5/ideas/v2/ideapage/blog-id/UniFi_Ideas/article-id/2/page/2
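    What DMcCoy describes, in RADIUS terms: NPS sends the VLAN as RFC 2868 tunnel attributes in the Access-Accept, and it is the NAS (switch or AP) that has to act on them. The following is an added example, not code from this thread or from Ubiquiti or Microsoft; it builds a constructed Access-Accept carrying the attribute triple NPS uses for dynamic VLAN assignment and shows what a standards-compliant NAS extracts from it. A NAS that ignores these attributes, as the posts above say Unifi did at the time, leaves the client on the SSID's VLAN no matter what NPS sends, so checking the RADIUS exchange tells you which side is at fault.

```python
# Build and parse a RADIUS Access-Accept carrying the RFC 2868 tunnel attributes
# used for dynamic VLAN assignment. Constructed packet, not captured from NPS.
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 (RFC 3580)

def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value  # Type|Length|Value

def tagged_int(tag, n):
    return bytes([tag]) + n.to_bytes(3, "big")  # RFC 2868 tag octet + 3-octet int

def build_access_accept(vlan_id, tag=1):
    """The attribute triple NPS sends when a network policy assigns a VLAN."""
    attrs = (attr(TUNNEL_TYPE, tagged_int(tag, VLAN))
             + attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, IEEE_802))
             + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))
    authenticator = b"\x00" * 16  # placeholder; a real packet carries an MD5 value
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Walk the attribute list; returns (code, [(type, raw_value), ...])."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    pos, found = 20, []
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        found.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, found

def assigned_vlan(packet):
    """VLAN ID a standards-compliant NAS applies, or None if the Access-Accept
    carries no complete (Tunnel-Type, Tunnel-Medium-Type, Group-ID) set."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    by_tag = {}  # attributes grouped by tag octet (0 = untagged)
    for atype, val in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            by_tag.setdefault(val[0], {})[atype] = int.from_bytes(val[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:  # tag present only if first octet <= 0x1F
            tag, raw = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            by_tag.setdefault(tag, {})[atype] = raw.decode()
    for grp in by_tag.values():
        if grp.get(TUNNEL_TYPE) == VLAN and grp.get(TUNNEL_MEDIUM_TYPE) == IEEE_802 \
                and TUNNEL_PRIVATE_GROUP_ID in grp:
            return int(grp[TUNNEL_PRIVATE_GROUP_ID])
    return None
```

    If a packet capture of the NPS reply shows this triple and the client still lands on the SSID's VLAN, the NAS is discarding the assignment; if the triple is missing, the NPS network policy is not sending it.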


  #8
    Quote Originally Posted by DMcCoy:
    The switch can do dynamic VLANs, and so can NPS.

    Unifi can't.

    You cannot yet assign the VLAN for a wireless client with Unifi and RADIUS.

    Which you should know, having posted in the unifi thread asking for this feature (although available on many other managed wireless products).

    https://community.ubnt.com/t5/ideas/...le-id/2/page/2
    Thanks for pointing me to the link. I did search the Ubiquiti forums but must have missed it. I will wait for the option to be available.

    Are you able to point me to a good guide to setting up certificates for domain and BYOD computers? I have created a new certificate from a template in ADCS, but it is not appearing in Group Policy or NPS. I am not sure what I am missing. This is the first time I am using certificates, so I do not know much about it.

  #9
    @DMcCoy
    I read your post above again and am feeling stupid now.
    Actually, I didn't know at the time that any such thing was even possible, so I wondered what the feature request was for. I had completely forgotten about it after that, and now I understand, when I need it myself.
