STEP 1 : Create Certificate
1. From the Start screen, click or search for Internet Information Services (IIS) Manager and open it.
2. Click on the server name.
3. From the center menu, double-click the “Server Certificates” button in the “IIS” section (it is in the middle of the menu).
STEP 2 : Install Microsoft Network Policy Server for Radius & 802.1x
From the Server Manager click “Add Roles or Features”
Make sure “Role-based or feature-based installation” is selected and click “Next”
Select the appropriate server in the next screen and click “Next”
Click on “Network Policy and Access Services”:
A box like this should pop up, click on “Add Features”:
Then click “Next”:
And click “Next” again:
And “Next” again:
And yet again, click “Next”:
And then click “Install”:
When it’s finished press “Close”:
STEP 3 : Configure NPS for UBNT Authentication
Next, have to set up server to allow domain authentication via 802.1x for wireless clients. Click on Start and find the icon for Network Policy Server and click on it:
On the window that open up drop down to “RADIUS Server for 802.1x Wireless or Wired Connections” and then click “Configure 802.1x”:
Make sure “Secure Wireless Connections” is highlighted, give it a sensible name and click “Next”:
The next screen is where we will add the details for all access points, so click “Add”:
Fill in the client area like this, note our “IP addresses” and “Shared Secret”. Probably want to make the “Shared Secret” some complex string, but for this example I’ve just used “firmwara*2”. Need to type this into the UAP controller for each AP. When complete click “Ok”:
When completed the process for the rest of access points, screen will probably look like this, click “Next”:
On the next screen, drop down the EAP type to “Microsoft: Protected EAP (PEAP)”, and then click “Configure”:
On this screen, select the certificate to present the clients connecting over Wifi. Certificate creation on STEP 1.
Then click “Next”:
The next screen lets us select which groups we want to allow to authenticate wirelessly, click “Add” and find appropriate group(s) and click “Next”:
Click “Next” on the following screen:
On the next screen click “Finish”:
Next, need to disable some insecure options. Under Policies, Network Policies, right click “Secure Wireless Connections” and click “Properties”:
Click on the Constraints tab:
By default, we have some insecure methods enabled:
Make sure they are all unchecked, like this and click “Ok”:
STEP 4 : Configure UAP Controller to Use NPS
Logon to controller as normal and click on “Settings”:
Click on “Create New Wireless Network” or edit an existing one. Fill in the Wireless Network like this, make sure you select WPA-Enterprise and fill in the IP Address and Share Secret of the appropriate details, in example it looks like the below. Click “Save”:
STEP 5 : Connect Client to UBNT Network
In the optional first step, we installed a certificate specifically to allow the Radius server to be trusted by our clients. If you’ve got a proper PKI in place then all your devices should trust the Radius server already, so your steps below may be slightly different than mine (I deliberately didn’t install the certificate for testing purposes).
After click “trust” client device will connected to network.