Meraki – Network Policy Server (NPS) and RADIUS with WPA2-Enterprise

Below is a quick guide to setting up WPA2-Enterprise on the Meraki cloud-managed wireless solution, using a Microsoft Windows Server 2008 R2 server running Network Policy Server (NPS) as the RADIUS server.

This lets domain-joined, Windows-authenticated users connect seamlessly to an SSID you present without having to enter a pre-shared key. The client validates the NPS server's certificate and authenticates with the domain credentials already cached on the machine, so the whole exchange is transparent to the user.

1) Set up a Windows Server 2008 R2 server and install the Network Policy Server (NPS) role.

2) Open the NPS console. Expand "Templates Management" and select "Shared Secrets".

3) Right-click and select "New RADIUS Shared Secret Template".

4) Give the template a name, select "Manual" and enter a shared secret. Use a long random string (the "Generate" option will produce one): the shared secret is all that authenticates the APs to NPS and protects the RADIUS traffic, so treat it like a password. Select "OK".

Meraki-NPS-Radius-WPA2-Enterprise-001

5) Next, under "RADIUS Clients and Servers", right-click "RADIUS Clients" and select "New".

Meraki-NPS-Radius-WPA2-Enterprise-002

6) Add each Meraki AP on which you will enable WPA2-Enterprise. Give it a friendly name, enter the AP's static IP address (NPS identifies RADIUS clients by source IP, so each AP needs a fixed address or a DHCP reservation), and under "Shared Secret" select the template created earlier.

Meraki-NPS-Radius-WPA2-Enterprise-003

7) Next, under "Policies", right-click "Connection Request Policies" and select "New".

Meraki-NPS-Radius-WPA2-Enterprise-005

8) Give it a policy name. Make sure the policy is "Enabled" and that "Type of network access server" is set to "Unspecified".

Meraki-NPS-Radius-WPA2-Enterprise-006

9) Select the "Conditions" tab and select "Add". Under "NAS Port Type", tick "Wireless - IEEE 802.11" under "Common 802.1X connection tunnel types" and "Wireless - Other" under "Others". Select "OK" twice to leave the policy, keeping the remaining settings at their defaults.

Meraki-NPS-Radius-WPA2-Enterprise-007

10) Next, under "Policies", right-click "Network Policies" and select "New".

Meraki-NPS-Radius-WPA2-Enterprise-008

11) On the "Overview" tab set:

a) Policy Name: give it a friendly name

b) Policy State: “Policy Enabled”

c) Access Permission: "Grant access", and tick "Ignore user account dial-in properties"

d) Network Connection Method: “Unspecified”

Meraki-NPS-Radius-WPA2-Enterprise-009

12) Next, on the "Conditions" tab select "Add" and make sure you have:

a) NAS Port Type: "Wireless - IEEE 802.11" and "Wireless - Other" (as in step 9)

b) Windows Groups: this guide uses "Domain Users", which lets every domain user account authenticate to the SSID. A dedicated security group (for example "Wireless Users") is the better choice if you want to control exactly who can join the wireless network.

Meraki-NPS-Radius-WPA2-Enterprise-010

13) On the "Constraints" tab, follow the screenshots below. The EAP authentication method needs a server certificate on the NPS server; we have an internal CA that issues all our certificates. If you don't have a CA in place, you can install IIS 7.5 on the server and create a self-signed certificate, but clients cannot validate a self-signed certificate against a trusted root, so they will need to be configured to trust it explicitly. Turning off server certificate validation on the clients instead is not a safe shortcut: a client that does not check the server's certificate will hand its credentials to any rogue access point broadcasting the same SSID.

Meraki-NPS-Radius-WPA2-Enterprise-011

Meraki-NPS-Radius-WPA2-Enterprise-012
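The NPS side of steps 4 to 6 and 12 can be scripted rather than clicked through, which matters once you have more than a handful of APs. The PowerShell below is an added example and not part of the original guide: it generates a random shared secret with a cryptographic RNG, stores it in an ACL-protected file for the Meraki dashboard step later, registers each AP as a RADIUS client with `netsh nps` (the command-line interface for NPS on Windows Server 2008 R2), and creates a dedicated AD group to use in the network policy instead of Domain Users. The AP names and addresses, the group name, the user names and the file path are placeholders chosen for the example; the connection request and network policies themselves are still created in the console as described above.

```powershell
# Added example: register Meraki APs as NPS RADIUS clients on Windows Server 2008 R2.
# Run in an elevated PowerShell session on the NPS server. All names and addresses are placeholders.

# One AP name and static IP per entry. NPS matches RADIUS clients by source IP address,
# so the APs need static addresses or DHCP reservations.
$accessPoints = @{
    "MR-AP-01" = "10.10.20.11"
    "MR-AP-02" = "10.10.20.12"
    "MR-AP-03" = "10.10.20.13"
}

# Build an alphanumeric shared secret from a cryptographic RNG. Alphanumeric avoids quoting
# problems in netsh and the dashboard; 48 characters is far beyond anything guessable.
function New-RadiusSharedSecret {
    param([int]$Length = 48)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # Rejection sampling: 248 = 4 * 62, so bytes below 248 map uniformly onto the 62-character alphabet.
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    return $sb.ToString()
}

$secret = New-RadiusSharedSecret

# Keep the secret out of the console and transcript; you will paste it into the Meraki dashboard later.
$secretFile = 'C:\Secure\meraki-radius-secret.txt'   # placeholder path
New-Item -ItemType Directory -Path (Split-Path $secretFile) -Force | Out-Null
Set-Content -Path $secretFile -Value $secret
icacls $secretFile /inheritance:r /grant:r "Administrators:F" | Out-Null

# Equivalent of steps 5 and 6: one RADIUS client per AP, all sharing the generated secret.
# requireauthattrib=yes makes NPS insist on the Message-Authenticator attribute; 802.1X/EAP
# requests always carry it, so this costs nothing for WPA2-Enterprise and rejects forged requests.
foreach ($ap in $accessPoints.GetEnumerator()) {
    netsh nps add client name="$($ap.Key)" address="$($ap.Value)" state="enable" `
        sharedsecret="$secret" requireauthattrib="yes"
}

# Equivalent of the Windows Groups condition in step 12: a dedicated group instead of Domain Users.
Import-Module ActiveDirectory
$groupName = 'Wireless Users'   # placeholder group name
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'Accounts allowed on the corporate WPA2-Enterprise SSID'
}
Add-ADGroupMember -Identity $groupName -Members 'jsmith', 'agarcia'   # placeholder user names

# Confirm the clients NPS now knows about.
netsh nps show client
```

Select the new group instead of Domain Users when you add the Windows Groups condition in step 12, and delete the secret file once the dashboard has been configured.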

14) Now log in to your Meraki Dashboard and select the network on which you want to enable WPA2-Enterprise.

15) Select "Configure" and then "Access control" from the menu on the left. Make sure the correct SSID is selected.

Then set:

a) Association requirements: "WPA2-Enterprise with my RADIUS server"

b) Splash page: “None (direct access)”

c) RADIUS server: click "Add server" and enter the NPS server's internal IP address with port 1812 (UDP; make sure the APs can reach it through your firewall). Enter the same shared secret that was set up earlier.

16) Save, then use the "Test" option by entering the username and password of a domain user.

If the test succeeds you are good to go!

Meraki-NPS-Radius-WPA2-Enterprise-013
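The dashboard "Test" only tells you pass or fail. The NPS server records the reason for every decision in the Security log, which is where to look when the test fails and, afterwards, where to watch for accounts being denied or probed. The PowerShell below is an added example, not part of the original guide: it enables the NPS audit subcategory (without it the events are not written) and summarises the granted (6272), denied (6273) and discarded (6274) events from the last hour. The EventData field names used to pull out the user, AP, client MAC and reason are those in the NPS audit event XML as I have seen them; treat them as an assumption and check one event's XML with `(Get-WinEvent -FilterHashtable @{LogName='Security';Id=6273} -MaxEvents 1).ToXml()` if a column comes back empty.

```powershell
# Added example: verify WPA2-Enterprise authentications on the NPS server from the Security log.
# Run in an elevated PowerShell session on the NPS server.

# NPS writes 6272 (granted), 6273 (denied) and 6274 (discarded) only when this subcategory is audited.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

function Get-NpsAuthResult {
    param([int]$Hours = 1)

    $outcome = @{ 6272 = 'GRANTED'; 6273 = 'DENIED'; 6274 = 'DISCARDED' }

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6272, 6273, 6274
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML rather than scraping the message text.
        # Field names are an assumption based on the NPS audit event schema (see the lead-in).
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        New-Object PSObject -Property @{
            Time      = $e.TimeCreated
            Result    = $outcome[[int]$e.Id]
            User      = $d['FullyQualifiedSubjectUserName']
            AP        = $d['NASIPv4Address']          # which Meraki AP forwarded the request
            ClientMac = $d['CallingStationID']        # the wireless client
            Policy    = $d['NetworkPolicyName']       # which network policy matched, if any
            EapType   = $d['EAPType']
            Reason    = $d['Reason']                  # populated on 6273 and 6274
        }
    }
}

# Most recent first; a DENIED row's Reason tells you whether it was the password, the group
# condition, the EAP type, or the certificate. DISCARDED means the request never reached policy
# evaluation, for example when the AP is not a registered RADIUS client.
Get-NpsAuthResult -Hours 1 | Sort-Object Time -Descending |
    Format-Table Time, Result, User, AP, ClientMac, Policy, EapType, Reason -AutoSize
```

Run the dashboard test, then this script: a single GRANTED row from the AP's address with the test user's name and the policy you created in step 11 confirms the whole chain (shared secret, connection request policy, network policy, EAP method) end to end.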