RADIUS authentication

- [Instructor] I previously set up a network policy server, so now it's time to set up the client portion. But first, we have to go back into the domain controller, which is also the network policy server, and go to Tools and go to Group Policy Management. Now, you can see the root level of my domain, and you can also see the organizational unit where I set up the network policy server PC. So I can create a group policy object in either the organizational unit where I want to apply it or at the root level, which will affect every different computer. Either way, just choose the one that's right for you. I'm going to choose the root option so it covers all different computers in the future, if I'd like to, and choose to create a GPO in this domain and link it here. And I'll call this one NPS for network policy server. And it automatically linked it right to my root level. Now, I'm going to right-click and choose to edit it. And now you can see I can apply this to either computer policy configurations or user policy configurations. Before I make an edit to this group policy, I'm going to go back into group policy management and go to security filtering. So you can see it already has added in all authenticated users, but I also need to add in my authenticated computers as well. I previously created a group called NPS, and I put my Windows 11 computer into it. So now I've gone ahead and added that to make sure that my computer is going to be authenticated. Now, I can go back to my policy and I can edit it. This is going to be a computer configuration policy, so I'm going to expand policies and Windows settings and then security settings, and I'll go down to public key policies. I'm going to go to where it says Certificate Services Client - Auto-Enrollment, and it's going to use that certification authority that I configured earlier. So I'm going to choose to enable it, renew any expired certificates, update certificates, that kind of thing. So if that certificate needs to be renewed and updated, it will go ahead and do it. And I'll click OK when done. Now I'll go to the automatic certificate request settings and right-click and choose New, Automatic Certificate Request. Click Next. I need to choose the computer option, which it's chosen by default, and click Finish. So now the computer certificate will get pushed out to that client when they want to get authenticated. Now, I need to choose the 802.11 policies option, and I'll right-click and choose to create a new wireless network policy for Windows Vista and later releases. So I'm going to call this NPS Policy. I can go ahead and remove the description and choose Add and choose an infrastructure type of configuration. And I'll once again call this NPS and I'll call it Profile, since it's a profile name. And I need to put in the SSID. So the SSID is AdvWIFI for advanced wifi. And I'll click Add. I don't need to have it connect to a more preferred network. I've only got the one. I do want it to connect automatically, however, when it's in range. Now, I'm going to click on Security and you've got the authentication option. And of course, I've chosen the WPA2 Enterprise. You can see there's multiple options. Now, this is Windows Server 2025, so it also includes the WPA3 Enterprise option as well if it's supported on your access point. The encryption is correct. The network authentication is also correct. However, I'm not choosing user authentication. This is just going to be computer authentication. That means only computers joined to the domain are going to be able to access this. So I'm going to click on the Properties button for my network authentication. Next, I'll check the box to connect to these servers, which is going to be my network policy server. And I know the name of the computer because it's in the upper left-hand corner. So I'll just go ahead and type that in. And next, I'll choose the name of the server. Sometimes if you see multiple ones, just choose the bottom one. That'll be the newest of the servers in the list. And there's nothing else to configure, so I'll go ahead and click OK. And now my group policy has been created. Now, this is all done on the server side. Next thing to do would be to go to the client side and restart the client computer so the policy gets applied, and then go ahead and try to connect to the network policy server using the Active Directory credentials. Back in my client, you can see the advanced Wifi is now connected and secured, and I should see an additional IP address when I open up my command prompt. I'll type in ipconfig /all and we should see that the Wifi has an IP address. And there it is. To confirm that your group policy has been applied, just type in gpresult /r and you have to be in as the administrator. And then scroll up to the computer group policy objects under the computer settings that you see here. And here you can see my network policy service group policy has applied. Radius Wifi on a Windows server does have a lot of moving parts, but once you've confirmed it's set up in a way that you have seen here, you should be able to authenticate using Active Directory using Enterprise Wifi.