This setup requires knowledge of wireless access point administration, 802.1x authentication, RADIUS server roles, and Microsoft Network Policy Server (NPS) configuration, usage, and administration.
There are two main sections: Wireless configuration and Microsoft Network Policy Server setup.
Whether we use a standalone infrastructure based on unique access points or centralized, managed access points, the infrastructure can be configured to allow users connecting to a unique SSID to reside in different WLANs. This setup makes the access points aware of the particularities that the NPS server sends when authentication takes place.
This setup has the following requirements:
- Wireless infrastructure must support Dynamic WLAN
- Wireless infrastructure must support WPA2 Enterprise
With dynamic WLAN enabled, the RADIUS clients look for other directives sent by the RADIUS server. For example, the WLAN ID sent by the RADIUS server delivers the ID to the client’s device.
From the wireless configuration point of view, the setup is simple. Make sure the Network Policy Server is present on the access points or controller and the unit is able to query the NPS. You can verify the NPS queries in Event Viewer on the NPS server.
Network Policy Server
Windows Network Policy Server supports more than just authenticating users. Each rule can be individually configured so that, when a request matches it, NPS sends the WLAN ID for that rule to the RADIUS client (access point or controller).
The client authenticates using Active Directory credentials. Assuming the credentials match the ones stored in Active Directory, the NPS server takes action based on the policy conditions.
There are many other settings available, but we’ll stick to the ones we need in order to authenticate and push the correct WLAN to the client.
Network policy server example of the policy rule that matches a certain WLAN:
As shown above, if the policy conditions are met, the NPS server proceeds to push Tunnel-Type = VLAN, Tunnel-Medium-Type = 802.1x (the one we’re interested in) and Framed-Interface-Id = (VLAN id) to the RADIUS client (Zone Director in our case). These settings complete other matching criteria and rules for this NPS policy. The result is completely transparent to the supplicant (the end user).
This setup was tested using Ruckus wireless infrastructure with Zone Director 3000 and Windows 2016 Network Policy Server.
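A check for this step, as an added example that is not part of the original article: a Python decoder that takes a captured RADIUS Access-Accept and reports the VLAN it assigns. It assumes the RFC 2868/RFC 3580 attribute encoding, with the VLAN ID read from Tunnel-Private-Group-ID (attribute 81), which this page does not name; the function names and the sample packet are constructed for illustration.

```python
import struct

# Attribute and value numbers from RFC 2865/2868/3580 (assumed, not from the page).
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def parse_attributes(packet: bytes):
    """Return (code, [(attr_type, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the packet")
    attrs, pos = [], 20
    while pos < length:
        # Each attribute is type (1 byte), length (1 byte, >= 2), then the value.
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def vlan_assignment(packet: bytes):
    """Return the VLAN ID string an Access-Accept assigns, else None."""
    code, attrs = parse_attributes(packet)
    found = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[atype] = int.from_bytes(value[1:], "big")  # skip the 1-byte tag
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte <= 0x1F is a tag; otherwise it starts the string.
            text = value[1:] if value[0] <= 0x1F else value
            found[atype] = text.decode("ascii", "replace")
    complete = (code == ACCESS_ACCEPT and found.get(TUNNEL_TYPE) == VLAN
                and found.get(TUNNEL_MEDIUM_TYPE) == IEEE_802)
    return found.get(TUNNEL_PRIVATE_GROUP_ID) if complete else None

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def build_accept(attrs: bytes) -> bytes:
    """Constructed sample packet: identifier 1, zeroed authenticator."""
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed sample: tag 0x00, Tunnel-Type 13, Tunnel-Medium-Type 6, VLAN "30".
SAMPLE = build_accept(attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
                      + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
                      + attr(TUNNEL_PRIVATE_GROUP_ID, b"30"))
```

A `None` result for a user who should have been moved means the matching policy returned an incomplete attribute set, which is the first thing to rule out before troubleshooting the controller.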
For more information about configuring a Ruckus Wireless Zone Director and Microsoft NPS server, follow the links below: