00:00:00
hey there YouTube welcome to my channel
00:00:02
my name is Alex Hubbard I am a senior
00:00:04
systems administrator with over 15 years
00:00:06
of experience in the IT industry today
00:00:09
we're going to talk about setting up our
00:00:10
Ubiquiti UniFi controller to utilize
00:00:13
RADIUS, NPS and a certificate authority
00:00:17
within your Active Directory environment
00:00:20
so the first thing that we need to do is
00:00:22
we need to set all of the infrastructure
00:00:26
up for Ubiquiti to utilize now that we
00:00:29
are in our lab let's go to our domain
00:00:33
controller by clicking on console open
00:00:35
web console the first thing we need to
00:00:38
do is create a group to use for our
00:00:41
authentication so let's go to control
00:00:44
panel admin tools Active Directory users
00:00:50
and computers double click that and you
00:00:54
can go ahead and you know create your
00:00:57
groups wherever you store those I'm just
00:00:59
using the default area because this is
00:01:01
this is our lab so go ahead and right
00:01:04
click in the empty space click new group
00:01:08
and we're gonna call this lab radius auth
00:01:13
group lab radius auth we'll call it we'll
00:01:17
call it that try to be descriptive in
00:01:20
your names just because it helps
00:01:21
yourself when you come back six four
00:01:23
months from now or when you hand the
00:01:24
keys to the kingdom off to another
00:01:26
technician click OK double click this
00:01:29
group again put a description in this
00:01:33
group controls access to the Wi-Fi
00:01:40
something along that with RADIUS all
00:01:44
right
00:01:45
apply that we're gonna come over to our
00:01:48
members tab here and we need to add our
00:01:51
laptop I have a laptop a physical laptop
00:01:53
here on the bench so that I can show you
00:01:55
how to you know how it works once we're
00:01:58
done configuring it we need to click
00:02:00
this Add button up here use this object
00:02:03
type you can see it says users service
00:02:05
accounts groups or other objects now
00:02:07
normally you would assign a group to a
00:02:09
user this is a little different because
00:02:11
we're assigning the group to
00:02:13
or assigning the computer account to the
00:02:15
group so we need to change object type
00:02:17
and we need to check off computers click
00:02:20
OK and I know the name of the laptop
00:02:23
that I have is lab-laptop right so
00:02:27
we'll put that in we'll do a check name
00:02:29
click OK boom we're good there what we
00:02:36
need to do now is come over to our
00:02:39
utility server which is let's see here I
00:02:44
don't see it in the list oh yeah it's
00:02:46
right there at the top so we'll click on
00:02:48
that we'll go to console and we'll open
00:02:50
that up and login to that and we need to
00:02:58
install three roles on this server so
00:03:01
open up your server manager dashboard
00:03:03
and click on add roles and features we
00:03:07
can go to next it'll be a role based and
00:03:09
or feature-based installation so click
00:03:11
Next there just pick your local server
00:03:14
next and there are three services that
00:03:19
we need to install on this machine and
00:03:23
that's Active Directory certificate
00:03:24
services click add features Network
00:03:29
policy and access services add features
00:03:32
and remote access
00:03:38
- click Next you can just accept those
00:03:42
features that's fine go ahead and click
00:03:45
Next
00:03:47
we'll just do the certificate authority
00:03:49
we don't need any of the extra stuff on
00:03:51
this particular service or feature same
00:03:55
thing with this guy we'll configure this
00:03:57
we'll come back after the fact and
00:03:59
configure most is stuff
00:04:01
this one will only check off direct
00:04:02
access and VPN it's going to ask you to
00:04:05
add these features that's fine next next
00:04:09
leave those alone for the iis web server
00:04:13
and we'll install now you can run the
00:04:20
certificate authority on your domain
00:04:21
controller I don't typically like to run
00:04:23
anything on my domain controller other
00:04:25
than the domain controller services so
00:04:28
that's why I have a utility server or
00:04:30
just a universal server that I use for
00:04:32
things like this I try to keep this type
00:04:36
of stuff off the domain controller while
00:04:38
this is installing let's jump over to
00:04:40
our firewall we will need to create a
00:04:43
couple of rules here so let's say let's
00:04:45
go to our control panel and Windows
00:04:51
Defender firewall we've got to go to
00:04:56
Advanced Settings let's create a new
00:05:01
inbound rule here so right click on it
00:05:04
go to new rule and we're gonna allow a
00:05:11
port so select port it's going to be a
00:05:15
UDP port and we're going to put there
00:05:18
are four port numbers there's 1812 1813
00:05:25
1645 and 1646 these are for allowing
00:05:32
communication to the RADIUS server go
00:05:34
ahead and click Next
00:05:36
we'll allow the connection will check
00:05:41
uncheck public because we're not going
00:05:42
to use public next and we'll give it a
00:05:45
name allow
00:05:49
RADIUS UDP ports through firewall
00:06:06
1646 again give it a description
00:06:09
firewall the RADIUS access click next or
00:06:18
finish rather and now you should see
00:06:23
your new your new rule up here we've now
00:06:29
got our CA role and any of the roles
00:06:33
installed that we needed on our utility
00:06:35
server you can see this little icon over
00:06:38
here it says you have notification so
00:06:41
we'll click that and we have
00:06:43
post-deployment configuration for our
00:06:46
Active Directory certificate services so
00:06:48
let's click on configure and this should
00:06:51
open up the control panel the
00:06:53
configuration wizard for our certificate
00:06:55
authority give it a second here I am not
00:07:01
going to this is lab so I'm just going
00:07:03
to use my default admin account if you
00:07:05
are doing this in a production
00:07:06
environment it's probably a wise idea to
00:07:09
have a specific account for this so
00:07:11
click Next this is the only role we have
00:07:15
here is certificate authority so check
00:07:17
that off give it a second and we're
00:07:21
going to click Next we want to pick
00:07:23
enterprise CA since we have a domain if
00:07:27
you were doing this without a domain you
00:07:29
could pick standalone CA you know either
00:07:32
either will work but we're doing it with
00:07:34
a domain so we're gonna pick enterprise
00:07:36
CA we're going to do the root CA since
00:07:41
this is the only certificate authority
00:07:43
in the environment click Next we want to
00:07:47
create a new private key and you'll want
00:07:48
to jot this down because we're going to
00:07:50
need this when we set up UniFi you can
00:07:54
pick the you know select all it defaults
00:07:57
here that's fine if you want to tweak
00:07:59
these you can do that as well
00:08:01
I'll leave the default name click Next
00:08:07
I do 10 years that's fine that way we
00:08:10
don't have to worry about it this is lab
00:08:11
of just machine won't be around for 10
00:08:14
years so you can set it to whatever you
00:08:16
want click Next
00:08:17
again leave the default locations and
00:08:23
just double-check all your information
00:08:25
and click configure it's going to run
00:08:28
through once we do this yep okay so it's
00:08:31
succeeded successfully close that to
00:08:35
configure the network policy server we
00:08:39
need to go into control panel admin
00:08:41
tools and come down here to this network
00:08:43
policy server we'll double click that
00:08:48
make this big so you guys can see it
00:08:53
first thing we need to do is
00:08:55
authenticate this in Active Directory so
00:08:57
right click NPS local register server
00:08:59
and Active Directory click that yep
00:09:04
that's fine click OK it's now authorized
00:09:07
we're good once we've authenticated our
00:09:11
NPS server against or in Active
00:09:13
Directory we need to come over to this
00:09:15
standard configuration box here and pull
00:09:18
this drop down and we want to select
00:09:21
RADIUS server for 802.1X wireless or
00:09:24
wired connections once we've selected
00:09:27
that we'll configure it so click this
00:09:29
configure button down here at the bottom
00:09:31
select the first radio button here
00:09:34
secure wireless connections I'm going to
00:09:36
roll with the default name for now here
00:09:40
is where we want to add our access
00:09:42
points so click the Add button I only
00:09:44
have one in the lab so we'll call it lab
00:09:48
you a p1 IP is 10 10.1 o3
00:09:58
and we want to give it a shared secret
00:10:01
we'll create our own remember what you
00:10:07
made it because you'll need it for UniFi
00:10:09
in a minute click OK and there we go now
00:10:15
we've added our access point to the
00:10:19
authentication server the network Paul
00:10:21
network NPS server click Next
00:10:24
we're gonna pull this down here and we
00:10:27
are going to select protected EAP or
00:10:29
PEAP click Next now we want to add that
00:10:34
group we created earlier this is where
00:10:36
we want to add that so we can go or did
00:10:40
I call it I think I called it lab radius
00:10:44
let's do a check name and it should pull
00:10:47
there we go lab radius auth so pull that
00:10:50
click Next we're not going to do
00:10:54
anything with traffic control so click
00:10:56
Next and we are done so now we've just
00:11:02
configured our NPS role now it should
00:11:05
have created this so under policies if
00:11:07
you go to network policies it should
00:11:09
have created a secure wireless
00:11:10
connections policy we're going to double
00:11:12
click this and this is where we want to
00:11:16
go to the conditions tab and you can see
00:11:19
that it has added our windows group here
00:11:22
lab radius authentication so click OK
00:11:25
just verify that that's good alright one
00:11:30
of the final steps that we have to do
00:11:32
here is we need to come over to our
00:11:33
domain controller lab DC01 let's open
00:11:36
up the console here and we'll go to oops
00:11:45
so keys control-alt-delete let's login
00:11:49
we need to create a GPO for the computer
00:11:55
let's go into our group policy
00:11:57
management console here double click
00:11:59
this you can see my OU this is where
00:12:04
my lab computers are so my physical
00:12:06
laptop is in this group we're going to
00:12:09
right click create a GPO I'm gonna call
00:12:12
it lab radius auth GPO now we've got the
00:12:26
GPO created let's go ahead and edit it
00:12:36
now we want to come down to the security
00:12:38
filtering piece here and we want to add
00:12:41
our authentication group so lab radius
00:12:46
will do a check name so we'll put that
00:12:52
there perfect
00:12:54
and since this is a computer
00:12:58
configuration policy when we go to edit
00:13:00
it so right click on it edit we need to
00:13:03
go to the computer configuration portion
00:13:05
of it make this big so you can see we're
00:13:11
going to go our down here on policies
00:13:13
windows settings
00:13:20
security settings and we want to go to
00:13:26
public key policies it's kind of buried
00:13:28
in here so click on public key policies
00:13:30
there are two in here that we're going
00:13:32
to work on there's this automatic
00:13:33
certificate request settings and
00:13:35
certificate services client auto
00:13:37
enrolment let's do the auto enrolment
00:13:39
first so double click on that and we
00:13:41
want to change the configuration model
00:13:43
to enable or enabled and we'll check off
00:13:46
these two checkboxes here and click
00:13:48
apply click OK now come up here to
00:13:52
automatic certificate request settings
00:13:54
and we're going to create a new request
00:13:55
so right click in the empty space new
00:13:58
automatic certificate request we will
00:14:06
choose computer and finish so there we
00:14:10
go now we've set up the infrastructure
00:14:13
in our domain to be able to support
00:14:15
RADIUS authentication in our UniFi
00:14:17
server what we need to do now is jump
00:14:20
over to our lab our physical laptop here
00:14:22
and let's get let's make sure that the
00:14:26
group policy is on this machine so let's
00:14:31
go to command and we will do a GP update
00:14:36
space forward slash force and this will
00:14:39
pull down this will pull this will tell
00:14:41
the computer to go out to the domain
00:14:42
controller and pull down any of the
00:14:44
latest policies now a computer policy
00:14:47
doesn't come down or doesn't take effect
00:14:50
until you reboot so we'll have to reboot
00:14:52
this machine in order to get the policy
00:14:54
down so go ahead let's do a shutdown - R
00:15:02
- t - 0 so this will reboot it right now
00:15:08
and we'll come back once it's rebooted
00:15:11
and verify that the policy is now on a
00:15:13
machine our lab laptop has rebooted
00:15:16
let's open up a command prompt again and
00:15:20
we'll do this time we'll do a GP result
00:15:22
space /r which will show you all the GPOs
00:15:25
applied to this machine and then it
00:15:28
goes quick so you've got to pay
00:15:29
attention here we'll scroll up
00:15:33
and you should see two policies yep lab
00:15:37
radius authentication GPO and the
00:15:39
default domain policy we've configured
00:15:46
our infrastructure within our domain we
00:15:49
have verified that the GPO is now on our
00:15:52
lab laptop the last piece of this puzzle
00:15:54
is to go into our UniFi controller and
00:15:57
configure UniFi to allow RADIUS
00:16:00
authentication let's go to our UniFi
00:16:03
server here lab UniFi 01 open up the
00:16:07
console and we're gonna type in our
00:16:11
password so I'm already in our
00:16:20
controller here we'll come down to
00:16:27
settings and this is site-specific so if
00:16:31
you have multiple sites you have to do
00:16:32
it for each site and we want to go to
00:16:35
profiles and create a new RADIUS profile
00:16:41
so we'll call this lab radius and here
00:16:48
we have to add the IP address of our
00:16:51
utility server so let's I gotta remember
00:16:54
what that is okay 10.10.5.3
00:17:14
and change the two ports and this is
00:17:17
where we are going to need to remember
00:17:20
our shared secret we also enable
00:17:26
authentication
00:17:27
excuse me accounting so it's on the same
00:17:30
server and this will be 16 oops 45 this
00:17:48
will be 16 46 and again the same secret
00:17:59
cool so click Save now we've just
00:18:05
created this profile let's go over to
00:18:07
our wireless networks and I've already
00:18:09
got an SSID set up so we'll click Edit
00:18:16
and we need to do WPA Enterprise so now
00:18:22
that key goes away and we've got to pull
00:18:25
our profile here so lab radius and we'll
00:18:31
click Save
00:18:36
cool so now we should be able to come
00:18:38
back over to our lab laptop here and
00:18:44
let's check this out I'm gonna
00:18:46
disconnect to my Ethernet cable from it
00:18:49
I will do a ping to verify that I am not
00:18:57
connected to anything
00:18:58
oops where did we grab here oh alright
00:19:03
it just connected to my internal Wi-Fi
00:19:05
which is not what we wanted
00:19:06
so let's disconnect that make sure we're
00:19:09
not connected cool now this may take a
00:19:12
minute to get a certificate for our
00:19:15
request a certificate from the
00:19:17
certification authority server on our
00:19:20
utility server first I was running into
00:19:23
it was not connecting so this is what
00:19:26
you should see so we'll click the
00:19:28
connect button and it should connect and
00:19:31
we should get an IP address there we go
00:19:33
cool we're connected so let's go IP
00:19:35
config there we go 10.10.30.104 it's
00:19:39
ping let's ping out to the Internet and
00:19:43
there we go well guys I hope you enjoyed
00:19:46
this video this one's probably one of
00:19:48
the longer ones that I've done on the
00:19:51
channel and there's quite a bit of
00:19:53
moving parts to it I've not found this
00:19:56
is kind of a mesh of multiple different
00:19:58
guides that I have found and I use this
00:20:01
in my enterprise environment and I
00:20:03
wanted to pass along this information
00:20:05
because it gives you a lot more control
00:20:08
over access to your wireless environment
00:20:10
should you be using Ubiquiti you know so
00:20:15
there's a little bit of a complicated
00:20:16
process to get it set it set up and
00:20:18
running but it works very very well and
00:20:21
you don't have to give people passwords
00:20:23
and you can revoke access etc so if you
00:20:26
like this video please like and
00:20:27
subscribe below if there's something you
00:20:29
want to know or something you want to
00:20:30
see let me know I'm always looking for
00:20:31
ideas for the channel otherwise thank
00:20:34
you very much for watching and stay
00:20:36
tuned for more IT related videos