Configure Windows Server 2019 for Ubiquiti UniFi RADIUS Authentication

00:20:39
https://www.youtube.com/watch?v=QKVBite1p3E

Summary

TL;DR: In this detailed tutorial, Alex Hubbard shares his expertise in setting up a Ubiquiti UniFi controller with RADIUS NPS and a certificate authority within an Active Directory environment. He begins by creating an authentication group in Active Directory, then installs the roles required for certificate services and network policy on a utility server. Alex explains how to create firewall rules for RADIUS communication and checks that each component is set up correctly before configuring the Network Policy Server (NPS) to authorize access requests. He emphasizes the importance of a proper setup for secure wireless connections and concludes by verifying functionality with a hands-on connection test from a lab laptop, stressing the control this method gives over wireless access.

Takeaways

  • 💻 Setup involves creating an authentication group in Active Directory.
  • 🔧 Install roles like Active Directory Certificate Services and NPS on a utility server.
  • 🛡️ Configure firewall rules to allow RADIUS communication ports.
  • 🔐 Establish secure wireless connections using the NPS settings.
  • 📜 Verify Group Policy application on client devices after reboot.
  • 🧩 RADIUS authentication enhances control over wireless network access.
  • 📈 This method eliminates the need for shared passwords.
  • 🏗️ A comprehensive process is required for successful configuration.
  • 🥇 Alex shares personal insights from enterprise-level experience.
  • 💬 Viewers are encouraged to engage for further content ideas.

Timeline

  • 00:00:00 - 00:05:00

    Alex Hubbard introduces himself as a senior systems administrator and outlines the focus of the video, which is setting up a Ubiquiti UniFi controller using RADIUS, NPS, and a certificate authority within an Active Directory environment. He starts by accessing the domain controller to create a group for authentication and emphasizes the importance of using descriptive names for better management in the future.

  • 00:05:00 - 00:10:00

    The process continues by setting up a utility server where necessary roles and features are installed, including Active Directory Certificate Services, Network Policy and Access Services, and Remote Access. Alex explains how to configure firewall rules to allow communication with the RADIUS server, emphasizing the ports to be opened for successful communication.

  • 00:10:00 - 00:15:00

    Alex moves on to configure the Active Directory Certificate Services after the necessary roles are installed. He explains the setup of a Network Policy Server (NPS) by registering it in Active Directory and setting up conditions for secure wireless connections. He also guides viewers through adding an access point and configuring it with a shared secret, along with the group previously created for authentication purposes.

  • 00:15:00 - 00:20:39

    Finally, Alex shows how to verify that Group Policy Objects (GPOs) are applied to the lab laptop and how to set up the Ubiquiti UniFi controller to allow RADIUS authentication. He explains the connection process from the lab laptop to the RADIUS server and concludes with the importance of the guide for managing wireless access, as well as encouraging viewers to engage with the channel for more IT-related content.
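
A scripted equivalent of the GUI steps in the timeline above, as an added PowerShell example that is not from the video. Role choices, ports, firewall profiles and CA settings follow the video; the group name spelling, the access point name and address, and the interactive secret prompt are assumptions to replace with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the video. The sections run on different hosts.
# Assumed values (not confirmed by the page): group name spelling, AP name and address.
$GroupName  = 'Lab-Radius-Auth'     # assumption: spelling of the group created in the video
$ClientName = 'LAB-LAPTOP'          # computer account that is allowed onto the Wi-Fi
$ApName     = 'lab-uap1'            # placeholder friendly name for the RADIUS client
$ApAddress  = '<ACCESS-POINT-IP>'   # placeholder: address of your access point

# --- On the domain controller (or a host with the ActiveDirectory module) ---
Import-Module ActiveDirectory
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
    -Description 'Controls access to the Wi-Fi with RADIUS'
# The member is a computer account, not a user.
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $ClientName)

# --- On the utility server ---
# The three roles from the video: AD CS (certification authority only),
# Network Policy and Access Services, Remote Access (DirectAccess and VPN).
Install-WindowsFeature -Name ADCS-Cert-Authority, NPAS, DirectAccess-VPN `
    -IncludeManagementTools

# Inbound RADIUS over UDP: 1812/1813 (standard) and 1645/1646 (legacy).
# The Public profile is left out, matching the unchecked box in the video.
New-NetFirewallRule -DisplayName 'Allow RADIUS UDP ports through firewall' `
    -Direction Inbound -Protocol UDP -LocalPort 1812, 1813, 1645, 1646 `
    -Profile Domain, Private -Action Allow

# Enterprise root CA with a new private key and a 10-year validity period.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# Register NPS in Active Directory (same as "Register server in Active Directory").
netsh nps add registeredserver

# Add the access point as a RADIUS client. The shared secret is prompted for
# so that it never lands in the script or in shell history.
$secure = Read-Host -Prompt "Shared secret for $ApName" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
New-NpsRadiusClient -Name $ApName -Address $ApAddress -SharedSecret $plain | Out-Null
Remove-Variable -Name plain, secure

# --- On the client, once the GPO is linked ---
gpupdate /force
# Computer policy takes effect after a reboot; run the checks below afterwards.
gpresult /r /scope computer
# A machine certificate issued by the new CA should be in the computer store.
Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object Subject, Issuer, NotAfter
```

The NPS wireless policy (PEAP plus the Windows group condition) and the GPO auto-enrollment settings are still created through the wizards shown in the video.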

Video Q&A

  • Who is Alex Hubbard?

    Alex Hubbard is a senior systems administrator with over 15 years of experience in the IT industry.

  • What does this video tutorial cover?

    The tutorial covers setting up a Ubiquiti UniFi controller with RADIUS NPS and a certificate authority in an Active Directory environment.

  • What are the main steps in the setup process?

    The setup process includes creating a group for authentication, installing necessary roles, configuring the network policy server, and establishing firewall settings.

  • What is the purpose of using RADIUS authentication?

    Using RADIUS authentication allows for better control of access to wireless networks, eliminating the need for shared passwords.

  • How can I test the configuration?

    You can test the configuration by connecting a lab laptop to the network and verifying the connection and IP address.

Subtitles
  • 00:00:00
    hey there YouTube welcome to my channel
  • 00:00:02
    my name is Alex Hubbard I am a senior
  • 00:00:04
    systems administrator with over 15 years
  • 00:00:06
    of experience in the IT industry today
  • 00:00:09
    we're going to talk about setting up our
  • 00:00:10
    Ubiquiti UniFi controller to utilize
  • 00:00:13
    radius NPS and a certificate authority
  • 00:00:17
    within your Active Directory environment
  • 00:00:20
    so the first thing that we need to do is
  • 00:00:22
    we need to set all of the infrastructure
  • 00:00:26
    up for Ubiquiti to utilize now that we
  • 00:00:29
    are in our lab let's go to our domain
  • 00:00:33
    controller by clicking on console open
  • 00:00:35
    web console the first thing we need to
  • 00:00:38
    do is create a group to use for our
  • 00:00:41
    authentication so let's go to control
  • 00:00:44
    panel admin tools Active Directory users
  • 00:00:50
    and computers double click that and you
  • 00:00:54
    can go ahead and you know create your
  • 00:00:57
    groups wherever you store those I'm just
  • 00:00:59
    using the default area because this is
  • 00:01:01
    this is our lab so go ahead and right
  • 00:01:04
    click in the empty space click new group
  • 00:01:08
    and we're gonna call this lab radius auth
  • 00:01:13
    group lab radius auth we'll call it we'll
  • 00:01:17
    call it that try to be descriptive in
  • 00:01:20
    your names just because it helps
  • 00:01:21
    yourself when you come back six four
  • 00:01:23
    months from now or when you hand the
  • 00:01:24
    keys to the kingdom off to another
  • 00:01:26
    technician click OK double click this
  • 00:01:29
    group again put a description in this
  • 00:01:33
    group controls access to the Wi-Fi
  • 00:01:40
    something along that with radius all
  • 00:01:44
    right
  • 00:01:45
    apply that we're gonna come over to our
  • 00:01:48
    members tab here and we need to add our
  • 00:01:51
    laptop I have a laptop a physical laptop
  • 00:01:53
    here on the bench so that I can show you
  • 00:01:55
    how to you know how it works once we're
  • 00:01:58
    done configuring it we need to click
  • 00:02:00
    this Add button up here use this object
  • 00:02:03
    type you can see it says users service
  • 00:02:05
    accounts groups or other objects now
  • 00:02:07
    normally you would assign a group to a
  • 00:02:09
    user this is a little different because
  • 00:02:11
    we're assigning the group to
  • 00:02:13
    or assigning the computer account to the
  • 00:02:15
    group so we need to change object type
  • 00:02:17
    and we need to check off computers click
  • 00:02:20
    OK and I know the name of the laptop
  • 00:02:23
    that I have is lab-laptop right so
  • 00:02:27
    we'll put that in we'll do a check name
  • 00:02:29
    click OK boom we're good there what we
  • 00:02:36
    need to do now is come over to our
  • 00:02:39
    utility server which is let's see here I
  • 00:02:44
    don't see it in the list oh yeah it's
  • 00:02:46
    right there at the top so we'll click on
  • 00:02:48
    that we'll go to console and we'll open
  • 00:02:50
    that up and login to that and we need to
  • 00:02:58
    install three roles on this server so
  • 00:03:01
    open up your server manager dashboard
  • 00:03:03
    and click on add roles and features we
  • 00:03:07
    can go to next it'll be a role based and
  • 00:03:09
    or feature-based installation so click
  • 00:03:11
    Next there just pick your local server
  • 00:03:14
    next and there are three services that
  • 00:03:19
    we need to install on this machine and
  • 00:03:23
    that's Active Directory certificate
  • 00:03:24
    services click add features Network
  • 00:03:29
    policy and access services add features
  • 00:03:32
    and remote access
  • 00:03:38
    - click Next you can just accept those
  • 00:03:42
    features that's fine go ahead and click
  • 00:03:45
    Next
  • 00:03:47
    we'll just do the certificate authority
  • 00:03:49
    we don't need any of the extra stuff on
  • 00:03:51
    this particular service or feature same
  • 00:03:55
    thing with this guy we'll configure this
  • 00:03:57
    we'll come back after the fact and
  • 00:03:59
    configure most is stuff
  • 00:04:01
    this one will only check off direct
  • 00:04:02
    access and VPN it's going to ask you to
  • 00:04:05
    add these features that's fine next next
  • 00:04:09
    leave those alone for the iis web server
  • 00:04:13
    and we'll install now you can run the
  • 00:04:20
    certificate authority on your domain
  • 00:04:21
    controller I don't typically like to run
  • 00:04:23
    anything on my domain controller other
  • 00:04:25
    than the domain controller services so
  • 00:04:28
    that's why I have a utility server or
  • 00:04:30
    just a universal server that I use for
  • 00:04:32
    things like this I try to keep this type
  • 00:04:36
    of stuff off the domain controller while
  • 00:04:38
    this is installing let's jump over to
  • 00:04:40
    our firewall we will need to create a
  • 00:04:43
    couple of rules here so let's say let's
  • 00:04:45
    go to our control panel and Windows
  • 00:04:51
    Defender firewall we've got to go to
  • 00:04:56
    Advanced Settings let's create a new
  • 00:05:01
    inbound rule here so right click on it
  • 00:05:04
    go to new rule and we're gonna allow a
  • 00:05:11
    port so select port it's going to be a
  • 00:05:15
    UDP port and we're going to put there
  • 00:05:18
    are four port numbers there's 1812 1813
  • 00:05:25
    1645 and 1646 these are for allowing
  • 00:05:32
    communication to the radius server go
  • 00:05:34
    ahead and click Next
  • 00:05:36
    we'll allow the connection will check
  • 00:05:41
    uncheck public because we're not going
  • 00:05:42
    to use public next and we'll give it a
  • 00:05:45
    name allow
  • 00:05:49
    radius UDP ports through firewall
  • 00:06:06
    1646 again give it a description
  • 00:06:09
    firewall the radius access click next or
  • 00:06:18
    finish rather and now you should see
  • 00:06:23
    your new your new rule up here we've now
  • 00:06:29
    got our CA role and any of the roles
  • 00:06:33
    installed that we needed on our utility
  • 00:06:35
    server you can see this little icon over
  • 00:06:38
    here it says you have notification so
  • 00:06:41
    we'll click that and we have
  • 00:06:43
    post-deployment configuration for our
  • 00:06:46
    Active Directory certificate services so
  • 00:06:48
    let's click on configure and this should
  • 00:06:51
    open up the control panel the
  • 00:06:53
    configuration wizard for our certificate
  • 00:06:55
    authority give it a second here I am NOT
  • 00:07:01
    going to this is lab so I'm just going
  • 00:07:03
    to use my default admin account if you
  • 00:07:05
    are doing this in a production
  • 00:07:06
    environment it's probably a wise idea to
  • 00:07:09
    have a specific account for this so
  • 00:07:11
    click Next this is the only role we have
  • 00:07:15
    here is certificate authority so check
  • 00:07:17
    that off give it a second and we're
  • 00:07:21
    going to click Next we want to pick
  • 00:07:23
    enterprise CA since we have a domain if
  • 00:07:27
    you were doing this without a domain you
  • 00:07:29
    could pick standalone CA you know either
  • 00:07:32
    either will work but we're doing it with
  • 00:07:34
    a domain so we're gonna pick enterprise
  • 00:07:36
    CA we're going to do the root CA since
  • 00:07:41
    this is the only certificate authority
  • 00:07:43
    in the environment click Next we want to
  • 00:07:47
    create a new private key and you'll want
  • 00:07:48
    to jot this down because we're going to
  • 00:07:50
    need this when we set up UniFi you can
  • 00:07:54
    pick the you know select all it defaults
  • 00:07:57
    here that's fine if you want to tweak
  • 00:07:59
    these you can do that as well
  • 00:08:01
    I'll leave the default name click Next
  • 00:08:07
    I do 10 years that's fine that way we
  • 00:08:10
    don't have to worry about it this is lab
  • 00:08:11
    of just machine won't be around for 10
  • 00:08:14
    years so you can set it to whatever you
  • 00:08:16
    want click Next
  • 00:08:17
    again leave the default locations and
  • 00:08:23
    just double-check all your information
  • 00:08:25
    and click configure it's going to run
  • 00:08:28
    through once we do this yep okay so it's
  • 00:08:31
    succeeded successfully close that to
  • 00:08:35
    configure the network policy server we
  • 00:08:39
    need to go into control panel admin
  • 00:08:41
    tools and come down here to this network
  • 00:08:43
    policy server we'll double click that
  • 00:08:48
    make this big so you guys can see it
  • 00:08:53
    first thing we need to do is
  • 00:08:55
    authenticate this in Active Directory so
  • 00:08:57
    right click NPS local register server
  • 00:08:59
    and Active Directory click that yep
  • 00:09:04
    that's fine click OK it's now authorized
  • 00:09:07
    we're good once we've authenticated our
  • 00:09:11
    NPS server against or in Active
  • 00:09:13
    Directory we need to come over to this
  • 00:09:15
    standard configuration box here and pull
  • 00:09:18
    this drop down and we want to select
  • 00:09:21
    radius server for 802.1X wireless or
  • 00:09:24
    wired connections once we've selected
  • 00:09:27
    that we'll configure it so click this
  • 00:09:29
    configure button down here at the bottom
  • 00:09:31
    select the first radio button here
  • 00:09:34
    secure wireless connections I'm going to
  • 00:09:36
    roll with the default name for now here
  • 00:09:40
    is where we want to add our access
  • 00:09:42
    points so click the Add button I only
  • 00:09:44
    have one in the lab so we'll call it lab
  • 00:09:48
    you a p1 IP is 10 10.1 o3
  • 00:09:58
    and we want to give it a shared secret
  • 00:10:01
    we'll create our own remember what you
  • 00:10:07
    made it because you'll need it for UniFi
  • 00:10:09
    in a minute click OK and there we go now
  • 00:10:15
    we've added our access point to the
  • 00:10:19
    authentication server the network Paul
  • 00:10:21
    network NPS server click Next
  • 00:10:24
    we're gonna pull this down here and we
  • 00:10:27
    are going to select protected EAP or
  • 00:10:29
    PEAP click Next now we want to add that
  • 00:10:34
    group we created earlier this is where
  • 00:10:36
    we want to add that so we can go or did
  • 00:10:40
    I call it I think I called it lab radius
  • 00:10:44
    let's do a check name and it should pull
  • 00:10:47
    there we go lab radius auth so pull that
  • 00:10:50
    click Next we're not going to do
  • 00:10:54
    anything with traffic control so click
  • 00:10:56
    Next and we are done so now we've just
  • 00:11:02
    configured our NPS role now it should
  • 00:11:05
    have created this so under policies if
  • 00:11:07
    you go to network policies it should
  • 00:11:09
    have created a secure wireless
  • 00:11:10
    connections policy we're going to double
  • 00:11:12
    click this and this is where we want to
  • 00:11:16
    go to the conditions tab and you can see
  • 00:11:19
    that it has added our windows group here
  • 00:11:22
    lab radius authentication so click OK
  • 00:11:25
    just verify that that's good alright one
  • 00:11:30
    of the final steps that we have to do
  • 00:11:32
    here is we need to come over to our
  • 00:11:33
    domain controller lab DCO one let's open
  • 00:11:36
    up the console here and we'll go to oops
  • 00:11:45
    so keys control-alt-delete let's login
  • 00:11:49
    we need to create a GPO for the computer
  • 00:11:55
    let's go into our group policy
  • 00:11:57
    management console here double click
  • 00:11:59
    this you can see my OU this is where
  • 00:12:04
    my lab computers are so my physical
  • 00:12:06
    laptop is in this group we're going to
  • 00:12:09
    right click create a GPO I'm gonna call
  • 00:12:12
    it lab radius auth GPO now we've got the
  • 00:12:26
    GPO created let's go ahead and edit it
  • 00:12:36
    now we want to come down to the security
  • 00:12:38
    filtering piece here and we want to add
  • 00:12:41
    our authentication group so lab radius
  • 00:12:46
    will do a check name so we'll put that
  • 00:12:52
    there perfect
  • 00:12:54
    and since this is a computer
  • 00:12:58
    configuration policy when we go to edit
  • 00:13:00
    it so right click on it edit we need to
  • 00:13:03
    go to the computer configuration portion
  • 00:13:05
    of it make this big so you can see we're
  • 00:13:11
    going to go our down here on policies
  • 00:13:13
    windows settings
  • 00:13:20
    security settings and we want to go to
  • 00:13:26
    public key policies it's kind of buried
  • 00:13:28
    in here so click on public key policies
  • 00:13:30
    there are two in here that we're going
  • 00:13:32
    to work on there's this automatic
  • 00:13:33
    certificate request settings and
  • 00:13:35
    certificate services client auto
  • 00:13:37
    enrolment let's do the auto enrolment
  • 00:13:39
    first so double click on that and we
  • 00:13:41
    want to change the configuration model
  • 00:13:43
    to enable or enabled and we'll check off
  • 00:13:46
    these two checkboxes here and click
  • 00:13:48
    apply click OK now come up here to
  • 00:13:52
    automatic certificate request settings
  • 00:13:54
    and we're going to create a new request
  • 00:13:55
    so right click in the empty space new
  • 00:13:58
    automatic certificate request we will
  • 00:14:06
    choose computer and finish so there we
  • 00:14:10
    go now we've set up the infrastructure
  • 00:14:13
    in our domain to be able to support
  • 00:14:15
    radius authentication in our UniFi
  • 00:14:17
    server what we need to do now is jump
  • 00:14:20
    over to our lab our physical laptop here
  • 00:14:22
    and let's get let's make sure that the
  • 00:14:26
    group policy is on this machine so let's
  • 00:14:31
    go to command and we will do a GP update
  • 00:14:36
    space forward slash force and this will
  • 00:14:39
    pull down this will pull this will tell
  • 00:14:41
    the computer to go out to the domain
  • 00:14:42
    controller and pull down any of the
  • 00:14:44
    latest policies now a computer policy
  • 00:14:47
    doesn't come down or doesn't take effect
  • 00:14:50
    until you reboot so we'll have to reboot
  • 00:14:52
    this machine in order to get the policy
  • 00:14:54
    down so go ahead let's do a shutdown - R
  • 00:15:02
    - t - 0 so this will reboot it right now
  • 00:15:08
    and we'll come back once it's rebooted
  • 00:15:11
    and verify that the policy is now on a
  • 00:15:13
    machine our lab laptop has rebooted
  • 00:15:16
    let's open up a command prompt again and
  • 00:15:20
    we'll do this time we'll do a GP result
  • 00:15:22
    space /r which will show you all the GPO
  • 00:15:25
    is applied to this machine and then it
  • 00:15:28
    goes quick so you've got to pay
  • 00:15:29
    attention here we'll scroll up
  • 00:15:33
    and you should see two policies yep lab
  • 00:15:37
    radius authentication GPO and the
  • 00:15:39
    default domain policy we've configured
  • 00:15:46
    our infrastructure within our domain we
  • 00:15:49
    have verified that the GPO is now on our
  • 00:15:52
    lab laptop the last piece of this puzzle
  • 00:15:54
    is to go into our UniFi controller and
  • 00:15:57
    configure UniFi to allow radius
  • 00:16:00
    authentication let's go to our UniFi
  • 00:16:03
    server here lab unify o1 open up the
  • 00:16:07
    console and we're gonna type in our
  • 00:16:11
    password so I'm already in our
  • 00:16:20
    controller here we'll come down to
  • 00:16:27
    settings and this is site-specific so if
  • 00:16:31
    you have multiple sites you have to do
  • 00:16:32
    it for each site and we want to go to
  • 00:16:35
    profiles and create a new radius profile
  • 00:16:41
    so we'll call this lab radius and here
  • 00:16:48
    we have to add the IP address of our
  • 00:16:51
    utility server so let's I gotta remember
  • 00:16:54
    what that is okay 10.10.5.3
  • 00:17:14
    and change the two ports and this is
  • 00:17:17
    where we are going to need to remember
  • 00:17:20
    our shared secret we also enable
  • 00:17:26
    authentication
  • 00:17:27
    excuse me accounting so it's on the same
  • 00:17:30
    server and this will be 16 oops 45 this
  • 00:17:48
    will be 16 46 and again the same secret
  • 00:17:59
    cool so click Save now we've just
  • 00:18:05
    created this profile let's go over to
  • 00:18:07
    our wireless networks and I've already
  • 00:18:09
    got an SSID set up so we'll click Edit
  • 00:18:16
    and we need to do WPA enterprise so now
  • 00:18:22
    that key goes away and we've got to pull
  • 00:18:25
    our profile here so lab radius and we'll
  • 00:18:31
    click Save
  • 00:18:36
    cool so now we should be able to come
  • 00:18:38
    back over to our lab laptop here and
  • 00:18:44
    let's check this out I'm gonna
  • 00:18:46
    disconnect to my Ethernet cable from it
  • 00:18:49
    I will do a ping to verify that I am not
  • 00:18:57
    connected to anything
  • 00:18:58
    oops where did we grab here oh alright
  • 00:19:03
    it just connected to my internal Wi-Fi
  • 00:19:05
    which is not what we wanted
  • 00:19:06
    so let's disconnect that make sure we're
  • 00:19:09
    not connected cool now this may take a
  • 00:19:12
    minute to get a certificate for our
  • 00:19:15
    request a certificate from the
  • 00:19:17
    certification authority server on our
  • 00:19:20
    utility server first I was running into
  • 00:19:23
    it was not connecting so this is what
  • 00:19:26
    you should see so we'll click the
  • 00:19:28
    connect button and it should connect and
  • 00:19:31
    we should get an IP address there we go
  • 00:19:33
    cool we're connected so let's go IP
  • 00:19:35
    config there we go 10.10 30 dot 104 it's
  • 00:19:39
    ping let's ping out to the Internet and
  • 00:19:43
    there we go well guys I hope you enjoyed
  • 00:19:46
    this video this one's probably one of
  • 00:19:48
    the longer ones that I've done on the
  • 00:19:51
    channel and there's quite a bit of
  • 00:19:53
    moving parts to it I've not found this
  • 00:19:56
    is kind of a mesh of multiple different
  • 00:19:58
    guides that I have found and I use this
  • 00:20:01
    in my enterprise environment and I
  • 00:20:03
    wanted to pass along this information
  • 00:20:05
    because it gives you a lot more control
  • 00:20:08
    over access to your wireless environment
  • 00:20:10
    should you be using Ubiquiti you know so
  • 00:20:15
    there's a little bit of a complicated
  • 00:20:16
    process to get it set it set up and
  • 00:20:18
    running but it works very very well and
  • 00:20:21
    you don't have to give people passwords
  • 00:20:23
    and you can revoke access etc so if you
  • 00:20:26
    like this video please like and
  • 00:20:27
    subscribe below if there's something you
  • 00:20:29
    want to know or something you want to
  • 00:20:30
    see let me know I'm always looking for
  • 00:20:31
    ideas for the channel otherwise thank
  • 00:20:34
    you very much for watching and stay
  • 00:20:36
    tuned for more IT related videos
Tags
  • Ubiquiti
  • UniFi
  • RADIUS
  • NPS
  • Active Directory
  • Certificate Authority
  • Network Policy Server
  • IT Tutorial
  • Wireless Security
  • Systems Administration