This article explains how to configure SmartPass server with a Windows 2008 NPS server to allow SmartPass administrators and provisioning users to log into the SmartPass server via an external RADIUS server.  The instructions that follow assume there is a working Windows Active Directory environment and Windows 2008 server in place and that you have a working knowledge of both.

Example environment used:

• Windows 2003 AD with Windows 2008 NPS on separate machines in the same domain. 
• SmartPass was installed on a separate Windows 2008 server.

 

Configuration from the controller:

set service-profile test-web ssid-name TAC-test
set service-profile test-web ssid-type clear
set service-profile test-web auth-fallthru web-portal
set service-profile test-web psk-encrypted <pass>
set service-profile test-web web-portal-form https://10.9.221.250:443/gp2/webportal/ext/webPortalAuthLogin
set service-profile test-web web-portal-acl testacl
set service-profile test-web rsn-ie auth-psk enable
set service-profile test-web attr vlan-name default 
set security acl name testacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl name testacl permit ip 0.0.0.0 255.255.255.255 10.9.221.250 0.0.0.0
set security acl name testacl deny 0.0.0.0 255.255.255.255 capture 
set radius server smartpass address 10.9.221.250 auth-port 1818 timeout 5 retransmit 3 deadtime 0 encrypted-key <pass>
set server group smartpass-grp members smartpass
set radius dac smartpass address 10.9.221.250 replay-protect disable encrypted-key 0119130a521b031d701e1d
set authentication web ssid TAC-test ** smartpass-grp
set authorization dynamic ssid TAC-test smartpass

1. Create User Groups in AD for both SmartPass Administrators and Provisioning Users

   1. Go to Active Directory Users and Computers
   2. Select your domain
   3. Go to Users
   4. Right Click Users
   5. Select New > Group
   6. Give your User Group a name (Example: SP-Admins and SP-Provisioning)
   7. Add existing users or create new users and add to the respective group. (Note: Verify the user has "Allow access" selected for Remote Access Permissions.  This is found under the Dial-in Tab of the User Properties (Example: User name Smartpass Admin)
      
      

2. Modify your SmartPass Server

   

   

   

   

   1. Log into your SmartPass Server as Admin.
   2. Go to Setup and select Radius Servers Management
   3. Under Radius Servers, click Add
   4. Enter the Name and IP Address of your NPS Server along with the Shared Secret.  (NOTE:  Make a note of the Shared Secret.  You will need it later when configuring the NPS Server.) 
   5. Click Save
   6. Under Radius Server Groups, click Add
   7. Enter a name for your Server Group, click Next 
   8. Under Available RADIUS Servers, select your NPS Server and Move to Selected RADIUS Servers, click Finish 
   9. Back at the Setup Screen, Select Access Control
   10.  Under External RADIUS Authentication, check Enable
   11. Select your Authentication Type.  (Example:  MSCHAPv2)
   12. Select the Radius Server Group you configured in Steps 2.6-2.8
   13. Select the Default User Role of None
   14.  Click Save 

3. Configure Windows 2008 NPS

   

   

   1. Go to Network Policy and Access Services
   2. Select NPS (Local)
   3. Select RADIUS Clients and Servers
   4. Select RADIUS Clients
   5. Right-click RADIUS Clients and select New RADIUS Client
   6. Enter all the SmartPass Server details here: Friendly name (Example:  smartpass), IP address and shared secret key (exactly the same as the one configured in SmartPass Server) 
   7. Click OK to finish
   8. Select NPS (Local) again
   9. In the middle, notice the Getting started screen. Select RADIUS Server for 802.1X Wireless or Wired Connections from the drop-down list   
   10. Click on Configure 802.1X
   11. Select Secure Wired (Ethernet) Connections and give the policies a friendly name, click Next 
   12. Make sure the Radius client configured previously appears here, then click Next
   13. In Configure an Authentication Method, select Protected EAP (PEAP) from the drop-down list
   14. Click Configure and make sure you have a certificate to be used for EAP, then click OK 
   15. In Specify User Groups window select Add and find and select the User group created at step 1.6 
   16. In Configure a Virtual LAN (VLAN) window select Configure
   17. Go to the Vendor Specific attributes
   18. Click Add, select Vendor Specific, and click Edit
   19. Click Add, select Vendor Code 14525 (Trapeze), check “Yes, It conforms” button
   20. Click Configure Attribute, select VSA number 17, and attribute format String and the attribute value Administrator
   21. Click OK, OK, OK, Close, and OK until you are back at Configure a Virtual LAN (VLAN)
   22. After getting back, click Next
   23. Notice 2 policies are created: one Connection Request policy (example:  SP-External Radius-Connection) and one Network policy (example:  SP-External Radius-Connection) NOTE:  These can be renamed to be more descriptive, such as SP-Admin-Access
   24.  Click Finish
   25. Edit the Connection Request policy that was just created
   26. Select NPS(Local), Policies, Connection Policies
   27. Find the Policy that was just created (example:  SP-External Radius-Connection) and go to Properties 
   28. Go to the Conditions Tab, then click Add
   29. Scroll down until you find Day and Time Restrictions, then click Add
   30. Select Permitted, then click OK 
   31. Select and Remove the Condition "NAS Port Type" so that only "Day and time restrictions remain", click OK
   32. This Connection Request Policy can be used for multiple Network Policies.  If you stop now, you will allow SmartPass Administrators to log in via External Radius Authentication.  Continue to the next step to allow Provisioning Users.

       

       

       

       

       

       

4. Network Policy for Provisioning Users

   

   

   

   

   

   

   

   

   1. Select NPS (Local), Policies, Connection Policies
   2. Find the Network Policy (example:  SP-External Radius-Connection) created earlier, right-click and select Duplicate Policy.  You will see the new Network Policy created. 
   3. Select and Go to Properties of the new Network Policy (Example:  Copy Of SP-Externat-Radius-Connection)
   4. In Overview enter a new Policy Name (Example:  SP-Provisioning-Access)
   5. Go to the Conditions Tab, remove the current Windows Group (Example:  SP-Admins)
   6. Click Add, select Windows Group, click Add, and click Add Groups
   7. Enter the name of the Windows Group you created in AD for Provisioning Users (Example:  SP-Provisioning). 
   8. Click OK until you are back at Conditions Tab showing only the new Condition 
   9. Select the Settings Tab
   10. Under RADIUS Attributes, select Vender Specific 
   11. Select the Current Attribute (Value Administrator) and Edit
   12. Edit this Attribute
   13. Verify the Vender Code is 14525 and “Yes. It conforms” radio button is selected
   14. Click Configure Attribute, select VSA number 17, and attribute format String and the attribute value Provisioning 
   15. Click OK, click OK again.  You will be at the Attribute Information screen 
   16. Click Add, select Vendor Code 14525, and check “Yes, It conforms”
   17. Click Configure Attribute, select VSA number 17, and attribute format String and the attribute value of the User Type found in SmartPass you wish the Provisioning User to create.  Below is an example of all the default User Types in SmartPass. 
       1-Hour Duration; 12-Hours Duration; 24-Hours Duration; 5-Days; 5-Days Business Hours 
   18. Click OK, click OK again.  You will be at the Attribute Information screen with two attributes listed 
   19. Click OK to go back to the Settings Tab.
   20. Click OK to go to the Network Policies Screen.
   21. “Enable” the new policy.  Right-click the policy and select Enable
   22. You are now Finished.

2020-02-23: Changed encrypted password to <pass>.