This article explains how to configure SmartPass server with a Windows 2008 NPS server to allow SmartPass administrators and provisioning users to log into the SmartPass server via an external RADIUS server. The instructions that follow assume there is a working Windows Active Directory environment and Windows 2008 server in place and that you have a working knowledge of both.
Example environment used:
- Windows 2003 AD with Windows 2008 NPS on separate machines in the same domain.
- SmartPass was installed on a separate Windows 2008 server.
Configuration from the controller:
set service-profile test-web ssid-name TAC-test
set service-profile test-web ssid-type clear
set service-profile test-web auth-fallthru web-portal
set service-profile test-web psk-encrypted <pass>
set service-profile test-web web-portal-form https://10.9.221.250:443/gp2/webportal/ext/webPortalAuthLogin
set service-profile test-web web-portal-acl testacl
set service-profile test-web rsn-ie auth-psk enable
set service-profile test-web attr vlan-name default
set security acl name testacl permit udp 0.0.0.0 255.255.255.255 eq 68 0.0.0.0 255.255.255.255 eq 67
set security acl name testacl permit ip 0.0.0.0 255.255.255.255 10.9.221.250 0.0.0.0
set security acl name testacl deny 0.0.0.0 255.255.255.255 capture
set radius server smartpass address 10.9.221.250 auth-port 1818 timeout 5 retransmit 3 deadtime 0 encrypted-key <pass>
set server group smartpass-grp members smartpass
set radius dac smartpass address 10.9.221.250 replay-protect disable encrypted-key 0119130a521b031d701e1d
set authentication web ssid TAC-test ** smartpass-grp
set authorization dynamic ssid TAC-test smartpass
1. Create User Groups in AD for both SmartPass Administrators and Provisioning Users
- Go to Active Directory Users and Computers
- Select your domain
- Go to Users
- Right Click Users
- Select New > Group
- Give your User Group a name (Example: SP-Admins and SP-Provisioning)
- Add existing users or create new users and add them to the respective group. (Note: Verify the user has "Allow access" selected for Remote Access Permissions. This is found under the Dial-in Tab of the User Properties. Example: User name Smartpass Admin.)

2. Modify your SmartPass Server
- Log into your SmartPass Server as Admin.
- Go to Setup and select Radius Servers Management
- Under Radius Servers, click Add
- Enter the Name and IP Address of your NPS Server along with the Shared Secret. (NOTE: Make a note of the Shared Secret. You will need it later when configuring the NPS Server.)
- Click Save
- Under Radius Server Groups, click Add
- Enter a name for your Server Group, click Next
- Under Available RADIUS Servers, select your NPS Server and Move to Selected RADIUS Servers, click Finish
- Back at the Setup Screen, Select Access Control
- Under External RADIUS Authentication, check Enable
- Select your Authentication Type. (Example: MSCHAPv2)
- Select the Radius Server Group you configured in Steps 2.6-2.8
- Select the Default User Role of None
- Click Save
3. Configure Windows 2008 NPS
- Go to Network Policy and Access Services
- Select NPS (Local)
- Select RADIUS Clients and Servers
- Select RADIUS Clients
- Right-click RADIUS Clients and select New RADIUS Client
- Enter all the SmartPass Server details here: Friendly name (Example: smartpass), IP address and shared secret key (exactly the same as the one configured in SmartPass Server)
- Click OK to finish
- Select NPS (Local) again
- In the middle, notice the Getting started screen. Select RADIUS Server for 802.1X Wireless or Wired Connections from the drop-down list
- Click on Configure 802.1X
- Select Secure Wired (Ethernet) Connections and give the policies a friendly name, click Next
- Make sure the Radius client configured previously appears here, then click Next
- In Configure an Authentication Method, select Protected EAP (PEAP) from the drop-down list
- Click Configure and make sure you have a certificate to be used for EAP, then click OK
- In Specify User Groups window select Add and find and select the User group created at step 1.6
- In Configure a Virtual LAN (VLAN) window select Configure
- Go to the Vendor Specific attributes
- Click Add, select Vendor Specific, and click Edit
- Click Add, select Vendor Code 14525 (Trapeze), check “Yes, It conforms” button
- Click Configure Attribute, select VSA number 17, and attribute format String and the attribute value Administrator
- Click OK, OK, OK, Close, and OK until you are back at Configure a Virtual LAN (VLAN)
- After getting back, click Next
- Notice 2 policies are created: one Connection Request policy (example: SP-External Radius-Connection) and one Network policy (example: SP-External Radius-Connection). NOTE: These can be renamed to be more descriptive, such as SP-Admin-Access
- Click Finish
- Edit the Connection Request policy that was just created
- Select NPS (Local), Policies, Connection Policies
- Find the Policy that was just created (example: SP-External Radius-Connection) and go to Properties
- Go to the Conditions Tab, then click Add
- Scroll down until you find Day and Time Restrictions, then click Add
- Select Permitted, then click OK
- Select and Remove the Condition "NAS Port Type" so that only "Day and time restrictions" remains, click OK
- This Connection Request Policy can be used for multiple Network Policies. If you stop now, you will allow SmartPass Administrators to log in via External Radius Authentication. Continue to the next step to allow Provisioning Users.
4. Network Policy for Provisioning Users
- Select NPS (Local), Policies, Connection Policies
- Find the Network Policy (example: SP-External Radius-Connection) created earlier, right-click and select Duplicate Policy. You will see the new Network Policy created.
- Select and Go to Properties of the new Network Policy (Example: Copy Of SP-External-Radius-Connection)
- In Overview enter a new Policy Name (Example: SP-Provisioning-Access)
- Go to the Conditions Tab, remove the current Windows Group (Example: SP-Admins)
- Click Add, select Windows Group, click Add, and click Add Groups
- Enter the name of the Windows Group you created in AD for Provisioning Users (Example: SP-Provisioning).
- Click OK until you are back at Conditions Tab showing only the new Condition
- Select the Settings Tab
- Under RADIUS Attributes, select Vendor Specific
- Select the Current Attribute (Value Administrator) and Edit
- Edit this Attribute
- Verify the Vendor Code is 14525 and “Yes. It conforms” radio button is selected
- Click Configure Attribute, select VSA number 17, and attribute format String and the attribute value Provisioning
- Click OK, click OK again. You will be at the Attribute Information screen
- Click Add, select Vendor Code 14525, and check “Yes, It conforms”
- Click Configure Attribute, select VSA number 17, and attribute format String and the attribute value of the User Type found in SmartPass you wish the Provisioning User to create. Below is an example of all the default User Types in SmartPass.
1-Hour Duration; 12-Hours Duration; 24-Hours Duration; 5-Days; 5-Days Business Hours
- Click OK, click OK again. You will be at the Attribute Information screen with two attributes listed
- Click OK to go back to the Settings Tab.
- Click OK to go to the Network Policies Screen.
- “Enable” the new policy. Right-click the policy and select Enable
- You are now Finished.
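To check in a packet capture that NPS returns what the two network policies above configure, the Access-Accept can be decoded for vendor code 14525, VSA number 17. This is an added example, not part of the original article or vendor code: the function and constant names are this example's own, the sample packets are constructed, and the Response Authenticator is not verified.

```python
import struct

TRAPEZE_VENDOR_ID = 14525  # vendor code entered in NPS (from the article)
ROLE_VSA_TYPE = 17         # VSA number from the article; the constant name is hypothetical
VENDOR_SPECIFIC = 26       # RADIUS Vendor-Specific attribute (RFC 2865, section 5.26)
ACCESS_ACCEPT = 2

def build_vsa(value, vendor_id=TRAPEZE_VENDOR_ID, vsa_type=ROLE_VSA_TYPE):
    """Encode one string VSA in the RFC 2865 layout ("Yes, it conforms")."""
    data = value.encode("utf-8")
    sub = bytes([vsa_type, len(data) + 2]) + data
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def build_access_accept(values, identifier=1):
    """Constructed Access-Accept; the 16-byte authenticator is left zeroed."""
    attrs = b"".join(build_vsa(v) for v in values)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, identifier, 20 + len(attrs), b"") + attrs

def smartpass_vsa_values(packet):
    """Return every vendor 14525 / VSA 17 string in a RADIUS packet, in order."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    values, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("truncated or malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        body = packet[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC or len(body) < 6:
            continue  # not a VSA, or too short to hold vendor id + sub-attribute
        if struct.unpack("!I", body[:4])[0] != TRAPEZE_VENDOR_ID:
            continue  # VSA from another vendor
        sub = body[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == ROLE_VSA_TYPE:
                values.append(sub[2:sub[1]].decode("utf-8", "replace"))
            sub = sub[sub[1]:]
    return values

# Constructed samples matching the two network policies in the article.
ADMIN_ACCEPT = build_access_accept(["Administrator"])
PROVISIONING_ACCEPT = build_access_accept(["Provisioning", "1-Hour Duration"])
```

An administrator login should yield a single value, Administrator; a provisioning login should yield Provisioning followed by the configured User Type.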
2020-02-23: Changed encrypted password to <pass>.