eduroam FE workshops and Microsoft NPS

I’ve recently been working on some eduroam FE workshops with a cross Jisc team of Esmat Mirzamany , Edward Wincott and Noel McDaid, these workshops have primarily been aimed at FE organisations who have signed up to eduroam(UK), but have never completed their deployment.  We’ve successfully delivered workshops to IT staff from colleges in London and Manchester.

Amongst a number of topics within the eduroam FE workshops; I’ve also demo’d the deployment of Microsoft NPS (Network Policy Server) for organisations who want to use this RADIUS deployment for the ORPS (Organisational RADIUS Proxy Server), this is the home RADIUS server that authenticates your users whilst at Home and Visiting, but also forwards Visitors requests to the NRPS (National RADIUS Proxy Servers) run for eduroam UK and by Jisc.

Whilst we work to review our guide(s), then I’m putting up a “run through” of what I believe to be the preferred and best practice method for eduroam(UK) participants wishing to deploy Microsoft NPS, based on my demo at the workshops

During this I will refer to both the “GÉANT NPS guide” – Using Windows® NPS as RADIUS in eduroam“, and the “Jisc NPS guide” eduroam(UK) Microsoft NPS Configuration Guide extensively.

If you are setting up eduroam / your RADIUS infrastructure from scratch then you start by reading the Limitations section 2 on Page 6 of the GÉANT NPS guide, the situation is that whilst Microsoft NPS is not the preferred RADIUS deployment within eduroam, many organisations are unable or unwilling to run the preferred RADIUS solution which is FreeRADIUS.

Certificates and Certificate Authority

Assuming you don’t have an existing CA (Certificate Authority) that is suitable and you want to create a CA under Windows on your new RADIUS server, then you will be following from Appendix A, Sections A1 and A2 of the GÉANT NPS guide.  Although it’s worth noting that this uses the Enterprise CA, this stores the CA in Active Directory and uses Web Enrolment.  In a lot of circumstances it will be better to use the Standalone CA, in case in the future you change your RADIUS deployment, or Active Directory, then it could be exported.

Ensure that your CAs lifetime is long for example 20+ years. This will be the certificate that goes onto end user devices, so you want to replace it as little as possible.  You should add a valid CRL Distribution point added (see Step 24/25 of this guide on deploying a standalone root CA ), this will be a URL that should reference a domain name that you have control over and could feasibly host a file if required for example http://www.camford.ac.uk/eduroam-ca.crl

You should also tweak the default validity of the certificates issued by your CA as the default one year is too short, you could align this to the lifetime of the CA or slightly greater.  See this guide on How to change CA Certificate Validity Period

You can then follow the Jisc NPS guide, until page 17 where it says ‘Send the CSR file to your Certificate Authority for signing e.g. Janet Certificate Service’, you should use your newly created CA to sign the certificate rather than relying on an external CA, such as the Jisc (formerly Janet) Certificate Service as the Jisc NPS guide described.

The process for using the Standalone CA is well documented, so I suggest using the Certificate Authority snap-in to ‘Submit new Request’ referring to the CSR file you’ve generated, and in ‘Pending Requests’ to then ‘Issue’ a certificate.  Move to ‘Issued Certificates’ and open the new certificate, in ‘Details’ choose ‘Copy to File’.

Now continue with page 17/18 of the Jisc NPS guide.

If you are adding an additional NPS server or rebuilding your RADIUS infrastructure e.g. on Microsoft NPS, then you need to make sure you transfer the CA from the existing solution. That would need some consideration, but the main thing to achieve is that the new server has the public key of the CA, and private and public key of the server certificate installed.  You don’t need to worry about the DNS name matching the CommonName of the certificate, as 802.1x clients whilst aren’t authenticating cannot perform DNS lookups.

If the existing CA was deployed as part of a FreeRADIUS install then you could continue to manage it with OpenSSL or similar.

NPS configuration

Follow on from page 19 “Add NRPS RADIUS Client” until the end of the Jisc NPS guide to complete the majority of your configuration.

On Page 53 of the Jisc NPS guide, you should also make sure you have clicked on and followed the process to ‘Register server in Active Directory’.  Note, this process can fail if the server you are running NPS on has been cloned and not fully prepared e.g. using sysprep.

If on Page 47 under the Protected EAP properties, you get an error, then there is a problem with your installed certificate.

Following this we recommend some basic testing and also following this guide (RADIUS Attribute Filtering in Microsoft IAS and NPS) to perform RADIUS attribute filtering which is noted in the limitations section of the GÉANT NPS guide as something you should do with NPS.  You can combine this area with setting up Dynamic VLAN assignment, which is one of the key benefits of using 802.1x/WPA2 Enterprise in your network, and will be needed to comply with the technical specification for sites offering Home and Visited access.

Any comments

I’d welcome any comments here, or to me directly, or through our eduroam-FE Jiscmail list.  Our intention is to improve the Jisc NPS guide based on the above and your comments.

Leave a Reply

Your email address will not be published. Required fields are marked *