Setup RADIUS Server for Watchguard Wi-Fi Access Point Authentication

There are three different components discussed herein: certificate creation, RADIUS server configuration and WatchGuard firewall configuration. I’ve left out the switch/networking portion, as it is mostly covered in the WatchGuard firewall section.

Self-Signed Certificate Creation

You need to create a Self-Signed Certificate on the RADIUS Server.
Open Windows PowerShell as an Administrator.

Enter the following at the prompt:

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname DC1.Server.local

Note: Change the DC1.Server.local portion of the command line to the FQDN of the RADIUS Server.

Open MMC, add the Certificates snap-in for the Computer Account, and press OK.
[Screenshot: MMC]

Highlight the Certificate you just created under Certificates>Personal>Certificates and Right Click and Copy.

Next, expand Trusted Root Certificate Authorities>Certificates and Paste the newly created Certificate there.


RADIUS Server Setup… 

Setup RADIUS Clients and be sure to use a Shared Secret at least 22 characters long.
Make sure to add each AP to the RADIUS Clients list.
[Screenshot: RADIUS Clients]
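The certificate and RADIUS client steps above can also be scripted. This is an added example, not code from the original post: it assumes the NPS role is installed on the server the script runs on (elevated session), that DC1.Server.local is the RADIUS server's FQDN as in the post, and the AP names and addresses are constructed placeholders.

```powershell
# Added example (not part of the original post). Assumes the NPS role is installed
# and the session is elevated. AP names/addresses are constructed placeholders.
$RadiusFqdn = 'DC1.Server.local'   # FQDN of the RADIUS (NPS) server

# 1. Create the self-signed certificate in the computer's Personal store.
$cert = New-SelfSignedCertificate -CertStoreLocation 'Cert:\LocalMachine\My' -DnsName $RadiusFqdn

# 2. Copy it into Trusted Root Certification Authorities (the MMC copy/paste step).
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
$root.Add($cert)
$root.Close()

# 3. Check: PEAP requires the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1)
#    on the certificate NPS presents, otherwise clients reject the tunnel.
$serverAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }
if (-not $serverAuth) { throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU" }
"Certificate {0} ready, expires {1}" -f $cert.Thumbprint, $cert.NotAfter

# 4. Generate the shared secret from a CSPRNG. 32 alphanumeric characters exceeds
#    the post's 22-character minimum; rejection sampling avoids modulo bias.
function New-RadiusSecret {
    param([int]$Length = 32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # 248 = 62 * 4, so each of the 62 symbols is equally likely.
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    $sb.ToString()
}

# 5. Register every AP as a RADIUS client. One secret is used for all APs because the
#    WatchGuard SSID holds a single RADIUS secret that every AP broadcasting it uses.
$secret = New-RadiusSecret
$accessPoints = @{ 'AP-01' = '192.168.1.11'; 'AP-02' = '192.168.1.12' }   # constructed placeholders
foreach ($ap in $accessPoints.GetEnumerator()) {
    New-NpsRadiusClient -Name $ap.Key -Address $ap.Value -SharedSecret $secret | Out-Null
    "Registered RADIUS client {0} ({1})" -f $ap.Key, $ap.Value
}
# Shown once so it can be entered in the SSID's Security tab; store it in a password manager.
"Shared secret for the Secure SSID: $secret"
```

Run Get-NpsRadiusClient afterwards to confirm every AP appears with Enabled set to True.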

Create a Connection Request Policy as follows:
[Screenshot: Connection Request Policy]

Check Wireless – IEEE 802.11 under Common 802.11 connection tunnel types and Wireless – Other under Others in the NAS Port Type settings.
[Screenshot: Secure Wireless Connections Policies]

Leave all of the Settings under the configuration tab blank/default:
[Screenshot: Settings]

Create a Network Policy as follows:
[Screenshot: Network Policies]

Select the Windows Group and add the Security Group you created in AD to allow Wifi access…
This can be a specific group or Domain Users to allow everyone authenticated through AD.
Add NAS Port Type and select Wireless – IEEE 802.11 under Common 802.11 connection tunnel types and Wireless – Other under Others section.
[Screenshot: Conditions]

Ensure the Constraints tab is set as follows:
Add Microsoft Protected EAP (PEAP) as the EAP Type and verify there is an issued certificate.
Add Secured password (EAP-MSCHAP v2) as the EAP Type in the Protected EAP Properties.
[Screenshot: Constraints]

The Settings tab can just be left at its defaults.

If a particular setting wasn’t listed above, leave it as default or blank.


WatchGuard Firewall and Access Point setup…

In this configuration setup, there are four Access Points which broadcast two SSIDs, Secure and Guest.
Secure SSID is for RADIUS Authentication and Guest is for Internet Only access.

The network configuration is as follows:

VLAN 1 – default subnet, Trusted Zone, untagged (192.168.1.0/24)
VLAN 85 – Secure SSID, Trusted Zone, tagged (192.168.85.0/24)
VLAN 95 – Guest SSID, Optional Zone, tagged (192.168.95.0/24)
VLAN 254 – Voice, Trusted Zone, tagged (192.168.254.0/24)

VLAN 1, Firewall – Gateway for the data subnet under the NETWORK settings.
[Screenshot: VLAN 1]
VLAN 85, Secure – Gateway for the Secure SSID.
[Screenshot: Secure]
Set up DHCP under the Network tab to issue IP address configurations to Secure clients:
[Screenshot: Secure DHCP]
VLAN 95, Guest – Gateway for the Guest SSID.
[Screenshot: Guest]
Set up DHCP under the Network tab to issue IP address configurations to Guest clients:
[Screenshot: Guest DHCP]

Each Access Point is to be configured as follows:
Assign each Access Point a static IP address in your Default/Data VLAN subnet.
[Screenshot: RADIUS Clients]
Add each Unpaired Access Point to the Gateway Wireless Controller with the following under NETWORK settings:
[Screenshot: Access Points]

Set up SSIDs as follows:

Label the Network Name (SSID) for the Secure VLAN.
Check Enable VLAN tagging and enter the VLAN number for the Secure subnet.
[Screenshot: Secure SSID]
Under the Security tab, configure the settings as follows:
Be sure to match the RADIUS Secret defined on the RADIUS Server and that it is at least 22 characters long.
[Screenshot: Secure Security]
Under the Access Points, select each Radio you wish to show as available for this SSID.
[Screenshot: Secure Radios]

Label the Network Name (SSID) for the Guest VLAN.
Check Enable VLAN tagging and enter the VLAN number for the Guest subnet.
[Screenshot: Guest SSID]
Under the Security tab, configure the settings as follows:
[Screenshot: Guest Security]
Under the Access Points, select each Radio you wish to show as available for this SSID.
[Screenshot: Guest Radios]

Now, the Access Points should show up under the Gateway Wireless Controller.
[Screenshot: Access Points]

Add a Firewall Policy under FIREWALL settings as follows:
[Screenshot: Firewall Policy]
Next, click on the Policy to add the Access Points and RADIUS Server to the configuration.
Add each Access Point in the FROM list and the RADIUS Server in the TO list. Leave all else as defaults.
[Screenshot: Policy Settings]

Add the Wifi Group defined in AD and select RADIUS as the Authentication Server under AUTHENTICATION settings.
The Group Name needs to match the Group defined on the RADIUS Server that is allowed to connect to the Access Points.
[Screenshot: Add RADIUS Group]
[Screenshot: RADIUS Group]
