DD-WRT RADIUS Authentication w/ Server 2008 R2

First off a few words of thanks / reference:

  1. Most of this is based on the information presented in:

  2. Will deserves credit for tweaking the settings to finally get it working.

I presume you know what you’re doing and why you need this. I also presume you have a working WPA2 Personal wireless access point running DD-WRT – if you’re running something else this how-to will still be useful, but you will need to adjust the DD-WRT specifics.

Now on with the show:

  1. Install the Network Policy and Access Services role with its Network Policy Server service.
    (Screenshot: Install NAP Role)
    (Screenshot: Install NPS Service)
  2. Create a certificate for RADIUS (hint: MMC is available already on Server 2008 R2 – Start -> Run: MMC) by opening MMC and adding the Certificates snap-in for a Computer Account on the Local Computer and then Requesting a new certificate (see image).
    (Screenshot: New Certificate)

    When you are creating your certificate it needs to be for a Computer.

    If "Computer" is not available under Active Directory Enrollment Policy then you will need to grant the Enrol privilege to the machine you are requesting the certificate on. If you have multiple sites with a DC at each site (that will be doing RADIUS authentication) just grant the Domain Controllers group the Enrol privilege. You have to do this from Server Manager on the server that has ADCS installed.
    (Screenshot: Computer Certificate Template Properties)

    Back to requesting the certificate. Click the details button and then properties: fill in any information you want for the certificate. At the very least give your certificate a Friendly Name so you can recognise it later.
    (Screenshot: Certificate Details)

    When you’re ready click the Enrol button. You should now see your new certificate listed in the Certificates folder in the Certificates snap-in. Close the MMC now – save if you want.

  3. Start the Network Policy Server console (either standalone or through Server Manager).
    (Screenshot: Open NPS Role Manager)
  4. Register NPS in Active Directory.
    (Screenshot: Register NPS in AD)
  5. First we’ll create a RADIUS Client (this is your DD-WRT AP). The guides I referenced above suggest using the wizard now… you can do that but it didn’t fully work for me – some of the policies had to be removed.
    (Screenshot: New RADIUS Client)

    The settings for your RADIUS Client are fairly straightforward; just make sure you keep a copy of your shared secret for later on (especially if you use the generate function).

  6. Now we need to update the default Connection Request Policy (I chose to adapt the default as it suited me well; you could duplicate and disable it, or start from scratch – it’s up to you). The default policy essentially allows anyone to attempt local authentication 24/7. I changed the policy in two areas: firstly the name, and secondly the time and days (i.e. turn off weekend access).
    (Screenshot: Connection Request Policy Properties)

    You should not need to change ANYTHING on the Settings tab. But make sure that under Authentication the Authenticate requests on this server option is selected.

  7. Next create a new Network Policy:

    • Give your policy a name.
    • Type of network access server: Unspecified.
    • Conditions: Whatever you want! Seriously there are plenty of options here.

      My implementation called for two groups (i.e. AD Security Groups): one for Users with access to wireless and another for Computers that may connect wirelessly. I have two groups due to other group policy design considerations; you could achieve the same thing with one group. Or you could list users with wireless access here. Or IP addresses. Or… as stated before there are plenty of options. It is worth noting here that ALL conditions must be met, so I would suggest you use Windows Groups if you want an "in either" implementation – it does NOT make sense to use both Machine and User groups in the same policy (unless you have users that should not have wireless access, logging on to a machine that can be used wirelessly, which also has other users logging on that should have wireless access… in other words keep it simple!).

      Remember if you are logging in over wireless it will help if your computers can join the network before the user logs in (i.e. make sure KNOWN wireless computers are granted access here).

      There is one essential condition: NAS Port Type! You only want Wireless clients right?

    • Generally speaking you’ll want: Access granted. It’s all I’m covering too.
    • EAP Types:
      • Click Add: Choose "Microsoft: Protected EAP (PEAP)"
      • Select the added entry click Edit.
      • Nominate the certificate you created above (see the Friendly Name).
      • You’ll also want to enable fast reconnect and have "Secured Password (EAP-MSCHAP v2)" under EAP Types.
      • Leave the Less secure authentication methods enabled (change it later once it’s working – or leave it to support older/other clients).

      (Screenshot: EAP Security Types)

    • Constraints: I left all defaults as I covered everything with Conditions already. What’s the difference? Conditions determine if the policy should be used; Constraints grant/deny access. For my limited restrictions they are essentially the same thing.
    • Settings: More choices for you to make! Two things you definitely must do:

      • Delete: Framed-Protocol PPP.
      • Encryption: Choose what you want – I only have strongest enabled.
    • Check your settings and click Finish.
    • At this stage you should restart the Network Policy Server service.
  8. It’s time to configure DD-WRT: browse to Wireless -> Wireless Security and enter the RADIUS server address, port and the shared secret you saved in step 5.
    (Screenshot: DD-WRT Settings)

And that’s it!

Well, OK, not really: now you should test! You can find the NPS log files in %WINDIR%\System32\LogFiles\IN*.txt – configured correctly, the old IAS Log Viewer can read the files. But be warned: the LogFiles folder doesn’t show up in a file tree (you’ll have to type the path).
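If you would rather not install the IAS Log Viewer, the following added example (my own code, not from the post) reads NPS IN*.txt lines and summarises who was accepted or rejected, why, and which requests did not come from an 802.11 port or the expected SSID. It assumes the IAS log layout (six fixed fields, then attribute-id/value pairs with 4136 = Packet-Type, 4142 = Reason-Code, 61 = NAS-Port-Type, 30 = Called-Station-Id), the reason-code meanings in `REASONS`, and a constructed sample log.

```python
import re
from collections import Counter, defaultdict

# Assumed IAS-format layout of an NPS IN*.txt line: six fixed fields
# (NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name,
# Computer-Name) followed by repeated RADIUS attribute-id,value pairs.
PACKET_TYPE, REASON_CODE, NAS_PORT_TYPE, CALLED_STATION_ID = "4136", "4142", "61", "30"
PACKET_NAMES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}
WIRELESS_80211 = "19"  # the only NAS-Port-Type the tutorial's network policy should match
REASONS = {"16": "credentials mismatch", "22": "EAP type cannot be processed",
           "48": "no matching network policy"}  # assumed NPS reason-code meanings

# Constructed sample lines (not a real capture): one request and one response per attempt.
SAMPLE_LOG = """\
192.168.1.2,DOMAIN\\alice,03/22/2012,09:15:01,IAS,DC01,61,19,30,00-11-22-33-44-55:wireless,4136,1
192.168.1.2,DOMAIN\\alice,03/22/2012,09:15:01,IAS,DC01,61,19,30,00-11-22-33-44-55:wireless,4136,2
192.168.1.2,DOMAIN\\bob,03/22/2012,09:16:40,IAS,DC01,61,19,30,00-11-22-33-44-55:wireless,4136,1
192.168.1.2,DOMAIN\\bob,03/22/2012,09:16:40,IAS,DC01,61,19,30,00-11-22-33-44-55:wireless,4136,3,4142,16
192.168.1.9,DOMAIN\\carol,03/22/2012,09:20:05,IAS,DC01,61,15,4136,1
192.168.1.9,DOMAIN\\carol,03/22/2012,09:20:05,IAS,DC01,61,15,4136,3,4142,48
"""

def parse_line(line):
    """Split one IAS-format line into its fixed fields plus an attribute dict."""
    f = line.rstrip("\r\n").split(",")
    pairs = f[6:]
    return {"nas_ip": f[0], "user": f[1], "when": f"{f[2]} {f[3]}",
            "attrs": dict(zip(pairs[0::2], pairs[1::2]))}

def summarise(text, ssid_regex=r".*:wireless$"):
    """Per-user outcome counts, rejects with reason, and requests that are not 802.11
    or whose Called-Station-Id (AP-MAC:SSID) does not match the expected SSID regex."""
    outcomes, rejects, oddities = defaultdict(Counter), [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        a = rec["attrs"]
        kind = PACKET_NAMES.get(a.get(PACKET_TYPE), "other")
        outcomes[rec["user"]][kind] += 1
        if kind == "Access-Reject":
            code = a.get(REASON_CODE, "?")
            rejects.append((rec["user"], REASONS.get(code, "reason code " + code)))
        elif kind == "Access-Request":
            if a.get(NAS_PORT_TYPE) != WIRELESS_80211:
                oddities.append((rec["user"], "non-wireless NAS-Port-Type " + a.get(NAS_PORT_TYPE, "?")))
            elif not re.search(ssid_regex, a.get(CALLED_STATION_ID, "")):
                oddities.append((rec["user"], "unexpected SSID " + a.get(CALLED_STATION_ID, "")))
    return {"outcomes": {u: dict(c) for u, c in outcomes.items()},
            "rejects": rejects, "oddities": oddities}
```

Run `summarise(open(path).read())` against a real IN*.txt: a reject with "credentials mismatch" means the AP is forwarding requests and the server is answering, while a complete absence of Access-Request lines points at the AP or the shared secret rather than the policy.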

Once you are confident your clients and users can authenticate properly you should consider using group policy to deploy the wireless profile.

  • shuggie67

    Tried this following your recommendations as well as a few others and cannot connect from wireless clients.
    I’m using 1 user group to allow for access.

    • http://andrewbevitt.com Andrew Bevitt

      What do the NPS logs say in the Event Viewer? Are you actually getting auth requests? Also try changing the NPS client to the wireless access point’s IP instead of DNS name (if your DNS server is on the same machine as your NPS).

  • mattdavidson

    Followed your tutorial but I can’t connect either. When I try to connect no new log entries are created, so I don’t know if dd-wrt isn’t connecting or the server isn’t listening.

    • http://andrewbevitt.com Andrew Bevitt

      It’s been a while since I looked at this so I’m really having to guess. Turn logging on in dd-wrt to the most verbose level you can, plus increase the NPS log verbosity. You should either see in NPS that dd-wrt requests are denied or in the dd-wrt logs that it can’t connect. If it’s the latter try the IP instead of domain name and also try enabling all access in the firewall for your dd-wrt IP.

  • andrewisett

    In response to mattdavidson – I had a similar issue, and was using a very old build of ddwrt, which must have had some issues with WPA2 Enterprise, I don’t have exact version numbers, but it was a 2009 build, running on a WRT54GS. As soon as I upgraded to a new router (ASUS RT-n16), with a newer build (12-20-2011) all settings worked.

  • http://gravatar.com/gwpc114 gwpc114

    If you want to use this for more than one SSID and you want different people to be able to connect to different SSIDs then copy the network policy and add a “Called Station ID” condition on both. The value to look for is “.*ssidName$”. The “.*” is for the MAC of the access point which may change as you add and replace APs, and the “$” means the end of the string (so “wireless” and “wireless1” don’t match).

  • http://www.facebook.com/ShaneBryanAus Shane Bryan

    I’m presently stumped setting this up. I’m not using a certificate though, is that vital?

    I have NAP role installed onto the 2008R2 server, the policies setup, the router configured. My iPhone (test wifi device) prompts for Username & Password (a good sign it’s not just using a router wi-fi key) but constantly says my username & password is wrong.

    Which it isn’t, it’s my domain account.

    • http://andrewbevitt.com Andrew Bevitt

      @Shane

      If you’re using PEAP, as I was, then yes you need the certificate (true for any of the authentication methods that require encryption). Beyond that if your authentication request is being rejected by the server the connection/authentication failure event will be in the logs (Event Viewer) from memory it’s under the NPS section. If there is nothing in the log then you know the DD-WRT AP is not forwarding the request.

      When using a non-domain client you may also need to specify the full domain username i.e. username@domain.site or DOMAIN\username

  • Zach

    Andrew thanks for the post. I have been trying to get a radius VPN running all week and been using your guide to set it up. I have run into an issue that I can’t really figure out. After setting everything up and when I try to connect VPN I get the error:

    Verifying user name and password… Error 629: The connection was closed by the remote computer.

    But if I look in the NPS Log in the event viewer it doesn’t show any error. But I get 2 events:
    1) Network Policy Server granted full access to a user because the host met the defined health policy.
    2) Network Policy Server granted access to a user.

    Anything I can look at?

    Thanks for any insight.

    • http://andrewbevitt.com Andrew Bevitt

      @Zach

      I did do a similar thing using pfsense + this same RADIUS setup. I believe the NPS settings remained the same; all I did was add an extra RADIUS client for the VPN terminator…. So if you’re getting NPS logs indicating a successful authentication, which you are, then I would suggest it is actually an issue with your VPN setup.

  • Brian

    Nice article. I’m having a little trouble though… I followed your steps exactly, except the option to register the NPS server in AD was grayed out, but I think that’s because it already was registered in the AD. When I try to authenticate to the network, it prompts me for username and password (good), but fails to connect. Event Viewer’s information is that “The client could not be authenticated because the EAP type cannot be processed by the server.”

    Any ideas? Thanks!

    • http://andrewbevitt.com Andrew Bevitt

      @Brian

      Totally guessing here but I would suggest you go back to the EAP types settings and enable all of the methods (including the less secure ones) and see if you can get it working with everything enabled. If that lets you connect then you can remove protocols until you find the one that your client appears to be using. I used GP to set the wireless security settings to match the protocols I enabled so also make sure the client wireless config is using a protocol that you have enabled.

      • Brian

        Thanks for your quick reply! I already enabled all the EAP types… is there a spot in DD-WRT that you know of that can select the EAP type? I am using DD-WRT v24-sp2 (07/20/12) mega.

        Thanks again for your help!

        • http://andrewbevitt.com Andrew Bevitt

          @Brian

          Not that I’m aware of. The only other thing I can think of is that your AD server either does not have a security certificate or the certificate is for the wrong type of account (it must be for a computer account). Try removing NPS from AD (something like this), then re-create a certificate for RADIUS, then re-register NPS in AD.