Microsoft Windows 2012R2 CA and NPS Installation for Cisco vWLC

SERVER INFO:
AD1=AD+DNS+DHCP
IP 10.0.20.2
CA1=CA+NPS
IP 10.0.20.5

WLC
service ip 10.0.100.76
management ip 10.0.20.76

We are going to install CA+NPS on CA1 (not on AD1).
Reason:
a. You would need to remove the CA services if you ever wanted to demote the Domain Controller.

b. Not a requirement for Windows Server 2008, but back in the Windows Server 2003 days the server you migrated the CA services to needed to have the same name as the original, so if your original CA server was DC01, the new one would also have to be DC01.

1. run PowerShell as Administrator
>Import-Module ServerManager
>Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
>Add-WindowsFeature Web-Mgmt-Console
>Add-WindowsFeature ADCS-Web-Enrollment
>Install-WindowsFeature -Name NPAS-Policy-Server -IncludeManagementTools
Reboot

2. configure AD CS
-Credentials
Credentials: DOMAIN\administrator
click Next
-Role Services
tick Certification Authority
tick Certification Authority Web Enrollment
click Next
-Setup Type
click Enterprise CA
click Next
-CA Type
click Root CA
click Next
-Private Key
click Create a new private key
click Next
-Cryptography
leave default
RSA 2048 SHA1
click Next
-CA Name
Common name for this CA: poc-CA1-CA
Distinguished name suffix: DC=poc,DC=com
Preview of distinguished name: CN=poc-CA1-CA,DC=poc,DC=com
click Next
-Validity Period
10 years
click Next
-Certificate Database
leave default
click Next
-Confirmation
leave default
click Configure
-Results

click Close

3. Create a WLC Certificate Template
-run Start/Programs/Administrative Tools/Certification Authority
-right click Server/Certificate Templates/Manage
-right click RAS and IAS Server/Duplicate Template
General:
Validity period 10 years
tick Publish certificate in Active Directory
Compatibility:
Certification Authority Windows Server 2012 R2
Certificate recipient Windows 8.1/Windows Server 2012 R2
Security:
click Authenticated Users
tick Read
tick Enroll

-right click Server/Certificate Templates/New/Certificate Template to Issue

choose WLC

4. Request a new certificate
-open CMD
>mmc
-click File Add/Remove Snap-in
click Certificates
click Add
click Computer account
click Next
click Local computer
click Finish
click OK
-right click Certificates/Personal/Certificates/All Tasks/Request New Certificate
Before You Begin
click Next
Select Certificate Enrollment Policy
click Active Directory Enrollment Policy
click Next
Request Certificates
tick WLC
click Enroll

5. Export root certificate

-open CMD
>mmc
-click File Add/Remove Snap-in
click Certificates
click Add
click Computer account
click Next
click Local computer
click Finish
click OK
-right click Certificates/Trusted Root Certification Authorities/Certificates/poc-CA1-CA-1/All Tasks/Export
Welcome to the Certificate Export Wizard
   click Next
Export File Format
   click DER encoded binary X.509
   click Next
File to Export
   click Next
Completing the Certificate Export Wizard
   click Finish
Send rootca.cer by email to users whose PC is not joined to the domain, or to iOS/Android users.

Ask them to open the cert to install it on their device.
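The same CA install, enrollment and root export as one PowerShell script, added here as an example; it is not part of the original post. It assumes the names from this page (poc-CA1-CA, DC=poc,DC=com, the WLC template from step 3) and that it runs in an elevated PowerShell on CA1 as a domain administrator; the C:\rootca.cer output path and the choice of SHA256 instead of the wizard's SHA1 default are assumptions of this example.

```powershell
# Added example: scripted equivalent of steps 1, 2, 4 and 5 on CA1.
# Run as a domain administrator in an elevated PowerShell.
# Names (poc-CA1-CA, DC=poc,DC=com, template "WLC") come from this post;
# the output path and the SHA256 choice are assumptions of this example.

# Step 1: roles. A reboot may still be required before configuring AD CS.
Import-Module ServerManager
Install-WindowsFeature -Name ADCS-Cert-Authority, ADCS-Web-Enrollment, `
    Web-Mgmt-Console, NPAS-Policy-Server -IncludeManagementTools

# Step 2: enterprise root CA, RSA 2048, 10-year validity.
# The 2012 R2 wizard default is SHA1; SHA256 is used here because current
# clients reject SHA1-signed certificates.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName "poc-CA1-CA" `
    -CADistinguishedNameSuffix "DC=poc,DC=com" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force
Install-AdcsWebEnrollment -Force

# Step 4: enroll CA1's own server certificate from the WLC template.
# The template must already be duplicated and issued as in step 3.
$req = Get-Certificate -Template "WLC" -CertStoreLocation "Cert:\LocalMachine\My"
if ($req.Status -ne "Issued") { throw "Enrollment status: $($req.Status)" }

# Step 5: export the root CA certificate (DER, public part only) for clients.
$root = Get-ChildItem "Cert:\LocalMachine\Root" |
    Where-Object { $_.Subject -like "CN=poc-CA1-CA*" } |
    Select-Object -First 1
Export-Certificate -Cert $root -FilePath "C:\rootca.cer" -Type CERT | Out-Null

# Check: the exported root must be the issuer of the freshly enrolled cert,
# otherwise clients installing rootca.cer will not trust the NPS server.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "C:\rootca.cer"
if ($req.Certificate.Issuer -ne $exported.Subject) {
    throw "rootca.cer ($($exported.Subject)) did not issue the WLC certificate"
}
"Root CA exported: $($exported.Thumbprint)"
```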

6. Configure NPS
-run Start/Programs/Administrative Tools/Network Policy Server
-right click NPS (Local)/Register server in Active Directory
-create a new Network Policy
(screenshots of the NPS registration and Network Policy wizard not reproduced)

7. Configure WLC
-open a browser and go to https://10.0.20.76
L: admin
P:
(screenshots of the WLC configuration not reproduced)

8. Configure Client
-install rootca.cer from step 5
-now when you connect to the NPS SSID, it will ask for a username and password.
type your AD username, for example user1
