Last modified at 5/7/2014 6:45 PM by Koen Zomers

It is possible to hook up a D-Link DIR655 Access Point to your Windows domain using Windows 2008 Network Policy Server. In fact, this should work for any access point with WPA Enterprise and RADIUS support. It allows wireless devices that support WPA Enterprise authentication to log on to your wireless network with their domain credentials. This in turn gives you the convenience of maintaining your users in only one central location: Active Directory. It also avoids having a single shared key that everybody uses and that you cannot change easily without everybody having to adjust their configuration, as with WPA PSK and WPA2 PSK. So it is far more secure.

Follow these steps to set this up:

  1. If you already have the Network Policy and Access Services role enabled on your server, you can skip to step 11. Otherwise, continue with the next step to add this role.
  2. Open up the Start menu, go to Administrative Tools and click on Server Manager.

  3. In the Server Manager, in the tree on the left, go to Roles.

  4. Wait for it to finish enumerating the roles. On the right, click on Add Roles.

  5. Skip the introduction page, if it appears, by clicking on Next.

  6. Put a checkmark in front of Network Policy and Access Services and click Next.

  7. Click Next to continue with selecting the services you want to use.
  8. Put a checkmark in front of Network Policy Server and click Next.
  9. Click Install to start the installation.
  10. Wait for the installation to finish and click Close.

  11. Open up the Start menu, go to Administrative Tools and click on Network Policy Server

  12. In the Network Policy Server application, expand RADIUS Clients and Servers and click on RADIUS Clients

  13. Right click on the RADIUS Clients node and choose New in the popup menu

  14. In the New RADIUS Client screen, enter a name that identifies your access point for you, add the IP address or a DNS name mapped to your access point, and either generate a shared secret or enter one manually. This shared secret only needs to be entered once, in the access point configuration. You do not need to enter it on every client connecting to the access point, so I would recommend generating one so that it is as hard to guess as possible. Copy and paste the shared secret into Notepad and keep it in a safe place; you will need it later on. Click OK once you are done entering the information.

  15. Navigate to Policies -> Connection Request Policies and right click on it. In the popup menu choose New.

  16. On the first step of the New Connection Request Policy wizard, enter Secure Connections in the Policy name field and click Next.

  17. In the next step, click the Add button. In the Select condition popup window that follows, scroll down to the NAS Port Type option, click on it and click on Add.

  18. In the NAS Port Type window that opens up next, in the middle section under Common 802.1X connection tunnel types, put a checkmark in front of Wireless - IEEE 802.11. In the bottom section called Others put a checkmark in front of Wireless - Other. Click OK.

  19. You should now see the condition as shown on the screenshot below added to the conditions list. Click Next to continue.

  20. On the next screen, leave all at the default settings and click Next to continue.

  21. On the next screen, put a checkmark in front of Override network policy authentication settings, also check Microsoft Encrypted Authentication version 2 (MS-CHAP-v2) and check Microsoft Encrypted Authentication (MS-CHAP).

  22. Click on Add, in the Add EAP popup that follows select Microsoft: Protected EAP (PEAP) and click OK.

  23. Click Add again and this time in the Add EAP popup, select Microsoft: Secured password (EAP-MSCHAP v2) and click OK.

  24. Your screen should now look like the screen on the following screenshot. Click Next to continue.

  25. In the next screen, leave all unchanged and click Next to continue.

  26. The final step in this wizard is to confirm all settings. Click Finish to close the wizard.

  27. In the tree on the left, navigate to Policies -> Network Policies. Right click on it and in the popup menu click New.

  28. On the first step of the New Network Policy wizard, enter Secure Wireless Connections under Policy name and click Next.

  29. On the next screen, click Add. In the Select condition popup that follows, scroll down to NAS Port Type and click Add.

  30. In the NAS Port Type popup that follows, in the middle section named Common 802.1X connection tunnel types, put a checkmark in front of Wireless - IEEE 802.11. In the bottom section named Others, put a checkmark in front of Wireless - Other. Click OK.

  31. Click Add again to add another condition.

  32. In the Select condition popup, select Windows Groups and click Add.

  33. In the Windows Groups popup, click Add Groups and enter the group in your Active Directory domain which contains all users that you want to allow to log in to your Access Point. If you haven't created a group for this yet in Active Directory, do so now using the Active Directory Users and Computers application and enter the group here. Once you have added the group, click OK to close the window.

  34. You have now added two conditions to your new network policy. Click Next to continue.
  35. On the next screen, keep the defaults and click Next to continue.

  36. On the next screen, click the Add button. In the Add EAP popup, select Microsoft: Protected EAP (PEAP) and click OK.

  37. Click Add again, this time in the Add EAP popup select Microsoft: Secured password (EAP-MSCHAP v2) and click OK.

  38. Click Next to continue.

  39. Keep the defaults in the next step and click Next to continue.

  40. On the next step, click on Encryption and uncheck all boxes except the one in front of Strongest encryption (MPPE 128-bit). Leave all other options at their defaults. Click Next to continue.

  41. The final step is to confirm all settings. Click Finish to close the wizard.

  42. It's now time to configure the D-Link DIR655 Access Point for WPA Enterprise authentication. If you're using a different type of access point, consult its manual on how to enable WPA Enterprise.
    Open up your web browser and browse to the configuration pages on your DIR655. Once authenticated, click on Wireless Settings in the menu on the left.

  43. At the bottom, click on Manual Wireless Network Setup

  44. Under Wireless Network Settings, enter the settings as you wish. Under Wireless Security Mode, select WPA-Enterprise. Under WPA, select the settings as they fit for the clients that are going to use your access point. If possible, choose WPA Mode WPA2 Only, Cipher Type AES and Group Key Update Interval 3600 for the strongest protection.

  45. Under EAP (802.1X) enter the values as shown on the following screenshot. At RADIUS server Shared Secret enter the Shared Secret chosen at step 14 of this tutorial. At RADIUS server IP Address enter the IP address of the server on which you have configured Network Policy Server in this tutorial.

  46. Click Save Settings at the top to save your new configuration.

    You have now enabled WPA Enterprise on your DIR655. The DIR655 supports two wireless configurations. Not all wireless devices (like most older smartphones) support WPA Enterprise. You can configure the second wireless configuration on the DIR655 to use the traditional WPA2 PSK. Go to Advanced in the top menu and then to Guest Zone in the left menu to configure the second wireless profile on the DIR655 if you want to do so.

    Last but certainly not least is the configuration of the client to talk to the access point. We'll take a Windows 7 laptop for this tutorial.
  47. Go via the Windows Start button to Control Panel and click on View network status and tasks under Network and Internet.

  48. In the left menu, click on Manage wireless networks

  49. Click on Add and in the wizard that opens up, choose Manually create a network profile

  50. On the next screen, enter the network name you provided for your network at step 44 of this tutorial, choose Security type WPA2-Enterprise, Encryption type AES and click Next.

  51. Click the Change connection settings link and in the Wireless Network Properties popup, navigate to the Security tab.

  52. Click on the Settings button. In the Protected EAP Properties popup, uncheck Validate server certificate and click OK.

  53. Back in the Wireless Network Properties window, click Advanced Settings
  54. Put a check in front of Specify authentication mode and choose the User authentication option. Click OK to close the popup. Click OK again to close the Wireless Network Properties window.

  55. You should now be able to connect to your wireless network. When connecting, it should prompt you to enter your credentials. Enter the credentials from an Active Directory account in the format <domain>\<username> which should have access to the wireless network.
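The RADIUS client registration from steps 13 and 14 can also be done from the command line on the NPS server. The following PowerShell script is an added example and not part of the original tutorial: it generates a random shared secret with a cryptographic RNG (the command-line equivalent of the Generate button in step 14), registers the access point with netsh nps, and lists the registered clients. The client name and IP address are assumptions; replace them with your own and paste the printed secret into the DIR655 at step 45.

```powershell
# Added example: register the DIR655 as a RADIUS client on the NPS server.
# Run from an elevated PowerShell prompt on the server running Network Policy Server.
# Assumed values: adjust the friendly name and address to your environment.
$ClientName = 'DIR655-AP'      # friendly name, as entered in step 14 (assumed)
$ClientAddr = '192.168.0.2'    # IP address of the access point (assumed)

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # 64-symbol alphabet: 256 is a multiple of 64, so mapping a random byte
    # with modulo introduces no bias. 32 symbols give 192 bits of entropy.
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$Secret = New-RadiusSharedSecret

# netsh nps is the command-line counterpart of the RADIUS Clients node in the
# Network Policy Server console. state=ENABLE activates the client immediately.
netsh nps add client name="$ClientName" address="$ClientAddr" state=ENABLE sharedsecret="$Secret"
if ($LASTEXITCODE -ne 0) { throw "netsh nps add client failed with exit code $LASTEXITCODE" }

# Confirm that the client is registered.
netsh nps show client

# This secret has to be entered once in the DIR655 (step 45); store it safely.
Write-Host "Shared secret for $ClientName : $Secret"
```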