Last modified at 5/7/2014 6:45 PM by Koen Zomers

It is possible to hook up a DLink DIR655 access point to your Windows domain using Windows 2008 Network Policy Server. Actually, this should work for any access point with WPA Enterprise and RADIUS support. This allows wireless devices supporting WPA Enterprise authentication to log on to your wireless network using their domain credentials. This in turn gives you the ease of maintaining your users in only one central location: Active Directory. It also avoids having a single shared key that everybody uses and that you cannot easily change without everybody having to adjust their configuration, as with WPA PSK and WPA2 PSK. So it's far more secure.

Follow these steps to set this up:

  1. If you already have the Network Policy and Access Services role enabled on your server, you can skip to step 11. Otherwise continue with the next step to add this role.
  2. Open up the Start menu, go to Administrative Tools and click on Server Manager

    DIR655WpaPskEntServerManagerLink.png
  3. In the Server Manager, in the tree on the left, go to Roles

    DIR655WpaPskEntServerManagerRoles.png
  4. Wait for it to be done enumerating the roles. On the right, click on Add Roles

    DIR655WpaPskEntServerManagerAddRole.png
  5. Skip the introduction page, if it appears, by clicking on Next

    DIR655WpaPskEntServerManagerAddRoleNPSBegin.png
  6. Put a checkmark in front of the Network Policy and Access Services and click Next 

    DIR655WpaPskEntServerManagerAddRoleNPS.png
  7. Click Next to continue with selecting the services you want to use
    DIR655WpaPskEntServerManagerAddRoleNPSStart.png
  8. Put a checkmark in front of Network Policy Server and click Next
    DIR655WpaPskEntServerManagerAddRoleNPSServices.png
  9. Click Install to start the installation
    DIR655WpaPskEntServerManagerAddRoleNPSReadyToInstall.png
  10. Wait for the installation to be done and click Close

    DIR655WpaPskEntServerManagerAddRoleNPSServicesDone.png
  11. Open up the Start menu, go to Administrative Tools and click on Network Policy Server

    DIR655WpaPskEntNPSLink.png
  12. In the Network Policy Server application, expand RADIUS Clients and Servers and click on RADIUS Clients

    DIR655WpaPskEntNPSConfigRadiusClients.png
  13. Right click on the RADIUS Clients node and choose New in the popup menu

    DIR655WpaPskEntNPSNewRadiusClientMenu.png
  14. In the New RADIUS Client screen, enter a name that identifies your access point, add the IP address or a DNS name of your access point and either generate a shared secret or enter one manually. This shared secret only needs to be entered once, in the access point configuration. You do not need to enter it on every client connecting to the access point, so I would recommend generating one so it will be as difficult as possible. Copy/paste the shared secret into Notepad and keep it in a safe place. You'll need it later on. Click OK once done entering the information.

    DIR655WpaPskEntNPSNewRadiusClientScreen.png
  15. Navigate to Policies -> Connection Request Policies and right click on it. In the popup menu choose New.

    DIR655WpaPskEntNPSNewConnectionRequestPolicyMenu.png
  16. On the first step of the New Connection Request Policy wizard, enter Secure Connections in the Policy name field and click Next.

    DIR655WpaPskEntNPSNewConnectionRequestPolicyStep1.png
  17. In the next step, click the Add button. In the Select condition popup window that follows, scroll down to the NAS Port Type option, click on it and click on Add.

    DIR655WpaPskEntNPSNewConnectionRequestPolicyStep2-1.png
  18. In the NAS Port Type window that opens up next, in the middle section under Common 802.1X connection tunnel types, put a checkmark in front of Wireless - IEEE 802.11. In the bottom section called Others put a checkmark in front of Wireless - Other. Click OK.

    DIR655WpaPskEntNPSNewConnectionRequestPolicyStep2-2.png
  19. You should now see the condition as shown on the screenshot below added to the conditions list. Click Next to continue.

    DIR655WpaPskEntNPSNewConnectionRequestPolicyStep2-3.png
  20. On the next screen, leave all at the default settings and click Next to continue.

    DIR655WpaPskEntNPSNewConnectionRequestPolicyStep3.png
  21. On the next screen, put a checkmark in front of Override network policy authentication settings, also check Microsoft Encrypted Authentication version 2 (MS-CHAP-v2) and check Microsoft Encrypted Authentication (MS-CHAP).

    DIR655WpaPskEntNPSNewConnectionRequestPolicyStep4-1.png
  22. Click on Add, in the Add EAP popup that follows select Microsoft: Protected EAP (PEAP) and click OK.

    DIR655WpaPskEntNPSNewConnectionRequestPolicyStep4-2.png
  23. Click Add again and this time in the Add EAP popup, select Microsoft: Secured password (EAP-MSCHAP v2) and click OK.

    DIR655WpaPskEntNPSNewConnectionRequestPolicyStep4-3.png
  24. Your screen should now look like the screen on the following screenshot. Click Next to continue.

    DIR655WpaPskEntNPSNewConnectionRequestPolicyStep4-4.png
  25. In the next screen, leave all unchanged and click Next to continue.

    DIR655WpaPskEntNPSNewConnectionRequestPolicyStep5.png
  26. The final step in this wizard is to confirm all settings. Click Finish to close the wizard.

    DIR655WpaPskEntNPSNewConnectionRequestPolicyStep6.png
  27. In the tree on the left, navigate to Policies -> Network Policies. Right click on it and in the popup menu click New.

    DIR655WpaPskEntNPSNewNetworkPolicyMenu.png
  28. On the first step of the New Network Policy wizard, enter Secure Wireless Connections under Policy name and click Next.

    DIR655WpaPskEntNPSNewNetworkPolicyStep1.png
  29. On the next screen, click Add. In the Select condition popup that follows, scroll down to NAS Port Type and click Add.

    DIR655WpaPskEntNPSNewNetworkPolicyStep2-1.png
  30. In the NAS Port Type popup that follows, in the middle section named Common 802.1X connection tunnel types, put a checkmark in front of Wireless - IEEE 802.11. In the bottom section named Others put a checkmark in front of Wireless - Other. Click OK.

    DIR655WpaPskEntNPSNewNetworkPolicyStep2-2.png
  31. Click Add again to add another condition.

    DIR655WpaPskEntNPSNewNetworkPolicyStep2-3.png
  32. In the Select condition popup, select Windows Groups and click Add.

    DIR655WpaPskEntNPSNewNetworkPolicyStep2-4.png
  33. In the Windows Groups popup, click Add Groups and enter the group in your Active Directory domain which contains all users that you want to allow to log in to your Access Point. If you haven't created a group for this yet in Active Directory, do so now using the Active Directory Users and Computers application and enter the group here. Once you have added the group, click OK to close the window.

    DIR655WpaPskEntNPSNewNetworkPolicyStep2-5.png
  34. You have now added two conditions to your new network policy. Click Next to continue.
  35. On the next screen, keep the defaults and click Next to continue.

    DIR655WpaPskEntNPSNewNetworkPolicyStep3.png
  36. On the next screen, click the Add button. In the Add EAP popup, select Microsoft: Protected EAP (PEAP) and click OK.

    DIR655WpaPskEntNPSNewNetworkPolicyStep4-1.png
  37. Click Add again, this time in the Add EAP popup select Microsoft: Secured password (EAP-MSCHAP v2) and click OK.

    DIR655WpaPskEntNPSNewNetworkPolicyStep4-2.png
  38. Click Next to continue.

    DIR655WpaPskEntNPSNewConnectionRequestPolicyStep4-4.png
  39. Keep the defaults in the next step and click Next to continue.

    DIR655WpaPskEntNPSNewNetworkPolicyStep5.png
  40. On the next step, click on Encryption and uncheck all boxes except the one in front of Strongest encryption (MPPE 128-bit). Leave all other options at their defaults. Click Next to continue.

    DIR655WpaPskEntNPSNewNetworkPolicyStep6.png
  41. The final step is to confirm all settings. Click Finish to close the wizard.

    DIR655WpaPskEntNPSNewNetworkPolicyStep7.png
  42. It's now time to configure the DLink DIR655 access point for WPA Enterprise authentication. If you're using a different access point type, consult your manual on how to enable WPA Enterprise.
    Open up your web browser and browse to the configuration pages on your DIR655. Once authenticated, click on Wireless Settings in the menu on the left.

    DIR655WpaPskEntDirConfigWirelessSettings.png
  43. At the bottom, click on Manual Wireless Network Setup

    DIR655WpaPskEntDirConfigManualWirelessSettings.png
  44. Under Wireless Network Settings, enter the settings as you wish. Under Wireless Security Mode, select WPA-Enterprise. Under WPA, select the settings as they fit for the clients that are going to use your access point. If possible, choose WPA Mode WPA2 Only, Cipher Type AES and Group Key Update Interval 3600 for the strongest protection.

    DIR655WpaPskEntDirConfigWirelessSettings-1.png
  45. Under EAP (802.1X) enter the values as shown on the following screenshot. At RADIUS server Shared Secret enter the Shared Secret chosen at step 14 of this tutorial. At RADIUS server IP Address enter the IP address of the server on which you have configured Network Policy Server in this tutorial.

    DIR655WpaPskEntDirConfigWirelessSettings-2.png
  46. Click Save Settings at the top to save your new configuration.

    You have now enabled WPA Enterprise on your DIR655. The DIR655 supports two wireless configurations. Not all wireless devices (like most older smartphones) support WPA Enterprise. You can configure the second wireless configuration on the DIR655 to use the traditional WPA2 PSK. Go to Advanced in the top menu and then to Guest Zone in the left menu to configure the second wireless profile on the DIR655 if you want to do so.

    Last but certainly not least is the configuration of the client to talk to the access point. We'll take a Windows 7 laptop for this tutorial.
  47. Go via the Windows Start button to Control Panel and click on View network status and tasks under Network and Internet

    DIR655WpaPskEntWin7ConfigControlPanel.png
  48. In the left menu, click on Manage wireless networks

    DIR655WpaPskEntWin7ConfigManageWirelessNetworks.png
  49. Click on Add and in the wizard that opens up, choose Manually create a network profile

    DIR655WpaPskEntWin7ConfigAddWireless.png
  50. On the next screen, enter the network name you provided for your network at step 44 of this tutorial, choose Security type WPA2-Enterprise, Encryption type AES and click Next.

    DIR655WpaPskEntWin7ConfigAddWireless-2.png
  51. Click the Change connection settings link and in the Wireless Network Properties popup, navigate to the Security tab.

    DIR655WpaPskEntWin7ConfigAddWireless-3.png
  52. Click on the Settings button. In the Protected EAP Properties popup, uncheck Validate server certificate and click OK.

    DIR655WpaPskEntWin7ConfigAddWireless-4.png
  53. Back in the Wireless Network Properties window, click Advanced Settings
  54. Put a check in front of Specify authentication mode and choose the User authentication option. Click OK to close the popup. Click OK again to close the Wireless Network Properties window.

    DIR655WpaPskEntWin7ConfigAddWireless-5.png
  55. You should now be able to connect to your wireless network. When connecting, it should prompt you to enter your credentials. Enter the credentials of an Active Directory account that should have access to the wireless network, in the format <domain>\<username>.
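
Step 52 turns off Validate server certificate, so the client does not check which RADIUS server it is talking to before the PEAP exchange. The following PowerShell is an added example, not part of the original tutorial: it reads a WLAN profile as exported by `netsh wlan export profile` and reports whether server validation is on and pinned to a CA and server name. The embedded profile is a constructed, trimmed sample with the placeholder name CorpWiFi, and the element names (PerformServerValidation, ServerNames, TrustedRootCA) are assumed to match Microsoft's PEAP profile schema.

```powershell
# Added example, not from the original tutorial. The profile below is a
# constructed, trimmed sample; "CorpWiFi" is a placeholder network name.
$sampleProfile = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
    <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>25</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation><ServerNames></ServerNames></ServerValidation>
          <PeapExtensions>
            <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
          </PeapExtensions>
        </EapType>
      </Eap></Config>
    </EapHostConfig></EAPConfig>
  </OneX></security></MSM>
</WLANProfile>
'@

function Test-PeapServerValidation {
    param([xml]$WlanXml)
    # local-name() avoids mapping the nested EAP namespaces in the profile.
    $name    = $WlanXml.SelectSingleNode("/*[local-name()='WLANProfile']/*[local-name()='name']")
    $perform = $WlanXml.SelectSingleNode("//*[local-name()='PerformServerValidation']")
    $names   = $WlanXml.SelectSingleNode("//*[local-name()='ServerNames']")
    $roots   = @($WlanXml.SelectNodes("//*[local-name()='TrustedRootCA']"))

    # Assumption: a profile that lacks the element is reported as 'not recorded'.
    $state = 'not recorded'
    if ($null -ne $perform) { $state = $perform.InnerText.Trim().ToLower() }
    $pinned = ''
    if ($null -ne $names) { $pinned = $names.InnerText.Trim() }

    if ($state -ne 'true') { $finding = 'Server certificate is not validated' }
    elseif ($roots.Count -eq 0 -or $pinned -eq '') { $finding = 'Validated, but not pinned to a CA and server name' }
    else { $finding = 'Validated and pinned' }

    New-Object PSObject -Property @{
        Profile = $name.InnerText; ServerValidation = $state
        ServerNames = $pinned; TrustedRootCAs = $roots.Count; Finding = $finding
    }
}

Test-PeapServerValidation -WlanXml $sampleProfile | Format-List
```

On a client, export the profile with `netsh wlan export profile name="<network name>" folder="<directory>"` and pass the resulting file as `[xml](Get-Content <file>)`.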