0. AD, DC, CA, Group Policy
AD is similar to a database: it stores user names, passwords, computers and other information. IAS reads the user name and password from AD to authenticate.
User vs. computer:
User: for example, a user Lanny created in AD. The user can log on to many computers.
Computer: a physical entity.
Two ways of organizing computers in a network:
1. Workgroup
2. Domain (unified management & unified authentication)
Unified management: Group Policy, for example deploying software in batch to the computers in the domain, disabling software, issuing certificates and so on.
Unified authentication: centralized account management, one account usable everywhere.
3. DC: Server 2008 with AD installed.
4. CA: the CA issues certificates; 802.1X (that is, the EAPOL & RADIUS environment) needs certificates to authenticate identities.
I. Build AD (DNS & AD on the same machine):
1. Change the computer name to DCServer.
2. Give the DC a fixed IP, with DNS pointing to itself.
3. Run dcpromo, select DC and DNS; for the FQDN write mxl.com.
4. After the reboot, check:
5. Change DNS.
6. Check the DNS server 4+6 (AD registered):
net stop Netlogon
net start Netlogon
7. Check the computer name: DCServer.mxl.com.
8. Open AD; the DC is in the Domain Controllers group. Don't move it arbitrarily.
Computers added later are placed in Computers.
9. The local user becomes a domain user. The Users group can be viewed in AD.
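The same build, as an added PowerShell example that is not part of the original post. It assumes Windows Server 2012 or later (the ADDSDeployment module replaced the dcpromo wizard the post uses on Server 2008), an adapter alias of "Ethernet", and a constructed address plan of 192.168.1.10/24 with gateway 192.168.1.1; the forest name mxl.com and host name DCServer come from the post. The checks at the end correspond to steps 4 to 8, including the Netlogon restart that re-registers the SRV records.

```powershell
# Added example, not from the original post. Assumed: Server 2012+, adapter "Ethernet",
# static IP 192.168.1.10/24, gateway 192.168.1.1 (constructed values).

# ---- Phase 1: run once, before the reboot that Rename-Computer triggers ----
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.1.10 `
    -PrefixLength 24 -DefaultGateway 192.168.1.1
# DNS points at the DC itself: its own address rather than 127.0.0.1, so the records
# the DC registers for itself are reachable by other hosts.
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.1.10
Rename-Computer -NewName "DCServer" -Restart

# ---- Phase 2: after the reboot, promote the server (installs DNS as well) ----
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSForest -DomainName "mxl.com" -DomainNetbiosName "MXL" -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") -Force
# The server reboots on its own when promotion finishes.

# ---- Phase 3: the checks from steps 4-8, after the second reboot ----
# Step 7: the computer is now DCServer.mxl.com
(Get-ADDomainController).HostName

# Step 6: DNS must hold the SRV records that domain members use to locate the DC.
# If they are missing, restarting Netlogon re-registers them (net stop/start Netlogon).
$srvName = "_ldap._tcp.dc._msdcs.mxl.com"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Restart-Service Netlogon
    Start-Sleep -Seconds 10
    $srv = Resolve-DnsName -Name $srvName -Type SRV
}
$srv | Format-Table Name, NameTarget, Port

# Step 8: the DC object lives in the Domain Controllers OU and should stay there
Get-ADComputer -Filter * -SearchBase (Get-ADDomain).DomainControllersContainer |
    Select-Object Name, DistinguishedName

# dcdiag runs the DNS tests that a later domain join depends on
dcdiag /test:dns /v
```

Run the three phases separately; each reboot ends the session, which is why the script is split rather than written as one pipeline.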
II. Join the computer to the domain:
1. Change the computer name of the XP machine.
2. Configure DNS on XP to point to the DC.
3. Create an organizational unit TAC.
The computer is automatically placed in the defined group when it joins the domain.
4. Create the user Maxiaolang.
5. Create the computer WinXP (the XP machine's name).
6. XP lands in TAC after joining the domain.
You can also do this manually:
Create a new group.
Drag the new XP into the group.
III. Add domain users to the local Administrators group:
Log on with the local administrator and then modify the members of the Administrators group.
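Sections II and III done from PowerShell, as an added example that is not part of the original post. It assumes a Server 2012+ DC with the ActiveDirectory module and a Windows 10 client with PowerShell 5.1 (the post's XP client predates these cmdlets), the domain mxl.com with the DC at the constructed address 192.168.1.10, and the client adapter alias "Ethernet". Pre-staging the computer object in the TAC OU is what makes the join land in TAC instead of the default Computers container.

```powershell
# Added example, not from the original post. Assumed: Server 2012+ DC, Windows 10 client,
# DC at 192.168.1.10 (constructed), adapter alias "Ethernet".

# ---- On the DC: OU, user and pre-staged computer object (steps 3-5) ----
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName        # DC=mxl,DC=com
$ouDN     = "OU=TAC,$domainDN"

New-ADOrganizationalUnit -Name "TAC" -Path $domainDN -ProtectedFromAccidentalDeletion $true

New-ADUser -Name "Maxiaolang" -SamAccountName "Maxiaolang" `
    -UserPrincipalName "Maxiaolang@mxl.com" -Path $ouDN `
    -AccountPassword (Read-Host -AsSecureString "Initial password") `
    -Enabled $true -ChangePasswordAtLogon $true

# Pre-staging the computer account in TAC: the join then lands here (step 6)
# instead of the default Computers container.
New-ADComputer -Name "WinXP" -SamAccountName "WinXP" -Path $ouDN -Enabled $true

# ---- On the client: DNS to the DC, rename and join in one step (steps 1, 2, 6) ----
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.1.10
Add-Computer -DomainName "mxl.com" -NewName "WinXP" -OUPath "OU=TAC,DC=mxl,DC=com" `
    -Credential (Get-Credential "MXL\Administrator") -Restart

# ---- On the client after the reboot, as the local administrator (section III) ----
# Granting a domain group instead of individual users keeps membership managed
# and auditable in AD; the user is used here only to match the post.
Add-LocalGroupMember -Group "Administrators" -Member "MXL\Maxiaolang"
# Equivalent on systems without the LocalAccounts module:
#   net localgroup Administrators MXL\Maxiaolang /add
Get-LocalGroupMember -Group "Administrators" | Format-Table Name, PrincipalSource

# ---- Back on the DC: confirm the computer object ended up in TAC ----
Get-ADComputer -Identity "WinXP" -Properties OperatingSystem |
    Select-Object Name, DistinguishedName, OperatingSystem
```

The domain-join credential must have rights on the pre-staged object; a Domain Admin account, as in the post's lab, does.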
IV. Unified management
1. Group Policy Management (administrative users and computers)
2. Manages all organizational units:
Default Domain Policy
3. The Default Domain Controllers Policy is there to protect the DC; generally do not touch it.
4. Manages each organizational unit:
Default Domain Controller Policy
V. Build a Group Policy for a specific OU
1. Create a new Group Policy object Tacgpo.
2. Right-click > Edit > Windows Settings.
3. Prohibit the use of software: for calc and other rules, create a new hash rule and locate calc.exe.
4. Drag Tacgpo onto TAC to enable the policy.
gpupdate /force
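Section V with the GroupPolicy module, as an added example that is not part of the original post. It assumes Server 2012+ (or RSAT) on the management host, the OU path OU=TAC,DC=mxl,DC=com and a joined client named WinXP. The Software Restriction Policies hash rule for calc.exe (step 3) has no cmdlet and is still created in the GPO editor; the script covers the creation, linking and verification around it.

```powershell
# Added example, not from the original post. Assumed: GroupPolicy module available,
# OU=TAC,DC=mxl,DC=com, client computer WinXP.
Import-Module GroupPolicy
$ouDN = "OU=TAC,DC=mxl,DC=com"

# Step 1: new GPO
$gpo = New-GPO -Name "Tacgpo" -Comment "Restrictions for TAC workstations"

# Steps 2-3 stay in the editor: GPMC > Tacgpo > Edit > Computer Configuration >
#   Windows Settings > Security Settings > Software Restriction Policies >
#   Additional Rules > New Hash Rule > browse to calc.exe, Security level: Disallowed
# A hash rule matches one exact binary; a patched calc.exe gets a new hash, so the
# rule must be refreshed after updates or the block silently stops applying.

# Step 4: link to TAC, which is what "drag onto TAC" does
New-GPLink -Name "Tacgpo" -Target $ouDN -LinkEnabled Yes

# Confirm the link; Order 1 has the highest precedence among links on this OU
(Get-GPInheritance -Target $ouDN).GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order

# Export what the GPO actually contains, to review the rule before rollout
Get-GPOReport -Name "Tacgpo" -ReportType Html -Path "C:\Temp\Tacgpo.html"

# On the client: force a refresh, then list the GPOs that applied
gpupdate /force
gpresult /r /scope:computer

# Or build the resultant-set report for that computer from the management host
Get-GPResultantSetOfPolicy -ReportType Html -Path "C:\Temp\WinXP-rsop.html" -Computer "WinXP"
```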
VI. Install Active Directory Certificate Services (HTTP)
1. Use Group Policy to tell computers which certification authority to trust:
Download the certificate over HTTP from certsrv.
Import it into the Default Domain Policy in Group Policy.
gpupdate /force
VII. Domain users request certificates
Manual request: MMC > Certificates > Personal > request a certificate.
Issuing domain user certificates by Group Policy:
Certificate Templates > User certificate > Duplicate > Security (Autoenroll).
Certificate Templates > New > Certificate Template to Issue.
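Sections VI and VII from PowerShell, as an added example that is not part of the original post. It assumes Server 2012+ with the ADCSDeployment and GroupPolicy modules, a Windows 8.1+ client for Get-Certificate, a CA named "MXL-Root-CA", and a duplicated template whose name is "MXLUser" (both constructed; the template is the copy of the User template the post makes in the console). The post's lab puts the CA on the DC; the script does the same, although in production the CA belongs on a separate host.

```powershell
# Added example, not from the original post. Assumed: Server 2012+, CA "MXL-Root-CA",
# duplicated template name "MXLUser", GPO "Default Domain Policy" (constructed names).

# ---- On the CA server: role, enterprise root CA, web enrollment (the certsrv page) ----
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName "MXL-Root-CA" `
    -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
Install-AdcsWebEnrollment -Force          # serves http://<ca>/certsrv used in VI.1

# VI.1 trust: an enterprise CA publishes its certificate into AD on install, so domain
# members trust it after the next Group Policy refresh. The manual GPO import from the
# post is the fallback; the command-line equivalent of publishing it is:
#   certutil -dspublish -f C:\Temp\MXL-Root-CA.cer RootCA

# VII template: duplicate User in the console (Certificate Templates > User >
# Duplicate Template > Security: Domain Users = Read, Enroll, Autoenroll), then
# publish it on the CA ("Certificate Template to Issue"); template name, not display name:
certutil -SetCATemplates "+MXLUser"

# VII autoenrollment for users via Group Policy. AEPolicy 7 = enabled + renew expired /
# update pending + update templates, the three boxes in the Auto-Enrollment dialog.
Set-GPRegistryValue -Name "Default Domain Policy" `
    -Key "HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment" `
    -ValueName "AEPolicy" -Type DWord -Value 7

# ---- On a domain-joined client, logged on as the domain user ----
gpupdate /force
certutil -pulse                           # trigger autoenrollment now instead of waiting
# Manual request, the MMC > Certificates > Personal path from VII:
Get-Certificate -Template "MXLUser" -CertStoreLocation Cert:\CurrentUser\My

# Checks: the CA is trusted by the machine, and the user now holds a certificate from it
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*MXL-Root-CA*" } |
    Format-Table Subject, Thumbprint, NotAfter
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -like "*MXL-Root-CA*" } |
    Format-Table Subject, EnhancedKeyUsageList, NotAfter
```

If the second check comes back empty after a refresh, the usual cause is a missing Autoenroll permission for the user's group on the template rather than the GPO.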
VIII. You can change the password complexity:
Modify Default Domain Security Settings:
Local Policies > Account Policies.
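Section VIII from PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory module and the domain mxl.com; the lengths, ages and lockout numbers are illustrative choices, not values from the post. It also goes one step beyond the post by showing a fine-grained password policy for a subset of accounts, which needs the 2008 domain functional level.

```powershell
# Added example, not from the original post. Assumed: ActiveDirectory module, domain
# mxl.com, user Maxiaolang from section II; numeric values are constructed.
Import-Module ActiveDirectory

# Current domain-wide policy (what Default Domain Policy > Account Policies holds)
Get-ADDefaultDomainPasswordPolicy -Identity "mxl.com"

# Tighten it: complexity on, longer minimum, history, and lockout so that password
# guessing against the 802.1X/RADIUS path is slowed and shows up as lockout events.
Set-ADDefaultDomainPasswordPolicy -Identity "mxl.com" `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# There is one default policy per domain. A stricter rule for a subset (here
# Domain Admins) is a fine-grained password policy; lower Precedence wins.
New-ADFineGrainedPasswordPolicy -Name "PSO-Admins" -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 180) `
    -ReversibleEncryptionEnabled $false -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 60) -LockoutObservationWindow (New-TimeSpan -Minutes 60)
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Admins" -Subjects "Domain Admins"

# Shows the PSO that applies to a user; returns nothing when only the default applies
Get-ADUserResultantPasswordPolicy -Identity "Maxiaolang"
```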
IX. Install RADIUS
Registering the server in AD enables IAS to read the accounts inside AD.
Start the NPS service.
Initialize IAS: add 802.1X wireless (adding clients along the way), choose PEAP as the encryption (and, of course, select which groups in AD have access rights).
Add a RADIUS client.
To add a policy:
Modify the secure wireless connection policy: remove all constraints, add a time schedule, and delete the other entries.
Modify the network policy: remove all constraints, add a time schedule, and delete the other entries.
Troubleshooting:
Look at the log (present once AD is installed)
or Event Viewer.
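Section IX and the troubleshooting steps, as an added example that is not part of the original post. It assumes Server 2012+ (the role is called NPS there; the post's Server 2008 IAS is the same component under its older name), the domain mxl.com, a RADIUS client (the WAC) at the constructed address 192.168.1.20 with the constructed friendly name "WAC-1", and the default NPS log folder. The network policy itself (PEAP, allowed group, time schedule) cannot be created with netsh, so that part stays in the console as the post describes; the script covers registration, the client, a backup, and reading the NPS audit events that the post's "look at the log / Event Viewer" step refers to.

```powershell
# Added example, not from the original post. Assumed: Server 2012+, RADIUS client
# "WAC-1" at 192.168.1.20 (constructed), default log folder.

# ---- Role install and AD registration (lets NPS read account properties in AD) ----
Install-WindowsFeature NPAS -IncludeManagementTools
netsh nps add registeredserver            # adds this server to "RAS and IAS Servers"
Set-Service -Name IAS -StartupType Automatic
Start-Service -Name IAS                   # the NPS service is still named IAS

# ---- RADIUS client: the controller that forwards 802.1X/PEAP requests ----
# A long random shared secret rather than a short typed one; it must be copied to the WAC.
$bytes  = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)
netsh nps add client name = "WAC-1" address = "192.168.1.20" state = "enable" sharedsecret = "$secret"

# Build the network policy in the console (wizard "Secure Wireless Connections",
# PEAP, the allowed AD group, the time-of-day constraint), then back up the result
# including the shared secrets so the server can be rebuilt:
netsh nps export filename = "C:\Temp\nps-config.xml" exportPSK = YES

# ---- Troubleshooting: NPS audit events in the Security log ----
# 6272 = access granted, 6273 = access denied, 6274 = request discarded.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# Summarise recent denials: account, RADIUS client and NPS reason code. Reason code 16
# is a credential mismatch; the "Reason:" line in each event explains the others.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 50 |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = [regex]::Match($m, 'Account Name:\s+(\S+)').Groups[1].Value
            Client  = [regex]::Match($m, 'Client Friendly Name:\s+(\S+)').Groups[1].Value
            Reason  = [regex]::Match($m, 'Reason Code:\s+(\d+)').Groups[1].Value
        }
    } | Group-Object Account, Reason | Sort-Object Count -Descending |
    Format-Table Count, Name

# The text logs the post refers to (authentication/accounting) default to this folder
Get-ChildItem "$env:SystemRoot\System32\LogFiles\IN*.log"
```

A burst of 6273 events with reason code 16 from one client against many accounts is the pattern to watch for; with the lockout threshold from section VIII in place it also surfaces as account lockouts.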
Tips
1. The DNS of the user VLAN interface and the DNS of the WAC must both point to the DC's DNS; otherwise there may be an authentication problem.
2. Win8/10 does not require the automatic configuration tool for configuration.
3. When a domain user logs on to a computer connected wirelessly, the domain account authentication service is used by default.
If you want the domain account to also have to enter the account and password, modify the WiFi policy in the AD Group Policy, tick "Do not allow shared user credentials for network authentication", push the Group Policy, and logging on will again require the account and password.
This article is from the "Lannyma" blog; please keep this source: http://lannyma.blog.51cto.com/4544390/1736948
802.1X Details 2