Configure RADIUS Server Authentication with Active Directory for Wireless Users
Before you configure your Firebox to use your Active Directory and RADIUS servers to authenticate wireless users, make sure that the settings described in this section are configured on your RADIUS and Active Directory servers. Windows Server 2016 and 2012 R2 are the supported RADIUS server platforms.
- For complete instructions to configure your RADIUS server or Active Directory server, see the vendor documentation for each server.
- For more information on how to configure wireless RADIUS authentication settings for the Gateway Wireless Controller and WatchGuard APs, go to Configure SSID Security Settings.
- For more information on how to configure wireless RADIUS authentications for a Firebox with wireless capabilities, go to Use a RADIUS Server for Wireless Authentication.
- You must add the IP addresses of your WatchGuard APs and the Firebox as RADIUS clients on your RADIUS server. WatchGuard APs make their own connections to the RADIUS server for authentication requests.
- Make sure your Firebox is added as a RADIUS client for other types of Firebox-based authentication.
- Make sure you enable RADIUS accounting in your SSID security settings. For more information, go to Configure SSID Security Settings.
Configure NPS for Windows Server 2016 or 2012 R2
- In Windows Server Manager, make sure NPS is installed with a Network Policy and Access Service role that uses the Network Policy Server role service.
- Add a new RADIUS Client to NPS that includes the IP addresses of your APs and your Firebox, uses the RADIUS Standard vendor, and sets the manual shared secret for the RADIUS server to match the shared secret configuration on your APs and Firebox.
- Add a network policy with these settings:
- Select the Active Directory user group that includes the wireless users you want to authenticate.
- Specify Access granted as the access permissions for the policy, and specify an EAP type.
- Add the attribute Filter-ID to the policy and specify the wireless user groups as the value. Make sure to remove Framed Protocol and Service-Type from the Attributes list.
Configure Active Directory Settings
When you configure these settings for your Active Directory server, you enable your RADIUS server to contact your Active Directory server for the user credentials and group information stored in your Active Directory database.
- In Active Directory Users and Computers on your Active Directory server, make sure that the remote access permissions are configured to Allow access to users.
- Register NPS or IAS to your Active Directory server.
About RADIUS Single Sign-On
You can use RADIUS Single Sign-On for wireless clients when you use WPA and WPA2 Enterprise authentication. For more information on RADIUS Single Sign-On, go to About RADIUS Single Sign-on.