How To Configure WPA3 Enterprise Using Microsoft’s Network Policy Server

WPA3-Enterprise provides enhanced security for enterprise wireless networks by offering stronger encryption and authentication mechanisms. Integrating it with Microsoft Network Policy Server (NPS) for RADIUS authentication ensures secure user access. This guide walks through the step-by-step configuration of WPA3-Enterprise with NPS.

Prerequisites

Before configuring WPA3-Enterprise with NPS, ensure the following:

Step 1: Install and Configure Network Policy Server (NPS)

  1. Open Server Manager on your Windows Server.
  2. Click Manage > Add Roles and Features.
  3. Select Network Policy and Access Services > Network Policy Server (NPS) and complete the installation.
  4. Open NPS Console (nps.msc in the Run dialog).
  5. Register NPS in Active Directory:
  • Right-click NPS (Local) and select Register server in Active Directory.

Step 2: Configure RADIUS Clients (Access Points)

  1. In the NPS console, expand RADIUS Clients and Servers.
  2. Right-click RADIUS Clients and select New.
  3. Enter a Friendly Name (e.g., “Access Point 1”).
  4. Enter the IP Address of the wireless access point.
  5. Set a Shared Secret (this must match the secret configured on the access point).
  6. Click OK to save.

Step 3: Create a Network Policy for WPA3-Enterprise

  1. In the NPS console, navigate to Policies > Network Policies.
  2. Right-click Network Policies and select New.
  3. Name the policy (e.g., “WPA3 Enterprise Authentication”).
  4. Under Conditions, click Add and choose Windows Groups.
  5. Select the user groups allowed to authenticate (e.g., “Domain Users”).
  6. Click Next and select Access granted.
  7. Under Authentication Methods, enable Microsoft: Smart Card or other certificate (EAP-TLS).
  8. Configure the certificate settings:
  • Ensure a valid server certificate is installed on NPS.
  • Enable Validate client certificate.
  • Ensure Do not prompt user to authorize new servers is checked.
  9. Click Next, configure settings as needed, and finish the policy setup.

Step 4: Configure Your Wireless Access Point (AP)

  1. Log in to your access point’s management interface.
  2. Navigate to Wireless Security Settings.
  3. Select WPA3-Enterprise as the security mode.
  4. Choose 802.1X authentication (RADIUS).
  5. Enter the RADIUS Server IP Address (NPS server’s IP).
  6. Enter the Shared Secret (same as configured in NPS RADIUS clients).
  7. Save and apply settings.

Step 5: Configure Client Devices

  1. Ensure the client device supports WPA3-Enterprise.
  2. Open Wi-Fi settings and select the configured WPA3 network.
  3. Choose Enterprise authentication and select EAP-TLS.
  4. Install the required client certificate if not pre-installed.
  5. Connect and verify authentication logs on the NPS server.

Step 6: Verify and Troubleshoot

  1. Check the Event Viewer on the NPS server for authentication logs.
  2. Verify the RADIUS client configuration (IP, shared secret) matches on both the AP and NPS.
  3. Ensure the correct CA certificate is installed on client devices.
  4. Confirm that user accounts are in the authorized security group.
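
The first check in Step 6 can be scripted. The PowerShell below is an added example, not part of the original guide: it reads NPS decisions from the Security log (event 6272 for access granted, 6273 for access denied) and groups denials by reason. The function name and the four-hour look-back are assumptions; the field names are those carried in the event XML and should be confirmed against an event on your own server.

```powershell
# Added example, not from the original guide. Run elevated on the NPS server.
# Events 6272/6273 are only logged when the audit subcategory is enabled:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

function Get-NpsAuthEvent {        # hypothetical helper name
    param(
        [int]$Hours     = 4,       # look-back window (assumed default)
        [int]$MaxEvents = 500
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 6272, 6273     # 6272 = access granted, 6273 = access denied
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the event's named <Data> elements into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            $result = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
            [pscustomobject]@{
                Time         = $_.TimeCreated
                Result       = $result
                User         = $data['SubjectUserName']
                ClientMac    = $data['CallingStationID']
                RadiusClient = $data['ClientName']         # Friendly Name from Step 2
                Policy       = $data['NetworkPolicyName']  # policy name from Step 3
                EapType      = $data['EAPType']
                ReasonCode   = $data['ReasonCode']
                Reason       = $data['Reason']
            }
        }
}

$events = @(Get-NpsAuthEvent -Hours 4)

# Most recent decisions first.
$events | Sort-Object Time -Descending | Select-Object -First 20 |
    Format-Table Time, Result, User, ClientMac, RadiusClient, Policy, EapType -AutoSize

# Denials grouped by reason: one dominant reason usually points at a single
# misconfiguration (untrusted CA, wrong group, no matching policy).
$events | Where-Object Result -eq 'Denied' |
    Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -Wrap
```

If the script returns nothing while clients are failing to connect, the requests may not be reaching a policy decision at all, which points back to the RADIUS client checks in item 2.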

Conclusion

Configuring WPA3-Enterprise with Microsoft NPS for RADIUS authentication enhances network security by leveraging strong encryption and centralized user authentication. By following these steps, administrators can deploy an enterprise wireless network with robust security and access control.