Hello,
I developed an Aruba - Windows 2008 R2 RADIUS authentication system with 802.1X PEAP.
I tried the same research in technet.microsoft.com or msdn, but there was not a good document.
Here I am going to explain required steps for Windows 2008 R2 server:
1. On Active directory or any member server (server which joins in the domain) install Active Directory Certificate Services
On Server Manager click Add Roles
Click Next to continue
Choose Active Directory Certificate Services and click Next
Click Next to continue
Click Certification Authority and click Next
Click Enterprise and click Next (Note: You need Windows 2008 R2 Enterprise version to choose Enterprise. If you have Windows 2008 R2 standard, you can only choose standalone)
Click Root CA and click Next
Choose Create a new private key and click Next
Keep default values (RSA#Microsoft Software Key Storage Provider, 2048, SHA1) and click Next
Keep the common name as displayed and click Next
Set Validity period (5 Years for CA) and click Next
Keep default values and click Next
Confirm the setting values and click Install.
2. On Active directory or any member server (server which joins in the domain) install Network Policy and Access Services
On Server Manager screen click Add Roles
Click Next to continue
Click Network Policy and Access Services and click Next
Click Next to continue
Select Network Policy Server and click Next
Click Install to install Network Policy and Access Services
On Server Manager screen, open the left pane and click on NPS(Local). On Getting started screen, choose RADIUS server for 802.1X Wireless or Wired Connections and click Configure 802.1X
Choose Secure Wireless Connections. Leave default name "Secure Wireless Connections" and click Next.
Click Add to add RADIUS client.
On the New RADIUS client screen, type in the wireless controller's friendly name and IP address. Click the Manual radio button and type in the shared secret. The shared secret must match the one configured on the wireless controller. [NOTE: Even if you specify a Loopback IP address on the Aruba controller, you should specify the Interface IP address here. For example, if your VLAN interface IP is 192.168.1.100 and the Loopback (Controller IP) is 192.168.1.101, you still need to specify 192.168.1.100 here. You can confirm which IP address tries to speak to the Windows 2008 R2 RADIUS server by capturing a Wireshark trace. Filter TCP 1812 packets to narrow the capture.]
Choose Microsoft PEAP. [Note: This article only covers PEAP. EAP-TLS is another option.]
Choose the certificate "servername.domainname". "domainname-servername-CA" is the CA certificate, and the CA certificate cannot be used for 802.1X. If you only see the CA certificate in the window, you need to create a server certificate manually. This is a known Windows 2008 R2 issue. Please refer to Windows Server Techcenter - Windows server forums - Network Access Protection - Having Issues getting PEAP with EAP-MSCHAP v2 working on Windows 2008 R2. Perform Mr. Greg Lindsay's steps (Friday April 22, 2011 5:44pm, "Try this:") to re-issue a certificate.
Specify User Groups such as domainname\Domain Users. [Note: If user cannot be authenticated, you need to Allow each user's dial-in profile]
Configure Traffic Controls - click Next.
Click Finish to create NPS Policy.
Aruba controller setting:
Configuration - Security - Authentication - Server Group and add new server group "Win2008"
Configuration - Security - Authentication - Radius server and add new radius server "Win2008RADIUS"
On Win2008RADIUS setting, type in Host IP (Windows 2008's IP address). Type key, which should match with Windows 2008's RADIUS client. Click Apply
Go back to Server Group Win2008 and under Servers click New. Choose Win2008RADIUS and click Add Server. Click Apply.
Now you can test RADIUS authentication. Diagnostics - Network - AAA Test Server - Choose Win2008RADIUS in the server name. Choose MSCHAPv2. Type in a Windows Active Directory user and password and click Begin Test. If the test is successful, your RADIUS configuration is right. If you set a Wireshark trace, you can observe the RADIUS request and RADIUS accept (TCP 1812) in the trace.
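For the certificate selection step above, where only the CA certificate may be offered, the following added example (not part of the original post) lists the certificates in the NPS server's machine store and marks which ones are server certificates rather than the CA certificate. The suitability criteria (not a CA, Server Authentication purpose, private key present, inside its validity period) and the output column names are assumptions of this example.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# prompt on the NPS server. The suitability criteria below are this
# example's assumptions about what PEAP needs from a server certificate.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # A CA certificate carries Basic Constraints with CA = TRUE.
    $isCa = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            $isCa = $ext.CertificateAuthority
        }
    }

    # Look for the Server Authentication purpose in Enhanced Key Usage.
    $hasServerAuth = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true }
            }
        }
    }

    # The certificate must be inside its validity period and have its key.
    $inValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    $usable = (-not $isCa) -and $hasServerAuth -and $cert.HasPrivateKey -and $inValidity

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        IsCA          = $isCa
        ServerAuthEKU = $hasServerAuth
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        UsableForPEAP = $usable
    }
} | Select-Object Subject, IsCA, ServerAuthEKU, HasPrivateKey, NotAfter, UsableForPEAP |
    Format-Table -AutoSize
```

If no row shows UsableForPEAP as True, the store holds only the CA certificate (or an expired or keyless one) and a server certificate has to be issued before the PEAP step can be completed.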