Monday, July 18, 2011 1:37 PM
Looking for some guidance on how to get PKI implemented correctly with NPS used with WLAN.
I have setup the RADIUS client portion on the server, but can't put my finger on what else is missing from the setup.
Is there any documentation on how the implementation should be designed to communicate with backend AD for PKI?
Any help would be greatly appreciated.
Monday, July 18, 2011 11:04 PM
This guide explains how to create a server certificate for use with NPS:
- Core Network Companion Guide: Deploying Server Certificates at http://technet.microsoft.com/en-us/library/dd772727(WS.10).aspx
Then to deploy wireless access using PEAP-MS-CHAP v2, use this guide:
- Core Network Companion Guide: Deploying Password-based 802.1X Authenticated Wireless Access at http://technet.microsoft.com/en-us/library/ff919508(WS.10).aspx
PEAP-MS-CHAP v2 uses a server certificate so that NPS can prove its identity to clients that are connecting to the network; while users provide user name and password to log on.
As for NPS communication with AD, it is automatic; you don't need to configure anything for that to work.
Just make sure the RADIUS clients in NPS map directly to your APs and that you use the same shared secret per "AP/RADIUS Client in NPS" pair.
Also ensure that you enable EAP communication on your APs so that they forward authentication traffic to and from the NPS server and connecting client.
Hope that helps -
- Marked as answer by Rick Tan (Moderator), Thursday, July 28, 2011 2:49 AM
Tuesday, July 19, 2011 6:43 PM
Thanks I will look into the links you provide.
Thursday, July 21, 2011 6:27 PM
I think I may be missing a certificate on the RADIUS server. The RADIUS server was created to handle client authentication only. We have DCs upstream that perform all the authentication.
Is that what could be missing on the RADIUS server?
I'm hardly a Microsoft guru!
Thursday, July 21, 2011 8:41 PM
Hi Cedric -
Where or whether you need certificates depends on the authentication method that you want to use and how secure that authentication method is. Basically, the more certificates you use, the more secure the authentication method is, so the most secure authentication method in Windows Server 2008 and R2 is Protected Extensible Authentication Protocol (PEAP) with Transport Layer Security, or PEAP-TLS.
With that authentication method, the NPS server uses a certificate to prove its identity to client computers (which helps defeat a malicious attack of someone deploying a fake NPS server), and client computers use a certificate to prove their identity to the NPS server.
The method we discussed before (PEAP-MS-CHAP v2) is similar, but easier to deploy and allows users to provide password based credentials rather than having a certificate on the computer or on a smart card.
So if you want to deploy PEAP-MS-CHAP v2 for wireless (which is recommended due to the good security and additional features that this authentication method provides for wireless, like PEAP fast reconnect), you need to have a certificate on the NPS server that client computers trust.
For clients to trust the certificate, they must have the issuing certification authority (CA) certificate in their Trusted Root Certification Authorities certificate store. (You can view this store on a client or server by clicking Run, typing MMC and Enter, and then adding the Certificates snap-in to the Microsoft Management Console.)
Also, just to clarify - when you deploy NPS, it performs authentication of the connecting client. With PEAP-MS-CHAP v2, it sends its certificate to the client, so the client authenticates the NPS server and verifies that it is genuine. In addition, the client sends the user credentials to NPS, and NPS then queries Active Directory to find out whether the credentials are valid.
In addition, NPS checks to ensure that the client is authorized to connect to the network. In other words, the credentials might be fine and the client or user is successfully authenticated, but that client or user might not have permission to connect to the network for a myriad of reasons, such as they're only allowed to connect between 8 and 5, or they aren't allowed to connect wirelessly, or whatever restrictions you might have configured.
Hope this is of some assistance...
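The two certificate prerequisites described in the reply above (a usable server-authentication certificate on the NPS server, and the issuing CA in the clients' Trusted Root store) can be checked with the following PowerShell script; it is an added example written for this thread, not code from the poster or from Microsoft's guides. It assumes an elevated PowerShell session on Windows, and the CA thumbprint passed to Test-ClientTrustsIssuer is a placeholder you replace with the one reported for your own NPS certificate chain.

```powershell
# Added example: verify PEAP-MS-CHAP v2 certificate prerequisites for NPS.
# Run in an elevated PowerShell session. The thumbprint argument is a placeholder.

function Test-NpsServerCertificate {
    # On the NPS server: find a machine certificate PEAP can present to clients.
    # NPS requires the Server Authentication EKU, a private key, an unexpired
    # certificate, and a chain that builds to a trusted root.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
    }
    if (-not $candidates) {
        Write-Warning 'No usable Server Authentication certificate in LocalMachine\My; NPS cannot prove its identity to clients.'
        return $null
    }
    foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; use 'Online' when CRLs are reachable
        $built = $chain.Build($cert)
        # Chain elements run leaf -> root, so the last element is the root CA.
        $rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            ChainBuilds    = $built
            RootSubject    = $rootCert.Subject
            RootThumbprint = $rootCert.Thumbprint   # clients must trust this one
        }
    }
}

function Test-ClientTrustsIssuer {
    # On a wireless client: the CA certificate must be in Trusted Root Certification
    # Authorities (Cert:\LocalMachine\Root), otherwise PEAP server validation fails.
    param([Parameter(Mandatory)][string]$CaThumbprint)
    $match = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $CaThumbprint.ToUpper() }
    if ($match) { "Trusted: $($match.Subject)" }
    else { "NOT trusted: CA $CaThumbprint is missing from the Trusted Root store" }
}

# Usage: run the first on the NPS server, the second on a client with the
# RootThumbprint value from the server output.
# Test-NpsServerCertificate | Format-List
# Test-ClientTrustsIssuer -CaThumbprint 'PLACEHOLDER_CA_THUMBPRINT'
```

If the server check reports ChainBuilds as False, or the client check reports NOT trusted, the failure symptom on the client is usually a server-validation prompt or a silent EAP failure rather than a credential error, which is why it is worth checking before the RADIUS client and shared-secret settings.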