Issue in deploying EAP-TLS using NPS Server 2008 CA and Windows 7

  • Question

  • Hi there,

    I am trying to put WPA-Enterprise security on my wireless network. In my environment, most of the wireless users are non-domain users, including mobile phones. At first I started with PEAP authentication, and that worked for me. I was using a Server 2008 Root CA, NPS as the RADIUS server and different clients, including non-Windows ones as well.

    When I enabled PEAP authentication, clients used to ask for a domain username and password; once the username and password were entered, all the different clients were getting connected to my WPA-Enterprise-enabled wireless.

    Then I thought of using certificate-based authentication, that is EAP-TLS, the reason being administrative overhead. For each user I would need to create a domain user account, and if they forget the username or password then that's going to be another headache.

    So when I changed my Network Policies in NPS to accept EAP-TLS by selecting the "Smart card or other certificate" option for authentication, and made the respective changes on the client side, my wireless was no longer working with the new settings.

    I found that EAP-TLS requires a user certificate on the client side to authenticate the user and a computer certificate on the NPS server. The NPS server already has the computer certificate, so I issued a user certificate and imported it to the client under "Trusted Root Authority"; it didn't work either.

    I also enabled web enrollment and got a user certificate from that, but my client still says "A certificate is required to connect to SSID, contact your network administrator".

    Can anybody tell me a simple way to authenticate wireless clients using certificates? I am ready to import the certificates to the clients manually.

    Thanks in Advance.


    Network Engineer
    Tuesday, March 1, 2011 6:50 AM

Answers

  •  

    Solved!!

    Wireless clients require 2 certificates to be imported. One certificate is the Root CA certificate, which would establish the trust relationship with the certificate authority, and the other certificate would be the user certificate for authentication.

    The Root CA certificate will be imported into Trusted Root Authority under the User account, and the user certificate will be imported into Personal under the User account. I used the web enrollment tool to get these certificates.

    NPS already has a computer certificate installed and is running on the "Smart card or other certificate" authentication option.

    That's all!!

    All the best..


    Network Engineer
    • Marked as answer by Fahad Afzal Tuesday, March 1, 2011 12:06 PM
    Tuesday, March 1, 2011 12:06 PM

All replies

  •  

    Can anybody correct me if I am wrong:

    The NPS server would have a computer certificate with the Server Authentication EKU, and the client would need a user certificate with the Client Authentication EKU?


    Network Engineer
    Tuesday, March 1, 2011 7:35 AM
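    The accepted answer names two certificates and two stores on the client, and the reply above asks which EKU each certificate needs. The PowerShell script below is an added check written for this thread, not code from any poster or from Microsoft: run on a Windows 7 client it verifies the Root CA sits in CurrentUser\Root and a usable Client Authentication certificate sits in CurrentUser\My; with -CheckNps it verifies the NPS computer certificate in LocalMachine\My instead. `$CaSubjectName` is an assumed placeholder, and the script assumes user certificates are issued directly by that Root CA.

```powershell
# Added check (editor's example, not from the thread): verify a client holds the two
# certificates the accepted answer describes, in the stores it names, and that the
# user certificate carries the Client Authentication EKU asked about in the reply.
# $CaSubjectName is an assumed placeholder; set it to your Server 2008 Root CA's subject.
param(
    [string]$CaSubjectName = 'CN=Example Root CA',  # placeholder, not from the thread
    [switch]$CheckNps                                # run on the NPS server instead of a client
)

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

# True if the certificate's Enhanced Key Usage extension (OID 2.5.29.37) lists $Oid.
function Test-Eku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return $false }
    return [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
}

if ($CheckNps) {
    # NPS side: a computer certificate with the Server Authentication EKU and a private key
    $nps = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (Test-Eku $_ $ServerAuthEku) })
    if ($nps.Count) { "OK: NPS server certificate $($nps[0].Subject)" }
    else { "MISSING: no Server Authentication certificate in LocalMachine\My" }
    return
}

# Client check 1: the Root CA in the user's Trusted Root store (CurrentUser\Root)
$root = @(Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Subject -eq $CaSubjectName })
if ($root.Count) { "OK: Root CA present, thumbprint $($root[0].Thumbprint)" }
else { "MISSING: Root CA not in CurrentUser\Root" }

# Client check 2: a user certificate in Personal (CurrentUser\My) issued directly by that CA
# (assumption), still valid, with a private key and the Client Authentication EKU
$user = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Issuer -eq $CaSubjectName -and $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and (Test-Eku $_ $ClientAuthEku) })
if ($user.Count) { "OK: user certificate $($user[0].Subject)" }
else { "MISSING: no usable Client Authentication certificate in CurrentUser\My" }

# The mistake in the question: a user certificate imported into Trusted Root instead of Personal
$misplaced = @(Get-ChildItem Cert:\CurrentUser\Root | Where-Object { Test-Eku $_ $ClientAuthEku })
if ($misplaced.Count) { "WARNING: $($misplaced.Count) Client Authentication certificate(s) in CurrentUser\Root; they belong in CurrentUser\My" }
```

    Arrays are wrapped in @() so the .Count checks behave the same under the PowerShell 2.0 that shipped with Windows 7.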
  • Hello Fahad,

    I have a question about this type of authentication. I understand that I have to create two certificates, one Root CA and one user certificate; once I have created them, I need to install both in the NPS server and in the client device. Then I have to create a policy in the NPS in order to configure a policy for Smart card or other certificate. Then when the user goes to connect to the SSID, does some kind of authentication login appear on the client machine, or are the certificates the only thing that the client needs in order to get associated with the SSID?


    Thanks and regards

    Friday, July 15, 2011 8:38 AM
  •  

    Hi Jose,

    A computer certificate will be loaded on the NPS server, whereas the Root CA and the user certificates will have to be imported on the client side. While configuring the wireless profile on the client, you will validate the server certificate, and the CA authority will have to be selected in order to get authenticated.

    The user will not be asked for any credentials, as you are authenticating the client through certificates.

    I hope that I have answered your question.


    Network Engineer
    Monday, August 8, 2011 7:04 PM
  • Thanks for your reply!!

    I'll try this week to test your configuration; I'll post here if it works for me :)

    Tuesday, August 16, 2011 6:46 AM
  • Hi Fahad,

    Can I confirm: when you chose "Smart card or other certificate", were you using EAP-TLS on NPS Server 2008 R2? I have got it working with PEAP-MSCHAPv2, however I was not sure where I could choose "EAP-TLS". Did you see "EAP-TLS" listed in the NPS logs?

    On the same note, let's say we have a supplicant and a new user. We want this new user to be using a particular WLAN. For example, a new student in Year7, so we want this user to be automatically connected to Year7WLAN as soon as he logs in. So, am I correct in saying we are looking at the laptop connecting to the Year7 WLAN even before the new user logs in? Would this be VLAN tagging based on computer accounts? Any suggestions would be much appreciated!!


    Thank you,

    Sunday, August 28, 2011 12:26 PM