NPS - Connecting to NPS RADIUS without using certificates

  • Question

  • Hi,

    I am setting up a wireless network for work. I would like users to access wireless using RADIUS authentication from the NPS server. I have working the username and password access prompt with certificate authentication. My problem is with the certificates complexity for the user, it's difficult to install certificates on each laptop. I have two options:

    1. Switch off the certificate authentication and only have the RADIUS username and password to access the internet.
    2. Somehow distribute the certificate keys easily to users' laptops for installation. Most of my laptop users have low computer knowledge.

    Thanks in advance.

    Saturday, February 18, 2012 1:06 PM

All replies

  • Hi.

    Are the computers in an Active Directory? In that case you should be able to use AD Certificate Services and enable certificate auto-enrollment via GPO.


    Oscar Virot

    • Proposed as answer by Ace Fekay [MCT] Saturday, February 18, 2012 6:10 PM
    Saturday, February 18, 2012 3:01 PM
  • Hi Mike,

    I agree with Oscar, if these are AD joined laptops, you can take advantage of Autoenrollment.

    If not, you can create a cert install package. If you know anyone with an SBS server, you can "borrow" the cert installer package that comes with it. It's a small utility that you can customize by adding your cert (and the intermediate cert, if needed) to the package, distribute it by either emailing it or making it accessible on a website, and it will install the cert(s) in the appropriate cert store. If you can gain access to an SBS 2008 or 2011 installation, the cert installer package is located at:

     • Local Disk: c:\users\Public\Public Downloads
     • UNC: \\servername\Public\Public Downloads
     • UNC: \\sites\Public\Public Downloads

    Here's a thread discussing this:
    Network Policy Server doesn't send intermediate certificates (you have to manually install it, such as using GPO or the SBS installer utility if you can get a hold of it)
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0688c1de-8199-42cd-8e5b-911a581eb22f/

    As for setting up NPS without the cert, you would have to re-configure everything to not use EAP or PEAP, and simply set up the RADIUS username and password on the AP to the NPS. There will be nothing needed on the client laptop side, since you'll only be using RADIUS auth between the RADIUS client (the AP) and the RADIUS server (NPS). The cert method provides security by authenticating clients (the cert is passed from the client to the NPS during the initial connection), but if you remove it, it will only be between the AP and NPS.

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.



    Saturday, February 18, 2012 6:22 PM
  • Hi,

    Thanks for your information. Unfortunately none of the laptops are AD joined, as they are all personal laptops and some guest ones. So I think no certificates is an option, as they only access the Internet and it's not a security risk.

    I've tried for a week now to configure RADIUS without certificates, but the NPS server rejects the request. I am using a WAP-4410n wireless AP. I have the AP's security mode as WPA2-mixed Enterprise, but what settings should I have for the NPS server Authentication Methods?

    Thanks

    Monday, February 20, 2012 5:58 AM
  • I have AD installed but the laptops are not part of AD
    Monday, February 20, 2012 5:58 AM
  • Here's a thread discussing this:

    Network Policy Server doesn't send intermediate certificates (you have to manually install it, such as using GPO or the SBS installer utility if you can get a hold of it)
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0688c1de-8199-42cd-8e5b-911a581eb22f/

    Great posting about "Network Policy Server doesn't send intermediate certificates". Thanks
    Monday, February 20, 2012 6:07 AM
  • Here's a thread discussing this:

    Network Policy Server doesn't send intermediate certificates (you have to manually install it, such as using GPO or the SBS installer utility if you can get a hold of it)
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0688c1de-8199-42cd-8e5b-911a581eb22f/

    Great posting about "Network Policy Server doesn't send intermediate certificates". Thanks

    I hope it helps. Many of the public CAs offer a utility to make sure that their intermediate certs are installed. I use Digicert for my customers, and it's one of the things I need to run to make sure I install Digicert's intermediate cert.

    Try that SBS installer. Let us know how it works.

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, February 20, 2012 6:21 AM
  • Hi Stokie,

    Thanks for posting here.

    It seems we are using a password based authentication method so far. In this case non-domain client computers must have the NPS server certificate installed locally in the Trusted Root Certification Authorities certificate store. This can be done by an administrator installing it manually, or by downloading it from a web site and importing it on the local host:

    http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/3d09809b-ca5d-4486-845d-fe061547ddba

    For more information please refer to the article below:

    Certificates and NPS
    http://technet.microsoft.com/en-us/library/cc772401(WS.10).aspx

    Thanks.

    Tiger Li

    TechNet Community Support

    Monday, February 20, 2012 8:49 AM
  • Hi,

    Thanks Tiger for the information, some good stuffs there. So after much thought I have concluded that I have to go down the certificate route, here is my plan:

    What do you think?

    My problem now is how to get the user to efficiently install the certificate. What I need is a Certificate Installer Package. A previous post by Ace told me there is one in Windows SBS 2008; any idea of another method to create an installer without the use of Windows SBS?

    I have tried to get users to install both the root certificate and CA certificate to allow access, but they get confused when I give the instructions to change the certificate store location. Why doesn't the "Automatically select the certificate store based on the type of certificate" option work correctly? I am using a Win7 client for testing purposes.

    Thanks

    • Edited by Stokie Mike Monday, February 20, 2012 11:43 AM
    Monday, February 20, 2012 11:38 AM
  • Hi Stokie,

    Thanks for posting here.

    I think using a script may help us achieve the goal; here is a sample for reference. Once we execute the script locally, the certificate should be imported to the specified certificate store on the client. It seems just like what we did in SBS:

    Certification File Manager
    http://gallery.technet.microsoft.com/scriptcenter/Certification-File-Manager-be4a6848

    Or perhaps we can get a better method from the Security or Official Script Guy forum:

    http://social.technet.microsoft.com/Forums/en/winserversecurity/threads

    http://social.technet.microsoft.com/Forums/en/ITCG/threads

    Thanks.

    Tiger Li

    TechNet Community Support

    Tuesday, February 21, 2012 7:26 AM
  • Hi Tiger,

    Great idea on the Certification File Manager. I will set on to creating this system, may take a day or two. Will post my results here once I have tried the script.

    Thanks again

    Tuesday, February 21, 2012 12:04 PM
  • Hi,

    Well, I've created the Guest SSID access; it has its own VLAN and ACLs only allowing access to our Intranet webserver. This page is where the user can download the certificates. To provide a simple certificate installation package for the user I used the command line tool certutil.exe. The following command can be used to add the certificates to the local store.

    certutil -addstore -f -enterprise -user root %tmp%\root_ca.cer
    Check out this website for creating an executable batch file:

    http://poweradmin.se/blog/2010/01/23/how-to-distribute-root-certificates-as-exe-files/

    Since I don't have a Wireless Controller to automatically redirect the user to our Guest home page for the certificate download, I may (also looking into alternatives) use a single Linksys WRT54G series router, which is placed in our campus library, with captive portal software installed. Once the user downloads the certificates, they can use the Secure network for accessing LAN services.

    Will keep this thread posted

    • Marked as answer by Stokie Mike Monday, February 27, 2012 12:31 PM
    Wednesday, February 22, 2012 11:47 AM
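An added example, not code from the thread: a PowerShell script that does what the certutil command above does (put a downloaded root CA into the current user's Trusted Root store) but first checks the file's SHA-1 thumbprint against the value the administrator published out of band, so a user on the guest WLAN cannot be tricked into trusting a different root. The file path and the expected thumbprint are placeholders to replace with your own CA's values.

```powershell
# Added example (not from the thread). Import a downloaded root CA certificate into
# CurrentUser\Root only if its SHA-1 thumbprint matches the published value.
# Both parameter defaults are placeholders for your own CA.
param(
    [string]$CertPath = "$env:TEMP\root_ca.cer",
    [string]$ExpectedThumbprint = "0000000000000000000000000000000000000000"  # placeholder
)

if (-not (Test-Path -LiteralPath $CertPath)) {
    Write-Error "Certificate file not found: $CertPath"
    exit 1
}

# Load the certificate; the constructor accepts DER or Base64 .cer files.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Refuse to install anything whose fingerprint differs from the published one:
# a client that trusts the wrong root will accept a rogue RADIUS server during PEAP.
$expected = $ExpectedThumbprint.Replace(" ", "").ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    Write-Error "Thumbprint mismatch: got $($cert.Thumbprint), expected $expected. Not installing."
    exit 2
}

# Open the same store the thread's 'certutil -user root' command targets.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "CurrentUser")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $already = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
        $cert.Thumbprint, $false)
    if ($already.Count -gt 0) {
        Write-Host "Root CA '$($cert.Subject)' is already trusted; nothing to do."
    } else {
        $store.Add($cert)   # Windows prompts the user to confirm adding a root CA
        Write-Host "Installed root CA '$($cert.Subject)' (valid until $($cert.NotAfter))."
    }
} finally {
    $store.Close()
}
```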

  • Hi,

    Just thought I would finalise this thread for others. So my result was as follows:

    I first created a Captive Portal; well, it's actually a DNS re-director from http://dnsredirector.com/. I used software installed on a Windows 2008 R2 VM. I created a page that provides the certificate installation file; see previous post.

    On the WAP4410n AP I used two SSIDs (guest and secure). Using the AP's GUI I configured a separate VLAN for each SSID (VLAN and QoS page). The Guest VLAN is the same VLAN as the Captive Portal machine, therefore only allowing access from the Guest WLAN to the Captive Portal (DNS re-director) and no other services. See http://www.definit.co.uk/2011/06/configuring-guest-wireless-network-restricted-access-production-vlans/ for information using Cisco products.

    The Secure SSID is on the same VLAN as the web server, Intranet servers and NPS RADIUS machine. Once the user downloads the certificates and AntiVirus from the Guest WLAN, they can access the secure WLAN.

    Now I can use certificates easily and have a secure WLAN.

    Hope this helps people in the future.

    • Edited by Stokie Mike Wednesday, February 29, 2012 12:15 PM
    • Marked as answer by Stokie Mike Wednesday, February 29, 2012 12:15 PM
    Wednesday, February 29, 2012 12:11 PM
  • Glad to hear you've come up with a solution and especially sharing it with us.

    Cheers!


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Wednesday, February 29, 2012 5:11 PM
  • Hi

    I am new here.

    I need more about the same for NPS RADIUS on Win 2008 R2 for domain and non-domain wireless clients.

    Is it possible to send me step-by-step detailed information to set up this solution?

    Thanks

    Sunday, June 10, 2012 9:25 AM
  • Hi Harish,

    Sorry did not see your post. Did you still need the setup information?

    Mike

    Sunday, September 9, 2012 11:00 AM
  • Mike, 

    Is it possible you can post a step-by-step doc on this to help others?

    Thanks!


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Sunday, September 9, 2012 2:11 PM
  • Hi,

    Great idea, I will get one posted very soon, I hope you can give me comments back once posted.

    Mike

    Monday, September 10, 2012 7:26 AM
  • Absolutely. And thank you!

    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, September 10, 2012 7:31 AM