Configure NPS to check certificate purposes before granting network authorization

Question

  • Hello,

    I want my NPS RADIUS server (on Windows Server 2008 R2) to check whether particular OIDs are present on the client's certificate before allowing it access to my Wi-Fi network.

    I cannot find this specific option.

    I can enable an EAP-TLS authorisation policy and have it check the client's certificate, but I also want my RADIUS server to check for the presence of some OIDs in the client's certificate.

    Can you help me, please?

    Thanks :-)

    Best regards

    fred


    Wednesday, January 6, 2016 5:02 PM

Answers

  • Hi Fredus,

    As far as I know, NPS server doesn't have this configuration to check client certificate's OID. And after some research, I got the same result.

    So, it seems we couldn't achieve this goal via NPS server.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Wednesday, January 13, 2016 1:41 AM

All replies

  • Hi Fredus,

    Based on my understanding, you are talking about the "Enhanced Key Usage" of the client's certificate.

    For an NPS RADIUS server, if we use certificates for connection authentication, we need to do the following configuration.

    We may have an AD CS server to issue certificates for the server and the client. On the CS server, we may create two certificate templates, one for the client and another for the server. When creating the certificate, we need to configure the Enhanced Key Usage for each certificate. For example, for the client certificate, we need to add "client authentication" and the other necessary usages.

    Then the client will request to enroll a certificate from the AD CS server; it needs to enroll the certificate whose EKU is configured with "client authentication". If it enrolls another certificate with an incorrect EKU, the client will fail the authentication.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Thursday, January 7, 2016 3:19 AM
  • Hello Anne,

    Thanks for your reply.

    I will explain my question and the context better (sorry for my language, I'm not fluent in English).

    Aim: I want my wireless client (laptop) to be able to connect to my wireless access point only if the client's certificate contains a specific OID.

    I want my RADIUS server to check for the presence of the OID/EKU 1.3.6.1.4.1.311.21.32 on the client's certificate before allowing access to the wireless network.

    This OID/EKU proves that the client certificate's private key is protected by the laptop's TPM chip.

    So, if everything works well, only laptops with a certificate protected by a TPM chip can connect to the wireless network.

    Other clients (that do not have a certificate protected by a TPM chip) cannot connect to the wireless access point.

    In my lab I have:

    - AD CS server that is the Enterprise CA (Win2012R2 server)

    => For the certificate configuration with the Microsoft Platform Crypto Provider I followed this guide:

    https://technet.microsoft.com/en-us/library/dn581921.aspx

    - AD DS server and NPS (Microsoft) server on the same VM (Win2008R2)

    - 1 client computer that is a domain member and has a client computer certificate issued by the CA with the correct OID/EKU on it (Windows 8.1 x64 Pro).

    I'm trying to find the specific settings on the RADIUS server which allow checking for the presence of the OID/EKU on the certificate of the client that wants to connect to the wireless access point.

    But I cannot find it :-/

    Can anybody help me find how to activate this option / check on the RADIUS server, please?

    Thanks for your help ;-)

    Best Regards,

    Fred


    Thursday, January 7, 2016 10:48 AM
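Whatever NPS itself can or cannot evaluate, an administrator still needs to confirm that the enrolled client certificates actually carry the OID Fred quotes. The script below is an added example, not code from this thread or from Microsoft; it assumes it runs on the client (or any Windows host whose machine store you want to audit) and looks for the OID both as an Enhanced Key Usage and inside the Certificate Policies extension, since the page does not say which of the two the template puts it in.

```powershell
# Added example: list machine certificates and report whether a given OID is present,
# either in Enhanced Key Usage (2.5.29.37) or in Certificate Policies (2.5.29.32).
# Default OID is the one quoted in the question; the store path is an assumption.
param(
    [string]$Oid = '1.3.6.1.4.1.311.21.32',
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

function Test-CertHasOid {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $foundIn = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.37') {
            # EKU extension: .NET exposes the usage OIDs as a typed collection.
            $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext
            if ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid }) {
                $foundIn += 'EnhancedKeyUsage'
            }
        }
        elseif ($ext.Oid.Value -eq '2.5.29.32') {
            # Certificate Policies: no typed wrapper, so match the OID in the
            # human-readable rendering ("Policy Identifier=<oid>").
            if ($ext.Format($false) -match [regex]::Escape($Oid)) {
                $foundIn += 'CertificatePolicies'
            }
        }
    }
    return $foundIn
}

Get-ChildItem -Path $StorePath | ForEach-Object {
    $where = Test-CertHasOid -Cert $_ -Oid $Oid
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        HasOid     = ($where.Count -gt 0)
        FoundIn    = ($where -join ',')
    }
} | Format-Table -AutoSize
```

Run it on a test laptop after enrolment: a certificate that reports HasOid = False was issued from a template that did not place the OID where you expect, and would not satisfy any downstream check regardless of how the RADIUS side is configured.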