Radius authentication PKI and mobile devices

  • Question

  • Hi,

    I would like to know why a user can join the network using an iPad or a cellphone when I have set up my access point and my RADIUS server to use certificates.

    My infrastructure and configuration is as follows.

    Server 1

    - AD DS with one OU called "My company Wireless Access"

    - Inside this OU I have a computer called "NB-Peter" and a security group called "Wireless Users" that contains a user called "James"

    - Linked to this OU I have a GPO with:

        - Wireless Network Policies (Vista)

            Checked: Use Windows WLAN AutoConfig service for clients

            Profile Name: My Company

            Authentication: WPA2-Enterprise

            Encryption: AES

            Select network authentication method: Microsoft Protected EAP (PEAP)

            Authentication Mode: User re-authentication

            At the Network Permissions tab:

                Network Type: Infrastructure

                Permission: Allow

        - Public Key Policies

            Automatic Certificate Request Settings: Computer

            Certificate Services Client - Auto-Enrollment: Enabled

                Checked: Renew expired certificates...

                Checked: Update certificates that use certificate templates

    At Server 2 (RADSVR):

        Active Directory Certificate Services (Enterprise PKI)

        NPS (Local)

            RADIUS Clients: pointing to the IP of the Cisco Wireless LAN Controller

            Policies:

                - Connection Request Policies:

                    Policy Name: My company Wireless Connections

                    Overview: Policy enabled, Type of network access server: Unspecified

                    Conditions: NAS Port Type: Wireless - IEEE 802.11

                    Settings: Authentication Methods: Checked "Override network policy authentication settings"

                        EAP Types: Microsoft Protected EAP (PEAP)

                            EAP Properties: Certificate issued to: RADSVR.domain.com

                            EAP Types: Secured password (EAP-MSCHAP v2)

                    Authentication: Authenticate requests on this server

                - Network Policy:

                    Conditions: Allowed EAP Types: Microsoft Protected EAP (PEAP) or Microsoft Secured password (EAP-MSCHAP v2)

                    Constraints: Authentication Methods:

                        EAP Types: Microsoft Protected EAP (PEAP)

                            EAP Properties: Certificate issued to: RADSVR.domain.com

                            EAP Types: Secured password (EAP-MSCHAP v2)

    Everything else is left at its defaults.

    I did my tests with 2 notebooks and 2 mobile devices.

    First test:

    Notebook: NB-Peter (in domain)

    User: James

    Result: Everything OK, the user could connect to the network and use the Internet

    Second test:

    Notebook: X (not in domain)

    User: James

    Result: As expected (the user could not join the network)

    Third test:

    iPad (not in domain)

    User: James

    Result: The user can join the network

    Fourth test:

    Xperia Arc mobile

    User: James

    Result: The user can join the network

    Thanks in advance for your help.


    Friday, January 20, 2012 7:59 PM

Answers

  • Hi there -

    If the non-domain joined devices trust the CA that issued the server certificate, or if their PEAP properties are configured to NOT check the server certificate, it makes sense that user authentication is successful.

    So to troubleshoot I would do the following:

    - Find out whether the non-domain joined devices have the server-cert issuing CA's certificate in their Trusted Root Certification Authorities store (or whatever the equivalent is for this cert store on these devices). If you purchased your server cert from a third-party CA, such as Verisign, it is possible that the Verisign CA is trusted by default on these devices.

    - If the devices do not trust the CA that issued the server cert to your NPS server, then check the PEAP settings on each device to ensure they are configured to validate the NPS server certificate during the EAP authentication process.

    Thanks -



    James McIllece
    Friday, January 20, 2012 9:40 PM
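An added example, not code from the thread, that models the server-certificate check a PEAP supplicant performs before it hands the user's MSCHAPv2 credentials to the RADIUS server, using constructed profiles for NB-Peter and the iPad; the enterprise CA's name and the iPad's PEAP settings are assumptions, since the thread does not state them. It shows why a device that skips validation, or already trusts the issuing CA, lets James's user credentials through regardless of whether the device itself holds a computer certificate.

```python
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Constructed view of the certificate NPS presents during the PEAP TLS handshake."""
    subject_cn: str
    issuer_cn: str


@dataclass
class PeapProfile:
    """Client-side PEAP settings: 'Validate server certificate' and what it checks against."""
    validate_server_cert: bool
    trusted_roots: set = field(default_factory=set)   # CAs in the device's root store
    server_names: set = field(default_factory=set)    # accepted NPS names; empty = any


def server_cert_check(profile: PeapProfile, cert: ServerCert) -> tuple:
    """Return (accepted, reason) for the RADIUS server certificate, as a supplicant would."""
    if not profile.validate_server_cert:
        # Nothing is checked: the user's MSCHAPv2 credentials go to whichever server answers.
        return True, "validation disabled; any RADIUS server is accepted"
    if cert.issuer_cn not in profile.trusted_roots:
        return False, f"issuer '{cert.issuer_cn}' is not a trusted root on this device"
    if profile.server_names and cert.subject_cn not in profile.server_names:
        return False, f"server name '{cert.subject_cn}' is not an expected NPS name"
    return True, "issuer trusted and server name matches"


# NPS certificate from the thread: issued to RADSVR by the enterprise CA on Server 2.
# The CA's name is an assumption; the thread does not state it.
RADSVR_CERT = ServerCert("RADSVR.domain.com", "MyCompany Enterprise CA")

# NB-Peter: domain joined, so the enterprise root and the GPO wireless profile are present.
NB_PETER = PeapProfile(True, {"MyCompany Enterprise CA"}, {"RADSVR.domain.com"})

# iPad configured by hand with server validation switched off (assumed).
IPAD_NO_VALIDATION = PeapProfile(False)

# iPad that validates but only carries public roots, not the enterprise CA (assumed).
IPAD_VALIDATING = PeapProfile(True, {"Public Root CA (constructed)"})


def run_cases() -> dict:
    """Map each constructed device to whether it would accept RADSVR's certificate."""
    cases = [("NB-Peter", NB_PETER), ("iPad, no validation", IPAD_NO_VALIDATION),
             ("iPad, validating", IPAD_VALIDATING)]
    return {name: server_cert_check(p, RADSVR_CERT)[0] for name, p in cases}
```

The first two cases both pass the certificate check, which is why James can sign in from the iPad; only the third, where the device validates and lacks the enterprise root, stops the connection.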

All replies

  • Hello James,

    What I've done is change the Authentication Mode from "User re-authentication" to "Computer authentication".

    And at Conditions: Allowed EAP Types, Microsoft Protected EAP, or Microsoft Secured password (EAP-MSCHAP v2), I included a security group that contains only the notebooks that are permitted to use the AP.

    Everything works fine: only computers joined to the domain obtain a certificate and authenticate against the RADIUS server, but there is one more thing that I can't figure out how to do. If a notebook obtains a certificate, any user who logs in on that notebook is able to connect to the access point, because I'm using computer authentication.

    I don't know how to restrict other users' access to the network from the same notebook.

    Thanks again.

    Thursday, January 26, 2012 11:02 PM