Windows 2012 R2 - NPS - RADIUS - PKI - Proper Certificate Template for the RADIUS Server and Client Workstation

  • Question

  • Hi there!

    1. Environment: 1 forest of Windows 2008, 1 Active Directory domain, 2 Active Directory sites. There are remote locations without the domain controllers, but their IP networks are assigned to the existing Active Directory sites.
    2. We configured the NPS infrastructure which included the CA (Windows 2012 R2, domain member server), 2 NPS RADIUS servers (Windows 2012 R2, domain member server), 2+ NPS Clients (non-Microsoft network devices WAPs) and wireless laptops (Windows 7, 8, 8.1, domain workstation). Pre-shared secret is used to authenticate NPS RADIUS and NPS Clients (WAPs).
    3. There are 2 main office locations (which are AD sites) and each of the main office locations contains one of the NPS servers.
    4. There are more than 2 remote locations.
    5. Wireless clients are located in all main/remote office locations.

    So far the wireless laptops are authenticated properly using the issued security certificates. However, I would highly appreciate it if you could be so kind as to explain some specifics about the certificate templates which are used for the security certificates!

    The same certificate template is used to generate the security certificates for the NPS RADIUS servers and the wireless clients. This certificate template is duplicated from the RAS and IAS Server certificate template. It was done following the Technet article "NPS Server Certificate: Configure the Template and Autoenrollment".

    Questions:

    1. Is it possible to utilize duplicates of the different templates:
       - "Computer" - for the NPS RADIUS servers
       - "Workstation Authentication" - for the wireless laptops
    2. If not, then what are the technical details of the requirement to use the "RAS and IAS Server" certificate template?

    Thank you very much for your help in advance!

    Wednesday, March 26, 2014 5:06 AM

Answers

  • Hi,

    The answer to your question is yes these templates can be used as you have described.

    The only reason the RAS and IAS Server certificate is used in the article is because it has the Server Authentication EKU. You can see this on the Extensions tab by clicking Application Policies. See the example below.

    See the topic "Certificate Requirements for PEAP and EAP", third bullet: The computer certificate for the NPS server or VPN server is configured with the Server Authentication purpose in Extended Key Usage (EKU) extensions. (The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.)

    To perform client authentication, the template should have the client authentication EKU.

    As it happens, the RAS and IAS Server template has both server and client authentication EKU, so you can use it for both. You can use a "Computer" certificate template too, which has both client and server authentication EKU. The Workstation Authentication template has only client authentication EKU so you can't use this for the NPS server certificate but you could use it for wireless clients. Of course, all the other requirements must also be fulfilled, such as the subject name and subject alternative name requirements.

    -Greg


    Monday, March 31, 2014 11:01 PM
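To check the EKU point Greg makes on an actual machine, the following added PowerShell example (not from the thread or from the Technet article) inspects each certificate in the local computer's personal store and reports whether it carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1, quoted above), the Client Authentication EKU (1.3.6.1.5.5.7.3.2), the template it was issued from and its subject alternative name. It assumes it is run with local administrator rights on the NPS server or on a wireless client; the store path and OIDs are standard Windows values.

```powershell
# Added example: classify certificates in Cert:\LocalMachine\My by the EKUs
# required for PEAP/EAP. OIDs are the standard values, not taken from the thread
# except for Server Authentication which Greg quotes.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$EkuOid        = '2.5.29.37'           # Enhanced Key Usage extension
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension
$TemplateOids  = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'  # v1 / v2+ template info

function Get-EapCertificateRole {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect the EKU OIDs; a certificate with no EKU extension is reported as
    # lacking both, because the NPS requirement is an explicit Server Authentication EKU.
    $ekus = @()
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    if ($ekuExt -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
    }
    $hasServer = $ekus -contains $ServerAuthOid
    $hasClient = $ekus -contains $ClientAuthOid

    $role = if ($hasServer -and $hasClient) { 'NPS server or wireless client' }
            elseif ($hasServer)             { 'NPS server only' }
            elseif ($hasClient)             { 'wireless client only (e.g. Workstation Authentication)' }
            else                            { 'NOT usable for PEAP/EAP: no Server/Client Authentication EKU' }

    # Template name/OID as written by the Windows CA, and the SAN if present.
    $tmplExt = $Cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } | Select-Object -First 1
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        ServerAuth = $hasServer
        ClientAuth = $hasClient
        Template   = if ($tmplExt) { $tmplExt.Format($false) } else { '(none)' }
        SAN        = if ($sanExt)  { $sanExt.Format($false) }  else { '(none)' }
        Role       = $role
    }
}

# Report every certificate in the computer's personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Get-EapCertificateRole -Cert $_ } |
    Format-List
```

On the NPS server, the certificate selected in the PEAP settings should show `ServerAuth = True` and a subject or SAN matching the server's FQDN; on a laptop a Workstation Authentication certificate will show `ClientAuth = True` only, which is what Greg describes.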

All replies

  • Hi,

    Based on my experience, since your environment is in a domain, you can add the NPS servers and the wireless users into different groups and set different permission to the groups with different certificate templates.

    In addition, you can configure autoenrollment so that each computer that is a member of the domain requests a computer certificate when Computer Configuration Group Policy is refreshed.

    Best regards,

    Susie

    Sunday, March 30, 2014 7:16 AM