Radius authentication issues with multiple CAs in domain

  • Question

  • Hello,

    We currently have a Root CA which is also the Issuing CA, set up on the same Windows 2003 DC. This CA server has published client computer certs to all our workstations/laptops in the domain. The client/computer cert is used during authentication to connect to our corporate wireless.

    We are currently using EAP-TLS for our wireless authentication, which basically checks for server-side as well as client-side certs. We have a production Radius server and a testing Radius server. On both Radius/NPS servers we have selected "Microsoft: Smart Card or other certificate" as the authentication type under the EAP settings.

    The plan is to retire this old Windows 2003 setup and start everything fresh on the Windows 2012 platform. We do not want to migrate the current PKI but want to set up a new PKI from scratch.

    So, I have set up a new Root CA and an Enterprise Issuing CA server, both on Windows 2012 R2, in parallel to the Windows 2003 server for testing. This 2012 Root CA is standalone and has not been joined to our domain, so it is not conflicting with the current Windows 2003 CA. Also, on the new 2012 issuing CA server, I created a computer template and issued it to a couple of workstations for testing purposes. I can see a new computer certificate coming from this new issuing CA in the "Personal Certificates" store of those test workstations, in addition to the existing certificates issued by the 2003 CA. My test Radius server has also been configured to use a server certificate issued from this 2012 CA as its proof of identity.

    Now I am unable to connect to corporate wireless from these workstations. The moment I delete the client computer cert coming from the new 2012 CA, the workstation is able to authenticate successfully to the Radius server and connect. Is it that the 2 client certs which are in the personal certificate store of that PC are conflicting with each other? I am not clear as to why they would conflict with each other, and why, upon deleting the new cert, I can connect successfully using the old client cert. It seems that there is some dependency that my test Radius server still looks for, and it authenticates ONLY if the client computer certificate is issued by the old Windows 2003 CA instead of the 2012 Issuing CA.

    • Edited by Neeraj_Shah Sunday, February 1, 2015 8:54 PM typo
    Sunday, February 1, 2015 8:49 PM

All replies

  • Hi Neeraj_Shah,

    With EAP-TLS the minimum certificate requirement is that the client certificate is issued by an enterprise certification authority (CA), or that it maps to a user account or to a computer account in the Active Directory directory service; therefore you cannot use the standalone CA.

    Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS

    I’m glad to be of help to you!


    Tuesday, February 3, 2015 6:41 AM
  • Hello Alex,

    Thanks for replying. I get that, and we have EAP-TLS already in place and working fine via a Windows 2003 Domain Controller which is also our Enterprise Root and Issuing CA. All client computers joined to our domain have a computer certificate in their PERSONAL store for client/server authentication, issued by this Windows 2003 DC.

    The problem I am facing is:

    I have set up a parallel environment as follows on a new Windows 2012 PKI setup. Let's say Server A is the new Windows 2012 offline standalone Root CA and Server B is the new Windows 2012 Enterprise Issuing CA. This is all in the same domain where the Windows 2003 CA mentioned above resides, since it is a parallel environment.

    I also have a Server C which is acting as a test Radius server. This Radius server has received a certificate from the Server A Root CA in its store and is also configured to use this cert as its PROOF of identity in the EAP settings.

    I have published new computer templates/certificates coming from Server B to a couple of test laptops joined to the domain. The certificate chain correctly reads "Server A->ServerB->" on each client certificate. So, the personal certificate store on each of these laptops now has 2 computer certificates: (1) one issued by the new Windows 2012 Server B, (2) the other one from the original Windows 2003 Root CA.

    Now when we attempt to connect to a test wireless access point from these test laptops, the Radius server (Server C) fails to authenticate them. Technically this should work because the laptop has the computer certificate in its store. We are seeing that the moment we delete the computer certificate issued by the Windows 2012 Server B on the laptop, it successfully connects to the wireless network. So that means the Radius server is still looking for a certificate issued by the old Windows 2003 CA, and that is why it is able to authenticate them successfully. Hope I am clear.

    How can I make my client laptops present the correct certificate, out of the 2 they have, to the NPS server, or vice versa? It seems the fact that the laptops have 2 certs in their personal store confuses the Radius server.

    • Edited by Neeraj_Shah Tuesday, February 3, 2015 3:37 PM typo
    Tuesday, February 3, 2015 3:35 PM
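Before deleting either certificate, it helps to see exactly what EAP-TLS has to choose from on one of the test laptops. The script below is an added example, not something posted in this thread or shipped with NPS: it lists every certificate in the machine Personal store that carries the Client Authentication EKU, builds its chain with the .NET X509Chain class, and reports which root each chain ends at and whether that root is present in the laptop's Trusted Root store. Store paths and the EKU OID are standard Windows values; the output field names are this example's own.

```powershell
# Added diagnostic (not from the thread): enumerate EAP-TLS candidate certificates
# on a domain-joined laptop and show which root each one chains to.
# Run in an elevated PowerShell session on the test machine.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, required for EAP-TLS
$trustedRoots  = Get-ChildItem Cert:\LocalMachine\Root |
                 Select-Object -ExpandProperty Thumbprint

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs on this certificate; skip anything that is not a client-auth cert.
    $ekus = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
    if ($ekus -notcontains $clientAuthOid) { return }

    # Build the chain the way the local machine would; revocation is left out here so the
    # output shows chain shape and trust only (check CRL/OCSP reachability separately).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey        # EAP-TLS cannot use a cert without its key
        ChainBuilds   = $built
        ChainRoot     = $root.Subject              # old 2003 root or new Server A root
        RootTrusted   = ($trustedRoots -contains $root.Thumbprint)
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
    $chain.Reset()
} | Format-List
```

In the situation described above you would expect two rows, one chaining to the Windows 2003 root and one chaining to Server A via Server B. If the Server A row shows `RootTrusted = False` or a non-empty `ChainStatus`, the new root has not reached the laptop's trusted store and the new certificate is not a usable candidate. If both rows look healthy, the laptop side is fine and the remaining questions are which certificate the wireless profile's EAP-TLS settings select, and what reason the NPS server records for the rejection in its Security event log, which is where to look next rather than at the certificate store.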
  • Hello,

    Sorry to bump this, I am experiencing these same issues...did you find a resolution to this?

    Monday, October 30, 2017 3:09 PM