PEAP TLS with Computer Cert and NPS?

  • Question

  • I set up a Windows Cert server, and NPS server running Win 2008R2, in an
    AD domain.  I am trying to have my wireless clients use Computer based
    certificates, however my NPS server is not seeing it as a proper cert
    for authentication.

    I am able to issue a user based cert ok and it sees it, and
    authenticates just fine.  So I know there are no problems with the
    cisco wireless, or the NPS server as a whole.

    From what I have seen, to make a computer cert, on the PKI server, I
    right click on the "Workstation Authentication" Template, and create a
    new one, change permissions, the Subject name is common name (I have
    tried DNS and Fully Distinguished name as well) and make sure the
    alternate subject name is DNS.

    I then go into the CA portion and create a new certificate template to
    issue, I select the one I created.

    I then go to the client and request a new cert.  Select the cert I
    made, then restart wireless, but instantly it then comes up saying that
    it is unable to locate a cert for the wireless network.

    I have been banging my head on this for some time.  It must be
    something I am missing with the computer cert since I was able to make
    it work with the user cert with no problems.

    Thanks for any assistance!
    Tuesday, January 19, 2010 8:57 PM

Answers

  • Hi,

    Note that you must also install a certificate on NPS that has the "Server Authentication" EKU, which you can get by enrolling a Computer certificate. Are you using this cert with EAP-TLS or PEAP-EAP-TLS? Please let me know if you don't understand the difference.

    Some additional things to check are that both the client and server authentication methods match up, and that the client has the correct certs in Trusted Root Certification Authorities.

    What events are displayed on NPS? Please examine these events and verify that you are matching the expected connection request policy and network policy? Look under Custom Views\Server Roles\Network Policy and Access Services.

    You might have your policies configured a couple different ways. Did you use the policy configuration wizard, selecting NPS in the console tree and then picking "RADIUS server for 802.1X Wireless or Wired Connections" from the drop-down list under Standard Configuration?

    Please let me know how you have authentication configured on both the client and the server and maybe this will point to the issue you are having with a certificate.

    -Greg
    • Marked as answer by Mervyn Zhang Tuesday, January 26, 2010 11:53 AM
    Friday, January 22, 2010 9:50 PM
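    The checks Greg lists (Server Authentication EKU on the NPS side, a usable cert and trusted root on the client side) can be run from the Local Computer store directly. The script below is an added example, not code from the thread or from Microsoft: it walks `Cert:\LocalMachine\My` and reports, for each certificate, whether it carries the EKU the chosen role needs, has a private key, is unexpired, and chains to a trusted root. It assumes PowerShell 3 or later; the `-Role` parameter and the `Test-EapCertificate` / `Get-EkuOids` names are this example's own.

    ```powershell
    # Added example (not from the thread): list the certificates in the Local Computer
    # Personal store and report which of them a supplicant (Client Authentication EKU)
    # or NPS (Server Authentication EKU) could actually use. Assumes PowerShell 3+.

    $ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

    function Get-EkuOids {
        param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
        # The EKU extension lists the purposes the CA issued the cert for. A cert with no
        # EKU extension at all is returned as $null and treated as unrestricted below,
        # which matches how Windows interprets a missing EKU.
        $ext = $Cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($null -eq $ext) { return $null }
        return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    function Test-EapCertificate {
        param(
            [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
            [ValidateSet('Client', 'Server')][string]$Role
        )
        $needed = if ($Role -eq 'Client') { $ClientAuthOid } else { $ServerAuthOid }
        $ekus = Get-EkuOids -Cert $Cert
        $problems = @()
        if ($null -ne $ekus -and $ekus -notcontains $needed) { $problems += "missing EKU $needed" }
        if (-not $Cert.HasPrivateKey)                        { $problems += 'no private key' }
        if ($Cert.NotAfter -lt (Get-Date))                   { $problems += 'expired' }
        # Verify() builds the chain against this machine's Trusted Root store, so a failure
        # here is the "correct certs in Trusted Root Certification Authorities" check.
        if (-not $Cert.Verify())                             { $problems += 'chain does not build to a trusted root' }
        $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        [pscustomobject]@{
            Subject  = $Cert.Subject
            Issuer   = $Cert.Issuer
            SAN      = if ($san) { ($san.Format($false) -replace '\s+', ' ') } else { '(none)' }
            Usable   = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }

    # On a domain workstation run with Client (the default); on the NPS server run with Server.
    $role = if ($args.Count -gt 0) { $args[0] } else { 'Client' }
    Get-ChildItem Cert:\LocalMachine\My |
        ForEach-Object { Test-EapCertificate -Cert $_ -Role $role } |
        Format-Table Subject, Usable, Problems, SAN -AutoSize
    ```

    Run it in an elevated PowerShell on the client and again on the NPS server (with `Server` as the first argument). A computer certificate that shows `Usable = False` with `missing EKU 1.3.6.1.5.5.7.3.2` explains an "unable to locate a certificate" message on the client; one that shows `chain does not build to a trusted root` points at the Trusted Root store rather than the template.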

All replies

  • Sorry to hijack but I've been having the same issue, glad to see I'm not the only NPS noob
    Wednesday, January 20, 2010 6:52 PM
  • Hi,

    On the client computer, check to see that the computer certificate exists. Here is where to look:



    Note that this is in the Local Computer certificate store, not the user certificate store.

    If it isn't there, try to manually enroll the certificate. See below.



    If this isn't allowed then there may be a permissions problem. If you can enroll manually, then you don't have autoenrollment configured correctly.

    Let me know what you find out and we'll go from there.

    -Greg
    Friday, January 22, 2010 6:41 AM
  • Thanks Greg for the comment.

    I am able to request the certificate ok.  I see it in the store as a computer certificate, but it seems the NPS server does not see it as an authentication certificate.  I can request a User cert with no problems and then it will take it, and authenticate it to the WLAN with no issues.  If I only have the machine "Workstation Authentication", then it does not see it as a valid cert and I am unable to connect to that SSID.

    Thanks for your comment!
    Friday, January 22, 2010 4:02 PM
  • Sorry for my delay.  I did have the trusted roots setup right.  I was able to make it work with my User Cert. 

    I did a wireshark sniff on the laptop, and when I use the user cert:
    • I see the Cisco Controller do a EAP request Identity.
    • Then the laptop responds EAPOL Start
    • Cisco responds: Request Identity
    • Laptop responds to that.
    • Cisco Request PEAP
    • Laptop: Client Hello
    • Cisco: request PEAP
    • Laptop: Response PEAP
    • Cisco: TLS - Server Hello, Certificate Request, Server
    • Laptop: TLS - Certificate, Client Key Exchange, Change Cipher Spec
    • Cisco: Encrypted Handshake Message
    • Laptop: Response PEAP.
    Etc...  Then it connects.

    When I only have the Machine cert, I get the first 3 lines.  Then Cisco keeps requesting Identity 2 more times, then nothing.  Like the laptop has nothing to respond back with even though it has a Computer Cert.

    Weird.

    Thanks!
    Tuesday, February 9, 2010 9:54 PM
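    The trace above is easier to reason about when the EAPOL/EAP headers are decoded frame by frame: in the working case the laptop answers the controller's Request/Identity, in the machine-cert case it never does. The following is an added example, not code from the thread: it decodes the EAPOL and EAP headers of a few constructed frames modelled on the two exchanges described (the byte values, the `host/pc1` identity and the AP/Laptop labels are all made up here) and flags the "Identity requested, never answered" pattern. It assumes PowerShell 3 or later; the function names are this example's own.

    ```powershell
    # Added example (not from the thread): decode EAPOL/EAP headers from constructed byte
    # arrays and report the "Identity requests with no Identity response" stall that the
    # machine-cert capture shows. Assumes PowerShell 3+.

    $EapolTypes = @{ 0 = 'EAP-Packet'; 1 = 'EAPOL-Start'; 2 = 'EAPOL-Logoff'; 3 = 'EAPOL-Key' }
    $EapCodes   = @{ 1 = 'Request'; 2 = 'Response'; 3 = 'Success'; 4 = 'Failure' }
    $EapTypes   = @{ 1 = 'Identity'; 13 = 'EAP-TLS'; 25 = 'PEAP' }

    function ConvertFrom-EapolFrame {
        param([byte[]]$Bytes, [string]$From)
        # EAPOL header: version(1) type(1) length(2, big-endian); EAP only follows for type 0.
        $eapolType = [int]$Bytes[1]
        $r = [ordered]@{ From = $From; Eapol = $EapolTypes[$eapolType]; Code = $null; Id = $null; Type = $null; Detail = '' }
        if ($eapolType -eq 0 -and $Bytes.Length -ge 8) {
            # EAP header: code(1) identifier(1) length(2); Request/Response carry type(1) + data.
            $r.Code = $EapCodes[[int]$Bytes[4]]
            $r.Id   = [int]$Bytes[5]
            $eapLen = ([int]$Bytes[6] -shl 8) -bor [int]$Bytes[7]
            if ($eapLen -gt 4 -and $Bytes.Length -ge 9) {
                $t = [int]$Bytes[8]
                $r.Type = if ($EapTypes.ContainsKey($t)) { $EapTypes[$t] } else { "Type $t" }
                if ($t -eq 1 -and $eapLen -gt 5) {
                    # Identity data is the supplicant's identity string (empty in a Request).
                    $r.Detail = [System.Text.Encoding]::ASCII.GetString($Bytes, 9, $eapLen - 5)
                } elseif (($t -eq 25 -or $t -eq 13) -and $eapLen -gt 5) {
                    # PEAP / EAP-TLS data starts with a flags byte: L(0x80) M(0x40) S(0x20), version in low 3 bits.
                    $flags = [int]$Bytes[9]
                    $bits = @()
                    if ($flags -band 0x80) { $bits += 'L' }
                    if ($flags -band 0x40) { $bits += 'M' }
                    if ($flags -band 0x20) { $bits += 'S' }
                    $r.Detail = 'flags=' + ($bits -join '') + ' ver=' + ($flags -band 0x07)
                }
            }
        }
        [pscustomobject]$r
    }

    function Test-EapIdentityStall {
        param([object[]]$Decoded)
        # The symptom in the machine-cert capture: the authenticator repeats Request/Identity
        # and the supplicant never sends Response/Identity, so no TLS exchange ever starts.
        $requests  = @($Decoded | Where-Object { $_.Code -eq 'Request'  -and $_.Type -eq 'Identity' }).Count
        $responses = @($Decoded | Where-Object { $_.Code -eq 'Response' -and $_.Type -eq 'Identity' }).Count
        if ($requests -gt 0 -and $responses -eq 0) {
            return "STALL: $requests Identity request(s), no Identity response - the supplicant found no credential it can offer for this profile"
        }
        return "OK: $responses Identity response(s) to $requests request(s)"
    }

    # Constructed frames (EAPOL payload only, Ethernet header omitted), modelled on the two captures.
    $identityBytes = [System.Text.Encoding]::ASCII.GetBytes('host/pc1')   # made-up identity
    $userCertTrace = @(
        @{ From = 'AP';     Bytes = [byte[]](0x01,0x00,0x00,0x05, 0x01,0x01,0x00,0x05,0x01) }            # Request/Identity
        @{ From = 'Laptop'; Bytes = [byte[]](0x01,0x01,0x00,0x00) }                                      # EAPOL-Start
        @{ From = 'AP';     Bytes = [byte[]](0x01,0x00,0x00,0x05, 0x01,0x02,0x00,0x05,0x01) }            # Request/Identity
        @{ From = 'Laptop'; Bytes = [byte[]](0x01,0x00,0x00,0x0d, 0x02,0x02,0x00,0x0d,0x01) + $identityBytes }   # Response/Identity
        @{ From = 'AP';     Bytes = [byte[]](0x01,0x00,0x00,0x06, 0x01,0x03,0x00,0x06,0x19,0x20) }       # Request/PEAP, S flag
        @{ From = 'Laptop'; Bytes = [byte[]](0x01,0x00,0x00,0x0b, 0x02,0x03,0x00,0x0b,0x19,0x00,0x16,0x03,0x01,0x00,0x00) }  # Response/PEAP, start of Client Hello
    )
    $machineCertTrace = @(
        @{ From = 'AP';     Bytes = [byte[]](0x01,0x00,0x00,0x05, 0x01,0x01,0x00,0x05,0x01) }
        @{ From = 'Laptop'; Bytes = [byte[]](0x01,0x01,0x00,0x00) }
        @{ From = 'AP';     Bytes = [byte[]](0x01,0x00,0x00,0x05, 0x01,0x02,0x00,0x05,0x01) }
        @{ From = 'AP';     Bytes = [byte[]](0x01,0x00,0x00,0x05, 0x01,0x03,0x00,0x05,0x01) }
        @{ From = 'AP';     Bytes = [byte[]](0x01,0x00,0x00,0x05, 0x01,0x04,0x00,0x05,0x01) }
    )

    foreach ($trace in @(@{ Name = 'user cert'; Frames = $userCertTrace }, @{ Name = 'machine cert only'; Frames = $machineCertTrace })) {
        "--- $($trace.Name) ---"
        $decoded = foreach ($f in $trace.Frames) { ConvertFrom-EapolFrame -Bytes $f.Bytes -From $f.From }
        $decoded | Format-Table From, Eapol, Code, Id, Type, Detail -AutoSize | Out-String
        Test-EapIdentityStall -Decoded $decoded
    }
    ```

    The point of the decode is where the conversation stops: a supplicant that sends EAPOL-Start but never answers Request/Identity has not rejected the server or failed TLS, it has found nothing it is willing to offer for that profile, which puts the problem on the client-side certificate selection (template, EKU, store, or the profile's user/computer authentication mode) rather than on NPS.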
  • Hi!

    I have exactly the same problem, everything works fine with user cert but with only computer cert it won't work. Did you get a solution?

    Mikael

    Friday, October 11, 2013 12:52 PM