How to change CA cert on NPS without reinstalling the NPS RRS feed

  • Hey all,

    I'm having an issue attempting to configure WPA2 Enterprise wireless network infrastructure. Allow me to give a little background before moving on to the details.

    Recently following a cybersecurity assessment one of the findings was that my company uses weak WPA2 PSK wireless infrastructure so I had to change it. I'm essentially a one man IT Dept myself and my knowledge is up to MCSA level 1 on Win Server 2012 (I was told RADIUS is taught at level 2 or 3 which is already beyond me). Pardon me for being an idiot in this - all my knowledge on WPA2 Enterprise comes from online articles. 

    To the point,

    I did many trials and errors trying to get it up and running. I set up RADIUS server using Network Policy Server on Windows Server 2012 R2. I configured RADIUS client before knowing I need a Certificate Authority (CA) so I set that up too.

    At first I was setting up PEAP with MSCHAPv2 and all is well. The next move is I wanted to implement EAP TLS instead since PEAP with MSCHAPv2 isn't secure enough. 

    When it comes to certificates is when it started getting messy. I needed IIS apparently, to host the CertSrv website for clients to request certificates. I added the role but the CertSrv website won't appear on the IIS default webpage despite all my efforts. So I ended up uninstalling CA and reinstalling and reconfiguring the CA and now the website is working properly.

    However, my RADIUS server was configured using the old CA certificate and thus I cannot connect any client except those that had the old CA cert before I reinstalled my CA role. My CA server, NPS and IIS are all set up in one physical machine and I tend to get confused when it comes to certificates. 

    Is there a way to change the CA cert without removing and reconfiguring my NPS RADIUS server? I tried the configuration wizard for NPS but it cannot detect the new CA cert.

    For my testing AP I am using a Linksys router running on DDWRT. 


    • Edited by Justin LWC Thursday, July 19, 2018 10:29 AM
    Thursday, July 19, 2018 10:26 AM

All replies

  • Hi,

    Thanks for your question.

    Based on my experience, because old clients trust the old NPS based on the original cert infrastructure, it only allows old clients to connect. We need to re-issue certs for the NPS server and all clients authenticated from the new CA.

    So please try to request the new root CA and its server certs on the NPS and these old clients.

    Highly appreciate your effort and time. If you have any question and concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, July 20, 2018 9:34 AM
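    An added example (not from the thread) of the check the reply above calls for: run on the NPS server, it lists every certificate NPS could present for PEAP/EAP-TLS (Server Authentication EKU with a private key) and reports whether each one still chains to a trusted root and whether that root is the new CA. `$NewRootSubject` and the template name `RASAndIASServer` are assumptions; substitute the subject of the reinstalled CA and whichever server template it publishes.

    ```powershell
    # Added example, not the forum poster's or Microsoft's code.
    # Assumed placeholder: subject name of the root cert of the reinstalled CA.
    $NewRootSubject = 'CN=EXAMPLE-NEW-CA'

    function Get-NpsEapCertificateStatus {
        param([string]$ExpectedRootSubject)

        $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, what EAP clients expect
        $candidates = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey -and
                ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }) }

        foreach ($cert in $candidates) {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Offline check: only the trust path matters here, not CRL reachability.
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $chainOk = $chain.Build($cert)

            # The last chain element is the root (or the last cert found before the path broke).
            $rootSubject = ''
            if ($chain.ChainElements.Count -gt 0) {
                $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            }

            [pscustomobject]@{
                Subject     = $cert.Subject
                Issuer      = $cert.Issuer
                NotAfter    = $cert.NotAfter
                Thumbprint  = $cert.Thumbprint
                ChainBuilds = $chainOk                          # $false for certs from the removed CA
                RootIsNewCA = ($rootSubject -eq $ExpectedRootSubject)
                ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            }
        }
    }

    $status = Get-NpsEapCertificateStatus -ExpectedRootSubject $NewRootSubject
    $status | Format-Table -AutoSize

    # If nothing chains to the new CA, enroll a fresh server cert from it and then
    # pick that cert in the network policy's PEAP/EAP-TLS settings in the NPS console.
    # Template name is an assumption: use the Server Authentication template the new CA publishes.
    if (-not ($status | Where-Object { $_.ChainBuilds -and $_.RootIsNewCA })) {
        Get-Certificate -Template 'RASAndIASServer' -CertStoreLocation Cert:\LocalMachine\My
    }
    ```

    Clients need the same treatment: the new root in their Trusted Root store and, for EAP-TLS, a client certificate issued by the new CA.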
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Michael



    Monday, July 23, 2018 10:22 AM
  • Hi,

    How are things going on?

    Please feel free to let us know if you need further assistance.

    Best regards,

    Michael



    Thursday, July 26, 2018 11:06 AM