Step By Step Wireless Certificate Based Authentication?

    Question

  • I'm setting up a new Server 2016 NPS server that will be used for RADIUS wireless authentication based on user certificates.

    I have already added the role to the server and installed a server authentication certificate purchased from a widely trusted commercial CA.

    We will set up an internal CA that will be used to deploy certificates to users, which they will install on their non-domain-joined laptops and Android/iOS mobile devices. Domain-joined laptops will autoenroll certificates and will use computer authentication to connect to wireless.

    How do I create a policy on the NPS server that will allow user smartphones and non-domain-joined laptops to connect to the wireless profile based on user certificate authentication?

    I'm looking for a step-by-step PEAP-TLS NPS wireless connection policy guide that applies to Server 2016 and haven't found one so far.

    Monday, March 19, 2018 5:38 PM

All replies

  • Hi,

    Have a nice day! Thanks for your question.

    The Microsoft Network Policy Server (NPS) can provide authentication and authorization services for users on a wireless network.

    Based on your situation, you may use a self-signed cert or a wildcard cert for the wireless. Moreover, if the number of authenticated clients is large, I suggest you use a wildcard cert for authorization and authentication. A self-signed cert needs to be imported into each client.

    Please try the following article and perform the implementation.

    RADIUS: Creating a Policy in NPS to support EAP-TLS authentication

    https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS%3A_Creating_a_Policy_in_NPS_to_support_EAP-TLS_authentication

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    New-SelfSignedCertificate

    https://docs.microsoft.com/en-us/powershell/module/pkiclient/new-selfsignedcertificate?view=win10-ps

    Regarding accepted wildcards used by server certificates for server authentication, please refer to the following link:

    https://support.microsoft.com/en-us/help/258858/accepted-wildcards-used-by-server-certificates-for-server-authenticati

    Hope the above information is helpful.

    Highly appreciate your effort and time. If you have any questions and concerns, please feel free to let me know.

    Best regards, 

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, March 20, 2018 9:43 AM
  • I don't understand the part about using wildcard certificates.

    Are you saying we should use wildcard certificates for the users instead of giving each user a unique user certificate?

    Tuesday, March 20, 2018 2:12 PM
  • Some of the steps in the Meraki guide don't work. There is no "NAP enforcement" option to select.
    Tuesday, March 20, 2018 2:49 PM
  • What else needs to be done so that the NPS server trusts the user certificates presented by the clients and grants access? Just add the internal root CA as a trusted root certification authority, or is there more to it?
    Tuesday, March 20, 2018 2:52 PM
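As an added illustration for the last question (not part of the thread, and not Microsoft's or Meraki's code): a PowerShell function that checks a certificate against the basic EAP-TLS requirements NPS enforces before it will accept a client or present itself as a server: the Client Authentication or Server Authentication EKU, a chain that builds to a root the machine trusts, a UPN (user cert) or DNS name (computer cert) in the Subject Alternative Name, and current validity dates. It assumes it is run on the NPS server itself, so the chain check reflects that server's Trusted Root and Intermediate Certification Authorities stores; the function name and the file path in the usage lines are placeholders invented for the example.

```powershell
# Added example (not from the thread). Checks whether a certificate meets the basic
# EAP-TLS requirements that NPS applies, so a failing client can be diagnosed on the
# NPS server before digging through RADIUS accounting logs. Assumes it runs on the
# NPS server (or a machine whose Trusted Root store mirrors it).
function Test-EapTlsCertificate {
    [CmdletBinding()]
    param(
        # An X509Certificate2 object (e.g. from Cert:\) or a path to a .cer/.crt file.
        # No private key is needed for these checks.
        [Parameter(Mandatory, ValueFromPipeline)]
        $Certificate,

        # 'Client' for a user/computer certificate, 'Server' for the NPS server certificate.
        [ValidateSet('Client', 'Server')]
        [string]$Role = 'Client'
    )

    process {
        if ($Certificate -is [string]) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Certificate
        } else {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
        }

        # EKU OIDs: 1.3.6.1.5.5.7.3.1 = Server Authentication, 1.3.6.1.5.5.7.3.2 = Client Authentication.
        $requiredEku = if ($Role -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @()
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $hasEku = $ekuOids -contains $requiredEku

        # Build the chain against this machine's stores. A client cert fails here when the
        # internal root (or an intermediate) is missing from Trusted Root / Intermediate CAs.
        # Revocation is skipped so the check works offline; NPS itself does check CRLs.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $root = if ($chain.ChainElements.Count -gt 0) {
            $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        } else { $null }

        # Subject Alternative Name (OID 2.5.29.17): NPS maps a user certificate to the AD account
        # by the UPN in the SAN, and a computer certificate by the DNS name (FQDN) in the SAN.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $hasNameBinding = $san -match 'Principal Name=|DNS Name='

        $now = Get-Date
        $timeValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            Role           = $Role
            HasRequiredEku = $hasEku
            ChainBuilds    = $chainOk
            ChainStatus    = $chainStatus
            ChainRoot      = $root
            SubjectAltName = $san
            SanNameBinding = $hasNameBinding
            TimeValid      = $timeValid
            Passes         = $hasEku -and $chainOk -and $timeValid -and ($Role -eq 'Server' -or $hasNameBinding)
        }
    }
}

# Usage (paths are placeholders for this example):
#   Test-EapTlsCertificate -Certificate 'C:\temp\exported-user-cert.cer' -Role Client
#   Get-ChildItem Cert:\LocalMachine\My | Test-EapTlsCertificate -Role Server | Format-List
```

A `ChainBuilds` of `False` with `ChainStatus` containing `UntrustedRoot` or `PartialChain` is the symptom of exactly the situation the question describes: the internal root (or its intermediate) has not been imported into the NPS server's Trusted Root or Intermediate Certification Authorities store. An EKU or SAN failure points instead at the certificate template the internal CA issued the user certificates from.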