NPS & RADIUS Authentication with SmartCard

  • Question

  • Working on a data switch for PKI Smart Card authentication using RADIUS to provide Authentication and Authorization to the CLI. So not a PEAP, EAP, 802.1x type solution. Client Access with return attribute that provides Authorization to the device.

    The user name is taken from the Subject of the X.509 Certificate and what we are missing is what needs to be sent via RADIUS PAP/CHAP/MS-CHAP as the password. I have seen a number of responses around the internet and here on TechNet. None answer the question. The certificate as the password is too big if NPS follows the RFC. Smallest size would be 2k and the RFC only allows 128 characters. It would not be the private key, that would be something you should not be sharing and also too big. So what gets sent as the password to NPS? Is this even supported?

    Note, RADIUS configuration was tested prior to activating smartcard authentication. Standard user name and password works just fine and provides RADIUS return attribute that enables authorization on the networking device.

    Windows Server 2016 Data Center

    Active Directory with SmartCard enabled on Users

    NPS Installed and Configured to support RADIUS Client Authentication and Authorization

    Third Party Data Networking device configured to use NPS as a RADIUS server for Authentication and Authorization.  

    Wednesday, 30 October 2019 14:58

All replies

  • Hi,

    Based on the complexity and the specific situation, we need do more researches.

    If we have any updates or any thoughts about this issue, we will keep you posted as soon as possible.

    Your kind understanding is appreciated.

    If you have further information during this period, you could post it on the forum, which help us understand and analyze this issue comprehensively.

    Best regards,



    Thursday, 31 October 2019 08:25
  • Hello heliumCraig,

    Are you trying to develop/program an authentication mechanism? On the one hand, that is the only scenario I can immediately think of where one would need to be concerned with attribute types and attribute values in RADIUS messages, but on the other hand the suggestion that one could send a certificate or private key as a "password" speaks against this possibility.

    Some standard protocol/mechanism (perhaps EAP-TLS) will be needed to communicate and verify the certificate and prove knowledge of its private key. The various exchanges of information needed for the process are conveyed to NPS in RADIUS EAP-Message attributes - there will be several RADIUS message exchanges between the "data switch" and NPS (not just one exchange carrying anything recognizable as a "password").


    Thursday, 31 October 2019 15:34
  • Not trying to develop an application. I am working on a data network switching device; the remote console access is authenticated and authorized through RADIUS for SSH access to the platform. I was thinking about EAP-TLS but could find no reference that shows it could be used in that fashion. Typically see it with 802.1x for ethernet or wireless port authentication. In this scenario for it to work the EAP-TLS channel will be between the switch and the RADIUS server (NPS). Not by the client and the RADIUS server. SSH clients support passing a certificate for authentication but not EAP methods.
    Thursday, 31 October 2019 18:44
  • Hello heliumCraig,

    Is this an accurate description of the situation?

    A client can connect to the "data network switching device" via a number of protocols such as SSH and Telnet. The "data network switching device" can be configured to authenticate these connections locally or to delegate the authentication to a RADIUS server (when possible).

    The "data network switching device" allows RADIUS to be configured as the primary password authentication verification method (for mechanisms such as PAP/CHAP/MS-CHAP(v2)), but makes no mention of delegating certificate based authentication to RADIUS.

    RFC 2865 (Remote Authentication Dial In User Service (RADIUS)) describes the attributes for conveying User-Password, CHAP-Challenge and CHAP-Password to/from the RADIUS server and RFC 3579 (RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)) describes the attributes for conveying EAP based authentication information to/from the RADIUS server.

    There is no documented mechanism for delegating RFC 6187 (X.509v3 Certificates for Secure Shell Authentication) authentication to a RADIUS server.

    You are correct that EAP-TLS is not relevant in this context.

    It is useful to think of this situation as two separate components:

    1. Authentication from client to "data network switching device". Which authentication options can be configured for this task?
    2. Verification of credentials by the "data network switching device". Which back-ends (e.g. NPS) can be configured for delegation of the verification process and for which type of credentials?

    I don't think that there is currently any configuration that will accept SSH certificate authentication and delegate the verification to NPS.


    Thursday, 31 October 2019 20:35
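The two RFC limits this reply and the original question turn on (the 128-octet ceiling on User-Password from RFC 2865 section 5.2, and the EAP-Message attribute of RFC 3579 that carries EAP in as many 253-octet fragments as needed) can be seen directly by encoding the attributes. The Python below is an added illustration, not code from any poster or from NPS; the shared secret, Request Authenticator and "certificate" bytes are constructed test values.

```python
import hashlib
import os
import struct

# Attribute type codes: RFC 2865 (User-Name, User-Password) and RFC 3579 (EAP-Message)
USER_NAME = 1
USER_PASSWORD = 2
EAP_MESSAGE = 79
ACCESS_REQUEST = 1           # RADIUS Code field for an Access-Request

MAX_USER_PASSWORD = 128      # RFC 2865 s5.2: value is 16..128 octets after padding
MAX_ATTR_VALUE = 253         # one-octet Length field (<=255) minus 2 for Type+Length


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding.

    Pad the password with NULs to a multiple of 16 octets, then XOR each
    16-octet block with MD5(secret + previous ciphertext block); the first
    block uses the 16-octet Request Authenticator in place of the previous block.
    """
    if len(password) > MAX_USER_PASSWORD:
        raise ValueError(
            f"User-Password is {len(password)} octets; RFC 2865 allows at most {MAX_USER_PASSWORD}")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password (what the RADIUS server does before checking the password)."""
    if not hidden or len(hidden) % 16 or len(hidden) > MAX_USER_PASSWORD:
        raise ValueError("hidden User-Password must be 16..128 octets in 16-octet blocks")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return bytes(out).rstrip(b"\x00")   # strip the s5.2 padding


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet) | Length (1 octet, includes the 2 header octets) | Value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError(f"attribute value {len(value)} octets exceeds {MAX_ATTR_VALUE}")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_message_attributes(eap_packet: bytes) -> bytes:
    """RFC 3579 s3.1: an EAP packet longer than 253 octets is split across several
    EAP-Message attributes, which the receiver concatenates in order."""
    return b"".join(encode_attribute(EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap_packet), MAX_ATTR_VALUE))


def build_access_request(identifier: int, request_authenticator: bytes, attributes: bytes) -> bytes:
    """RFC 2865 s3 header: Code | Identifier | Length (20 + attributes) | Authenticator."""
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attributes)) \
        + request_authenticator + attributes


def parse_attributes(payload: bytes) -> list:
    """Walk the TLV attribute list; returns [(type, value), ...] and rejects malformed lengths."""
    attrs, i = [], 0
    while i < len(payload):
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, payload[i + 2:i + length]))
        i += length
    return attrs


def password_fits(password: bytes) -> bool:
    """True when the credential can travel in a single User-Password attribute."""
    return len(password) <= MAX_USER_PASSWORD


if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", os.urandom(16)   # constructed values
    attrs = encode_attribute(USER_NAME, b"craig") + \
        encode_attribute(USER_PASSWORD, hide_user_password(b"s3cret", secret, ra))
    pkt = build_access_request(7, ra, attrs)
    print(parse_attributes(pkt[20:]))
    print("2 KiB DER certificate fits User-Password:", password_fits(b"\x30" * 2048))
```

The `password_fits` check is the whole argument of the thread in one line: a DER certificate of roughly 2 KiB cannot be carried in User-Password, and splitting it would need the RFC 3579 EAP-Message path, which is exactly the exchange the switch's SSH login does not speak.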
  • That's correct on the login part of your response. One note on this, the data switch would validate the certificate on its own through OCSP. As you pointed out the RFCs don't cover what is trying to be accomplished through RADIUS. Once the user in Active Directory is flagged as smartcard, any password they had assigned is no longer valid. So even prompting the user for a password to further authenticate would be an issue.
    Monday, 04 November 2019 16:53