Does NPS use all root CAs for authenticating client certificates?

  • Question

  • In NPS, if an EAP-TLS policy is configured for wireless clients, am I correct in assuming that any client that has a certificate issued from any of the built-in root CAs (i.e. DigiCert, Go Daddy, Verisign, etc.) would also be able to successfully authenticate? Is there no way to lock down the policy to just authenticate clients with certificates issued from your internal CA?

    Thanks

    Thursday, August 29, 2019 9:53 PM

All replies

  • Hi,

    Thanks for posting in the forum.

    Please refer to the following link:

    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements

    Best regards,

    Hollis


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 30, 2019 7:30 AM
  • Thanks for the reply.  The article states:

    With EAP-TLS or PEAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:

    The client certificate is issued by an enterprise CA...

    So, it does seem that a client with a certificate from any commercial CA would be authenticated. This could be a huge security risk.

    This article does not address any way to lock down authentication to only your internal CA.

    Thanks

    Friday, August 30, 2019 12:47 PM
  • Hi,

    "any client that has a certificate issued from any of the built-in root CAs (i.e. DigiCert, Go Daddy, Verisign, etc.)"->

    About this sentence, I have some questions to confirm:

    1. Could you describe this sentence in detail? If you can, please give an example.

    2. Certificates have different features, for example: encryption, signature, etc. What do you need?

    "Is there no way to lock down the policy to just authenticate clients with certificates issued from your internal CA?"->

    Do you want your clients and server certificates issued from your internal CA?

    Best regards,

    Hollis



    Monday, September 2, 2019 9:00 AM
  • If a PC has a computer certificate issued from a third-party CA, say Go Daddy, I'm wondering if it would be authenticated through NPS, using EAP-TLS, because Go Daddy is a trusted root CA.

    The question is, how do you make sure PCs can only be authenticated through NPS, using EAP-TLS, if they have a certificate from your internal CA, and not from a trusted third-party root CA.

    Thanks

    Tuesday, September 3, 2019 7:32 PM
  • Hi,

    You can configure the clients and the NPS server to choose which CA to trust.

    Because I don't have a wireless environment, I took a screenshot of a VPN client; it should be the same as wireless. You can choose Trusted Root Certification Authorities.

    Best regards,

    Hollis



    Wednesday, September 4, 2019 2:12 AM
  • That setting is used to set the CAs that the clients trust, not the CAs that the RADIUS server trusts.

    I was able to find the answer in this post, thanks to Mark B. Cooper:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/4bde6dc4-a514-4cda-a2ef-adc07d4b619a/8021x-certificate-authentication-with-other-certificates-for-nondomain-members?forum=winserversecurity

    Thursday, October 24, 2019 5:55 PM