How can I configure radius to allow a non-windows device to authenticate with a certificate?

    Question

  • I currently have a 2008r2 server with NPS acting as a RADIUS server for our wireless network. The existing rules are set up to allow access based on Windows group membership. I need to get a wireless JetDirect connected to the Wi-Fi network.

    If I create a certificate for this device with key usage settings for client auth / server auth, can it authenticate to RADIUS with that cert?

    How would I set up an NPS policy to allow this device, since it's not a domain member and not a member of the Windows groups?

    Friday, February 21, 2014 10:52 PM

Answers

  • Hi there -

    I asked the NPS team about this, and following is their response:

    *****

    Yes, it’s possible, but it’s a very manual process. I will give you the easy steps, then the hard ones.

    Easy (relative):

    1. Using a domain-joined machine, request a certificate from a template that allows the private key to be exported.
    2. Export the cert with the private key.
    3. Import on all workstations/devices that require it.

    Pros:

    Relatively easy to create the cert and manage the account

    Cons:

    Single certificate used on multiple machines

    Certificate does not accurately reflect the name of the device

    Hard:

    1. Create an account in AD.
    2. Issue a certificate from a template that allows the private key to be exported.
    3. Using name mappings, attach the certificate to the account.
    4. Create an SPN that matches the SAN on the certificate, i.e. if the SAN is computer.domain.com, you need to create an SPN on the account host/computer.domain.com.
    5. Install the certificate onto the target workstation/device.

    Pros:

    Relatively more secure than the previous steps, as you create a single account/certificate pair per device

    Cons:

    Not very manageable

    *****

    Thanks -


    James McIllece

    Monday, February 24, 2014 6:50 PM
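Added example, not part of the thread or the NPS team's response: a PowerShell script for the "Hard" steps 1, 3 and 4 (account, name mapping, SPN). It assumes the ActiveDirectory RSAT module is installed, that the device certificate was already issued from an exportable template (step 2) and its public part saved as a .cer file, and that the device name, domain, path and group name below are placeholders for your environment.

```powershell
# Added example (not from the thread): "Hard" steps 1, 3 and 4 as PowerShell.
# Assumptions: RSAT ActiveDirectory module present; the device certificate (step 2) is
# already issued and its public part exported to $CerPath; all names are placeholders.
Import-Module ActiveDirectory

$DeviceName = 'jetdirect01'                 # placeholder sAMAccountName (without the trailing $)
$DnsDomain  = 'domain.com'                  # placeholder DNS domain, as in the thread
$Fqdn       = "$DeviceName.$DnsDomain"      # must equal the certificate's SAN dNSName
$CerPath    = 'C:\certs\jetdirect01.cer'    # placeholder path to the issued certificate
$NpsGroup   = 'Wireless-Devices'            # placeholder group the existing NPS policy checks

# Step 1: a computer object gives NPS a security principal to authorize. The printer is never
# domain-joined; the object only exists so AD can answer "who is this certificate?".
New-ADComputer -Name $DeviceName -DNSHostName $Fqdn -Enabled $true

# Step 4: SPN matching the SAN (host/computer.domain.com in the thread's wording).
Set-ADComputer -Identity $DeviceName -ServicePrincipalNames @{Add = "host/$Fqdn"}

# Step 3: explicit name mapping. altSecurityIdentities takes "X509:<I>issuer<S>subject", each DN
# in X.509 encoded order (DC=com,DC=domain,CN=...), the reverse of how Windows displays it.
function ConvertTo-MappingDn {
    param([string]$DisplayDn)
    # Assumes no RDN value contains an escaped comma (true for typical AD CA and host names).
    $rdns = @($DisplayDn -split ',' | ForEach-Object { $_.Trim() })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

$Cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
$Mapping = "X509:<I>$(ConvertTo-MappingDn $Cert.Issuer)<S>$(ConvertTo-MappingDn $Cert.Subject)"
Set-ADComputer -Identity $DeviceName -Add @{altSecurityIdentities = $Mapping}

# Authorization: put the object in the group the existing NPS policy conditions already use.
Add-ADGroupMember -Identity $NpsGroup -Members (Get-ADComputer -Identity $DeviceName)

# Show what was written so it can be compared with the certificate.
Get-ADComputer -Identity $DeviceName -Properties altSecurityIdentities, servicePrincipalName |
    Select-Object Name, servicePrincipalName, altSecurityIdentities
```

The `<I>issuer<S>subject` form is what the "Name Mappings" dialog in ADUC writes and is what this 2014 thread is about; note that the certificate-based authentication hardening Microsoft shipped for domain controllers in May 2022 (KB5014754) classifies it as a weak mapping, so on current DCs prefer one of the strong forms it introduced (`X509:<SKI>…` or `X509:<I>issuer<SR>reversed-serial`) in the same attribute.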

All replies

  • Hi there -

    Following is some additional information I received today from the NPS team on this issue:

    *****

    You can make the hard option a little easier and reduce a couple of the steps by using a SAN entry in the certificate with a format of SAN:UPN=<hostname>$@<domain.tld>. This results in a certificate that has an NT Principal Name of <hostname>$@<domain.tld> in the SAN field, which is then appropriate for authentication to the NPS as a pure computer object. The only dependency is then the creation of a computer account in Active Directory and adding it to the respective groups for AuthZ.

    I’ve used that approach for 802.1x authn/authz of non-domain joined machines, the biggest pain still being cert enrolment and transfer element, although the use of NDES/SCEP can make that a little more palatable (if appropriate for the devices in question).

    Thanks -


    James McIllece


    Thursday, July 10, 2014 7:50 PM
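Added example, not part of the thread: a certreq.exe request file that carries the SAN:UPN=<hostname>$@<domain.tld> entry (plus the dNSName) described above, submitted to an Enterprise CA and then checked, all from PowerShell. It assumes a domain-joined admin workstation with enroll rights on a template that allows export and a request-supplied subject; the device name, domain, template name, CA config string and paths are placeholders, and the computer account <hostname>$ is assumed to already exist in AD.

```powershell
# Added example (not from the thread): build, submit and verify a certificate request whose
# SAN holds upn=<hostname>$@<domain.tld>. All names below are placeholders.
$Device   = 'jetdirect01'                           # placeholder device name (without $)
$Domain   = 'contoso.local'                         # placeholder DNS domain
$Fqdn     = "$Device.$Domain"
$Work     = Join-Path $env:TEMP $Device
$CaConfig = 'ca01.contoso.local\Contoso-Issuing-CA' # placeholder "<CA host>\<CA name>"

# certreq INF syntax: the SAN extension (OID 2.5.29.17) is given as text, one entry per
# _continue_ line, each terminated by "&". "upn=" becomes the otherName / NT Principal Name.
# KeyUsage 0xA0 = digitalSignature + keyEncipherment; EKU 1.3.6.1.5.5.7.3.2 = Client Authentication.
$Inf = @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyAlgorithm = RSA
KeyLength = 2048
MachineKeySet = TRUE
Exportable = TRUE
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "upn=$Device`$@$Domain&"
_continue_ = "dns=$Fqdn&"

[RequestAttributes]
CertificateTemplate = "WirelessDeviceExportable"
"@

New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Inf | Set-Content -Path "$Work\request.inf" -Encoding ASCII

certreq.exe -new    "$Work\request.inf" "$Work\request.req"
certreq.exe -submit -config $CaConfig "$Work\request.req" "$Work\issued.cer"
certreq.exe -accept "$Work\issued.cer"   # binds the issued cert to the machine-store private key

# Verify the SAN before the certificate leaves this machine. Windows renders the otherName
# entry as "Other Name: Principal Name=<hostname>$@<domain>".
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$San = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)
$Expected = "Principal Name=$Device`$@$Domain"
if ($San -notlike "*$Expected*") { throw "SAN does not contain '$Expected':`n$San" }
"SAN OK:`n$San"

# Transfer to the device as a PFX (the enrolment/transfer step the thread calls the painful part).
$Pwd = Read-Host 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $Cert -FilePath "$Work\$Device.pfx" -Password $Pwd | Out-Null
```

Export-PfxCertificate comes from the PKI module on Windows 8 / Server 2012 and later; on older hosts `certutil -exportPFX` does the same job. Because the subject and SAN here are supplied in the request rather than built from AD, a CA patched for KB5014754 will not add the SID extension to this certificate, so on enforcing domain controllers the implicit UPN mapping counts as weak and should be backed by a strong altSecurityIdentities mapping on the computer account.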
  • Hi! I know it is an old question, but how should the SAN look for computer1 in domain contoso.local, for example?

    UPN=computer1$@contoso.local

    ?



    • Edited by Mikhail_Sol Thursday, October 22, 2015 6:54 AM
    Thursday, October 22, 2015 6:50 AM