How to guide: Extreme Wireless authenticates domain computers using certificates (NPS/EAP-TLS)

  • Updated 1 year ago
This is a quick "how to" for setting up your Windows domain laptops, tablets, etc. for authentication to an Extreme Networks WLAN service. The goal is to have an SSID that can be joined without the use of any password, or additional steps by the user. They will click on the SSID and go! For the connection to work - the device will only need to be a joined member of the domain. A certificate for the Computer itself is used for authentication without any user interaction.

This may not all be 100% accurate. Your mileage may vary! Many thanks to Ron D. and the community for all the assistance that led me to a working solution.

Certain assumptions are made here:
  1. You are comfortable using Windows, and you are the Network Administrator. Or you know the Network Administrator very well, and they are okay with you making these changes.
  2. You run a Windows 2012 environment (2016 is similar enough though) with Windows 7 and Windows 10 laptops.
  3. You have access to Domain Controllers, and you are a Domain Admin.
  4. You have access to your Extreme Networks Wireless Controller(s).
  5. You already have a VNS configured and you want to use that (configuring a new VNS is beyond the scope of this how-to).
  6. You are testing this in a lab setting FIRST, before putting it into production (there are a ton of things that can go wrong on clients ... mostly from Windows 7 bugs).
There are several steps in this process (which should be performed in this order):
  • Install the Active Directory Certificate Services and Microsoft Network Policy Server (NPS) roles.
  • Configure a Connection Request Policy and Network Policy in Microsoft NPS.
  • Configure a Group Policy in Active Directory to generate Computer certificates and to *trust* your Certificate Authority.
  • Configure a RADIUS connection on your Extreme Wireless Controller (to connect to the Microsoft NPS server).
  • Create or configure a WLAN Service on your Extreme Wireless Controller to bring all these settings together.
Install the Active Directory Certificate Services and Network Policy Server roles.
  1. This server should be a domain member. Most people will install these onto an existing Domain Controller.
  2. Click Start > Server Manager.
  3. Under "Configure this local server" click Add roles and features.
  4. Click Next, leave "Role-based or feature-based installation" selected, and click Next.
  5. Leave the current server selected and click Next.
  6. Under roles, check Active Directory Certificate Services. When prompted asking if you would like to add the other related features, click Add Features.
  7. Under roles, check Network Policy and Access Services. When prompted asking if you would like to add the other related features, click Add Features.
  8. Click Next until the Next button is grayed out, and click Install.
  9. Once the process has completed, click Close.
Configure Active Directory Certificate Services
  1. In Server Manager, under Roles and Server Groups, click on AD CS.
  2. A message will read "Configuration required". Click on this message, then click the corresponding action, "Configure Active Directory Certificate Services".
  3. In the AD CS wizard, click Next. Then check to select Certificate Authority and click Next again.
  4. Choose Enterprise CA and click Next.
  5. Choose Root CA and click Next.
  6. Choose Create a new private key and click Next.
  7. Leave the defaults (RSA, key length 2048, hash of SHA1) and click Next.
  8. Optionally change your Common Name. In some processes this name may appear to the client. It should be reflective of your domain or environment. Click Next.
  9. Increase the years, or leave at default (5) and click Next. Many will set this to 20+ years (lower security, easier administration).
  10. Click Next to accept the default location for logs.
  11. Click Configure to complete the process, then click Close when it's done.
  12. You can close the notification window, and then close Server Manager.
  13. Click Start. Type MMC, and press Enter.
  14. Click File > Add/Remove Snap-in.
  15. Add Certificates (choose My user account) and click Finish.
  16. Expand Trusted Root Certification Authorities > Certificates.
  17. Find your newly created certificate in the list. Right-click the certificate and select All Tasks > Export.
  18. Click Next.
  19. Keep the default of DER encoded binary and click Next.
  20. Click browse and choose a location, and file name.
  21. Click Next, and Finish. Keep this cert for later when you create group policies.
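The same role installation, Enterprise Root CA setup and root-certificate export, scripted as an added example (not from the original post). It assumes an elevated PowerShell on the domain-joined server that will host AD CS and NPS; the CA common name and export path are placeholders. Where the wizard defaults to SHA1, this example selects SHA256, since SHA1 is deprecated for certificate signatures.

```powershell
# Added example (not from the original post): role install, Enterprise Root CA
# configuration and DER export of the root certificate for the later GPO step.
# Assumptions: elevated PowerShell on the domain-joined AD CS/NPS server;
# $CaName and $ExportDir are placeholders.
$CaName    = "CORP-ROOT-CA"   # placeholder: use a name that reflects your domain
$ExportDir = "C:\PKI"         # placeholder: where the exported .cer file goes

# 1. Install the AD CS Certification Authority role and Network Policy and
#    Access Services, including their management tools (the NPS console/module).
Install-WindowsFeature -Name ADCS-Cert-Authority, NPAS -IncludeManagementTools

# 2. Configure an Enterprise Root CA with a new 2048-bit RSA key.
#    The wizard default on 2012 is SHA1; SHA256 is used here instead.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName $CaName `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# 3. Export the root certificate (public part only, DER encoded) for import
#    into the "Trusted Root Certification Authorities" GPO setting.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$CaName*" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $root) { throw "Root CA certificate '$CaName' not found in LocalMachine\Root" }
$file = Join-Path $ExportDir "$CaName.cer"
Export-Certificate -Cert $root -FilePath $file -Type CERT | Out-Null
Write-Host "Exported $($root.Subject) (thumbprint $($root.Thumbprint)) to $file"
```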
Configure a Connection Request Policy and Network Policy in Microsoft NPS.
  1. Click Start > Administrative Tools > Network Policy Server.
  2. Expand RADIUS Clients and Servers.
  3. Right-click on RADIUS Clients and select New.
  4. Enter the DNS name of your controller in Friendly name (e.g. EWC, or EWC.mydomain.net). Enter the same name in the Address box.
  5. Choose the Generate radio button, and then click the Generate button.
  6. Click into the Shared secret box, select all text, and Copy the text. Paste it into Notepad to be used later.
  7. Click OK.
  8. Expand Policies.
  9. Right-click on Connection Request Policies, and choose New.
  10. Name your policy after your WLAN SSID to keep things simple. For instance "private". Leave type set to Unspecified. Click Next.
  11. Click the Add button to Specify Conditions.
  12. Scroll toward the bottom of the list and choose NAS Port Type. Then check the box for "Wireless - IEEE 802.11", and click OK.
  13. Click Next.
  14. Leave the default, Authenticate requests on this server. Click Next.
  15. Leave Authentication Methods unchecked and unconfigured, Click Next.
  16. Leave Configure Settings alone, Click Next twice, then Finish.
  17. Right-click Network Policies and select New.
  18. Name the policy the same as your Connection Request Policy and your WLAN SSID (e.g. "private").
  19. Click Next.
  20. Click the Add button to Specify Conditions.
  21. Scroll toward the bottom of the list and choose NAS Port Type. Then check the box for "Wireless - IEEE 802.11", and click OK.
  22. Click Next.
  23. Leave the default of Access granted, and click Next.
  24. Under Less secure authentication methods - uncheck everything!
  25. Click the Add button to add an EAP Type.
  26. Choose Microsoft: Protected EAP (PEAP) and click OK.
  27. Click to select your Microsoft: Protected EAP (PEAP) type in the box and click Edit.
  28. Note the certificate. This should be the certificate for this server. Click on "Secured password (EAP-MSCHAP v2)" and click the Remove button, then click OK.
  29. Click Next twice to leave other settings at defaults. Click Finish.
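Registering the controller as a RADIUS client (steps 3 to 7 above) and checking the server certificate that step 28 relies on, as an added example that is not from the original post. It assumes an elevated PowerShell on the NPS server; the controller name, its IP address and the CA name are placeholders.

```powershell
# Added example (not from the original post): add the Extreme controller as an
# NPS RADIUS client with a generated shared secret, then confirm the NPS server
# holds a CA-issued certificate with the Server Authentication EKU that PEAP uses.
# Assumptions: elevated PowerShell on the NPS server; all three values below are
# placeholders.
$ControllerName = "EWC"           # placeholder friendly name (e.g. EWC.mydomain.net)
$ControllerIp   = "192.0.2.10"    # placeholder: the controller's NAS IP address
$CaName         = "CORP-ROOT-CA"  # placeholder: common name of your Enterprise CA

# Generate a random shared secret (equivalent to the Generate button in the GUI).
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# Register the RADIUS client. NPS identifies the controller by this address,
# so it must match the NAS IP address configured on the controller later.
New-NpsRadiusClient -Name $ControllerName -Address $ControllerIp -SharedSecret $secret
Write-Host "Shared secret for $ControllerName (paste into the controller): $secret"

# The certificate PEAP presents to clients must be issued by our CA, carry the
# Server Authentication EKU (1.3.6.1.5.5.7.3.1), have a private key and be valid.
$serverCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "CN=$CaName*" -and
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
}
if ($serverCert) {
    $serverCert | Format-Table Subject, NotAfter, Thumbprint -AutoSize
} else {
    Write-Warning "No CA-issued server certificate found; enroll one before configuring PEAP."
}
```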
Configure a Group Policy in Active Directory to generate Computer certificates.
  1. Your clients need to trust your certificate authority. Since you created the CA yourself, that trust is not automatic: there is no Verisign or other external authority in this process. Group Policy fixes that.
  2. Log into a Domain Controller, and click Start > Administrative Tools > Group Policy Management.
  3. Right-click on your domain and choose "Create a GPO in this Domain and Link it here".
  4. Give the policy a sensible name (e.g. Trusted Certificates for 802.1X), and click OK.
  5. Right-click your new policy and Click Edit.
  6. Drill down to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
  7. Right-click in the empty space on the right and choose Import.
  8. Click Next. Then browse to the Certificate that you created earlier on your Active Directory Certificate Services server.
  9. Now, in this same Group Policy, drill down to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
  10. In the right pane, double click on Certificate Services Client - Auto-Enrollment.
  11. Change Configuration Model to Enabled. Check both checkboxes. Click OK.
  12. Now, in this same Group Policy, drill down to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings.
  13. Right-click in the empty white space and select "New > Automatic Certificate Request".
  14. Click Next.
  15. Choose Computer (the default) and click Next, then Finish.
  16. Close the Group Policy Management window.
Configure a RADIUS connection on your Extreme Wireless Controller (to connect to the Microsoft NPS server)
  1. Log into your Extreme Wireless Controller.
  2. Browse to VNS > Global > Authentication.
  3. Click New.
  4. For Server Alias, enter something descriptive, e.g. "Windows RADIUS Servername".
  5. For Hostname/IP, enter the IP address of the server.
  6. For Shared Secret, paste in the shared secret password that you generated in "Configure a Connection Request Policy and Network Policy in Microsoft NPS".
  7. For Default Protocol, choose MS-CHAP2.
  8. Click OK.
Create or configure a WLAN Service on your Extreme Wireless Controller to bring all these settings together
  1. Still on your Extreme Wireless Controller, click VNS > WLAN Services.
  2. Click to select the WLAN SSID that you created (e.g. "private").
  3. Click the Privacy tab. Ensure that WPA is chosen (NOT "WPA - PSK"!) and you are using WPA v.2 with AES Only. If not, make the needed changes and click Save.
  4. Click the Auth & Acct tab.
  5. Choose Mode 802.1x, and no HTTP Redirection.
  6. Under RADIUS Servers, click the Select Radius button. Choose the server you created in the last step.
  7. With this server now selected, click the Configure button.
  8. Click to select the Auth line, and some options will light up.
  9. Uncheck Use NAS IP address, and enter the IP address of the controller. This is what your NPS server uses to identify the controller as the "RADIUS Client".
  10. For NAS identifier, check to "Use VNS name". Remember that we assume your VNS name is your SSID, which is also the name of the policies on your NPS server. These must all match!
  11. Click OK.
  12. Click Save.
NOTE: If you have multiple wireless controllers, you will need to create additional RADIUS connections. Remember that your NPS server identifies the RADIUS client by IP address.

Before testing:
Make sure your Group Policy has taken effect. On the client PC, you can open an elevated command prompt and run "gpupdate /force". It is suggested that you reboot afterwards. Some have said that certificate authentication will fail if you don't reboot after the certificate is generated.

To test:
  • Get onto a client and try to join the new SSID. No additional configuration should be needed. The client will automatically determine that this is a certificate based authentication process, and that the Computer certificate will be used.
Troubleshooting:
  • If you are asked to put in a username/password when joining the network, something failed. We are not using usernames/passwords to authenticate in this scenario. Make sure the device is a domain member and that the group policy is applying the certificates.
  • The best sources for why it's not working are, first, the Security log (in Windows Event Viewer) on your NPS server and, second, the client WLAN-AutoConfig log. To get there, open Event Viewer and expand Applications and Services Logs > Microsoft > Windows > WLAN-AutoConfig.
  • There are multiple known bugs with making this work. Notably with finicky Windows 7. It's best to Google these as you encounter them as everyone's environment is a little different. Or - post about it here and see if someone in the community can help.
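The pre-test refresh and the troubleshooting checks above, scripted as an added example that is not from the original post. Sections 1 to 4 run in an elevated PowerShell on the domain-joined client; section 5 runs on the NPS server. The CA common name is a placeholder.

```powershell
# Added example (not from the original post): verify what the GPO and
# auto-enrollment should have produced on a client, then read the two logs the
# troubleshooting section points to. Assumptions: elevated PowerShell; sections
# 1-4 on the client, section 5 on the NPS server; $CaName is a placeholder.
$CaName = "CORP-ROOT-CA"   # placeholder: the CA the GPO distributes

# 1. Refresh Group Policy and trigger certificate auto-enrollment now
#    (a reboot afterwards is still recommended, as noted above).
gpupdate /force | Out-Null
certutil -pulse | Out-Null

# 2. The GPO must have placed the root CA in the machine's Trusted Root store.
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$CaName*" }
if (-not $trusted) { Write-Warning "Root CA '$CaName' is not trusted on this machine" }

# 3. Auto-enrollment must have issued a Computer certificate with the Client
#    Authentication EKU (1.3.6.1.5.5.7.3.2) and a private key; this is what
#    EAP-TLS presents to NPS. Without it, Windows falls back to prompting.
$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -like "CN=$CaName*" -and $_.HasPrivateKey -and
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'
}
if ($clientCert) { $clientCert | Format-Table Subject, NotAfter, Thumbprint -AutoSize }
else { Write-Warning "No machine certificate with Client Authentication EKU; check the auto-enrollment GPO settings" }

# 4. Client side: the latest WLAN-AutoConfig events describe a failed 802.1X attempt.
Get-WinEvent -LogName 'Microsoft-Windows-WLAN-AutoConfig/Operational' -MaxEvents 15 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# 5. NPS side: event 6273 = access denied (the "Reason Code" in the message says
#    why), event 6272 = access granted. Run this on the NPS server.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message | Format-List
```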
SOME REFERENCES:
https://documentation.meraki.com/MR/Encryption_and_Authentication/RADIUS%3A_Creating_a_Policy_in_NPS...
https://support.microsoft.com/en-us/help/2494172/windows-7-does-not-connect-to-an-ieee-802-1x-authen...
Steve Ballantyne

Posted 1 year ago

Drew C., Community Manager

This is exactly what a support "community" is all about! Thank you for putting this together and sharing with everyone!

Chacko

Hi Steve,

nice guide.
Maybe you got an idea, because I'm experiencing a problem:
We have printers for logistics, which are not domain-joined.

For normal Windows clients, which are joined, everything looks fine, but I can't get the non-domain printer to work.

I verified the printer configuration with the second level support from the manufacturer and the colleagues from our PKI team double checked the certificate - everything looks fine, but there is nobody around, who knows things about NPS.

Do you maybe have an idea what the issue is?
NPS log says "Reason code 8 - specified user account does not exist", so it fails already with the connection request policy.
We also created a computer object in AD with a corresponding name, but I have no more ideas what to check.

Best Regards
Chacko