How to guide for Windows NPS certificate based authentication?

  • Question
  • Updated 1 year ago
  • Answered
I am looking for a method of authentication for my Windows clients which does not require the use of a password. I would like to set it up so that if a device is a domain member, it's trusted to join the network. I think that I can do this with Computer certificates?

I have a Windows 2012 Server which is set up as a CA. And I have installed the NPS role. I think that I have come close to making this work - but I am completely lost in how to configure this. Starting with - what certificate am I supposed to use? Do I need to install that cert to the Extreme wireless controller? 

Does anyone have a GTAC article or a how-to on how to set all of this up? If not - let's create one!  :-) There are way too many steps involved. And Microsoft's documentation is terrible.

Steve Ballantyne


Posted 1 year ago


Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello,

What you're looking into is EAP-TLS authentication. I think I know the pieces that need to be in place, but I have never deployed this type of network, just worked within it to troubleshoot issues.

Windows Server 2012 needs to be a CA, but must also have a PKI infrastructure deployed with group policy that tells domain clients to request personal certificates.

When the domain machine is deployed it will contact the Server CA and request a personal certificate signed by that Certificate Authority. 

Group Policy must also then configure the machine for 802.1x with Microsoft Smart Card/Certificate. 
You may also want to configure RADIUS certificate validation settings through group policy as well. 
Also, GP should push the root CA certificate to the client.

The way this authentication should work is when the machine is plugged into an 802.1x capable port it will negotiate identity and authentication method information. After which NPS should send its RADIUS certificate down to the client for validation. The client must have the root CA that signed the RADIUS certificate in order to validate the certificate. Once this is completed the domain computer will send its personal certificate to the NPS server, where the NPS server will attempt to validate the client certificate based on if the CA certificate that signed the client certificate is in the trusted root store of the NPS server.

I can provide NAC configurations required to get this to work if NAC is the terminating RADIUS server, but haven't actually set this up on Microsoft Server.

Thanks
-Ryan
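Added example, not from anyone in this thread: a read-only PowerShell check of the client-side prerequisites Ryan lists (root CA trusted, an auto-enrolled computer certificate with the Client Authentication EKU that chains to it, wired 802.1X supplicant running). The CA subject is a placeholder to substitute; the script only reports, it changes nothing.

```powershell
# Added example (not from this thread): read-only checks on a domain client for the
# EAP-TLS prerequisites described above. Assumes Windows 8 / Server 2012 or later
# (PowerShell 3+, Cert: drive). The CA subject below is a constructed placeholder.
$RootCaSubjectFragment = 'CN=CORP-ROOT-CA'   # placeholder: substitute your enterprise CA's subject
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'          # Client Authentication EKU OID

# 1. Is the root CA trusted by the machine (the certificate GPO should push it here)?
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$RootCaSubjectFragment*" }
if (-not $rootCa) {
    Write-Warning "Root CA not found in LocalMachine\Root; check the GPO that publishes it."
}

# 2. Does the computer hold an unexpired, auto-enrolled certificate usable for EAP-TLS?
#    EnhancedKeyUsageList is the property the Cert: provider adds to each certificate.
$computerCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
}
foreach ($cert in $computerCerts) {
    # Build and validate the chain the way the supplicant will: it must end in a trusted
    # root and pass revocation checking (set RevocationMode to 'NoCheck' to test offline).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ClientAuthEku)) | Out-Null
    $chainOk = $chain.Build($cert)
    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Expires     = $cert.NotAfter
        ChainValid  = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}
if (-not $computerCerts) {
    Write-Warning "No valid computer certificate with the Client Authentication EKU; check certificate auto-enrollment."
}

# 3. Is the wired 802.1X supplicant running, and is a wired profile configured?
$svc = Get-Service dot3svc -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Warning "Wired AutoConfig (dot3svc) is not running; 802.1X will not negotiate on wired ports."
}
netsh lan show profiles
```

On the NPS server the same certificate check with the Server Authentication EKU OID (1.3.6.1.5.5.7.3.1) instead of the client one lists the certificate that the network policy's EAP-TLS setting must be tied to.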

Steve Ballantyne

Searching Google for "EAP-TLS NPS 2012" was a good start in the right direction! Thank you!

That and starting over on the NPS side of things. WAY too many little options there that will keep things from working. And MS just spouts an error and says "check your EAP logs". Those logs are absolutely worthless!! :-)

Ronald Dvorak, Embassador

Hi Steve,

I've done it more than once but only for my lab setup via web enrolment of the client certificates.

In a production environment that wouldn't be a good solution because you'd need to create a cert for every client by hand - instead, as Ryan mentioned, an automatic cert enrolment via Windows group policy would be a far better solution.

I'll PM you two documents but I'd suggest getting some help from a Windows expert on the topic if you plan to do it in a production environment.

-Ron

Steve Ballantyne

It would have to be auto-enrollment for me. In part, because I can't trust my help desk folks to do this correctly for every workstation in the domain. But also because I want to make sure that the only PCs placed on that network were put there because they are domain members. Not something that was manually added by a vendor (with help from a tech who shouldn't have helped!).

Steve Ballantyne

Thanks for the advice gentlemen. I think I may have finally got it working. I ended up starting over and deleting my "Connection Request Policy" and "Network Policy" from MS NPS and started over following this guide which kept everything very brief.

It also seems strange that I had to tie the policy to a certificate for the server itself. Not the certificate that shows as the root cert for the computer certificate (which was generated by force of a group policy). Absolutely nuts.

I am going to go back over this tomorrow and ensure that this is working as intended, and maybe write up some instructions on how to set this up from end to end.

And thanks for those docs you sent me Ron, those were quite useful!

Steve Ballantyne

Everything worked fine until I tried to repeat these steps on a second Windows 7 laptop. This time, I ran into a brick wall. After a lot of digging I found that there is some sort of bug where Windows 7 will not accept an "invalid certificate". I am not sure what that is about, as the certificate is indeed *VALID* (and it worked fine on another laptop running Windows 7). Searching around in forums, I found a ton of other angry people with this same issue. I am thinking that it's "invalid" because my root cert is from my own trusted server, and not a money grubbing Verisign entity.

If anyone should run into that, here is the hotfix link.

Steve Ballantyne

Not sure that I posted it in the right place, but I put a "how-to guide" together for anyone else brave enough to attempt this feat.

https://community.extremenetworks.com/extreme/topics/how-to-guide-extreme-wireless-authenticates-dom...