How to guide for Windows NPS certificate based authentication?

Steve_Ballantyn
Contributor
I am looking for a method of authentication for my Windows clients which does not require the use of a password. I would like to set it up so that if a device is a domain member, it's trusted to join the network. I think that I can do this with Computer certificates?

I have a Windows 2012 Server which is set up as a CA. And I have installed the NPS role. I think that I have come close to making this work - but I am completely lost in how to configure this. Starting with - what certificate am I supposed to use? Do I need to install that cert to the Extreme wireless controller?

Does anyone have a GTAC article or a how-to on how to set all of this up? If not - let's create one!  There are way too many steps involved. And Microsoft's documentation is terrible.

It would have to be auto-enrollment for me. In part, because I can't trust my help desk folks to do this correctly for every workstation in the domain. But also because I want to make sure that the only PCs placed on that network were put there because they are domain members. Not something that was manually added by a vendor (with help from a tech who shouldn't have helped!).

Ryan_Yacobucci
Extreme Employee
Hello,

What you're looking into is EAP-TLS authentication. I think I know the pieces that need to be in place, but I have never deployed this type of network, just worked within it to troubleshoot issues.

Windows Server 2012 needs to be a CA, but it must also have a PKI infrastructure deployed, with group policy that tells domain clients to request personal certificates.

When the domain machine is deployed it will contact the Server CA and request a personal certificate signed by that Certificate Authority.

Group Policy must also then configure the machine for 802.1x with Microsoft Smart Card/Certificate.
You may also want to configure RADIUS certificate validation settings through group policy as well.
Also, GP should push the root CA certificate to the client.

The way this authentication should work is that when the machine is plugged into an 802.1x capable port, it will negotiate identity and authentication method information. After that, NPS should send its RADIUS certificate down to the client for validation. The client must have the root CA that signed the RADIUS certificate in order to validate the certificate. Once this is completed, the domain computer will send its personal certificate to the NPS server, and the NPS server will attempt to validate the client certificate based on whether the CA certificate that signed the client certificate is in the trusted root store of the NPS server.

I can provide NAC configurations required to get this to work if NAC is the terminating RADIUS server, but haven't actually set this up on Microsoft Server.

Thanks
-Ryan
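The reply above lists the certificate prerequisites for EAP-TLS without a way to verify them. The script below is an added example written for this page; it is not part of the thread, the Extreme documentation or Microsoft's tooling. It walks the LocalMachine certificate store and reports, for each candidate certificate, the things EAP-TLS actually depends on: a private key, the right EKU (Client Authentication on a domain member, Server Authentication on the NPS server), a chain that ends at a root in the Trusted Root store, validity dates, and the machine FQDN in the SAN or Subject. Assumptions: certificates were auto-enrolled into Cert:\LocalMachine\My, the standard RFC 5280 EKU OIDs apply, and the DNS host name matches what the certificate template put in the SAN; the script name Test-EapTls.ps1 and the -Role parameter are this example's own.

```powershell
<#
 Added example (not from the forum thread): sanity-check the EAP-TLS
 certificate prerequisites on a domain client or on the NPS server.
 Assumptions: certificates are in the LocalMachine store, standard EKU OIDs
 apply, and the machine's DNS name matches the SAN written by the template.
 Usage:  .\Test-EapTls.ps1 -Role Client    (on a domain workstation)
         .\Test-EapTls.ps1 -Role Server    (on the NPS / RADIUS server)
#>
param(
    [ValidateSet('Client', 'Server')]
    [string]$Role = 'Client'
)

# Standard EKU OIDs (RFC 5280). The supplicant needs id-kp-clientAuth,
# the RADIUS server certificate needs id-kp-serverAuth.
$RequiredEku = @{
    Client = '1.3.6.1.5.5.7.3.2'
    Server = '1.3.6.1.5.5.7.3.1'
}[$Role]

$fqdn         = [System.Net.Dns]::GetHostEntry([string]$env:COMPUTERNAME).HostName
$trustedRoots = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object Thumbprint

# Only certificates with a usable private key can authenticate a TLS peer.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $RequiredEku)
}

if (-not $candidates) {
    Write-Warning "No certificate with a private key and EKU $RequiredEku in Cert:\LocalMachine\My."
    Write-Warning "On a domain client, force auto-enrollment with: gpupdate /force ; certutil -pulse"
    exit 1
}

$ok = $false
foreach ($cert in $candidates) {
    Write-Host "`nChecking $($cert.Subject) [$($cert.Thumbprint)]"

    # Build the chain the way the peer will: it must terminate at a root
    # that is present in this machine's Trusted Root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; turn on for production
    $built       = $chain.Build($cert)
    $root        = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootTrusted = $trustedRoots -contains $root.Thumbprint
    Write-Host ("  chain builds            : {0}" -f $built)
    Write-Host ("  root '{0}' trusted      : {1}" -f $root.GetNameInfo('SimpleName', $false), $rootTrusted)

    # Validity window as of now.
    $now   = Get-Date
    $valid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    Write-Host ("  valid now               : {0} (expires {1:d})" -f $valid, $cert.NotAfter)

    # NPS maps a computer certificate to the account by the FQDN in the
    # SAN dNSName (or the Subject CN); a blank Subject is not accepted.
    $san       = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText   = if ($san) { $san.Format($false) } else { '' }
    $nameMatch = ($sanText -match [regex]::Escape($fqdn)) -or
                 ($cert.Subject -match [regex]::Escape($fqdn))
    Write-Host ("  name matches {0} : {1}" -f $fqdn, $nameMatch)
    if (-not $cert.Subject) { Write-Warning "  empty Subject field" }

    if ($built -and $rootTrusted -and $valid -and $nameMatch -and $cert.Subject) { $ok = $true }
}

if ($ok) {
    "`nAt least one certificate satisfies the $Role-side EAP-TLS requirements."
    exit 0
} else {
    Write-Warning "`nNo usable $Role certificate found; fix the items reported False above."
    exit 1
}
```

Run it with -Role Client on a workstation after the auto-enrollment GPO has applied (gpupdate /force followed by certutil -pulse triggers enrollment immediately), and with -Role Server on the NPS box to check the certificate selected in the EAP-TLS provider settings. If every line reports True on both ends and authentication still fails, the remaining variables are the 802.1X profile the GPO pushed (netsh lan show profiles for wired, netsh wlan show profiles for wireless) and the NPS network policy conditions, not the PKI.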

Searching Google for "EAP-TLS NPS 2012" was a good start in the right direction! Thank you!

That and starting over on the NPS side of things. WAY too many little options there that will keep things from working. And MS just spouts an error and says "check your EAP logs". Those logs are absolutely worthless!! 