Haven't watched the video yet, but would something like exclusively EAP-TLS auth work in combo with Cisco ISE and Intune for mobile devices, e.g. iPhones/iPads? Looking for a way to implement that, as it seems like a cleaner way to auth and less likely to cause those pesky lockouts when people forget to change their password on the RADIUS side of things.
I was actually thinking about that recently. I am going to be looking into Azure's MDM to see if I can accomplish getting enrolled devices an assigned certificate for usage with EAP-TLS. I know Apple devices are capable of it up to TLSv1.2. I have not implemented it before but will let you know if I get it figured out. The company that I am looking at this for has an E3 license, which is a little more limited than the E5 with Intune, so it may or may not be possible with that license.
@OsbornePro We do have Intune licensing; my challenge is going to be around spinning up a trial Cisco ISE (staying away from prod for safety reasons). Crossing fingers for smooth sailing.
@OsbornePro BTW, this still does not address an Evil Twin attack, correct? I'd imagine this protects the authentication piece, but everything will not be tunneled.
@tacom6 That is a good question I should have thought to include when setting up the AD wireless profile. If the users do not have the ability to accept new certificate changes, an attacker will be required to have a certificate issued by your environment's CA in order to successfully set up an Evil Twin. The wireless profile we set up in Group Policy is where we select the allowed Issuing CA certificates. If the users are allowed to accept certificate changes, it is possible for an attacker to create an Evil Twin with a certificate they create. Defining our trusted CAs should provide another layer of protection to that setting. The private key on the target user's computer will never leave that device, so the attacker is not going to obtain the target's private key. The most the attacker could do is offer internet. They would not be able to connect to the domain network in that situation. They may try to compensate by creating a splash page that asks for the user's credentials. In summary, no, it doesn't prevent Rogue APs, but it does make it significantly harder to make anything out of that approach.
These kinds of videos are a godsend for all of us 'jack of all trades, master of none' IT workers. Superb level of detail and information. Brilliant. Many thanks.
I did not have the best foundation to follow this video but the time taken to tear into this has been invaluable. Thank you for the time taken to set this up. Without going into detail this is incredibly helpful for a situation in my professional life. Thank you again for the resource to build understanding on top of.
I'm not sure if this will help anyone or not, but when standing this up and trying to troubleshoot where the communication was breaking, I used Wireshark, Event Viewer on both ends, and looked into C:\Windows\System32\LogFiles for successful or failed authentications. I hadn't configured the server to log successful/failed login attempts. Once I had made the correct change on my switch, I wanted to verify the NPS was authenticating correctly. mmc.exe > Group Policy Object Editor > Local Computer > Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Logon/Logoff > Audit Network Policy Server. Enable this for success and failure if you're still testing everything.
Hello Dear Robert! Thank you for the very useful video! Following your configuration for the machine authentication, I have faced two issues. The RADIUS server doesn't allow any devices to authenticate if we select a network authentication method of "Smart Card or other certificate" following the path (the same as in the video): Edit GPO Policy -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wireless Network Policies (IEEE 802.11) -> MyNetworkPolicy -> Select Profile Name and click 'Edit' -> Security Tab -> Select a network authentication method: Smart Card or other Certificate. In this case, all settings are made for machine authentication only. But when I selected "Protected EAP" for the WiFi enrollment, the configured WiFi network asks for user AD credentials to allow the connection even if I have 'machine authentication' only. Could you please give me any advice on how we can remove the user credentials request if I select "Computer Authentication"? Thank you so much! Regards, Yury
Thanks for watching! If you select PEAP they will be prompted to enter credentials. Use Smart Card or Other Certificate and Computer Authentication in your settings. Also select the certificate authority so it knows the certificate to auto-choose.
Excellent content, no messing about, straight to the point with plenty of useful information. I am currently configuring RAS/NPS for VPN authentication and this really helps to understand the process.
Thanks for watching! I do not have a video like that. You want your CA to not have any other services on it. It should just do CA stuff. The best practice that is rarely followed is to have an offline, non-domain-joined Root CA server. Then have an Intermediate CA attached to that which is domain joined. Require NTLMv2 authentication to it. Use SMBv2 and v3 with required signing. The biggest threat to your domain with a certificate authority is Certificate Templates. The guys who wrote an exploit tool called Certify have a white paper that is well worth the read to see the do's and don'ts of certificate template making. You can run the tool to discover vulnerable certificates on your CA if you are ever unsure.
Don't forget to check your firewall rules on the NPS server. I just spent a day banging my head against a wall after my A/V software was silently re-enabling Windows Firewall on me. Wireshark was showing RADIUS packets come in but I saw no events show up in the NPS logs. Opened up the NPS ports on my firewall and now I can connect to the corporate Wi-Fi.
That sounds frustrating, you definitely need the firewall open. That is pretty crazy; the firewall rules get created automatically when installing the NPS role on the Windows Server. What AV software is doing that to you?
Question. The step where you create the RADIUS template in the CA template manager. What is the purpose of distributing that machine certificate to all machines in the environment? I don't see any further mention of it in the video and wonder what purpose it serves? I suppose if you point to the cert anywhere in the NPS network policy creation or in the group policy setup and certs in the chain (the machine RADIUS cert) are subsequently accepted as well? Thanks!
Thanks for watching! The RADIUS Client authentication certificate can be assigned to any security group you want. It is best to create a RADIUS Devices security group in AD. It does not necessarily have to go out to everything. The RADIUS Server one will only be distributed to servers with the NPS ability. The Root CA certificate needs to be distributed to everything for trust purposes. If a certificate isn't trusted, the connection won't connect without extra steps that are bad for security. I think I answered the question. Let me know if I can provide any more info.
Great video! Very detailed and simple to follow. I have successfully set this up and it is working with our domain-joined devices - thank you! However, what could I do to implement this on non-domain-joined devices such as iPads? In my org we have 3 groups of iPads, all requiring different VLANs for internet filtering. I would like to use EAP-TLS so no end user authentication is required.
Thanks for watching! What I have found with non-domain-joined Apple devices is they require a non-domain-joined Root CA with a domain-joined Intermediate CA. The non-domain-joined Root CA is for issuing certs to Apple devices not on the domain. The domain-joined intermediate is for auto-management of the Windows RADIUS client certificates. Or if you have something like Cisco ISE to act as a CA that issues certs to those devices, that can work. If you just have a domain-joined Root CA that assigns a device certificate to a non-domain-joined Apple device, the authentication fails saying no matching account could be found. I have tried creating dummy accounts etc. but nothing worked for me.
@OsborneProLLC Thanks again for a really great and useful video. We have it configured in the way you explained and it works perfectly for Windows machines. Is it possible to also get Macs working under the same RADIUS/NPS? I know that Macs can't receive group policy so part of this will need to be done manually, but do you know the procedure for the Mac to be able to request / receive the certificate and once installed, will the wifi just work if they click on the SSID of the network?
Thanks for watching! Glad to hear it. Yes, it is possible to get Macs working under RADIUS/NPS, but it is not possible to use EAP-TLS with the configuration I demonstrated. You will require a standalone/non-domain-joined Root CA to issue certificates to your Apple devices. If you use a Standalone Enterprise CA that is domain joined, the certificates can be assigned, but when authentication comes around the auth request gets denied saying the user does not exist. I tried creating a user MACDESKTOP01 and MACDESKTOP01$ for example in Active Directory and still received "user does not exist" results. The way to rectify that is with a non-domain-joined Root CA. The Subordinate CA can be used to auto-manage the Windows certs still. To reiterate, this is for EAP-TLS authentication. If you decide to go with PEAP user authentication, then yes, the setup in this video will work. PEAP requires the Mac users to log in at least once, and only one PEAP certificate can be issued, so the users would need to manage their own certificate and move it between devices. EAP-TLS would allow any managed device to authenticate without the user entering credentials.
Great content my friend. I have a question - according to a lot of Microsoft documentation, the EAP-TLS protocol has a requirement that the issuing CA certificate of your client certificates is stored in the NTAuth certificate store in order for authentication to work with this protocol. My understanding is that NTAuth certificate store is replicated from the Configuration partition of your AD forest, however I'm unsure if populating that object with issuing certificates is a manual process, or if it should be automatic when a CA is built. Do you happen to have any experience in dealing with that?
Thanks for watching! When you set up a Windows Server Enterprise Root CA, the information for the CA gets placed into Active Directory. If you have run the configuration of the Root CA role on a Windows Server a couple of times, you may need to make some adjustments in Active Directory to ensure the correct Certificate Authority is defined. The issuing Root Certificate Authority's certificate is not automatically trusted. The Root CA certificate is trusted by the clients and the NPS server because it was pushed out to the trusted store using Group Policy. The NPS server needs to trust the issuing authority, as does the supplicant. If a machine is not domain joined you will need to manually trust the Root CA. In case you need some commands:

# Publish Root CA Cert to NTAuth store
certutil -dspublish -f RootCA.cer NTAuthCA

# View content in NTAuth in AD DS
certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=yourdomain,DC=com"

qa.social.technet.microsoft.com/wiki/contents/articles/3063.certutil-examples-for-managing-active-directory-certificate-services-ad-cs-from-the-command-line.aspx?PageIndex=1
Hi Rob. Fantastic video! Thank you for taking the time to make it. It really helped me while setting up EAP-TLS. I have a question that I'm struggling to find the answer for: Is it possible to set up EAP-TLS for User and Computer authentication? I.e. at the login screen, the computer authenticates to the network using its computer certificate, then when a user signs in it re-authenticates against the User certificate? Ideally I'd like user authentication as well for better auditing, especially on shared computers, but using User-only authentication is a chicken-and-egg situation as they can't authenticate on to the network to get their group policy and cert via autoenrollment. I've deployed a User cert as well as a Computer cert and set the wireless Group Policy to use User or Computer authentication. Computer authentication on the login screen works fine, but as soon as the user profile loads, network connectivity is lost.
Thanks for watching! Appreciate the kind words. There is not a way to do the method you are thinking of, but you can use PEAP for authentication instead. The certificates assigned to the user create the EAP-TLS tunnel. The user then authenticates using SSO or their credentials. You want to use MSCHAPv2, which is used to encrypt the credentials and send them through the EAP-TLS tunnel. To do this you will need to deploy a user certificate used for PEAP authentication. You need your Network Policy to use PEAP instead of Microsoft Smart Card or Certificate. You do not need to check any boxes where you see PAP, MSCHAP, CHAP and MSCHAPv2. The auth method you use is selected when you select "PEAP" and then click Edit. There is a drop down there for MSCHAPv2. That is basically the only difference in your config setup.
@OsbornePro TV Thank you, Rob, for the helpful reply! In your professional opinion, which one would you consider the better option? EAP-TLS with computer authentication (Pros: more secure / Cons: can't audit which user was connected to the network on the computer and can't block user access without blocking the computer) or PEAP (Pros: can audit network usage by user and block a user's access without blocking the entire device / Cons: Less secure?) Also, do you have any experience/tips/advice for auditing user network usage for devices that are solely using computer authentication with EAP-TLS?
@GrindhouseJames I prefer EAP-TLS with devices if the users are assigned their own desktops and laptops. If someone gets fired or whatever, you can disable their account in AD and their device's certificates. I prefer to avoid PEAP when possible because I know how to exploit it to steal credentials. It's more a personal comfort thing. Someone smarter than me may figure out ways around the methods used to lock it down. PEAP is still considered a secure means of doing things and would pass a security audit. Your pros and cons are accurate. If it makes more sense for your situation I would use it. There are clients I have worked with where PEAP made more sense. Another thing to keep in mind is that a PEAP certificate has only one issued per user. If a user has a desktop and a laptop, the user needs to know how to set up the cert on their other devices. The RADIUS accounting logs are supposed to be a good way of auditing network usage if you have multiple clients using internet. Utilizing a SQL server for that if you expect heavy logging is the way to go there.
This is an outstanding video with a very thorough explanation of how and why to set up certificate-based authentication using Network Policy Server and Group Policy via Windows Server 2019 for wireless connections. Might you be able to cover doing the same for wired connectivity as well? Thanks.
Thanks R H, glad you found it helpful! :) I appreciate the feedback. I was hesitant to include that in this video initially because I felt like I was assuming a lot without a WLC. That has not seemed to take away from the content of the video. I can do a part 2 kind of video for this where I add wired to the configuration and create the IEEE 802.3 group policy. I will also include how to configure 802.1X on a Cisco switch so we can add it as a RADIUS client on the NPS server. I did not create a Security group in AD for the RADIUS clients so I will demo that in the new video as well. Will that be what you are looking to see?
Thanks for watching! Yes you can however you need a Root CA that is not domain joined to issue those certificates. Or what I have not tested is using SCEP to assign certificates to non-domain joined devices
Do you not have to reference the RAS IAS cert in the network policy? I noticed you added smart card or other certificate as the EAP type but never edited it to choose the cert.
Thanks for watching! A valid certificate is typically selected automatically; however, it's not perfect. Yes, you should select the certificate to use on the RADIUS server in the network policy. I forgot to cover this in the video. I updated the description of the video to make mention of this in case someone reaches out to me having that issue. I can also get a quick copy-paste for responding to emails.
It is a very informative video on the MS NPS EAP-TLS setup, but somehow I still can't get it to work. I am working on setting up EAP-TLS authentication for a Wireless Access Point. Following a different guide I can get the endpoint to use the Current User Certificate to successfully authenticate to NPS. I followed your directions, but when I set up the GPO to try to get it to use the computer certificate it fails to connect. Any chance you might know what I have missed?
Thanks for watching! What is the error message you are seeing on your NPS server in the Event Viewer's custom log for Network Policy Service? At the bottom of a denied event it will have a message that will tell you if there is no matching Network Policy or Connection Request Policy. It will also let you know if a user was not found. Because the user certificates work, I think it is safe to assume your RADIUS server certificate is good and clients' authentication requests are reaching the NPS server. I would think what needs to be looked at is why they are being denied. If you find they are not getting there, let me know. Feel free to send screenshots of your config to info@osbornepro.com and I can take a look to see if I see anything. Also, screenshots of your GPO profile would be helpful.
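The two troubleshooting replies above (enabling the "Audit Network Policy Server" subcategory, then reading the denied-event reason) can be scripted in one pass on the NPS server. The following is an added example, not code from the video or from any commenter: it enables the audit subcategory with auditpol and then summarises the most recent NPS access-granted (6272) and access-denied (6273) events from the Security log, including the Reason text that the reply above says to look at. Run it in an elevated PowerShell on the NPS server. The EventData field names it reads (SubjectUserName, CallingStationID, ClientName, NetworkPolicyName, EAPType, ReasonCode, Reason) are the ones NPS writes into those events; if your build names them differently, adjust the lookup.

```powershell
# Added example (not from the original thread). Run elevated on the NPS server.

# 1. Same setting as the Local Group Policy path in the comment above:
#    Advanced Audit Policy Configuration > Logon/Logoff > Audit Network Policy Server
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

# 2. Pull the last 20 NPS authentication results. 6272 = Access-Accept, 6273 = Access-Reject.
$filter = @{ LogName = 'Security'; Id = 6272, 6273 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue

if (-not $events) {
    # No events at all usually means the request never reached NPS: check the host
    # firewall (UDP 1812/1813) and compare with a Wireshark capture, as in the replies above.
    Write-Warning "No 6272/6273 events found. Check the Windows Firewall on this server and whether RADIUS packets arrive at all."
    return
}

$summary = foreach ($e in $events) {
    # EventData is a list of <Data Name="...">value</Data>; turn it into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Result     = if ($e.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
        Account    = $data['SubjectUserName']        # user or machine$ account that was matched
        ClientMAC  = $data['CallingStationID']       # supplicant MAC as reported by the AP/switch
        RadiusCli  = $data['ClientName']             # RADIUS client (AP, WLC, switch or NPS proxy)
        Policy     = $data['NetworkPolicyName']      # empty on a denial when no policy matched
        EAPType    = $data['EAPType']
        ReasonCode = $data['ReasonCode']
        Reason     = $data['Reason']                 # the text the reply above says to read
    }
}

# Denials first, most recent at the top, so the failing client is visible immediately.
$summary | Sort-Object Result, Time -Descending | Format-Table -AutoSize -Wrap
```

On a machine-auth failure like the one in the question, a ReasonCode of 48 with an empty Policy column means no Network Policy matched (wrong security group or EAP type in the policy), while a reason mentioning the certificate chain points at the server or client certificate rather than the policy order.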
Wow, awesome tutorial! Just want to ask what the best practice is to migrate from MSCHAP to EAP-TLS? Is it also possible to run both protocols on a single SSID? I want a gradual change from MSCHAP to EAP-TLS. Hope you could tell me some steps please. Thanks so much!
Thanks for watching! Unfortunately, no, you are not able to use WPA2-Personal and WPA2-Enterprise on the same SSID. However, both connection policies can exist on a device at the same time. You can enforce which SSID connection is used via GPO. A new SSID will need to be created for the migration. To migrate from PEAP using MSCHAP to EAP-TLS I would do the following.

1.) Create a security group to test your laptop out in. Name this group whatever you want the Production name to be. Test one laptop at first, but add everything to it when ready.
2.) Verify your device has an EAP-TLS certificate assigned to it like you would have created with this video.
3.) Create a new SSID to use WPA2-Enterprise authentication with.
4.) Modify your laptop's GPO policy so it gets the new SSID wireless profile. The old one can still exist and can be left as the default until you are ready to test your new policy. When the new wireless GPO policy applies you will likely need to reboot the device. Some but not all of the settings in the SSID policy require a reboot, and we don't want to leave anything to chance in case you require a change that needs this. "gpupdate /force /boot" will NOT see that a reboot is required for the settings to be updated. If you are enforcing that policy to be used, you will not be able to reconnect to the WiFi until the next step is performed on the NPS server.
5.) Duplicate your Connection Request Policy and Network Policy on your NPS server and modify them so the Security Group your laptop is now a member of has the policy applied to it. Also use the EAP-TLS connection settings.
6.) Move the newly created policy to the top of the processing order in your NPS server. Double check that no other laptops will accidentally receive your new policy before you enable it.
7.) Enable the duplicated, modified policies.
8.) Update your GPO settings for your laptop to use the new wireless profile and verify it connects okay.

If successful, you can move, say, another 10 devices into the same policy. Check last reboot times on the 10 devices to ensure they get the new GPUpdates applied. Then move them into the security group in AD which gives them the new wireless SSID profile that they get forced to connect to. If those 10 devices work without issue, I would go large scale and wait, say, 1-2 weeks to ensure all devices have been rebooted to get their new gpupdates before moving them into the security group.
Hello, I have a problem with EAP-TLS. The client (Windows 10) does not send anything when trying to connect via EAP-TLS with machine authentication. However, it works when EAP-TLS is tried with user authentication. When I check, both the user certificate and the machine certificate are present on the client. My question is why the client does not send any log when it was trying to connect.
Thanks for watching! In the client network connection profile (Windows 10) you can select whether to use a computer certificate or user certificate. Verify the computer option is selected. The other thing to look at is the NPS server Network Policy to make sure the correct group is assigned and verify Smart Card or other certificate is being used. If you want to take screenshots of your config and send them to info@osbornepro.com I can take a look.
Thanks for the reply! I selected computer authentication and I don't use an NPS server (I use FreeRADIUS). It is weird: when I try user authentication with EAP-TLS or EAP-PEAP it works, but when I try computer it is not working. @OsbornePro
I have a question: I have a lab setup in our office wherein the infrastructure is wireless but with only an Active Directory Server, no CA and RADIUS Server. The current scenario of the lab is that users/employees log in to their company laptops (already joined to the domain) using their domain user account and can connect to the office network/WiFi because I shared the password with them. Employees' personal computers (not joined to the domain) can access the office network, as long as they know the WiFi password, and can write stuff to the File Server because they can use their domain user account. I understand from the video that when I apply all of it (CA, RADIUS with EAP-TLS) to my current lab setup, company laptops will not be disconnected from the office network because the GPO for machine authentication will be enforced on them and that will be the reason they can connect to the WiFi. Personal computers cannot connect anymore because the WiFi requirement is not a password anymore, but a machine certificate. Is my understanding correct? - this is the first question haha. 2nd question: Now, what if I have a brand new company laptop that I want to join to the domain? I can't join it now because it can't connect to the WiFi. If that is the case, then I'll need to connect to the office network via the Ethernet port so that I can join the new company laptop to the domain? I hope you find this comment. Thank you very much for uploading this gold video!!
Thanks for watching! For your first question, your understanding is correct. If you modify your SSID to require RADIUS authentication, only devices with the EAP-TLS certificate you set up can connect to it. Personal devices will no longer be able to connect. If you create a second SSID, leaving your original WPA2-Personal setup and creating the new one to use WPA2-Enterprise (RADIUS), then no one will be disconnected from the SSID currently being used in Production. WPA2-Enterprise will prevent users from connecting with their personal devices. Second question: Correct, you would need to set up the laptop by plugging it in via Ethernet in the office, which can be beneficial if you have a PXE scope. You could also assign your admins a PEAP certificate to use that allows them to get things set up over WiFi initially. Otherwise you won't be able to connect to the WPA2-Enterprise SSID with new laptops. Microsoft Intune could also be used to assign certificates if you have a proxy set up for SCEP certificates and Wireless profiles configured. This would allow you to connect to Guest WiFi while still receiving configuration and a certificate via the WAN instead of the LAN.
Thank you for this video. It helped me a lot to configure EAP-TLS. Do you have experience with how to implement it with cloud Windows 11 devices? How can the clients check the CA certificate when they are cloud-only? Thanks
At 23:02, when setting up the network policy and after you chose Smart Card or other certificate, what certificate is your RADIUS server using? I ask because when I set my RADIUS server up I loaded up the MMC and went to the computer certificate store on the new RADIUS server. Under Personal I made a request for a certificate and just pulled down the same RADIUS Client Server certificate I will be using on my clients/supplicants. Is this OK to do? On my RADIUS server, if you go to the network policy at 23:02 in your video under EAP Types, I am using Smart Card or Other Certificate, but if you click the Edit button you can see it's using that certificate under the Computer - Personal store, which is the same certificate my clients will be using for RADIUS authentication via the wireless. Is there an issue with that, or what's the best practice?
Thanks for watching! The certificate I select I have had to choose by its expiration date. I use the RADIUS Server certificate template for that. In this video I made a cert that could be used by both the server and client. In this case I would have selected that one. It is okay to do. For least privilege purposes it's best to have a separate template for server and client.
@OsbornePro Appreciate the feedback. I was not 100 percent sure. I thought it might be best to just set up a cert template for just the RADIUS server, that way it's not using the same cert the clients are using, as I currently have the validity period set to 3 months and the renewal period set to 2 months. It may cause issues once I deploy to production if my RADIUS server cert is using the same as the clients.
Hi. I know this video is old, but thanks for all your effort. I also have a question. If you do a failover RADIUS or NPAS server, wouldn't the clients always have to re-trust the WiFi certificate if they authenticate on a different server? I have 2 RADIUS servers going. My second one is just for backup. But every time I authenticate through the second RADIUS server I have to re-trust the WiFi certificate. Does that sound right? Thanks
Lol, I didn't realize the video was old until you stated that. It is old now, isn't it? I don't think I understand what is happening. You probably have an NPS server with a couple of RADIUS servers behind it and one of those RADIUS servers also acts as the backup NPS server, or something close to that. The RADIUS server certificate should be from the same CA, so the trust of the Root CA should be good. Once the client authenticates to one of the servers the connection is up. If they re-establish a connection with the backup NPS server it shouldn't cause any downtime or create new certs. Are both NPS servers defined in the group policy wireless profile? The subject CN of the certificate is case sensitive and needs to match the FQDN of the RADIUS server. That server will need to be defined in the client's RADIUS profile, which I would treat as case sensitive just in case. Maybe the second NPS server needs its RADIUS server certificate assigned and an auto-selected one is not the one you are expecting.
I exported the certificate from the CA and imported it into my second RADIUS backup server. I watched both your full videos. You set up yours differently than I did. I wish I could show you, if I could somehow send you screenshots or pictures. I have had my setup almost 5 years with multi-VLAN authentication. My only issue is if I use my backup server, clients have to re-trust the certificate on the second backup server.
@jacobstahl7467 On your NPS server, the RADIUS server certificate I am thinking you may need to set is in the network policy. In the section where you select Microsoft Smart Card or Other Certificate, select that option and click Edit. Then verify, using the expiration date if there is more than one certificate option, that your RADIUS server certificate is being used and not a self-signed one. Or have you been able to verify the certificate is good already?
@OsbornePro Yeah, the certificate is still good. I have it set to expire in 20 years. Even though I know I'll do hardware updates before that, I just set its expiration to 20 years. Your setup is different than mine. I noticed you authenticated with just the certificate, but I have about 18 VLANs on my network and I'm authenticating users via username and password, and whichever group the users are in, they are connected to that specific VLAN. And I select my certificate for WiFi under Network Policy Server > Network Policies > (the custom policy I created for VLANs) > Constraints > Authentication Methods, then in the right window I select Microsoft: Protected EAP (PEAP), then I click Edit. This is the place I select my certificate. And I noticed you're doing it in Group Policy Manager, where I'm doing it under NPAS > Network Policy Server. I hope I make sense.
Good day, excellent content that I have used in the past. Nevertheless, I have a question regarding your configuration at 13:28 regarding priority and weight. A priority of 1 & 2 would forward all requests to the server with priority 1. When the server with priority 1 is unavailable, then it would be sent to the server with priority 2. Since there is a weight of 50% associated with either server, would all requests be sent to the server with priority 1? Also, if the server is unavailable, would it be able to forward requests?
Thanks for watching! So yes, all requests would be sent to the priority 1 server unless that server is overloaded. The NPS proxy you set up sends connection requests to the RADIUS server with a priority of 1 first. If servers with priority 1 are not available, NPS sends requests to servers with priority 2, and so on. I don't remember what I said in the video, but I think I learned after this video that when you assign the same priority to multiple RADIUS servers and use the "weight" value, you load balance between them. When you assign different priorities it acts as a failover. So if the priority 1 server is not available (gets a connection timeout from drops or timeout settings) it goes to the priority 2 server.
Thanks for watching! In the video after we created the computer certificate templates and set up group policy, the certificates then started being deployed automatically via group policy.
@OsbornePro Wow! Replied in less than an hour! Thank you! In my case, I don't think I can do the auto deployment because my wireless client PCs are not on the same domain as the RADIUS server domain controller. Is there a way to manually generate and deploy the client and server certificates?
@gilgamesh822 If you have another domain you can trust the Root CA certificate that assigned the RADIUS server certificate. Then the second domain's clients will be able to trust that NPS server certificate. The NPS server can be set to trust the second domain's CA. Then your authentication will still happen to the one server. That lets that domain manage its own certs. Otherwise, as a manual process, you could script the manual assignment of the certificates, or open certlm.msc with admin permissions and request a new certificate for each device individually. Then create the wireless or wired profile manually on each device in Control Panel's Network Manager for an interface.
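The manual path in the reply above (trust the Root CA, request a certificate per device from certlm.msc, then create the wireless profile) can be scripted so it is repeatable across the machines that cannot autoenroll. This is an added example and not code from the video or the commenters. It assumes, and you should change to match your environment: a client-authentication template published on the issuing CA and named "RADIUSClient", the Root CA certificate exported to C:\PKI\RootCA.cer, and an EAP-TLS wireless profile exported from a working client with "netsh wlan export profile" to C:\PKI\CorpWiFi-EAPTLS.xml. The chain and EKU checks before the profile is added are what saves the round trip to the NPS event log when enrollment silently produced an unusable certificate.

```powershell
# Added example (not from the original thread). Run elevated on the client.
# All three paths/names below are assumptions for the example.
$TemplateName = 'RADIUSClient'                 # assumed template name on the issuing CA
$RootCaFile   = 'C:\PKI\RootCA.cer'            # assumed export of the Root CA certificate
$ProfileXml   = 'C:\PKI\CorpWiFi-EAPTLS.xml'   # assumed "netsh wlan export profile" output

# 1. Trust the Root CA that issued the NPS server certificate. Without this the
#    supplicant either rejects the server certificate or prompts the user to
#    accept it, which is the behaviour the earlier Evil Twin discussion warns about.
$root = Import-Certificate -FilePath $RootCaFile -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Trusted Root CA: $($root.Subject) [$($root.Thumbprint)]"

# 2. Request a machine certificate from the enterprise CA. Get-Certificate (PKI
#    module) uses the machine's own credentials; the computer store is selected
#    so the key is usable before any user logs on.
$req = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') {
    throw "Enrollment did not complete (status: $($req.Status)). 'Pending' means the template requires CA manager approval."
}
$cert = $req.Certificate

# 3. Prove the certificate is usable for EAP-TLS before touching the profile:
#    private key present, Client Authentication EKU, and a chain that ends at
#    the Root CA we just imported (not some other CA that happens to be trusted).
if (-not $cert.HasPrivateKey) { throw "Issued certificate has no private key in the machine store." }
$ekus = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
if ('1.3.6.1.5.5.7.3.2' -notin $ekus) { throw "Certificate lacks the Client Authentication EKU (1.3.6.1.5.5.7.3.2)." }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'     # same check NPS will perform against the CRL
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Chain validation failed: $status"
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    throw "Certificate chains to '$($chainRoot.Subject)', not to the Root CA trusted in step 1."
}
Write-Host "Client certificate OK: $($cert.Subject) expires $($cert.NotAfter)"

# 4. Install the wireless profile for all users of the machine and connect.
#    The SSID is read from the profile XML so the connect step matches it exactly.
netsh wlan add profile filename="$ProfileXml" user=all | Out-Null
$ssid = ([xml](Get-Content -Path $ProfileXml)).WLANProfile.name
netsh wlan connect name="$ssid"
```

Because the profile XML comes from a working domain-joined client, it already carries the trusted Root CA thumbprint and the "use computer certificate" setting the replies above ask for; the script only has to make sure this machine holds a matching certificate before applying it.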
Does anyone know if there is a way to use a Windows Network Policy (RADIUS) server to authenticate users on a different trusted domain? We are using Meraki APs and it works fine on the first domain, but when I copy the GPO to the second domain, clients are not able to connect to the Wireless network. If not, I could add an NPS server on the second domain and give them their own SSID, but that solution won't work if I push this down to switch ports.
Thanks for watching! I would be curious what you do for this. If you are using PEAP I would think trusting the Root CA and a domain trust would be required between the two domains so the user accounts can be found. For EAP-TLS you probably need a non-domain joined CA to issue certs to both domains in order to accomplish that
Excellent video! I echo all other commenters that I appreciate your thoroughness and getting right to the point. I am having an issue I wonder if you can point me in the right direction. I am getting the certs deployed fine and the endpoint connects just fine. Seems to me the most important piece of being able to use EAP-TLS is the process of certificate revocation to disallow an endpoint from joining. When I revoke a certificate, the endpoint is still able to join. I run powershell from the NPS and it sees that the cert is revoked. What am I doing wrong? Thank you again!
Thanks for watching, appreciate the support! That is interesting, sounds like the CRL is not being checked based on your actions so far. Can you check the registry settings on the NPS server and verify none of the below registry values are set to 1. If a -Name value does not exist you will likely get an error message, which is expected and can be safely ignored. It might be useful to set all these reg values to 0 and restart the server so you are manually telling the server to perform the checks.
Registry Path / EAP Extension
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 - EAP-TLS
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\25 - PEAP
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\26 - EAP-MSCHAP v2
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13" -Name IgnoreRevocationOffline
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13" -Name NoRevocationCheck
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13" -Name NoRootRevocationCheck
REFERENCE: learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771995(v=ws.10)?redirectedfrom=MSDN
@@OsbornePro Thank you! The response in the first query was for an incorrect string, so I don't think that one exists. Double-checked spellings and used tab completion and up arrow for the last two commands. Last two queries were 0 for the value. UPDATE: I stand corrected. I just now understood your ask. I have used all three queries now in all three paths (9 total). The last two queries resulted in a '1' value in the '25' path. But since that is not in the EAP-TLS path, will it make a difference? I set those values to 0. Waiting to hear from my sysadmin if I can reboot the server.
@@scottfuller2449 I apologize I am not always good at communicating what I am thinking. Change those values from 1 to 0. You may need to restart for those values to apply. The 0 says to use CRL checks with PEAP authentication. If that still does not work my next check would be to verify what certificate the client is presenting. I would change the client profile in the Control Panel network device settings so it allows me to select what certificate I want to use to verify there is not another cert being presented that works
@@OsbornePro You have no reason to apologize! You communicated it very well. I am waiting to do the testing after setting those values to 0. But since that wasn't in the EAP-TLS path, I don't understand how it will help. But that doesn't mean much either. Certificate knowledge is like fairy dust to me. I don't understand them very well or the complex process. I will report back. Thank you so VERY much for your responses and help thus far!
@@scottfuller2449 thanks, no problem. I am doing that just to cover all bases. If you are using EAP-TLS it should not affect it. I want to make sure that is not it.
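An added PowerShell helper (not the commenter's script) that runs the check described above across all three EAP registry paths at once, treating a missing value as "default (checks enabled)" instead of an error, and optionally forces the three values to 0. The registry paths and value names are the ones quoted in the thread.

```powershell
# Added example for auditing the NPS revocation-check values discussed above.
# A value of 1 disables the corresponding CRL check; an absent value leaves the
# Windows default (checks enabled) in place, which is why a "does not exist"
# error from Get-ItemProperty is harmless.
$EapPaths = [ordered]@{
    'EAP-TLS'       = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
    'PEAP'          = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\25'
    'EAP-MSCHAP v2' = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\26'
}
$RevocationValues = 'IgnoreRevocationOffline', 'NoRevocationCheck', 'NoRootRevocationCheck'

function Get-EapRevocationSetting {
    # Emits one object per (EAP method, value name) so the result can be filtered.
    foreach ($method in $EapPaths.Keys) {
        $path = $EapPaths[$method]
        foreach ($name in $RevocationValues) {
            # SilentlyContinue turns the expected "property does not exist" error into $null
            $item  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            $value = if ($null -eq $item) { $null } else { [int]$item.$name }
            [pscustomobject]@{
                Method         = $method
                Name           = $name
                Value          = $value          # $null = not set (default behaviour)
                ChecksBypassed = ($value -eq 1)  # 1 means the CRL check is skipped
            }
        }
    }
}

function Set-EapRevocationSetting {
    # Explicitly sets all nine values to 0 (checks on), as suggested in the thread.
    # A restart of the server (or at least the RasMan/NPS services) applies them.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($path in $EapPaths.Values) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $RevocationValues) {
            if ($PSCmdlet.ShouldProcess("$path\$name", 'Set DWORD to 0')) {
                New-ItemProperty -Path $path -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

Get-EapRevocationSetting | Format-Table -AutoSize
# Get-EapRevocationSetting | Where-Object ChecksBypassed   # only values that disable checks
# Set-EapRevocationSetting -WhatIf                          # preview; rerun without -WhatIf to apply
```

Run it in an elevated PowerShell on the NPS server; any row with ChecksBypassed set to True is a value the thread says should be 0.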
Great tutorial! Instead of doing the GPO part, I want to deploy via Intune. I found the Wi-Fi config profile to deploy, settings look similar. Is there anything different I should do to get this to work?
Thanks for watching! The only thing I think is worth mentioning would be: where are your certificates being auto-deployed from? If remote devices have their certs being deployed from your Root CA server to the client machines automatically and you know the remote devices will be forced to connect to the VPN fairly often you won't need to do anything else. If the remote devices are not usually connected to the VPN or domain joined you will need to set up basically a proxy to your Root CA that issues SCEP certificates. learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure Your other GPO settings being deployed from Intune do not matter where they come from.
Do you know why the client is getting a "Computer" template cert as well as the one created? Also why it says "Server Authentication" as well as client authentication?
Thanks for watching! If a user is getting a Computer template certificate assigned to them it is because they have permissions to that template and the auto-assignment in group policy thinks that means they should get one. I can’t picture another reason for that but it is possible there is something I’m not thinking of. In the video I just used one certificate for the radius server and radius supplicants. If you want to create a Radius Server certificate you can duplicate the “RAS and IAS” template and change the security permissions to your radius servers security group. For radius supplicants you can duplicate the Workstation certificate which I think I used in the video. With an EAP-TLS connection the client validates the server and the server validates the client as opposed to the client only validating the server. I believe the server validating the client is the reason for Server Authentication.
Pal, loved your content but I have a question. I have windows server 2012 and I don't have the encryption AES-CCMP under wireless network Group policy. I only have AES. my computer can't connect using my certificate. Would that create an issue? Thank you!
Hey thanks for watching! AES-CCMP came out with WPA2. My assumption is that AES means the same thing. It may show as AES-CCMP in newer OS versions because AES-GCMP was released later. I forget if I covered it in this video or not. If you check the box in your group policy client profile to verify your server's identity and define the server to connect to, the value you define is case sensitive and needs to match the subject name value of your server's RADIUS server certificate. Uncheck that box in the client profile to see if that is the value preventing your connection. Check the NPS logs on your RADIUS server to see if your RADIUS server is receiving and rejecting the request, as it will give you an idea why it was rejected. If it is not rejecting the request check your supplicant's event logs under EapRas-Tls for EAP-TLS and CAPI2 for SSL errors. If you run packet captures you want to analyze EAPOL packets on the client side and RADIUS packets on the server side.
@@OsbornePro Bro I got it working :-) I think it was a bug. All it needed was a Windows update. I have one more question for you. Let's say I have a user that's not part of my domain, but I want him to be able to join the enterprise Wifi. How can I generate a client cert? I googled the shit out of this question and no answer whatsoever xD
@@brolysmash9333 right on, that is exciting. There are a couple of possibilities. The first is using an MDM policy. I am currently working on one for an organization that uses the Enterprise CA to assign SCEP certificates using an Intune Connector and Application Proxy. With Azure I seem to be able to offer 3 different cert types but they may only be capable of PEAP. I was going to try and work something out using PEAP and MDM but am having some kind of permissions issue on the CA preventing the certs from being assigned. The other possibility is still PEAP. Someone I was working with recently was doing something for hospital devices. The hospital was using one PEAP certificate with an exportable private key assigned to a single user but put it on multiple devices. (There is no way to auto-assign or renew Linux device certificates which is what makes this ideal from a management perspective). I stole that idea and limited what devices that user is allowed to sign in on in AD and applied the same concept to printers. This works for the most part however some of the older printers are not able to use the certificate because the PEAP cert is being imported as a machine cert. It works for newer printers but not old ones and I don't know why. That may be something we run into on phones and such as well. I am thinking that may be your best solution (create an exportable private key PEAP certificate and send it to wherever to install). I am going to be doing a PEAP video here soon. I have a securing Apache video prepared to come out next and will try to get that one done after.
Hello! I really doubt you'll see this but I'll ask anyway. I am trying to use the NPS server as a means to authenticate WiFi users. We use Aruba Central, and I just can't seem to get the certificate to work! I don't want to use the NPS server for anything other than to allow employees to log into wifi using their AD credentials. Great video. Thank you!
Thanks for watching! I am not familiar with Aruba but the essence of what you need in the setup is 1. A RADIUS server certificate the client devices trust 2. A certificate the clients can present the RADIUS server trusts that can be used to authenticate the client If you have those things, tweaking the config becomes much simpler
@@OsbornePro Thank you so much for your response! I only have an NPS server ( I thought NPS and radius server were the same thing). Aruba told me that I just need to upload my certificate to Aruba Cloud Console. It looks like it just needs a PEM certificate, but I don't even know how to export a certificate from my NPS server to even start 😅😭 We just want to allow AD users to connect to our wifi on their personal mobile device. Right now we are manually typing in our wifi password on their personal device which is not secure.
@@xtnx the Aruba needs to trust your on premise root certificate authority that is assigning certificates. Use Windows to view the Root CA certificate. You can open certlm.msc as an admin and go to Trusted Root Certificate Authorities. Double click on your cert to open it and go to Details then Copy to File. Export in Base64 format, not DER. That is the PEM file they want. That will be all you need for them. Pushing certificates out to your mobile devices will require an MDM solution. The NPS role can be related to a proxy. It will distribute authentication requests to the RADIUS servers.
Hello good man, thank you very much for your time and efforts, the explanation was very helpful and informative. Your channel has a bright future ahead! I followed your instructions and basically did everything you did, unfortunately I'm having 2 different issues on 2 different laptops, both are running win11 and are very recent Dells. One of them is saying can't connect because the sign in requirements for your device aren't compatible. The second laptop works just fine but at the first connection it says "Continue connecting? If you expect to find [wireless SSID name] in this location, go ahead and connect. Otherwise, it may be a different network with the same name." I do have something that may be worth mentioning, my NPS is not installed on a DC. Do you have any idea about these issues? Thank you so much again, looking forward to watching your Intune wi-fi profile...
Thanks for watching! Are you using Server 2019 or higher for your NPS Server? If your NPS server is not a domain controller that is fine, just make sure you have your DCs defined in the server group. You will then want to assign your NPS server the RADIUS server certificate template created and any time you are asked for a RADIUS server define your NPS Server. You may want to view this article for information on using TLSv1.2 support.microsoft.com/en-us/topic/microsoft-security-advisory-update-for-microsoft-eap-implementation-that-enables-the-use-of-tls-october-14-2014-d9ba4b83-b4e9-2c01-83a7-e42706e671af I would play around with your client Wireless profiles. Try being less strict and use different trust settings and hostname, FQDN, IP address in the RADIUS servers field to get it working. You can then harden from there once you see what part is having trouble.
@@OsbornePro Hey! I appreciate your reply, again thank you for your time! I'm using a 2016 std for the NPS. Could you please explain what you mean by DCs defined in the server group? I'm sorry I forgot to tell you that I already have another SSID (let's call it SSID1) set up and it works just fine, the only difference is, it's using PEAP instead of EAP-TLS. I have checked the event viewer on my endpoint and found these events under App & srvs logs wlan-autoConfig events: 8002 + 11006 + 12013
Wireless 802.1x authentication failed.
Network Adapter: Intel(R) Wi-Fi 6 AX201 160MHz
Interface GUID: {c8fcec8b-89f8-42b7-87cb-4b059364c8c4}
Local MAC Address: XXXXXXXXXX
Network SSID: MYSSID
BSS Type: Infrastructure
Peer MAC Address: :xxxxxxxxx
Identity: host/myhostname
User:
Domain:
Reason: Explicit Eap failure received
Error: 0x40420016
EAP Reason: 0x40420016
EAP Root cause String: Network authentication failed Windows doesn't have the required authentication method to connect to this network.
EAP Error: 0x40420016
--------------------------------------
Wireless security failed.
Network Adapter: Intel(R) Wi-Fi 6 AX201 160MHz
Interface GUID: {c8fcec8b-89f8-42b7-87cb-4b059364c8c4}
Local MAC Address: XXXXXXX
Network SSID: MYSSID
BSS Type: Infrastructure
Peer MAC Address: XXXXXXXX
Reason: Explicit Eap failure received
Error: 0x40420016
------------------------------------------
The last event says the specific network is not available. One thing I noticed also, a few users could connect to the EAP-TLS network but when I checked the NIC wireless properties/Security I found that it has the auth method of the working network (SSID1) which is PEAP, and whenever I switch it to EAP-TLS (even though I'm not supposed to be able to modify this part as it should be greyed out) the connection drops.... by the way I'm using SOPHOS XG FW
@@ane4412 based on the event you posted, that is telling us the clients are attempting to use an authentication method the server is not accepting. On your NPS server on the Network Policy you will want one created for PEAP and another for EAP-TLS. The EAP-TLS one should have Smart Card or other certificate selected only. Click the Edit button for that selection. Then using the expiration date of the RADIUS server certificate, select the RADIUS server cert to ensure the correct one is being used. Don’t add any other requirements. On the clients you can check the EAP-RRAS logs for EAP-TLS (EAP type 13) (PEAP is EAP type 25). GPOs need to be assigned to the same OU as a device or have the Enforcing tick box checked to prevent someone from making changes to your client profiles. The server groups are defined in Network Policy Server in the left hand pane as Server groups. Your Domain controllers get set at that location (not the NPS server in your case).
@@OsbornePro Thank you so much! I will carefully double check all parameters you've pointed out and let you know. I'm a bit confused though about the server groups part, I thought it was only for failover and load balancing between NPSs but hey why not :-) I must do more research on that, or install the NPS on a DC... By the way the log says Auth failed for EAP method type 13, the error was 0x9009030c. Thank you again.
@@ane4412 sounds good. Those groups do perform load balancing, however your NPS server is not a DC so it can only act as a proxy for authentication requests. It cannot perform the authentications.
under public key policies I don't have anything listed under trusted root certificate authorities and intermediate certificate authorities where do I import these from? Thanks
Thanks for watching! That I am not sure. By default you should have default certificate authorities that exist in both the Trusted Root Certificate Authorities and Intermediate Certificate Authorities stores. If there is nothing there maybe the Windows store is not used for trust and some other technology is handling that? If you want to get your domain's Root CA, remote into the Root CA server and open Command Prompt or PowerShell. Then execute the below commands.
mkdir C:\Temp # Creates a directory if it does not exist
certutil -ca.cert C:\Temp\RootCA.cer # Exports your domain's Root CA certificate to a file that you can import into the trusted stores
Once you have the RootCA.cer file you can open certlm.msc and import it into the Trusted Root Certificate Authorities store.
Hello bro, I have already configured NPS on Windows Server 2019 and created an EAP-TLS policy. But in this case the Yealink IP phone and PC cannot work together: the PC can get an IP from DHCP but the IP phone cannot get an IP. What must I configure in the NPS policy? :(
Thanks for watching! I believe that Yealink phones are not capable of trusting third party certificates. In order to get them internet you would need to configure a multi-host policy on a Cisco switch. This allows the phones to piggy back on the computers authentication and not have to use RADIUS to authenticate to pass traffic. www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_37_se/configuration/guide/3560scg/sw8021x.html#wp1271507
Thank you so much for this great video. I just have a question, can I use this configuration for mobile devices like Android and iOS? Do I need to change anything? Thank you again.
@@OsbornePro Thanks so much for this video - it was a really useful start-to-finish tutorial and we've managed to get laptops connecting nicely over WPA Enterprise now. I was just curious about your comment above about needing PEAP user certificates on the mobile devices. We have been unable to get the iOS devices connecting over RADIUS. We have successfully deployed the certificates to the mobile devices using the MDM (Airwatch / WorkspaceOne) however the certificates on the mobile devices are user certificates, not device certificates and I'm wondering if this is why it might not be working. The TCPDUMP on the AP shows that the connection is being denied but I'm not sure why. Does NPS require machine certificates and if so, how do we loosen the policy to also allow User certificates from mobile devices to authenticate? Otherwise, how do we use PEAP user certificates as you mentioned above on the mobile devices? Thanks so much for any guidance and for the awesome video!
@@jimmyweston613 excellent, that is great to hear! With PEAP you will need to create a new network policy on the NPS server. Add a security group to it so the PEAP users have the PEAP network policy applied and then the devices security group assigned to your EAP-TLS policy. You will want to set up PEAP and MSCHAPv2. You do not need to check the legacy checkboxes for MSCHAP or MSCHAPv2 when creating that network policy.
@@OsbornePro Thanks so much for the reply. I will definitely try this over the weekend during a change window. Just to confirm though that in the new NPS Network Policy I am creating for the mobile devices, for the "EAP method" option, I should select "Microsoft: Protected EAP (PEAP) OR Microsoft: Secured password (EAP-MSCHAP v2)" instead of "Microsoft: Smart Card or other certificate", the latter of which I used in the other (working) policy for laptops? Thanks!
@@jimmyweston613 no problem. Correct, to break it down
1.) In Server Manager go to Tools > Network Policy Server
2.) Under "RADIUS Clients and Servers" drop down "Policies", right click on "Network Policies" and click "New"
3.) Call the Policy PEAP Users and leave "Unspecified" selected. Click "Next"
4.) Add a Condition for "User Groups" and add the security group containing your PEAP/MDM users. Click "Next"
5.) Select only "Access Granted" then click Next
6.) For EAP Type select "Microsoft Protected EAP (PEAP)" and uncheck all the less secure protocols. Select "Microsoft Protected EAP (PEAP)" and click the "Edit" button. Ensure your RADIUS server certificate is selected next to "Certificate issued to:" and "Enable Fast Reconnect" and ensure under EAP Types you have "Secured Password (EAP-MSCHAPv2)". Click OK and then click "Next"
7.) In the left hand pane of "Constraints" select "NAS Port Type" then check the boxes for "Wireless - IEEE 802.11" and "Wireless - Other". Click "Next"
8.) Uncheck the weak encryption methods if you like and click Next. Then Click Finish
9.) I have my PEAP policy last in processing order so it checks for company devices first and then tries PEAP based on user accounts
Thanks for watching! At that part I am configuring the Group Policy item to deploy out to devices that gives them the Root CA in their trusted store. NOTE: In the video I see I installed the Root CA cert in the Intermediate store. If you don't have an Intermediate Root CA cert then DO NOT INSTALL IT THERE. It's not really a big deal but I was paranoid at the time I made this that my cert would not be trusted and I would have to do the video over lol. Supposedly it can cause an issue. I have never seen one but it's better to be safe than sorry.
Step 1.) On your Root CA, export your certificate. This can be done by executing the below command on your Root CA server. It exports the public certificate to a file.
certutil -ca.cert C:\Temp\yourRootCA.cer
Step 2.) Copy yourRootCA.cer to the Domain Controller you are making the GPO on (robocopy takes the source directory, the destination UNC path and then the file name)
robocopy C:\Temp \\domain-controller.domain.com\C$\Temp yourRootCA.cer
Step 3.) When you have the policy open like I do in the video at that time frame, right click on "Trusted Root Certificate Authorities", select Import and import that file
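An added PowerShell example (not code from the video) that covers two things raised in this thread: checking on a client that the GPO really placed the Root CA in the Trusted Root store and not in the Intermediate store, which the note above warns against, and exporting the Root CA as a Base64 PEM file as described earlier for Aruba. The thumbprint is a placeholder you replace with your own Root CA's.

```powershell
# Added example: verify Root CA placement on a client and export it as PEM.
# Placeholder: substitute your Root CA's thumbprint (certlm.msc > Details > Thumbprint).
$RootCaThumbprint = 'REPLACE-WITH-YOUR-ROOT-CA-THUMBPRINT'

function Test-RootCaPlacement {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $inRoot         = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $Thumbprint
    $inIntermediate = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Thumbprint -eq $Thumbprint
    # A root CA certificate is self-signed (Subject equals Issuer). Any self-signed
    # certificate sitting in the Intermediate store is the misplacement the note above describes.
    $selfSignedInCA = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -eq $_.Issuer }
    [pscustomobject]@{
        RootCaTrusted            = [bool]$inRoot            # expected: True after the GPO applies
        RootCaInIntermediate     = [bool]$inIntermediate    # expected: False
        SelfSignedInIntermediate = @($selfSignedInCA | Select-Object -ExpandProperty Subject)
    }
}

function Export-CertificatePem {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Path
    )
    # Base64 of the DER bytes, wrapped at 64 characters with PEM armour; this is the
    # same output as choosing "Base-64 encoded X.509" in the certlm.msc export wizard.
    $b64     = [Convert]::ToBase64String($Certificate.RawData)
    $wrapped = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`r`n"
    $pem     = "-----BEGIN CERTIFICATE-----`r`n$wrapped`r`n-----END CERTIFICATE-----`r`n"
    Set-Content -Path $Path -Value $pem -Encoding ascii -NoNewline
    Get-Item $Path
}

Test-RootCaPlacement -Thumbprint $RootCaThumbprint

# Export the trusted Root CA (public certificate only, no private key) for a third party
$rootCa = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootCaThumbprint
if ($rootCa) { Export-CertificatePem -Certificate $rootCa -Path 'C:\Temp\RootCA.pem' }
```

Run it on a client after gpupdate; RootCaTrusted should be True and SelfSignedInIntermediate should be empty.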
are the TLS certs unique to each client/machine and if so what aspect makes them so? i.e. username, hostname, etc. I'm assuming they must be otherwise how could you revoke the cert for an individual machine.
Thanks for watching! Yes you are correct the TLS certificate is unique to each machine. It is based off of the FQDN of the host which is used in the certificate. If you revoke the certificate for one of the machines you will prevent that machine from authenticating itself using that certificate.
Thanks for watching! I have no idea why they do not make it easier to see what certificate you are selecting. I would renew the certificate with the same key and select the certificate based on its expiration date.
Will this RADIUS with EAP-TLS work for cloud joined devices, with certificates passed through Intune? If not can you please suggest to me how to do that. Thank you.
Thanks for watching! As far as I understand it, Intune using SCEP is able to assign 3 types of certificates that cover user certificates that can do EFS, S/MIME, Email Signing, and Client Authentication. This would restrict devices receiving certificates from Intune to using PEAP and not EAP-TLS. The PEAP certificate would be assigned to the user and they could then use their credentials to authenticate. If you have info different from mine I would be interested to hear it. I have only worked with E3 Office365 licenses which may be more limited than the E5 one.
How can I differentiate which certificate template is used? I have another template for Intune PKCS certificate. In Intune you have to give the template name.
Thanks for watching! On the RADIUS server for my NPS server I use the expiration date to determine which certificate I am selecting. When giving template names I typically try the one without spaces first.
I am assisting a customer in setting this up and am a novice with the various touch points. Am I correct in assuming that this config allows the clients to automatically enroll and download the cert and connect to the SSID?
Thanks for watching! Yes you are correct the GPO creates the wireless profile that gets pushed out to the clients. By selecting a root CA certificate in the GPO wireless profile you are telling the clients what cert to autoselect
@@OsbornePro What triggers the clients to auto-enroll? I watched another video and they discussed the gpupdate /force to enroll the client immediately and they also mentioned syncing the GPO to the domain which I didn't see mentioned in your video
Thank you for your Tutorial! We created AD Groups and issued certificates for users. All working just fine, MAC OS receiving their certificates via intune, the only problem we do have is first user login for Windows domain systems. We have to pass authentication process for them first on trusted network, so they can receive their user certificates. Do you know any workaround how to bypass this step, so users will be able to grab their certificate during their first login?
Right on thanks for watching! My apologies for the delay I have been stuck on a project. To make sure I am understanding correctly, are you referring to devices that attempt to connect to your wireless network for the first time since they do not yet have a certificate to authenticate with?
@@OsbornePro Not really the device, but the user. For example if a user has never logged on from his PC to the domain there is no user certificate and the user is not able to pass authentication on the RADIUS server. We created user based certificates because it is just easy to assign AD groups; we added an additional feature where the user receives a certain IP from a certain IP pool depending on the AD group, because our Mac systems are not joined to the domain and we need to be able to filter user traffic on our Firewall for this group of users. At the moment, a new user (or a user replacing his PC) should initially pass domain authentication on a wired connection and once they receive the user certificate they are able to connect to our EAP-TLS. Thanks again for the video, really appreciated that you covered the topic with redundancy in detail!
Great video - does anyone have suggestions on how to import certificates to Azure joined clients. In my environment will need to leverage Intune for the GPO settings.
Thanks for watching! Importing a Root CA certificate is simple enough to do with Intune. Assigning certificates for RADIUS auth requires the Windows Server Root CA to have what windows calls SCEP configured and if devices are not domain joined you need a Standalone CA. Once that is set up and SCEP open to the internet you can set up the Intune profile to issue certs.
Thank you very much, I have a problem I applied this guide and the "HardenedWin10.ps1" script from your other video and since TLS 1.0 is disabled I can't connect via Wifi. Is it possible to force authentication to TLS1.1? can you help me? Thank you
Yes great question, you can add the following registry key to use TLSv1.1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
Create the DWORD value 0x300. TLSv1.0 would be 0xc0, TLSv1.2 would be 0xc00.
I was thinking this might help your situation as well. In Windows 7 TLSv1.2 is not turned on by default. I wrote a script to turn on TLSv1.2 usage in Windows 7 era Operating Systems github.com/tobor88/PowerShell/blob/master/EnabledTLS1.2-Windows7.ps1
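An added PowerShell example (not the commenter's script) that reads, decodes and sets the EAP-TLS version bitmask under the EAP\13 key using the bit values quoted above. It assumes the value name is TlsVersion, as in the Microsoft EAP advisory linked elsewhere in this thread, and that the bits can be ORed together to allow more than one version.

```powershell
# Added example: manage the EAP-TLS (EAP type 13) TLS version mask described above.
# Assumption: the registry value is named TlsVersion (per the linked Microsoft advisory).
$EapTlsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
$TlsBits = [ordered]@{ 'TLSv1.0' = 0xC0; 'TLSv1.1' = 0x300; 'TLSv1.2' = 0xC00 }  # values from the thread

function ConvertFrom-TlsVersionMask {
    # Returns the protocol names whose bits are set in the mask.
    param([int]$Mask)
    if ($Mask -eq 0) { return @('(default)') }   # no value set: Windows default behaviour
    @($TlsBits.Keys | Where-Object { ($Mask -band $TlsBits[$_]) -eq $TlsBits[$_] })
}

function Get-EapTlsVersion {
    # SilentlyContinue: an absent value is reported as mask 0 rather than an error
    $item = Get-ItemProperty -Path $EapTlsPath -Name TlsVersion -ErrorAction SilentlyContinue
    $mask = if ($null -eq $item) { 0 } else { [int]$item.TlsVersion }
    [pscustomobject]@{
        Mask    = ('0x{0:X}' -f $mask)
        Enabled = ConvertFrom-TlsVersionMask -Mask $mask
    }
}

function Set-EapTlsVersion {
    # Assumption: ORing the bits allows several versions at once.
    param([Parameter(Mandatory)][ValidateSet('TLSv1.0','TLSv1.1','TLSv1.2')][string[]]$Version)
    $mask = 0
    foreach ($v in $Version) { $mask = $mask -bor $TlsBits[$v] }
    if (-not (Test-Path $EapTlsPath)) { New-Item -Path $EapTlsPath -Force | Out-Null }
    New-ItemProperty -Path $EapTlsPath -Name TlsVersion -Value $mask -PropertyType DWord -Force | Out-Null
    Get-EapTlsVersion   # show the result; a reboot is needed before EAP uses it
}

Get-EapTlsVersion
# Set-EapTlsVersion -Version 'TLSv1.2'             # hardened: only TLS 1.2 for EAP-TLS
# Set-EapTlsVersion -Version 'TLSv1.1','TLSv1.2'   # the case above: TLS 1.0 disabled, 1.1 still allowed
```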
I’m testing it with wired and wireless. My NPS running on Windows Server 2022 is joined to the domain and the test PC is also joined to the domain. What I want to know is how the authentication can be tested? If I unlock the PC and put in credentials (those credentials will be checked if they exist in AD, so basically I have to login via a domain account to get access and the VLAN pushed from NPS)? Basically, I want to check group membership and push a VLAN from NPS (dynamic VLAN assignment). Next for EAP-TLS, how does that happen? While you login to the domain joined PC or try to connect the LAN cable? Please clarify or show the demo. If anyone has any idea, kindly advise!
Thanks for watching! I think I understand what you are asking. I apologize if I misinterpreted and feel free to let me know.
WIRELESS TEST
To test EAP-TLS authentication out, the simplest way would be to temporarily have a WPA2-Personal SSID set up you can fall back on in case you need it. Use the same subnet in that SSID as your WPA2-Enterprise one. Set up your Wireless Connection Policy directly on the client instead of using GPO and/or exclude your laptop from the GPO enforcement temporarily. This will allow you to more quickly test and make changes to see what the issue might be. Make your changes and retry connecting to your WPA2-Enterprise SSID. Check the "Network Policy Server" logs on your NPS server to see why a request was rejected and to verify the request gets there. On the client side you can view Event Viewer > Applications and Services > Microsoft > Windows > EapMethods-RasTls or EapHost to see why the RADIUS server is not being reached if the issue is caused by config.
WIRED TEST
If you have a Cisco networking device acting as an Authenticator, you can use Monitor mode on some switches. This will basically audit your requests for testing purposes. You could also configure RADIUS, None which says if the RADIUS server cannot be reached or the device cannot be found, the connection is allowed. You can then check the failed authentications on the interface your device is plugged into using the below commands. Turning that interface off and on again should force a reconnect attempt the majority of the time.
# View whether a session was created on your interface
sh authentication sessions interface gigabitEthernet 1/0/1
# View auth statistics for interface
show dot1x int gi1/0/1
You can configure the quiet timer on your Cisco interface to get rechecks to happen more frequently
dot1x timeout quiet-period seconds
dot1x timeout tx-period seconds
More details on these commands can be seen in this forum community.cisco.com/t5/security-blogs/dot1x-ios-commands-overview/ba-p/4614712
I was just answering someone else's question who brought this tool to my attention, NTRadPing support.secureauth.com/hc/en-us/articles/360019651812-How-To-Test-RADIUS-Using-NTRadPing It seems at first look like this is a PEAP authentication test. I figured I would share it with you in case it is helpful
Thanks for watching! For mobile devices I would suggest going with PEAP certificates associated with the user accounts. The PEAP certificates can be pushed out using an MDM (Mobile Device Management) provider. If your company has at least an E3 Office365 license this can be done with Azure's MDM.
@@user-fp3mn3dw7x Yes that requires some manual configuration. Working with *nix operating systems this seems like a great resource to work from. networkradius.com/articles/2021/10/25/EAP-production-certificates.html You would need to manually generate the CSR on your *nix devices as the instructions cover at the above link for using EAP-TLS. If you have a windows CA issuing certs I have a script you can use to renew and set the certs on those devices afterwards. github.com/tobor88/Bash/blob/master/update-ssl-certificate.sh The other option would be to set up a PEAP user certificate that is exportable and install that certificate on all your devices. Then create the network profile that uses that certificate.
I found out I can generate user certificate with CertSrv and it works on android, iOS and macOS but it doesn't work on windows 10. Any idea what's missing?
Thanks for watching! I plan to redo this video at some point. That becomes tough because of the at home setup required but I will do what I can to include that information
Thanks for watching! Yes you can use any CA as long as the client trusts the Root CA that issued the certificate to the RADIUS server and the RADIUS server knows it can trust the Root CA that issued the EAP-TLS certificate
@@OsbornePro Sorry one more question that came up. Can we just use an IIS Server in our domain to generate the CSR? And if so what type of certificate should we download from the 3rd party CA? Thanks so much.
@@HawkJ88 yes you can use IIS to generate a CSR if you want. You will need to download the Root CA certificate from the third party CA and trust it. If they have intermediate certificates you will need to trust those also.
@OsbornePro ok I had set this up previously on a different DC, and for my first test user I had to hit connect for them to connect. In the cert authority should each computer have 2 certs listed?
@@ryanmcguire2578 if you have two certificates on a device capable of being used for radius auth from the same certificate authority. In your client wireless profile you define the CA that assigned the certificate to auto select from. If you have two they may prompt you to
@@OsbornePro I have my original cert authority setup on server 2016(going to decommission) which is still active and it has both certificate templates for radius server client and computer(machine) on it but my server 2022, the new CA only has the radius server client cert template listed for this user
@@hichamlyaacoubi1196 thanks for watching! There is a registry value you can set on the NPS server to define what version you want to use if you want to make sure a modern one is used support.microsoft.com/en-us/topic/microsoft-security-advisory-update-for-microsoft-eap-implementation-that-enables-the-use-of-tls-october-14-2014-d9ba4b83-b4e9-2c01-83a7-e42706e671af
Thanks for watching. I would not suggest using WPA3 for wireless internet. Really the most vulnerable thing in WPA2-Personal is that someone can disrupt a network with disconnect packets and try to crack the wireless password. WPA3 still has vulnerabilities being discovered that are unable to be remediated due to issues in its foundation. One for example leaks the network password. www.pcmag.com/news/flaws-in-wi-fis-new-wpa3-protocol-can-leak-a-networks-password
Thanks for watching! If you are on a client machine it may be a permission issue for your account on the certificate templates. If you are on the certificate authority, restart the certificate service (certsvc), verify the service stays running and check if the templates are loaded. If this doesn't help then stop certsvc on the CA. Further troubleshooting would be required from there. If possible you can retry installing the CA.
Were you guys able to come up with a good solution for this? Researching all over for a solution on this as lockouts are a major headache
These kind of videos are a god send for all of us 'jack of all trades, master of none' IT workers. Superb level of detail and information. Brilliant. Many thanks.
Thanks for watching! Appreciate the compliment very glad it was helpful
Wow! I was looking / searching for tons of how-to, manuals etc...but only this nice tutorial made it easy and quick to get this going! :) Thanks!
Thanks for watching! Always happy to hear this helped someone implement it!
Thank you for actually knowing what you are talking about, creating timestamps and going over HA and load balancing.
Thanks for watching glad it was helpful! I agree it is hard to find good info on certain subjects
I did not have the best foundation to follow this video but the time taken to tear into this has been invaluable. Thank you for the time taken to set this up. Without going into detail this is incredibly helpful for a situation in my professional life. Thank you again for the resource to build understanding on top of.
Right on thanks for watching!
I'm not sure if this will help anyone or not, but while standing this up I was trying to troubleshoot where the communication was breaking: Wireshark, Event Viewer on both ends, looking into C:\Windows\System32\LogFiles for successful or failed authentications. I hadn't configured the server to log successful/failed login attempts. Once I had made the correct change on my switch, I wanted to verify the NPS was authenticating correctly. mmc.exe > Group Policy Object Editor > Local Computer > Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Logon/Logoff > Audit Network Policy Server. Enable this for success and failure if you're still testing everything.
This was really helpful and thorough. The best beginning-to-end explanation I've found.
Thanks glad to hear that :)
Hello Dear Robert!
Thank you for the very useful video!
Following your configuration for the machine authentication, I have faced two issues. The RADIUS server doesn't allow any devices to authenticate if we select a network authentication method of "Smart Card or other certificate" following the path (the same as in the video): Edit GPO Policy -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wireless Network Policies (IEEE 802.11) -> MyNetworkPolicy -> Select Profile Name and click 'Edit' -> Security Tab -> Select a network authentication method: Smart Card or other Certificate. In this case, all settings are made for machine authentication only.
But when I selected "Protected EAP" for the WiFi enrollment, the configured WiFi network asks for the user's AD credentials to allow the connection even if I have 'machine authentication' only. Could you please give me any advice on how we can remove the user credentials request if I select "Computer Authentication"?
Thank you so much!
Regards,
Yury
Thanks for watching! If you select PEAP they will be prompted to enter credentials. Use Smart Card or other certificate and Computer Authentication in your settings. Also select the certificate authority so it knows the certificate to auto-choose.
Thank you for this great tutorial.
I had tried the implementation unsuccessfully for several hours and with your help solved the problem in 20 min. 👍
Right on! Thanks for watching!
Thank you so much, I can't believe someone made a video in this much detail, especially as it's a rare topic.
No problem thanks for watching!
Rob, thank you so much for sharing this content. Configuring radius auth for Sophos AP's was a breeze thanks to you.
Right on! Love to hear that. Thanks for watching and the support
Excellent content, no messing about straight to the point with plenty of useful information. I am currently configuring RAS/NPS for VPN authentication and this really helps to understand the process.
Thanks glad to hear it's helpful for ya! That is exactly what I look for too when I am trying to learn something from a video. Glad it's not just me
Really helpful video. I'm a bit new to CAs, do you have a video detailing the installation and best practices for installation/configuration?
Thanks for watching! I do not have a video like that. You want your CA to not have any other services on it. It should just do CA stuff.
The best practice that is rarely followed is to have an offline root CA server non-domain joined. Then have an Intermediate CA attached to that which is domain joined. Require NTLMv2 authentication to it. Use SMBv2 and v3 with required signing.
The biggest threat to your domain with a certificate authority is Certificate Templates. The guys who wrote an exploit tool called Certify have a white paper that is well worth the read to see the do's and don'ts of certificate template creation. You can run the tool to discover vulnerable certificates on your CA if you are ever unsure
Great walkthrough. Helped me walk through an issue with my Secure WiFi. Good stuff.
Right on thanks for watching!
Don't forget to check your firewall rules on the NPS server. I just spent a day banging my head against a wall after my A/V software was silently re-enabling Windows firewall on me. WireShark was showing radius packets come in but I saw no events show up in the NPS logs. Opened up the NPS ports on my firewall and now I can connect to the corporate Wi-Fi.
That sounds frustrating, you definitely need the firewall open. That is pretty crazy, the firewall rules get created automatically when installing the NPS role on the Windows Server. What AV software is doing that to you?
One of the best videos about setting up the Radius! Thanks
Thanks!
WooW! Nice and very complete.
Very, very, very many thanks for this.
Thanks for watching! Always glad to hear it was helpful. Have a great New Years!
That is simply the best video i've watched on this topic..
Thank you for detailing as much every configuration options and for talking about HA :)
Thanks for watching!
Question. The step where you create the RADIUS template in the CA template manager. What is the purpose of distributing that machine certificate to all machines in the environment? I don't see any further mention of it in the video and wonder what purpose it serves? I suppose if you point to the cert anywhere in the NPS network policy creation or in the group policy setup and certs in the chain (the machine RADIUS cert) are subsequently accepted as well? Thanks!
Thanks for watching! The RADIUS Client authentication certificate can be assigned to any security group you want. It is best to create a RADIUS Devices security group in AD. It does not necessarily have to go out to everything. The RADIUS Server one will only be distributed to servers with the NPS ability. The root ca certificate needs to be distributed to everything for trust purposes. If a certificate isn’t trusted the connection won’t connect without extra steps that are bad for security. I think I answered the question. Let me know if I can provide any more info
Thanks for your courtesy of turning your head to cough , too prevent germs my way through the screen 😂. Seriously , great video .
Lol of course don't want anyone researching to get sick! Thanks for watching!
Great video! Very detailed and simple to follow. I have successfully set this up and is working with our domain joined devices - thank you!
However, what could I do to implement this onto non domain joined devices such as iPads. In my org we have 3 groups of iPads all requiring different vlans for internet filtering. I would like to use EAP-TLS so no end user authentication is required.
Thanks for watching! What I have found with non-domain joined Apple devices is they require a non-domain joined Root CA with a domain joined Intermediate CA. The non-domain joined Root CA is for issuing certs to Apple devices not on the domain. The domain joined intermediate is for auto-management of the Windows RADIUS client certificates. Or if you have something like Cisco ISE to act as a CA that issues certs to those devices that can work.
If you just have a domain joined Root CA that assigns a device certificate to a non-domain joined Apple device, the authentication fails saying no matching account could be found. I have tried creating dummy accounts etc but nothing worked for me.
@OsborneProLLC Thanks again for a really great and useful video. We have it configured in the way you explained and it works perfectly for Windows machines. Is it possible to also get Macs working under the same RADIUS/NPS? I know that Macs can't receive group policy so part of this will need to be done manually, but do you know the procedure for the Mac to be able to request / receive the certificate and once installed, will the wifi just work if they click on the SSID of the network?
Thanks for watching! Glad to hear it. Yes it is possible to get Macs working under RADIUS/NPS but it is not possible to use EAP-TLS with the configuration I demonstrated. You will require a stand alone/non-domain joined Root CA to issue certificates to your Apple devices. If you use a Standalone Enterprise CA that is domain joined, the certificates can be assigned but when authentication comes around the auth request gets denied saying the user does not exist. I tried creating a user MACDESKTOP01 and MACDESKTOP01$ for example in Active Directory and still received "user does not exist" results. The way to rectify that is with a non-domain joined Root CA. The Subordinate CA can be used to auto-manage the Windows certs still. To reiterate, this is for EAP-TLS authentication.
If you decide to go with PEAP user authentication then yes the setup in this video will work. PEAP requires the Mac users to login at least once and only one PEAP certificate can be issued so the users would need to manage their own certificate and move it between devices. EAP-TLS would allow any managed device to authenticate without the user entering credentials.
Great content my friend. I have a question - according to a lot of Microsoft documentation, the EAP-TLS protocol has a requirement that the issuing CA certificate of your client certificates is stored in the NTAuth certificate store in order for authentication to work with this protocol. My understanding is that NTAuth certificate store is replicated from the Configuration partition of your AD forest, however I'm unsure if populating that object with issuing certificates is a manual process, or if it should be automatic when a CA is built. Do you happen to have any experience in dealing with that?
Thanks for watching! When you set up a Windows Server Enterprise Root CA the information for the CA gets placed into Active Directory. If you have run the configuration of the Root CA role on a Windows Server a couple times you may need to make some adjustments in Active Directory to ensure the correct Certificate Authority is defined. The issuing Root Certificate Authority's certificate is not automatically trusted. The Root CA certificate is trusted by the clients and the NPS server because it was pushed out to the trusted store using Group Policy. The NPS server needs to trust the issuing authority as does the supplicant. If a machine is not domain joined you will need to manually trust the Root CA.
In case you need some commands
# Publish Root CA Cert to NTAuth store
certutil -dspublish -f RootCA.cer NTAuthCA
# View content in NTAuth in AD DS
certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=yourdomain,DC=com"
qa.social.technet.microsoft.com/wiki/contents/articles/3063.certutil-examples-for-managing-active-directory-certificate-services-ad-cs-from-the-command-line.aspx?PageIndex=1
This video was amazing. Thank you so much!
Thanks for watching! Very happy it was helpful
Hi Rob. Fantastic video! Thank you for taking the time to make it. It really helped me while setting up EAP-TLS. I have a question that im struggling to find the answer for: Is it possible to set up EAP-TLS for User and Computer authentication? I.e. at the login screen, the computer authenticates to the network using its computer certificate, then when a user signs in it reauthenticates against the User certificate? Ideally I'd like user authentication as well for better auditing, especially on shared computers, but using User only authentication is a chicken and egg situation as they can't authenticate on to the network to get their group policy and cert via autoenrollment. I've deployed a User cert as well as Computer cert and set wireless Group Policy to use User or Computer authentication. Computer authentication on the login screen works fine, but as soon as the user profile loads, network connectivity is lost.
Thanks for watching! Appreciate the kind words. There is not a way to do the method you are thinking but you can use PEAP for authentication instead. The certificates assigned to the user create the EAP-TLS tunnel. The user then authenticates using SSO or their credentials. You want to use MSCHAPv2 which is used to encrypt the credentials and send them through the EAP-TLS tunnel.
To do this you will need to deploy a user certificate used for PEAP authentication.
You need your Network Policy using PEAP instead of Microsoft Smart Card or Certificate. You do not need to check any boxes where you see PAP and MSCHAP CHAP and MSCHAPv2. The auth method you use is selected when you select “PEAP” and then click Edit. There is a drop down there for MSCHAPv2.
That is basically the only difference in your config setup.
@OsbornePro TV Thank you, Rob, for the helpful reply! In your professional opinion, which one would you consider the better option? EAP-TLS with computer authentication (Pros: more secure / Cons: can't audit which user was connected to the network on the computer and cant block user access without blocking computer) or PEAP (Pros: can audit network usage by user and block a user access without blocking the entire device / Cons: Less secure?) Also, do you have any experience/tips/advice for auditing user network usage for devices that are solely using computer authentication with EAP-TLS?
@@GrindhouseJames I prefer EAP-TLS with devices if the users are assigned their own desktops and laptops. If someone gets fired or whatever you can disable their account in AD and their devices certificates. I prefer to avoid PEAP when possible because I know how to exploit it to steal credentials. It’s more a personal comfort thing. Someone smarter than me may figure out ways around the methods used to lock it down. PEAP is still considered a secure means of doing things and would pass a security audit. Your pros and cons are accurate. If it makes more sense for your situation I would use it. There are clients I have worked with where PEAP made more sense.
Another thing to keep in mind is a PEAP certificate has only one issued per user. If a user has a desktop and a laptop the user needs to know how to set up the cert on their other devices.
The RADIUS accounting logs are supposed to be a good way of auditing network usage if you have multiple clients using internet. Utilizing a SQL server for that if you expect heavy logging is the way to go there
This is an outstanding video with very through explanation on how and why to setup certificate based authentication using Network Policy Server and Group Policy via Windows Server 2019 for wireless connections. Might you be able to cover doing the same for wired connectivity as well? Thanks.
Thanks R H, glad you found it helpful! :) I appreciate the feedback. I was hesitant to include that in this video initially because I felt like I was assuming a lot without a WLC. That has not seemed to take away from the content of the video.
I can do a part 2 kind of video for this where I add wired to the configuration and create the IEEE 802.3 group policy. I will also include how to configure 802.1X on a Cisco switch so we can add it as a RADIUS client on the NPS server. I did not create a Security group in AD for the RADIUS clients so I will demo that in the new video as well. Will that be what you are looking to see?
Here ya go brother ruclips.net/video/CzmFhCuUj6w/видео.html Thanks for the request!
Great and very helpful video Rob, thank you for your work! Can I join (using EAP-TLS) with a non-domain computer to a corporate WIFI?
Thanks for watching! Yes you can however you need a Root CA that is not domain joined to issue those certificates. Or what I have not tested is using SCEP to assign certificates to non-domain joined devices
Do you not have to reference the RAS IAS cert in the network policy? I noticed you added smart card or other certificate as the EAP type but never edited it to choose the cert.
Thanks for watching! A valid certificate is typically selected automatically however, it's not perfect. Yes you should select the certificate to use on the RADIUS server in the network policy. I forgot to cover this in the video. I updated the description of the video to make mention of this in case someone reaches out to me having that issue. I can also get a quick copy paste responding to emails.
Very informative, detailed video. Great job!
Thanks appreciate it!
It is a very informative video on the MS NPS EAP-TLS setup but somehow I still can't get it to work. I am working on setting up EAP-TLS authentication for a Wireless Access Point. Following a different guide I can get the endpoint to use the Current User Certificate to successfully authenticate to NPS. I followed your directions but when I set up the GPO to try to get it to use the computer certificate it fails to connect. Any chance you might know what I have missed?
Thanks for watching! What is the error message you are seeing on your NPS server in the Event Viewers custom log for Network Policy Service? At the bottom of a denied event it will have a message that will tell you if there is no matching Network Policy or Connection policy. It will also let you know if a user was not found. Because the user certificates work I think it is safe to assume your RADIUS server certificate is good and clients authentication requests are reaching the NPS server. I would think what needs to be looked at is why they are being denied. If you find they are not getting there let me know. Feel free to send screenshots of your config to info@osbornepro.com and I can take a look to see if I see anything. Also screenshots of your GPO profile would be helpful.
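Added example (Python, not code from the video or its author): a small triage script for the NPS log file that the earlier comment pointed at in C:\Windows\System32\LogFiles. It assumes NPS file logging is set to the DTS Compliant format (one XML <Event> per line) and answers the three questions raised in this thread: which requests were rejected and with what reason code (no matching network policy, no matching connection request policy, user not found), who was denied through which RADIUS client, and per-user usage from the accounting Stop records the author mentioned for auditing. The sample log lines are constructed, the reason-code table is a paraphrased subset of Microsoft's published NPS reason codes, and the Packet-Type and Acct-Status-Type numbers are the RFC 2865/2866 codes. The same denials also appear in the Security event log as event 6273 (grants as 6272) once the Audit Network Policy Server subcategory from the earlier comment is enabled.

```python
"""Triage Network Policy Server (NPS) authentication and accounting logs.

Added example. Assumes NPS file logging in the "DTS Compliant" format (one XML
<Event> per line), which is what lands in C:\\Windows\\System32\\LogFiles.
The sample lines at the bottom are constructed, not taken from a real server.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ACCESS_REJECT, ACCOUNTING_REQUEST = 3, 4   # RADIUS codes (RFC 2865/2866) in Packet-Type
ACCT_STOP = 2                              # Acct-Status-Type Stop (RFC 2866)

# Subset of Microsoft's published NPS reason codes, paraphrased.
REASON_TEXT = {
    0: "success",
    8: "user or computer account not found in the domain",
    16: "authentication failure (credentials or certificate rejected)",
    34: "account disabled",
    36: "account locked out",
    48: "no matching network policy",
    49: "no matching connection request policy",
    65: "network access permission denied on the account",
}


@dataclass
class NpsEvent:
    timestamp: str
    user: str            # User-Name; EAP-TLS computer auth shows up as host/<fqdn>
    client: str          # Client-Friendly-Name of the RADIUS client (WLC, AP or switch)
    packet_type: int
    reason_code: Optional[int]
    acct_status: Optional[int]
    in_octets: int
    out_octets: int


def parse_event(line: str) -> NpsEvent:
    """Parse one DTS-format <Event> line."""
    root = ET.fromstring(line)

    def text(tag: str) -> str:
        el = root.find(tag)
        return el.text if el is not None and el.text else ""

    def number(tag: str) -> Optional[int]:
        value = text(tag)
        return int(value) if value.isdigit() else None

    return NpsEvent(text("Timestamp"), text("User-Name"), text("Client-Friendly-Name"),
                    number("Packet-Type") or 0, number("Reason-Code"), number("Acct-Status-Type"),
                    number("Acct-Input-Octets") or 0, number("Acct-Output-Octets") or 0)


def parse_log(lines: Iterable[str]) -> List[NpsEvent]:
    """Parse every event; skip blank lines and a line truncated by log rotation instead of aborting."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line.startswith("<Event>"):
            continue
        try:
            events.append(parse_event(line))
        except ET.ParseError:
            continue
    return events


def describe_reason(code: Optional[int]) -> str:
    return REASON_TEXT.get(code, f"reason code {code} (look it up in Microsoft's NPS reason code list)")


def rejections(events: List[NpsEvent]) -> Dict[Optional[int], int]:
    """Access-Reject count per reason code: the first question when a client is denied."""
    return dict(Counter(e.reason_code for e in events if e.packet_type == ACCESS_REJECT))


def denial_report(events: List[NpsEvent]) -> List[str]:
    """One line per denial: who, through which RADIUS client, and why."""
    return [f"{e.timestamp} DENIED {e.user} via {e.client}: {describe_reason(e.reason_code)}"
            for e in events if e.packet_type == ACCESS_REJECT]


def usage_by_user(events: List[NpsEvent]) -> Dict[str, Tuple[int, int, int]]:
    """Per-user (sessions, bytes in, bytes out) summed from accounting Stop records."""
    totals = defaultdict(lambda: [0, 0, 0])
    for e in events:
        if e.packet_type == ACCOUNTING_REQUEST and e.acct_status == ACCT_STOP:
            totals[e.user][0] += 1
            totals[e.user][1] += e.in_octets
            totals[e.user][2] += e.out_octets
    return {user: (t[0], t[1], t[2]) for user, t in totals.items()}


# Constructed sample: one EAP-TLS computer auth that succeeds, three denials,
# one accounting Stop record, and a trailing line cut off mid-write.
SAMPLE_LOG = """
<Event><Timestamp data_type="4">06/28/2024 08:01:10.120</Timestamp><User-Name data_type="1">host/LAPTOP01.corp.example.com</User-Name><Client-Friendly-Name data_type="1">WLC01</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">06/28/2024 08:01:10.350</Timestamp><User-Name data_type="1">host/LAPTOP01.corp.example.com</User-Name><Client-Friendly-Name data_type="1">WLC01</Client-Friendly-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">06/28/2024 08:02:41.004</Timestamp><User-Name data_type="1">host/MACBOOK01</User-Name><Client-Friendly-Name data_type="1">WLC01</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">8</Reason-Code></Event>
<Event><Timestamp data_type="4">06/28/2024 08:03:12.771</Timestamp><User-Name data_type="1">CORP\\jdoe</User-Name><Client-Friendly-Name data_type="1">WLC01</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">48</Reason-Code></Event>
<Event><Timestamp data_type="4">06/28/2024 08:04:55.218</Timestamp><User-Name data_type="1">host/LAPTOP02.corp.example.com</User-Name><Client-Friendly-Name data_type="1">SW-FLOOR2</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">49</Reason-Code></Event>
<Event><Timestamp data_type="4">06/28/2024 09:31:40.512</Timestamp><User-Name data_type="1">host/LAPTOP01.corp.example.com</User-Name><Client-Friendly-Name data_type="1">WLC01</Client-Friendly-Name><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">2</Acct-Status-Type><Acct-Input-Octets data_type="0">1048576</Acct-Input-Octets><Acct-Output-Octets data_type="0">5242880</Acct-Output-Octets></Event>
<Event><Timestamp data_type="4">06/28/2024 09:31:41.000</Timestamp><User-Name data_type="1">host/LAP
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG.splitlines())
    print("rejects by reason code:", rejections(parsed))
    print("\n".join(denial_report(parsed)))
    print("usage by user (sessions, in, out):", usage_by_user(parsed))
```

Point parse_log at the lines of a real IN*.log file to use it for the troubleshooting above: a reject with reason 48 or 49 means the request reached NPS but fell through the policies, reason 8 is the "no matching account" result the Apple-device comments describe, and anything outside the small table is reported by number so it can be looked up. A truncated trailing line (the file is being written while you read it) is skipped rather than aborting the run.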
Very nice explanation, thanks a lot!
Thanks for watching! Glad it was helpful
Wow awesome tutorial! Just want to ask what is the best practice to migrate from mschap to eap-tls? Is it also possible to run both protocols on a single ssid? I want gradual change from mschap to eap-tls. Hope you could tell me some steps please. Thanks so much!
Thanks for watching! Unfortunately no you are not able to use WPA2-Personal and WPA2-Enterprise on the same SSID. However both connection policies can exist on a device at the same time. You can enforce which SSID connection is used via GPO. A new SSID will need to be created for the migration.
To migrate from PEAP using MSCHAP to EAP-TLS I would do the following.
1.) Create a security group to test your laptop out in. Name this group whatever you want the Production name to be. Test one laptop at first but add everything to it when ready.
2.) Verify your device has an EAP-TLS certificate assigned to it like you would have created with this video.
3.) Create a new SSID to use WPA2-Enterprise authentication with
4.) Modify your laptops GPO policy so it gets the new SSID wireless profile. The old one can still exist and can be left as the default until you are ready to test your new policy.
When the new wireless GPO policy applies you will likely need to reboot the device. Some but not all of the settings in the SSID policy require a reboot and we don't want to leave anything to chance in case you require a change that needs this. "gpupdate /force /boot" will NOT see that a reboot is required for the settings to be updated. If you are enforcing that policy to be used you will not be able to reconnect to the WiFi until the next step is performed on the NPS server.
5.) Duplicate your Connection Request Policy and Network Connection Policy on your NPS server and modify it so the Security Group your laptop is now a member of has the policy applied to it. Also use the EAP-TLS connection settings.
6.) Move the newly created policy to the top of the processing order in your NPS server. Double check that no other laptops will accidentally receive your new policy before you
7.) Enable the duplicated modified policies.
8.) Update your GPO settings for your laptop to use the new wireless profile and verify it connects okay.
If successful you can move say another 10 devices into the same policy. Check last reboot times on the 10 devices to ensure they get the new GPUpdates applied. Then move them into the security group in AD which gives them the new wireless SSID profile that they get forced to connect to. If those 10 devices work without issue I would go large scale and wait say 1-2 weeks to ensure all devices have been rebooted to get their new gpupdates before moving them into the security group
Hello,
I have a problem with EAP-TLS. Client (Windows 10) does not send when trying to connect via eap-tls with machine authentication. However, it works when eap-tls is tried with user authentication. When I check, both the user certificate and the machine certificate are present in the client. My question is why client does not send any log when it was trying connection.
Thanks for watching! In the client network connection profile (windows 10) you can select whether to use a computer certificate or user certificate. Verify the computer option is selected. The other thing to look at is the NPS server Network Connection Profile to make sure the correct group is assigned and verify Smart Card or other certificate is being used. If you want to take screen shots of your config and send them to info@osbornepro.com I can take a look.
Thanks for the reply! I selected computer authentication and I don't use an NPS server (I use freeradius). It is weird: when I try user authentication with EAP-TLS or EAP-PEAP it works but when I try computer it is not working. @@OsbornePro
I have a question:
I have a lab setup in our office where the infrastructure is wireless but with only an Active Directory Server, no CA and no RADIUS Server. The current scenario of the lab is that users/employees log in to their company laptops (already joined to the domain) using their domain user account and can connect to the office network/WiFi because I shared them the password. Employees' personal computers (not joined to the domain) can access the office network, as long as they know the WiFi password, and can write stuff in the File Server because they can use their domain user account.
I understand from the video that when I apply all of it (CA, RADIUS with EAP-TLS) to my current lab setup, company laptops will not be disconnected from the office network because the GPO for machine authentication will be enforced on them and that will be the reason they can connect to the WiFi. Personal computers cannot connect anymore because the WiFi requirement is not a password anymore, but a machine certificate. Is my understanding correct? - this is the first question haha
2nd question. Now, what if I have a brand new company laptop that I want to join to the domain? I can't join it now because it cannot connect to the WiFi. If this is the case, then I'll need to connect to the office network via the Ethernet port now, so that I can join the new company laptop to the domain?
I hope you find this comment, Thank you very much for uploading this gold video!!
Thanks for watching! For your first question, your understanding is correct.
If you modify your SSID to require RADIUS authentication, only devices with the EAP-TLS certificate you setup can connect to it. Personal devices will no longer be able to connect.
If you create a second SSID, leaving your original WPA2-Personal setup and creating the new one to use WPA2-Enterprise (RADIUS), then no-one will be disconnected from the SSID currently being used in Production.
WPA2-Enterprise will prevent users from connecting with their personal devices.
Second Question:
Correct you would need to set up the laptop by plugging it in via Ethernet in the office which can be beneficial if you have a PXE scope. You could also assign your admins a PEAP certificate to use that allows them to get things set up over WiFi initially. Otherwise you won't be able to connect to the WPA2-Enterprise SSID with new laptops. Microsoft Intune could also be used to assign certificates if you have a proxy set up for SCEP certificates and Wireless profiles configured. This would allow you to connect to Guest WiFi while still receiving configuration and a certificate via the WAN instead of the LAN.
thank you for this video. helped me alot to configure eap-tls.
do you have experience how to implement it with cloud windows 11 devices? how can the clients check the ca-certificate, when they are cloud only?
thanks
Thanks for watching! I am not sure I understand your question. Do you have virtual Windows 11 devices in the cloud?
It will probably be with the help of Microsoft Intune Certificate Connector @@OsbornePro
At 23:02 when setting up the network policy and after you chose smart card or other certificate, what certificate is your radius server using? I ask because when I set my radius server up I loaded up the MMC and went to the computer certificate store on the new radius server. Under personal I made a request for a certificate and just pulled down the same Radius Client Server certificate I will be using on my clients/supplicants. Is this ok to do? On my radius server if you go to the network policy at 23:02 in your video under EAP Types I am using Smart Card or Other Certificate but if you click the edit button you can see it's using that certificate under the computer - personal store which is the same certificate my clients will be using for Radius authentication via the wireless. Is there an issue with that or what's the best practice?
Thanks for watching! The certificate I select I have had to choose by its expiration date. I use the RADIUS Server certificate template for that. In this video I made a cert that could be used by both the server and client. In this case I would have selected that one. It is okay to do. For least priv purposes it’s best to have a separate template for server and client
@@OsbornePro Appreciate the feedback. I was not 100 percent sure. I thought it might be best to just setup a cert template for just the radius server that way its not using same cert the clients are using as I currently have the validity period set to 3 months and the renewal period set to 2 months. It may cause issues once I deploy to production if my radius server cert is using the same as the clients.
Thanks you so much your time to make this video.
Thanks for watching!
Sportin the PRTG certified shirt.
Thanks for watching! I am a PRTG fan
Hi. I know this video is old. But thanks for all your effort.
But I also have a question. If you do a failover RADIUS or NPAS server, wouldn't the clients always have to re-trust the WiFi certificate if they authenticate on a different server? I have 2 RADIUS servers going. My second one is just for backup. But every time I authenticate through the second RADIUS server I have to re-trust the WiFi certificate. Does that sound right? Thanks
Lol I didn't realize the video was old until you stated that. It is old now, isn't it. I don't think I understand what is happening. You probably have an NPS server with a couple RADIUS servers behind it and one of those RADIUS servers also acts as the backup NPS server. Or something close to that. The RADIUS server certificate should be from the same CA so the trust of the Root CA should be good. Once the client authenticates to one of the servers the connection is up. If they reestablish a connection with the backup NPS server it shouldn't cause any downtime or create new certs. Are both NPS servers defined in the group policy wireless profile? The subject CN of the certificate is case sensitive and needs to match the FQDN of the RADIUS server. That server will need to be defined in the client's RADIUS profile, which I would treat as case sensitive just in case. Maybe the second NPS server needs its RADIUS server certificate assigned and an auto-selected one is not the one you are expecting.
I exported the certificate from the CA and imported it into my second RADIUS backup server. I watched both your full videos. You set up yours differently than I did. I wish I could show you, if I could somehow send you screenshots or pictures. I have had my setup almost 5 years with multi-VLAN authentication. The only issue I have is if I use my backup server, clients have to re-trust the certificate on the second backup server.
@@jacobstahl7467 On your NPS server, the RADIUS server certificate I am thinking of you may need to set is in the network policy, in the section where you select Microsoft Smart Card or Other Certificate. Select that option and click Edit. Then verify, using the expiration date if there is more than one certificate option, that your RADIUS server certificate is being used and not a self-signed one. Or have you been able to verify the certificate is good already?
@@OsbornePro Yeah the certificate is still good. I have it set to expire in 20 years. Even though I know I'll do hardware updates before that, I just set its expiration to 20 years.
Your setup is different than mine. I noticed you authenticated with just the certificate, but I have about 18 VLANs on my network and I'm authenticating users via username and password. And whichever group the users are in, they are connected to that specific VLAN.
And I select my certificate for WiFi under Network Policy Server > Network Policies > (the custom policy I created for VLANs) > Constraints > Authentication Methods, then in the right window I select Microsoft: Protected EAP (PEAP), then I click Edit. This is the place I select my certificate.
And I noticed you're doing it in Group Policy Manager, where I'm doing it under NPAS > Network Policy Server.
I hope I make sense
Good day, excellent content that I have used in the past. Nevertheless, I have a question regarding your configuration at 13:28 regarding priority and weight. A priority of 1 & 2 would forward all requests to the server with priority 1. When the server with priority 1 is unavailable then it would be sent to the server with priority 2. Since there is a weight of 50% associated with either server, would all requests be sent to the server with priority 1? Also, if the server is unavailable would it be able to forward requests?
Thanks for watching! So yes, all requests would be sent to the priority 1 server unless that server is overloaded.
The NPS proxy you set up sends connection requests to the RADIUS server with a priority of 1 first. If servers with priority 1 are not available, NPS sends requests to servers with priority 2, and so on.
I don't remember what I said in the video but I think later I learned after this video that when you assign the same priority to multiple RADIUS servers, and use the "weight" value, you load balance between them.
When you assign different priorities it acts as a failover. So if the priority 1 server is not available (gets a connection timeout from drops or timeout settings) it goes to the priority 2 server.
Appreciate the timely feedback and honest response...@@OsbornePro
Great video. Can you cover the process for creating and deploying auth certificates?
Thanks for watching! In the video after we created the computer certificate templates and set up group policy, the certificates then started being deployed automatically via group policy.
@@OsbornePro Wow! Replied in less than an hour! Thank you! In my case, I don't think I can do the auto deployment because my wireless client PCs are not on the same domain as the RADIUS server domain controller. Is there a way to manually generate and deploy the client and server certificates?
@@gilgamesh822 If you have another domain you can trust the root CA certificate that issued the RADIUS server certificate. Then the second domain's clients will be able to trust that NPS server certificate. The NPS server can be set to trust the second domain's CA. Then your authentication will still happen to the one server. That lets that domain manage its own certs.
Otherwise, as a manual process, you could script the manual assignment of the certificates or open certlm.msc with admin permissions and request a new certificate for each device individually. Then create the wireless or wired profile manually on each device in Control Panel's Network Manager for an interface.
Does anyone know if there is a way to use a Windows Network Policy (RADIUS) server to authenticate users on a different trusted domain? We are using Meraki APs and it works fine on the first domain, but when I copy the GPO to the second domain, clients are not able to connect to the Wireless network.
If not, I could add an NPS server on the second domain and give them their own SSID, but that solution won't work if I push this down to switch ports.
Thanks for watching! I would be curious what you do for this. If you are using PEAP I would think trusting the Root CA and a domain trust would be required between the two domains so the user accounts can be found. For EAP-TLS you probably need a non-domain-joined CA to issue certs to both domains in order to accomplish that.
Excellent video! I echo all other commenters that I appreciate your thoroughness and getting right to the point. I am having an issue I wonder if you can point me in the right direction on. I am getting the certs deployed fine and the endpoint connects just fine. Seems to me the most important piece of being able to use EAP-TLS is the process of certificate revocation to disallow an endpoint from joining. When I revoke a certificate, the endpoint is still able to join. I run PowerShell from the NPS and it sees that the cert is revoked. What am I doing wrong? Thank you again!
Thanks for watching, appreciate the support! That is interesting, sounds like the CRL is not being checked based on your actions so far. Can you check the registry settings on the NPS server and verify none of the below registry values are set to 1. If a -Name value does not exist you will likely get an error message, which is expected and can be safely ignored. It might be useful to set all these reg values to 0 and restart the server so you are manually telling the server to perform the checks.
Registry Path (EAP Extension)
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 (EAP-TLS)
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\25 (PEAP)
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\26 (EAP-MSCHAP v2)
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13" -Name IgnoreRevocationOffline
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13" -Name NoRevocationCheck
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13" -Name NoRootRevocationCheck
REFERENCE: learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771995(v=ws.10)?redirectedfrom=MSDN
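An added PowerShell audit script (my code, not from the video or the commenter) that walks the three EAP extension keys and three value names listed in the reply above, reports which ones are weakening revocation checking, and with the -Fix switch I added resets them to 0. Treating an absent value as the default is my assumption, consistent with the "error is expected" note above.

```powershell
# Added example (not from the video): audit the revocation-check overrides under
# each EAP extension key listed above and, with -Fix, reset any that are 1 to 0.
# Run in an elevated PowerShell session on the NPS server.
[CmdletBinding()]
param(
    # Reset any override found at 1 back to 0 so CRL checking is enforced
    [switch]$Fix
)

$BasePath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP'

# EAP type number -> method name, as listed in the comment above
$EapTypes = [ordered]@{
    '13' = 'EAP-TLS'
    '25' = 'PEAP'
    '26' = 'EAP-MSCHAP v2'
}

# Values that, when set to 1, skip or weaken certificate revocation checking
$Overrides = 'IgnoreRevocationOffline', 'NoRevocationCheck', 'NoRootRevocationCheck'

$Findings = foreach ($Type in $EapTypes.Keys) {
    $KeyPath = "$BasePath\$Type"
    foreach ($Name in $Overrides) {
        # Get-ItemProperty errors when the value is absent; absent means the
        # default behaviour (checks enabled), so it is treated as 0 here (assumption).
        $Item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $Item) {
            $Data = 'not set (default)'
            $Weak = $false
        } else {
            $Data = $Item.$Name
            $Weak = ($Data -eq 1)
        }

        if ($Weak -and $Fix) {
            Set-ItemProperty -Path $KeyPath -Name $Name -Value 0 -Type DWord
            $Status = 'RESET TO 0 (restart NPS to apply)'
        } elseif ($Weak) {
            $Status = 'REVOCATION CHECK DISABLED'
        } else {
            $Status = 'OK'
        }

        [pscustomobject]@{
            Method = $EapTypes[$Type]
            Value  = $Name
            Data   = $Data
            Status = $Status
            Key    = $KeyPath
        }
    }
}

$Findings | Format-Table -AutoSize

# Non-zero exit code if anything is still weakening CRL checks (handy as a scheduled audit)
if ($Findings | Where-Object Status -eq 'REVOCATION CHECK DISABLED') { exit 1 }
```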
@@OsbornePro Thank you! The response in the first query was for an incorrect string, so I don't think that one exists. Double-checked spellings and used tab completion and up arrow for the last two commands. Last two queries were 0 for the value. UPDATE: I stand corrected. I just now understood your ask. I have used all three queries now in all three paths (9 total). The last two queries resulted in a '1' value in the '25' path. But since that is not in the EAP-TLS path, will it make a difference? I set those values to 0. Waiting to hear from my sysadmin if I can reboot the server.
@@scottfuller2449 I apologize I am not always good at communicating what I am thinking. Change those values from 1 to 0. You may need to restart for those values to apply. The 0 says to use CRL checks with PEAP authentication. If that still does not work my next check would be to verify what certificate the client is presenting. I would change the client profile in the Control Panel network device settings so it allows me to select what certificate I want to use to verify there is not another cert being presented that works
@@OsbornePro You have no reason to apologize! You communicated it very well. I am waiting to do the testing after setting those values to 0. But since that wasn't in the EAP-TLS path, I don't understand how it will help. But that doesn't mean much either. Certificate knowledge is like fairy dust to me. I don't understand them very well or the complex process. I will report back. Thank you so VERY much for your responses and help thus far!
@@scottfuller2449 Thanks, no problem. I am doing that just to cover all bases. If you are using EAP-TLS it should not affect it. I want to make sure that is not it.
Great tutorial! Instead of doing the GPO part, I want to deploy via Intune. I found the Wi-Fi config profile to deploy, settings look similar. Is there anything different I should do to get this to work?
Thanks for watching! The only thing I think is worth mentioning would be: where are your certificates being auto-deployed from?
If remote devices have their certs being deployed from your Root CA server to the client machines automatically and you know the remote devices will be forced to connect to the VPN fairly often, you won't need to do anything else. If the remote devices are not usually connected to the VPN or domain joined you will need to set up basically a proxy to your Root CA that issues SCEP certificates.
learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure
Your other GPO settings being deployed from Intune do not matter where they come from
Do you know why the client is getting a "Computer" template cert as well as the one created? Also why it says "Server Authentication" as well as client authentication?
Thanks for watching! If a user is getting a Computer template certificate assigned to them it is because they have permissions to that template and the auto-assignment in group policy thinks that means they should get one. I can’t picture another reason for that but it is possible there is something I’m not thinking of.
In the video I just used one certificate for the radius server and radius supplicants. If you want to create a Radius Server certificate you can duplicate the “RAS and IAS” template and change the security permissions to your radius servers security group.
For radius supplicants you can duplicate the Workstation certificate which I think I used in the video. With an EAP-TLS connection the client validates the server and the server validates the client as opposed to the client only validating the server. I believe the server validating the client is the reason for Server Authentication.
I think if you plan to cut the key size down, maybe try Curve crypto instead
Thanks I will check that out!
Pal, loved your content but I have a question. I have Windows Server 2012 and I don't have the encryption AES-CCMP under the wireless network Group Policy. I only have AES. My computer can't connect using my certificate. Would that create an issue?
Thank you!
Hey thanks for watching! AES-CCMP came out with WPA2. My assumption is that AES means the same thing. It may show as AES-CCMP in newer OS versions because AES-GCMP was released later.
I forget if I covered it in this video or not. If you check the box in your group policy client profile to verify your server's identity and define the server to connect to, the value you define is case sensitive and needs to match the subject name value of your server's RADIUS server certificate. Uncheck that box in the client profile to see if that is the value preventing your connection.
Check the NPS logs on your RADIUS server to see if your RADIUS server is receiving and rejecting the request, as it will give you an idea why it was rejected. If it is not rejecting the request, check your supplicant's event logs under EapRas-Tls for EAP-TLS and CAPI2 for SSL errors.
If you run packet captures you want to analyze EAPOL packets on the client side and RADIUS packets on the server side.
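An added troubleshooting helper (my code, not the video's) that collects the server-side and supplicant-side events the reply above points at. The event log channel names, the 6272/6273 NPS event IDs and the field labels the regexes look for are my assumptions about the Windows event layout; the CAPI2 channel has to be enabled separately.

```powershell
# Added example (not from the video): collect the events that explain an 802.1X
# rejection. Run elevated; -Side Server on the NPS box, -Side Client on the supplicant.
[CmdletBinding()]
param(
    [ValidateSet('Server', 'Client')]
    [string]$Side = 'Server',
    [int]$Hours = 24
)

$Since = (Get-Date).AddHours(-$Hours)

function Get-NpsDecision {
    # NPS logs 6272 (access granted) and 6273 (access denied) to the Security log.
    # The useful fields live in the message text, so pull them out with regexes
    # (assumed labels: "Account Name:", "Network Policy Name:", "Reason Code:", "Reason:").
    param([datetime]$StartTime)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $StartTime } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Msg = $_.Message
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Result     = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
                Account    = if ($Msg -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '' }
                Policy     = if ($Msg -match 'Network Policy Name:\s+(.+)') { $Matches[1].Trim() } else { '' }
                ReasonCode = if ($Msg -match 'Reason Code:\s+(\d+)') { [int]$Matches[1] } else { $null }
                Reason     = if ($Msg -match '\bReason:\s+(.+)') { $Matches[1].Trim() } else { '' }
            }
        }
}

function Get-SupplicantEvents {
    # Supplicant side: WLAN-AutoConfig (the 8002/11006/12013 events seen in this thread),
    # the EAP-TLS method log, and CAPI2 for certificate chain / SSL errors.
    # CAPI2/Operational is off by default:  wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
    param([datetime]$StartTime)
    $Logs = 'Microsoft-Windows-WLAN-AutoConfig/Operational',
            'Microsoft-Windows-EapMethods-RasTls/Operational',
            'Microsoft-Windows-CAPI2/Operational'
    foreach ($Log in $Logs) {
        # Level 1-3 = critical, error, warning
        Get-WinEvent -FilterHashtable @{ LogName = $Log; StartTime = $StartTime; Level = 1, 2, 3 } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id,
                @{ n = 'Log';     e = { $_.LogName -replace '^Microsoft-Windows-', '' } },
                @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

if ($Side -eq 'Server') {
    # A run of Denied rows sharing one ReasonCode usually pinpoints the mismatch
    # (wrong policy matched, certificate not trusted, EAP type not offered, ...)
    Get-NpsDecision -StartTime $Since | Format-Table -AutoSize
} else {
    Get-SupplicantEvents -StartTime $Since | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
}
```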
@@OsbornePro Bro I got it working :-) I think it was a bug. All it needed was a Windows update.
I have one more question for you. Let's say I have a user that's not part of my domain, but I want him to be able to join the enterprise WiFi. How can I generate a client cert? I googled the shit out of this question and no answer whatsoever xD
@@brolysmash9333 Right on, that is exciting. There are a couple of possibilities. The first is using an MDM policy. I am currently working on one for an organization that uses the Enterprise CA to assign SCEP certificates using an Intune Connector and Application Proxy. With Azure I seem to be able to offer 3 different cert types but they may only be capable of PEAP. I was going to try and work something out using PEAP and MDM but am having some kind of permissions issue on the CA preventing the certs from being assigned.
The other possibility is still PEAP. Someone I was working with recently was doing something for hospital devices. The hospital was using one PEAP certificate with an exportable private key assigned to a single user but put it on multiple devices. (There is no way to auto-assign or renew Linux device certificates, which is what makes this ideal from a management perspective.) I stole that idea and limited what devices that user is allowed to sign in on in AD and applied the same concept to printers. This works for the most part; however some of the older printers are not able to use the certificate because the PEAP cert is being imported as a machine cert. It works for newer printers but not old ones and I don't know why. That may be something we run into on phones and such as well.
I am thinking that may be your best solution (create an exportable private key PEAP certificate and send it to wherever to install). I am going to be doing a PEAP video here soon. I have a securing apache video prepared to come out next and will try to get that one done after
@@OsbornePro you’re awesome dude.. 👍🏼👍🏼😎😎
Hello! I really doubt you'll see this but I'll ask anyway. I am trying to use the NPS server as a means to authenticate WiFi users. We use Aruba Central, and I just can't seem to get the certificate to work! I don't want to use the NPS server for anything other than to allow employees to log into WiFi using their AD credentials.
Great video. Thank you!
Thanks for watching! I am not familiar with Aruba but the essence of what you need in the setup is
1. A RADIUS server certificate the client devices trust
2. A certificate the clients can present the RADIUS server trusts that can be used to authenticate the client
If you have those things, tweaking the config becomes much simpler
@@OsbornePro Thank you so much for your response! I only have an NPS server ( I thought NPS and radius server were the same thing). Aruba told me that I just need to upload my certificate to Aruba Cloud Console. It looks like it just needs a PEM certificate, but I don't even know how to export a certificate from my NPS server to even start 😅😭
We just want to allow AD users to connect to our wifi on their personal mobile device. Right now we are manually typing in our wifi password on their personal device which is not secure.
@@xtnx The Aruba needs to trust your on-premise root certificate authority that is assigning certificates. Use Windows to view the Root CA certificate. You can open certlm.msc as an admin and go to Trusted Root Certificate Authorities. Double click on your cert to open it and go to Details, then Copy to File. Export in Base64 format, not DER. That is the PEM file they want. That will be all you need for them. Pushing certificates out to your mobile devices will require an MDM solution.
The NPS role can be related to a proxy. It will distribute authentication requests to the RADIUS servers
Hello good man, thank you very much for your time and efforts, the explanation was very helpful and informative. Your channel has a bright future ahead !
I followed your instructions and basically did everything you did, unfortunately I'm having 2 different issues on 2 different laptops, both are running Win11 and are very recent Dells. One of them is saying can't connect because the sign-in requirements for your device aren't compatible.
The second laptop works just fine but at the first connection it says "Continue connecting? If you expect to find [wireless SSID name] in this location, go ahead and connect. Otherwise, it may be a different network with the same name."
I do have something that may be worth mentioning, my NPS is not installed on a DC.
Do you have any idea about these issues?
Thank you so much again, looking forward to watching your intune wi-fi profile...
Thanks for watching! Are you using Server 2019 or higher for your NPS server? If your NPS server is not a domain controller that is fine, just make sure you have your DCs defined in the server group. You will then want to assign your NPS server the RADIUS server certificate template created, and any time you are asked for a RADIUS server define your NPS server.
You may want to view this article for information on using TLSv1.2 support.microsoft.com/en-us/topic/microsoft-security-advisory-update-for-microsoft-eap-implementation-that-enables-the-use-of-tls-october-14-2014-d9ba4b83-b4e9-2c01-83a7-e42706e671af
I would play around with your client Wireless profiles. Try being less strict and use different trust settings and hostname, FQDN, IP address in the RADIUS servers field to get it working. You can then harden from there once you see what part is having trouble.
@@OsbornePro Hey! I appreciate your reply, again thank you for your time! I'm using a 2016 Std for the NPS. Could you please explain what you mean by DCs defined in the server group? I'm sorry I forgot to tell you that I already have another SSID (let's call it SSID1) set up and it works just fine; the only difference is it's using PEAP instead of EAP-TLS. I have checked the event viewer on my endpoint and found this event under App & Srvs logs, WLAN-AutoConfig events: 8002 + 11006 + 12013
Wireless 802.1x authentication failed.
Network Adapter: Intel(R) Wi-Fi 6 AX201 160MHz
Interface GUID: {c8fcec8b-89f8-42b7-87cb-4b059364c8c4}
Local MAC Address: XXXXXXXXXX
Network SSID: MYSSID
BSS Type: Infrastructure
Peer MAC Address: :xxxxxxxxx
Identity: host/myhostname
User:
Domain:
Reason: Explicit Eap failure received
Error: 0x40420016
EAP Reason: 0x40420016
EAP Root cause String: Network authentication failed
Windows doesn't have the required authentication method to connect to this network.
EAP Error: 0x40420016
--------------------------------------
Wireless security failed.
Network Adapter: Intel(R) Wi-Fi 6 AX201 160MHz
Interface GUID: {c8fcec8b-89f8-42b7-87cb-4b059364c8c4}
Local MAC Address: XXXXXXX
Network SSID: MYSSID
BSS Type: Infrastructure
Peer MAC Address: XXXXXXXX
Reason: Explicit Eap failure received
Error: 0x40420016
------------------------------------------
The last event says the specific network is not available
One thing I noticed also, a few users could connect to the EAP-TLS network but when I checked the NIC wireless properties/Security I found that it has the auth method of the working network (SSID1) which is PEAP, and whenever I switch it to EAP-TLS (even though I'm not supposed to be able to modify this part as it should be greyed out) the connection drops....by the way I'm using a SOPHOS XG FW
@@ane4412 Based on the event you posted, that is telling us the clients are attempting to use an authentication method the server is not accepting. On your NPS server on the Network Policy you will want one created for PEAP and another for EAP-TLS. The EAP-TLS one should have Smart Card or Other Certificate selected only. Click the Edit button for that selection. Then using the expiration date of the RADIUS server certificate, select the RADIUS server cert to ensure the correct one is being used. Don't add any other requirements. On the clients you can check the EAP-RRAS logs for EAP-TLS (EAP type 13) (PEAP is EAP type 25).
GPOs need to be assigned to the same OU as a device or have the Enforcing tick box checked to prevent someone from making changes to your client profiles
The server groups is defined in Network Policy server in the left hand pane as Server groups. Your Domain controllers get set at that location (not the NPS server in your case)
@@OsbornePro Thank you so much! I will carefully double check all parameters you've pointed out and let you know. I'm a bit confused though about the server groups part, I thought it was only for failover and load balancing between NPSs but hey why not :-) I must do more research on that, or install the NPS on a DC... By the way the log says Auth failed for EAP method type 13, the error was 0x9009030c. Thank you again.
@@ane4412 Sounds good. Those groups do perform load balancing; however your NPS server is not a DC so it can only act as a proxy for authentication requests. It cannot perform the authentications.
Under Public Key Policies I don't have anything listed under Trusted Root Certificate Authorities and Intermediate Certificate Authorities. Where do I import these from? Thanks
Thanks for watching! That I am not sure. By default you should have default certificate authorities that exist in both the Trusted Root Certificate Authorities and Intermediate Certificate Authorities stores. If there is nothing there maybe the Windows store is not used for trust and some other technology is handling that?
If you want to get your domain's Root CA, remote into the Root CA server and open Command Prompt or PowerShell. Then execute the below commands.
mkdir C:\Temp # Creates a directory if it does not exist
certutil -ca.cert C:\Temp\RootCA.cer # Exports your domains Root CA certificate to a file that you can import into the trusted stores
Once you have the RootCA.cer file you can open certlm.msc and import it into the Trusted Root Certificate Authorities store.
Hello bro, I have already configured NPS on Windows Server 2019 and created an EAP-TLS policy. But in this case a Yealink IP phone and PC cannot work together; in this situation the PC can get an IP from DHCP but the IP phone cannot get an IP. What must I configure in the NPS policy? :(
Thanks for watching! I believe that Yealink phones are not capable of trusting third party certificates. In order to get them internet you would need to configure a multi-host policy on a Cisco switch. This allows the phones to piggyback on the computer's authentication and not have to use RADIUS to authenticate to pass traffic.
www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_37_se/configuration/guide/3560scg/sw8021x.html#wp1271507
Thank you so much for this great video. I just have a question, can I use this configuration for mobile devices like Android and iOS? Do I need to change anything? Thank you again.
Thanks for watching. You would have to use a PEAP user certificate on your mobile devices in order for them to authenticate with RADIUS.
@@OsbornePro Thanks so much for this video - it was a really useful start-to-finish tutorial and we've managed to get laptops connecting nicely over WPA Enterprise now. I was just curious about your comment above about needing PEAP user certificates on the mobile devices. We have been unable to get the iOS devices connecting over RADIUS. We have successfully deployed the certificates to the mobile devices using the MDM (AirWatch / Workspace ONE); however the certificates on the mobile devices are user certificates, not device certificates, and I'm wondering if this is why it might not be working. The TCPDUMP on the AP shows that the connection is being denied but I'm not sure why. Does NPS require machine certificates and if so, how do we loosen the policy to also allow user certificates from mobile devices to authenticate?
Otherwise, how do we use PEAP user certificates as you mentioned above on the mobile devices?
Thanks so much for any guidance and for the awesome video!
@@jimmyweston613 Excellent, that is great to hear! With PEAP you will need to create a new network policy on the NPS server. Add a security group to it so the PEAP users have the PEAP network policy applied, and then the devices security group assigned to your EAP-TLS policy. You will want to set up PEAP and MSCHAPv2. You do not need to check the legacy checkboxes for MSCHAP or MSCHAPv2 when creating that network policy.
@@OsbornePro Thanks so much for the reply. I will definitely try this over the weekend during a change window. Just to confirm though that in the new NPS Network Policy I am creating for the mobile devices, for the "EAP method" option, I should select "Microsoft: Protected EAP (PEAP) OR Microsoft: Secured password (EAP-MSCHAP v2)" instead of "Microsoft: Smart Card or other certificate", the latter of which I used in the other (working) policy for laptops? Thanks!
@@jimmyweston613 no problem. Correct, to break it down
1.) In Server Manager go to Tools > Network Policy Server
2.) Under "RADIUS Clients and Servers" drop down "Policies", right click on "Network Policies" and click "New"
3.) Call the Policy PEAP Users and leave "Unspecified" selected. Click "Next"
4.) Add a Condition for "User Groups" and add the security group containing your PEAP/MDM users. Click "Next"
5.) Select only "Access Granted" then click Next
6.) For EAP Type select "Microsoft Protected EAP (PEAP)" and uncheck all the less secure protocols. Select "Microsoft Protected EAP (PEAP)" and click the "Edit" button. Ensure your RADIUS server certificate is selected next to "Certificate issued to:" and "Enable Fast Reconnect", and ensure under EAP Types you have "Secured Password (EAP-MSCHAPv2)". Click OK and then click "Next"
7.) In the left hand pane of "Constraints" select "NAS Port Type" then check the boxes for "Wireless - IEEE 802.11" and "Wireless - Other". Click "Next"
8.) Uncheck the weak encryption methods if you like and click Next. Then Click Finish
9.) I have my PEAP policy last in processing order so it checks for company devices first and then tries PEAP based on user accounts
Hello at the 30:00 minute mark how do we apply the cert to that location? I am having a bit of trouble finding and exporting mine to the GPO
Thanks for watching! At that part I am configuring the Group Policy item to deploy out to devices that gives them the Root CA in their trusted store.
NOTE: In the video I see I installed the Root CA cert in the Intermediate store. If you don't have an Intermediate Root CA cert then DO NOT INSTALL IT THERE. It's not really a big deal but I was paranoid at the time I made this that my cert would not be trusted and I would have to do the video over lol. Supposedly it can cause an issue. I have never seen one but it's better to be safe than sorry.
Step 1.) On your Root CA, export your certificate. This can be done by executing the below command on your Root CA server. It exports the public certificate to a file.
certutil -ca.cert C:\Temp\yourRootCa.cer
Step 2.) Copy yourRootCa.cer to your Domain Controller you are making the GPO on
robocopy C:\Temp \\domain-controller.domain.com\C$\Temp yourRootCA.cer
Step 3.) When you have the policy open like I do in the video at that time frame, right click on "Trusted Root Certificate Authorities", select Import and import that file
are the TLS certs unique to each client/machine and if so what aspect makes them so? i.e. username, hostname, etc. I'm assuming they must be otherwise how could you revoke the cert for an individual machine.
Thanks for watching! Yes you are correct the TLS certificate is unique to each machine. It is based off of the FQDN of the host which is used in the certificate. If you revoke the certificate for one of the machines you will prevent that machine from authenticating itself using that certificate.
Great video. Thank you.
Thanks for watching! Glad it was helpful
I have the same server as certificate and configured a certificate template. After the template I could not find the template in the new list. What should I do?
Thanks for watching! I have no idea why they do not make it easier to see what certificate you are selecting. I would renew the certificate with the same key and select the certificate based on its expiration date.
Will this RADIUS with EAP-TLS work for cloud joined devices, with certificates passed through Intune? If not, can you please suggest how to do that. Thank you.
Thanks for watching! As far as I understand it, Intune using SCEP is able to assign 3 types of certificates that cover user certificates that can do EFS, S/MIME, Email Signing, and Client Authentication. This would restrict devices receiving certificates from Intune to using PEAP and not EAP-TLS. The PEAP certificate would be assigned to the user and they could then use their credentials to authenticate. If you have info different from mine I would be interested to hear it. I have only worked with E3 Office365 licenses which may be more limited than the E5 one.
If I use network policy authorization by domain user it doesn't work, but when I use domain computer it somehow does.
How can I differentiate which certificate template is used? I have another template for Intune PKCS certificate. In Intune you have to give the template name.
Thanks for watching! On the RADIUS server for my NPS server I use the expiration date to determine which Certificate I am selecting
When giving template names I typically try the one without spaces first
I am assisting a customer in setting this up and am a novice with the various touch points. Am I correct in assuming that this config allows the clients to automatically enroll and download the cert and connect to the SSID?
Thanks for watching! Yes you are correct the GPO creates the wireless profile that gets pushed out to the clients. By selecting a root CA certificate in the GPO wireless profile you are telling the clients what cert to autoselect
@@OsbornePro What triggers the clients to auto-enroll? I watched another video and they discussed the gpupdate /force to enroll the client immediately, and they also mentioned syncing the GPO to the domain which I didn't see mentioned in your video.
@@SteveSmith-rj6oq It is still the GPO. There is a PKI GPO setting that says to auto-enroll clients in certificates when the templates exist.
Thank you for your tutorial! We created AD groups and issued certificates for users. All working just fine, macOS receiving their certificates via Intune; the only problem we do have is first user login for Windows domain systems. We have to pass the authentication process for them first on a trusted network, so they can receive their user certificates. Do you know any workaround for how to bypass this step, so users will be able to grab their certificate during their first login?
Right on thanks for watching! My apologies for the delay I have been stuck on a project. To make sure I am understanding correctly, are you referring to devices that attempt to connect to your wireless network for the first time since they do not yet have a certificate to authenticate with?
@@OsbornePro Not really the device, but the user. For example, if a user has never logged in from his PC to the domain there is no user certificate and the user is not able to pass authentication on the RADIUS server. We created user-based certificates because it is just easy to assign AD groups; we added an additional feature where the user receives a certain IP from a certain IP pool depending on the AD group, because our Mac systems are not joined to the domain and we need to be able to filter user traffic on our firewall for this group of users. At the moment, a new user (or a user replacing his PC) should initially pass domain authentication on a wired connection, and once they receive the user certificate they are able to connect to our EAP-TLS. Thanks again for the video, really appreciate that you covered the topic in detail!
I ended up with a user-based certificate for macOS (not joined to the domain) and a computer certificate for Windows (domain joined).
Great video - does anyone have suggestions on how to import certificates to Azure-joined clients? In my environment I will need to leverage Intune for the GPO settings.
Thanks for watching! Importing a Root CA certificate is simple enough to do with Intune. Assigning certificates for RADIUS auth requires the Windows Server Root CA to have what windows calls SCEP configured and if devices are not domain joined you need a Standalone CA. Once that is set up and SCEP open to the internet you can set up the Intune profile to issue certs.
Thank you very much. I have a problem: I applied this guide and the "HardenedWin10.ps1" script from your other video, and since TLS 1.0 is disabled I can't connect via Wi-Fi.
Is it possible to force authentication to TLS1.1?
Can you help me?
Thank you
Yes, great question. You can add the following registry key to use TLSv1.1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
Create the DWORD value 0x300
TLSv1.0 would be 0xc0
TLSv1.2 would be 0xc00
I was thinking this might help your situation as well. In Windows 7 TLSv1.2 is not turned on by default. I wrote a script to turn on TLSv1.2 usage in Windows 7 era operating systems:
github.com/tobor88/PowerShell/blob/master/EnabledTLS1.2-Windows7.ps1
Awesome video 👍
Thanks for watching!
Does anyone know if this causes problems for Device Guard?
I'm testing it with wired and wireless. My NPS running on Windows Server 2022 is joined to the domain and the test PC is also joined to the domain. What I want to know is how the authentication can be tested. If I unlock the PC and put in credentials (those credentials will be checked to see if they exist in AD, so basically I have to log in via a domain account to get access and the VLAN pushed from NPS)?
Basically, I want to check group membership and push a VLAN from NPS (dynamic VLAN assignment).
Next, for EAP-TLS, how does that happen? While you log in to the domain-joined PC or when you connect the LAN cable? Please clarify or show a demo.
If anyone has any idea, kindly advise!
Thanks for watching! I think I understand what you are asking. I apologize if I misinterpreted and feel free to let me know.
WIRELESS TEST
To test EAP-TLS authentication out, the simplest way would be to temporarily have a WPA2-Personal SSID set up you can fall back on in case you need it.
Use the same subnet in that SSID as your WPA2-Enterprise one.
Set up your Wireless Connection Policy directly on the client instead of using GPO and/or exclude your laptop from the GPO enforcement temporarily. This will allow you to more quickly test and make changes to see what the issue might be. Make your changes and retry connecting to your WPA2-Enterprise SSID. Check the "Network Policy Server" logs on your NPS server to see why a request was rejected and to verify the request gets there.
On the client side you can view Event Viewer > Applications and Services > Microsoft > Windows > EapMethods-RasTls or EapHost to see why the RADIUS server is not being reached, if the issue is caused by config.
WIRED TEST
If you have a Cisco networking device acting as an Authenticator, you can use Monitor mode on some switches. This will basically audit your requests for testing purposes.
You could also configure RADIUS, None which says if the RADIUS server cannot be reached or the device cannot be found, the connection is allowed. You can then check the failed authentications on the interface your device is plugged into using the below command. Turning that interface off and on again should force a reconnect attempt the majority of the time.
# View whether a session was created on your interface
sh authentication sessions interface gigabitEthernet 1/0/1
# View auth statistics for interface
show dot1x int gi1/0/1
You can configure the quiet timer on your Cisco interface to get rechecks to happen more frequently
dot1x timeout quiet-period seconds
dot1x timeout tx-period seconds
More details on these commands can be seen in this forum community.cisco.com/t5/security-blogs/dot1x-ios-commands-overview/ba-p/4614712
I was just answering someone else's question who brought this tool to my attention, NTRadPing support.secureauth.com/hc/en-us/articles/360019651812-How-To-Test-RADIUS-Using-NTRadPing
It seems at first look like this is a PEAP authentication test. I figured I would share it with you in case it is helpful
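Added example (not from the video or the commenter) that reads the two logs the test procedure above points at from PowerShell: the NPS Security log, where the RADIUS accept/reject decisions land, and the client-side EapMethods-RasTls / EapHost channels. It assumes the Microsoft audit event IDs 6272 (granted), 6273 (denied) and 6274 (discarded), which the thread does not mention, and the function names are mine.

```powershell
# Added example: pull NPS decisions with their reject reason, then the client-side EAP events.
function Get-NpsAuthResult {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 20)
    # 6272/6273/6274 are Microsoft's NPS audit event IDs (assumption stated in the lead-in)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable @{
        LogName = 'Security'; ProviderName = 'Microsoft-Windows-Security-Auditing'; Id = 6272, 6273, 6274
    } -ErrorAction Stop | ForEach-Object {
        # The useful fields (policy matched, EAP type, reason) live in the event's XML payload
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $result = switch ($_.Id) { 6272 { 'Granted' } 6273 { 'Denied' } 6274 { 'Discarded' } }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Result     = $result
            User       = $d['FullyQualifiedSubjectUserName']
            Supplicant = $d['CallingStationID']   # MAC of the client as the AP/switch reported it
            Nas        = $d['ClientName']         # the RADIUS client (AP/switch) entry on NPS
            Policy     = $d['NetworkPolicyName']
            AuthType   = $d['AuthenticationType']
            EapType    = $d['EAPType']
            ReasonCode = $d['ReasonCode']
            Reason     = $d['Reason']
        }
    }
}

function Get-EapClientEvents {
    param([int]$MaxEvents = 20)
    # Discover the channels by name instead of hard-coding the full channel path
    $logs = Get-WinEvent -ListLog 'Microsoft-Windows-EapMethods-RasTls*', 'Microsoft-Windows-EapHost*' `
                -ErrorAction SilentlyContinue | Where-Object { $_.RecordCount -gt 0 }
    foreach ($log in $logs) {
        Get-WinEvent -LogName $log.LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, @{ n = 'Channel'; e = { $log.LogName } }, Id, LevelDisplayName, Message
    }
}

# Usage: run the first on the NPS server (reading the Security log needs admin), the second on the test laptop
Get-NpsAuthResult | Format-Table -AutoSize
Get-EapClientEvents | Format-Table -Wrap
```

A Denied row whose EapType is empty together with "the EAP type cannot be processed" in Reason points at the NPS certificate or the EAP method configured in the connection request/network policy rather than at the client.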
How do you get the certificate for connecting from a mobile device such as an iPhone or android device?
Thanks for watching! For mobile devices I would suggest going with PEAP certificates associated with the user accounts. The PEAP certificates can be pushed out using an MDM (Mobile Device Management) provider. If your company has at least an E3 Office365 license this can be done with Azure's MDM.
@@OsbornePro I intend to use it with home Wi-Fi just because I can. Is it possible to do so without an MDM? For Android, macOS, Linux, and iOS.
@@user-fp3mn3dw7x Yes that requires some manual configuration. Working with *nix operating systems this seems like a great resource to work from.
networkradius.com/articles/2021/10/25/EAP-production-certificates.html
You would need to manually generate the CSR on your *nix devices as the instructions cover at the above link for using EAP-TLS. If you have a windows CA issuing certs I have a script you can use to renew and set the certs on those devices afterwards.
github.com/tobor88/Bash/blob/master/update-ssl-certificate.sh
The other option would be to set up a PEAP user certificate that is exportable and install that certificate on all your devices. Then create the network profile that uses that certificate.
I found out I can generate a user certificate with CertSrv and it works on Android, iOS and macOS, but it doesn't work on Windows 10. Any idea what's missing?
@@user-fp3mn3dw7x Could you advise how you achieved this? Busy trying to do this myself.
Any chance of showing how to setup EAP-TLS for Android devices?
Yes please
Thanks for watching! I plan to redo this video at some point. That becomes tough because of the at home setup required but I will do what I can to include that information
I still get:
Terminate Cause The client could not be authenticated because the EAP type cannot be processed by the server.
Can I use a 3rd party CA to generate a certificate and use for EAP-TLS?
Thanks for watching! Yes you can use any CA as long as the client trusts the Root CA that issued the certificate to the RADIUS server and the RADIUS server knows it can trust the Root CA that issued the EAP-TLS certificate
@@OsbornePro Thank you!
@@OsbornePro Sorry one more question that came up. Can we just use an IIS Server in our domain to generate the CSR? And if so what type of certificate should we download from the 3rd party CA? Thanks so much.
@@HawkJ88 yes you can use IIS to generate a CSR if you want. You will need to download the Root CA certificate from the third party CA and trust it. If they have intermediate certificates you will need to trust those also.
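Added example (mine, not from the video or this thread) that checks the two trust relationships the reply above describes before you test with a third-party certificate: on NPS, that the RADIUS server certificate has the Server Authentication EKU, a private key and a chain that builds to a trusted root (including any intermediates); on a client, the same for the EAP-TLS certificate with the Client Authentication EKU. The function name is hypothetical; the EKU OIDs are the standard ones.

```powershell
# Added example: validate an EAP-TLS / RADIUS certificate the way Windows will when EAP runs.
function Test-EapTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [ValidateSet('Server', 'Client')][string]$Role = 'Server',
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    # Standard EKU OIDs: serverAuth for the NPS cert, clientAuth for the supplicant cert
    $ekuOid = if ($Role -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }
    $cert = Get-ChildItem -Path $StorePath | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }

    $hasKey = $cert.HasPrivateKey                     # the cert is useless for EAP without its key
    $ekus   = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages.Value
    $hasEku = $ekus -contains $ekuOid

    # Build the chain with revocation checking and the EKU as application policy, as Schannel does
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$ekuOid) | Out-Null
    $valid = $chain.Build($cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Role          = $Role
        HasPrivateKey = $hasKey
        HasEku        = $hasEku
        ChainValid    = $valid
        ChainStatus   = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
        RootCA        = $root.Subject     # must be a root the *other* side trusts as well
        NotAfter      = $cert.NotAfter
        Ok            = $hasKey -and $hasEku -and $valid
    }
}

# Usage: list candidates, then test the one NPS (or the client) will present
# Get-ChildItem Cert:\LocalMachine\My | Format-Table Thumbprint, Subject, NotAfter
# Test-EapTlsCertificate -Thumbprint '<thumbprint>' -Role Server
```

A chain that builds on the server but shows "untrusted root" or a missing intermediate on the other side is exactly the third-party CA case in the reply above: import the root (and intermediates) on the side that reports the failure.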
With this, should end users' devices then automatically connect once set up?
@@ryanmcguire2578 Thanks for watching! Yes, they will automatically connect to Wi-Fi once set up.
@OsbornePro OK, I had set this up previously on a different DC, and for my first test user I had to hit connect for them to connect. In the cert authority, should each computer have 2 certs listed?
@@ryanmcguire2578 if you have two certificates on a device capable of being used for radius auth from the same certificate authority. In your client wireless profile you define the CA that assigned the certificate to auto select from. If you have two they may prompt you to
@@OsbornePro I have my original cert authority set up on Server 2016 (going to decommission), which is still active and has both certificate templates, RADIUS server client and computer (machine), on it, but my Server 2022, the new CA, only has the RADIUS server client cert template listed for this user.
@@OsbornePro sent you an email if you have a chance to take a look...thank you
What TLS version will be used here?
@@hichamlyaacoubi1196 Thanks for watching! There is a registry value you can add on the NPS server to define which version you want to use, if you want to make sure a modern one is used:
support.microsoft.com/en-us/topic/microsoft-security-advisory-update-for-microsoft-eap-implementation-that-enables-the-use-of-tls-october-14-2014-d9ba4b83-b4e9-2c01-83a7-e42706e671af
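Added example (mine, not the commenter's or the video's) covering both this reply and the earlier TLSv1.1 registry answer in the thread: it writes the RasMan\PPP\EAP\13 value using the bit values given there (0xC0 = TLS 1.0, 0x300 = TLS 1.1, 0xC00 = TLS 1.2) and reads it back. It assumes the value name TlsVersion, which is how Microsoft's advisory names it, that the same key applies on both the NPS server and Windows clients, and that the bits can be OR'd to allow more than one version.

```powershell
# Added example: pin which TLS version(s) Microsoft's EAP implementation may negotiate.
# Key and bit values come from the thread; the value name "TlsVersion" is Microsoft's (see lead-in).
$EapTlsKey = 'HKLM:\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13'
$TlsBits   = @{ 'TLS1.0' = 0xC0; 'TLS1.1' = 0x300; 'TLS1.2' = 0xC00 }

function Set-EapTlsVersion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('TLS1.0', 'TLS1.1', 'TLS1.2')][string[]]$Version
    )
    # OR the bits so more than one version can be allowed (assumption: e.g. TLS1.1 + TLS1.2 = 0xF00)
    $mask = 0
    foreach ($v in $Version) { $mask = $mask -bor $TlsBits[$v] }
    if (-not (Test-Path $EapTlsKey)) { New-Item -Path $EapTlsKey -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($EapTlsKey, ('Set TlsVersion = 0x{0:X}' -f $mask))) {
        New-ItemProperty -Path $EapTlsKey -Name TlsVersion -PropertyType DWord -Value $mask -Force | Out-Null
    }
    return $mask
}

function Get-EapTlsVersion {
    # Decode the current mask back into version names; no value means the OS default applies
    $item = Get-ItemProperty -Path $EapTlsKey -Name TlsVersion -ErrorAction SilentlyContinue
    if (-not $item) { return 'TlsVersion not set (OS default)' }
    $names = $TlsBits.GetEnumerator() | Sort-Object Value |
             Where-Object { ($item.TlsVersion -band $_.Value) -eq $_.Value } | ForEach-Object Key
    return ('0x{0:X} -> {1}' -f $item.TlsVersion, ($names -join ', '))
}

# Usage: on a current NPS server or a hardened client that no longer offers TLS 1.0, allow TLS 1.2 only
# (the earlier reply used 0x300 to fall back to TLS 1.1 instead); reboot afterwards so EAP picks it up.
Set-EapTlsVersion -Version 'TLS1.2'
Get-EapTlsVersion
```

Both ends have to agree: a client pinned to TLS 1.2 against an NPS server whose mask excludes it fails with the same "EAP type cannot be processed" style rejection seen elsewhere in this thread, so set and read back the value on the server and a test client before rolling it out by GPO.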
Want to configure WPA3 for wireless. Please share any related document or video.
Thanks for watching. I would not suggest using WPA3 for wireless internet. Really the most vulnerable thing in WPA2-Personal is that someone can disrupt a network with disconnect packets and try to crack the wireless password. WPA3 still has vulnerabilities being discovered that are unable to be remediated due to issues in its foundation. One for example leaks the network password. www.pcmag.com/news/flaws-in-wi-fis-new-wpa3-protocol-can-leak-a-networks-password
Watching this video … I now realize why I stick to Linux.
Do you have one for wired, bro?
Sure do ruclips.net/video/CzmFhCuUj6w/видео.html
@@OsbornePro Can you please set up EAP-TLS certificate-based authentication for VPN clients (IKEv2, L2TP and PPTP)?
I don't have any templates.
Thanks for watching!
If you are on a client machine it may be a permission issue for your account on the certificate templates.
If you are on the certificate authority, restart the certificate service (certsvc), verify the service stays running, and check whether the templates are loaded. If this doesn't help, stop certsvc on the CA. Further troubleshooting would be required from there. If possible you can retry installing the CA.