Certificate Recommendations - NPS

  • 1
  • Question
  • Updated 11 months ago
I set up a test Network Policy to try WPA2 against our internal NPS.  I believe everything is set up correctly in terms of authentication because it is working fine for just about every client type except Windows.

On a Win7 workstation it appears that I am unable to connect due to a certificate error.  Everything looks fine at the NPS end and watching in the Client Monitor in HiveManager I can see that credentials are passed.  But on the client in the Event Viewer I see an SChannel error indicating a certificate was received from an untrusted certificate authority.

In a BYOD environment this is going to present some challenges.  

Right now I have simply used the RAS and IAS Server template for the certificate.  I'm not very well versed in setting up/managing SSL certificates and am wondering if anyone out there has any suggestions with respect to getting this to work with Windows Clients.

Tony Andrews

  • 52 Posts
  • 5 Reply Likes

Posted 11 months ago

  • 1

BJ, Champ

  • 374 Posts
  • 45 Reply Likes
We use certificates to ensure only corporate owned devices are able to connect to our 802.1x SSID, as they are authenticated to the domain and use the DCs' cert. Have you considered PPSK for BYOD authentication?  

Tony Andrews

  • 52 Posts
  • 5 Reply Likes
Just an update...  It appears this issue is Windows 7 related.  We tried a Win 10 client and were able to connect.   On a Win7 client we get an SChannel error in the event viewer indicating that an untrusted certificate was sent from the NPS server and so the SSL connection failed.

On every other device we have the option to just trust the certificate.  Not so with Win7.

Bill W.

  • 222 Posts
  • 35 Reply Likes
So this sounds like you are not in a Windows domain or don't have a proper PKI setup. What you need to do is either import the certificate into the Windows Trusted Root Certification store (recommended), or change the security settings in the PEAP properties of the wireless profile properties to NOT "Validate server certificate" (not recommended). The latter is not recommended as it leaves a security vector that could be exploited.

If you were in a Windows AD domain with your PKI setup, you would have group policy set to import the certificate into the Trusted Root store for all your domain joined Windows devices. There are ways to script this too if you are not in a Windows domain.

Tony Andrews

  • 52 Posts
  • 5 Reply Likes
Thanks Bill...  We do indeed have a Windows domain, but obviously in a BYOD environment this will not be the case for client devices trying to connect.  The users themselves are in AD, but not the devices.   I actually found a pretty good response (by Rusty Wyatt) to a similar issue from this thread:

https://community.aerohive.com/aerohive/topics/3rd_party_certificate

And I think it applies in this case.   Pretty much everything but Windows 7 clients will allow the connection with some form of dialog that gives the user the option to trust the certificate.  If I export the certificate and import it on a Windows 7 client I am able to connect.  This is obviously not a practical solution when I have no ownership or control over clients.

In our environment it is important to have users associated to the wireless network via some form of AD authentication so that their activity on the network is associated with their AD username in our content filter.  We were using CWP through iBoss to do this previously, but for some reason this functionality broke quite badly last year leaving users a bit irritated.  RADIUS was the next best option because iBoss has the agents to monitor users authenticated this way.

I'm not sure PPSK is going to do what we need... but I will have to read up a bit more.  Alternatively, as Rusty suggested in the post referenced above, I may have to look at an Aerohive CWP that does 802.1x authentication on an Open SSID.  

So many options... 

Bill W.

  • 222 Posts
  • 35 Reply Likes
OK. If we are talking BYOD, I would just have them not validate the certificate. Unfortunately Windows 7 does not automatically prompt you to trust the certificate, or even tell you that is the problem. What you can do is create instructions for your users on how to make the settings change that will allow them to connect.

On the Win 7 device, go to the "Properties" of your SSID. Then select the "Security" tab.  Then click the "Settings" button next to the "Microsoft Protected EAP (PEAP)" drop down.  In the window that pops up, uncheck the "Validate server certificate" checkbox.  *This is the setting that is causing the problem* Then click the "Configure" button next to the "Secured password (EAP-MSCHAP v2)" drop down.  In the window that pops up, uncheck the box to "Automatically use my Windows logon name and password (and domain if any)." and click "OK".  Then click "OK". Then select the "Advanced settings" button.  In the window that pops up, check the box for "Specify authentication mode" and select "User authentication" from the drop down box and click "OK".  Now when they try to connect to your SSID, they will be prompted for a username and password and their device will not have an issue with your certificate.

I know it seems like a lot of steps, but it actually only takes a minute to do.  And if you have screenshots for the users, it makes it very easy.  I can think of 2 alternatives to this, both of which cost money. One, you could find and purchase an on-boarding solution that will take care of this for you by forcing the user to import your certificate. Or two, you could purchase a cert for your RADIUS server from one of the major providers that are already in the trusted root store.  It's a matter of how much money you want to invest to support BYOD devices running an OS that is no longer supported.

Tony Andrews

  • 52 Posts
  • 5 Reply Likes
Thanks for the reply Bill.   I think this is probably our best... most secure ... option.  The users are ours... the devices are not.  If they don't have AD credentials they don't get in.   Given the fact that most devices are going to be smart phones and other non-Windows mobile devices I don't think this will be too big a deal.

I may consider the certificate purchase option.   However, it is not clear to me what type of certificate I should get or even where it gets installed on the NPS server.  Any suggestions on this front?

Bill W.

  • 222 Posts
  • 35 Reply Likes
Sorry Tony, I cannot help you on that. We've never looked into it as we have 170+ RADIUS servers and don't want to pay for that many certs (can't use wildcard cert for RADIUS). And we don't have many BYOD Windows laptops. For the few that we do encounter, we have instructions for them on how to connect.