Radius authentication with NPS on Windows 2008 server

Question · Updated 3 years ago · Answered

Hello dear Aerohive friends,

I'm IT manager in a secondary school. We are deploying our Aerohive WiFi and we're facing a problem. We want to use our Windows 2008 NPS RADIUS server to authenticate users on their own devices (BYOD). We use PEAP-MSCHAPv2. The problem is the self-signed certificate.

Mac OS devices can authenticate; they only get a warning that it is "insecure". Windows 7 (non-domain) devices are getting an error; they can't connect at all. We've found out that disabling "validate server certificate" on the WiFi client is a workaround. Unfortunately, none of my colleagues (+/- 400) nor students (+/- 3000) has the skills to connect this way. It has to be very easy and foolproof.

I've read a lot of discussions on this forum, but I can't find the right answer.

My NPS server FQDN is srvadm01.coltd.be (so NOT .local). Do I have to order an SSL certificate (GoDaddy) for this FQDN? Are there any special requirements for this certificate? Do I just have to change my self-signed certificate into this signed certificate on my NPS server? Is there a manual for this procedure?

Can anyone confirm that this problem disappears when I buy a standard SSL certificate (+/- € 60/year)? What behaviour can be expected on my Windows 7 non-domain clients?

I have an SSL certificate for my mail server (mail.coltd.be). I've read on this forum that the FQDN of the NPS server is not important (https://community.aerohive.com/aerohive/topics/802_1x_authentication_with_heterogenous_clients), so I tried with this SSL certificate, but this procedure doesn't work at all. Is this normal behaviour?

Thanks a lot!

Thomas Hoste
Belgium

Thomas Hoste

Posted 4 years ago

Nick Lowe, Official Rep

Dear Thomas,

It is best (but not essential) to get a certificate for your coltd.be domain and not the FQDN of your server(s). There is certainly no dependency/link to the server's name conceptually.

If you tried with a certificate for your mail server and it failed, it could be that:
  • The client's supplicant was misconfigured in some way.
  • The client does not have the root or an intermediary to that root certificate installed.
  • The certificate doesn't meet the requirements.
  • Something else is going wrong...
The general requirements for a certificate based on real world experience can be found here:

https://confluence.terena.org/display/H2eduroam/EAP+Server+Certificate+considerations

Look at "Consideration 2: Recommended certificate properties".

There is no requirement to use a commercial CA; the only benefit from doing so comes from the need to otherwise distribute the public key of a self-signed root certificate.

Because of the difficulty of getting the supplicant configured correctly outside of environments like a Windows network with Group Policy, especially for BYOD, tools such as eduroam's CAT exist that are free and open source:

https://cat.eduroam.org/

This can be modified to work with other SSIDs.

Are you able to give us screenshots of your client's configuration and a packet capture in the air (EAPOL) or at the RADIUS server (RADIUS) and post it somewhere so that we can see what's going on?

Nick

Thomas Hoste


Hello Nick,

Thanks a lot for your reply. We got it working right now! I think we did "something" wrong while exporting/importing the SSL-mailserver-certificate into our Radius-server.

My BYOD-devices receive a warning, but my users can simply click on "connect". That solves our problem.

Greetings,

Thomas

Nick Lowe, Official Rep

The issue you have now though is that your security is effectively weaker than WPA2-Personal with a PSK for such clients as the certificate is not being constrained to a root and a name.
Thomas Hoste


Hey Nick,

OK... well, all we want is that our students/colleagues can authorize with their own Active Directory credentials when they use our WiFi network with their own device. Our students/colleagues don't have any basic IT skills, so the authorization must be VERY simple.

What does Aerohive suggest in this case? Why is this type of authorization unsafe?

Thanks for your help!

Thomas

Rusty Wyatt, Technical Support Engineer

Thomas,

I addressed some of these concerns in another post recently:

https://community.aerohive.com/aerohive/topics/3rd_party_certificate

-Rusty

MST

I am dealing with this problem now... same problem. I was thinking about using an NPS server and AD credentials for teachers and students/staff logging in to the Aerohive WiFi network. Most of the devices are not bound to AD; however, everyone has an AD account. Most of them are Apple products, with some Android, Chromebooks, etc.
Thomas Hoste

Hello, strangely enough, I've solved this issue by using an SSL certificate of our mail server! We bought an SSL certificate from GoDaddy for an HTTPS connection to our Exchange. We've exported this SSL certificate from our mail server and imported it into our NPS server. On Apple devices, we get a warning that the certificate is not secure (of course), but we can simply click "continue" and it works. Not the right way, I know, but the cheapest :) .