Question
Saturday, February 18, 2012 1:06 PM
Hi,
I am setting up a wireless network for work. I would like users to access wireless using RADIUS authentication from the NPS server. I have the username and password access prompt working with certificate authentication. My problem is the complexity of the certificates for the user; it's difficult to install certificates on each laptop. I have two options:
- Switch off the certificate authentication and only have the RADIUS username and password to access the internet.
- Somehow distribute the certificate keys easily to users' laptops for installation. Most of my laptop users have low computer knowledge.
Thanks in advance.
All replies (18)
Tuesday, February 21, 2012 7:26 AM ✅Answered
Hi Stokie,
Thanks for posting here.
I think using a script may help us achieve the goal; here is a sample for reference. Once we execute the script locally, the certificate should be imported to the specified certificate store on the client. It seems just like what we did in SBS:
Certification File Manager
http://gallery.technet.microsoft.com/scriptcenter/Certification-File-Manager-be4a6848
Or perhaps we can get a better method from the Security or Official Scripting Guys forum:
http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
http://social.technet.microsoft.com/Forums/en/ITCG/threads
Thanks.
Tiger Li
TechNet Community Support
Wednesday, February 22, 2012 11:47 AM ✅Answered
Hi,
Well, I've created the Guest SSID access; it has its own VLAN and ACLs only allowing access to our Intranet web server. This page is where the user can download the certificates. To provide a simple certificate installation package for the user I used the command line tool certutil.exe. The following command can be used to add the certificates to the local store.
certutil -addstore -f -enterprise -user root %tmp%\root_ca.cer
Check out this website for creating an executable batch file:
http://poweradmin.se/blog/2010/01/23/how-to-distribute-root-certificates-as-exe-files/
Since I don't have a Wireless Controller to automatically redirect the user to our Guest home page for the certificate download, I may (also looking into alternatives) use a single Linksys WRT54G series router, placed in our campus library, with captive portal software installed. Once the user downloads the certificates they can use the Secure network for accessing LAN services.
Will keep this thread posted
Wednesday, February 29, 2012 12:11 PM ✅Answered
Hi,
Just thought I would finalise this thread for others. So my result was as follows:
I first created a Captive Portal; well, it's actually a DNS redirector from http://dnsredirector.com/. I used software installed on a Windows 2008 R2 VM. I created a page that provides the certificate installation file; see previous post.
On the WAP4410n AP I used two SSIDs (guest and secure). Using the AP's GUI I configured a separate VLAN for each SSID (VLAN and QoS page). The Guest VLAN is the same VLAN as the Captive Portal machine, which only allows access from the Guest WLAN to the Captive Portal (DNS redirector) and no other services. See http://www.definit.co.uk/2011/06/configuring-guest-wireless-network-restricted-access-production-vlans/ for information using Cisco products.
The Secure SSID is on the same VLAN as the web server, Intranet servers and NPS RADIUS machine. Once the user downloads the certificates and AntiVirus from the Guest WLAN they can access the secure WLAN.
Now I can use certificates easily and have a secure WLAN
Hope this helps people in the future
Saturday, February 18, 2012 3:01 PM
Hi.
Are the computers in an Active Directory? In that case you should be able to use AD Certificate Services and enable automatic certificate enrollment via GPO.
Oscar Virot
Saturday, February 18, 2012 6:22 PM
Hi Mike,
I agree with Oscar, if these are AD joined laptops, you can take advantage of Autoenrollment.
If not, you can create a cert install package. If you know anyone with an SBS server, you can "borrow" the cert installer package that comes with it. It's a small utility that you can customize by adding your cert (and the intermediate cert, if needed) to the package, distribute it either by emailing it or by making it accessible on a website, and it will install the cert(s) in the appropriate cert store. If you can gain access to an SBS 2008 or 2011 installation, the cert installer package is located at:
• Local Disk: c:\users\Public\Public Downloads
• UNC: \\servername\Public\Public Downloads
• UNC: \\sites\Public\Public Downloads
Here's a thread discussing this:
Network Policy Server doesn't send intermediate certificates (you have to manually install it, such as using GPO or the SBS installer utility if you can get a hold of it)
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0688c1de-8199-42cd-8e5b-911a581eb22f/
As for setting up NPS without the cert, you would have to re-configure everything to not use EAP or PEAP, and simply set up the RADIUS username and password on the AP to the NPS. There will be nothing needed on the client laptop side, since you'll only be using RADIUS auth between the RADIUS client (the AP) and the RADIUS server (NPS). The cert method provides security by authenticating clients (the cert is passed from the client to the NPS during the initial connection), but if you remove it, it will only be between the AP and NPS.
Ace
Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Monday, February 20, 2012 5:58 AM
Hi,
Thanks for your information. Unfortunately none of the laptops are AD joined, as they are all personal laptops and some guest ones. So I think no certificates is an option, as they only access the Internet and it's not a security risk.
I've tried for a week now to configure RADIUS without certificates but the NPS server rejects the request. I am using a WAP4410n wireless AP. I have the AP's security mode as WPA2-mixed Enterprise, but what settings should I have for the NPS server Authentication Methods?
Thanks
Monday, February 20, 2012 5:58 AM
I have AD installed but the laptops are not part of AD
Monday, February 20, 2012 6:07 AM
Here's a thread discussing this:
Network Policy Server doesn't send intermediate certificates (you have to manually install it, such as using GPO or the SBS installer utility if you can get a hold of it)
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0688c1de-8199-42cd-8e5b-911a581eb22f/
Great posting about "Network Policy Server doesn't send intermediate certificates". Thanks
Monday, February 20, 2012 6:21 AM
Here's a thread discussing this:
Network Policy Server doesn't send intermediate certificates (you have to manually install it, such as using GPO or the SBS installer utility if you can get a hold of it)
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/0688c1de-8199-42cd-8e5b-911a581eb22f/
Great posting about "Network Policy Server doesn't send intermediate certificates". Thanks
I hope it helps. Many of the public CAs offer a utility to make sure that their intermediate certs are installed. I use Digicert for my customers, and it's one of the things I need to run to make sure I install Digicert's intermediate cert.
Try that SBS installer. Let us know how it works.
Ace
Ace Fekay
Monday, February 20, 2012 8:49 AM
Hi Stokie,
Thanks for posting here.
It seems we are using a password based authentication method so far. In this case non-domain client computers must have the NPS server certificate installed locally in the Trusted Root Certification Authorities certificate store. This can be done by an administrator installing it manually, or by downloading it from a web site and importing it on the local host.
For more information please refer to the article below:
Certificates and NPS
http://technet.microsoft.com/en-us/library/cc772401(WS.10).aspx
Thanks.
Tiger Li
TechNet Community Support
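The two posts above (the certutil -addstore command, and the note that non-domain clients must hold the NPS server's root CA in Trusted Root) both come down to the same client-side step. The following PowerShell is an added example, not code from the thread or from Microsoft: it refuses the downloaded file unless its thumbprint matches a value the administrator publishes on the intranet download page and it is a self-signed CA, then adds it to the machine Trusted Root store and verifies the store. $CerPath, $ExpectedThumbprint and the LocalMachine store choice are assumptions.

```powershell
# Added example, not code from the thread. Installs the root CA that issued the
# NPS server's certificate into the machine Trusted Root store (same result as the
# certutil -addstore step above), but only after checking the file is the expected
# self-signed CA. Run elevated on the client laptop.
# $CerPath and $ExpectedThumbprint are placeholders; publish the real thumbprint on
# the intranet download page so the user (or this script) can compare it.
param(
    [string]$CerPath = "$env:TEMP\root_ca.cer",
    [string]$ExpectedThumbprint = "<ROOT-CA-THUMBPRINT-PLACEHOLDER>"
)

if ($ExpectedThumbprint -like '<*>') { throw "Set -ExpectedThumbprint to the published root CA thumbprint first." }
if (-not (Test-Path -LiteralPath $CerPath)) { throw "Certificate file not found: $CerPath" }

# Load the .cer file (DER or Base64) without trusting it yet
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList $CerPath

# 1. Thumbprint must match the value published out of band (spaces/colons tolerated)
$expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected. Not installing."
}

# 2. Only a self-signed CA belongs in Root; an intermediate belongs in the CA store instead
$basic = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # Basic Constraints
if (-not $basic -or -not $basic.CertificateAuthority -or $cert.Subject -ne $cert.Issuer) {
    throw "File is not a self-signed CA certificate; refusing to add it to Trusted Root."
}

# 3. Add to LocalMachine\Root so every user profile on the laptop trusts the NPS server
$store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
                    -ArgumentList 'Root', 'LocalMachine'
$store.Open('ReadWrite')
try {
    $store.Add($cert)
} finally {
    $store.Close()
}

# 4. Verify the store actually contains it and report what was trusted
$installed = Get-ChildItem -Path Cert:\LocalMachine\Root |
             Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw "Install appeared to succeed but the certificate is not in the Root store." }
Write-Host "Trusted root installed: $($cert.Subject) (expires $($cert.NotAfter))"
```

The thumbprint check is what keeps a captive-portal download page from becoming a way to push an arbitrary root onto personal laptops; it is only as good as the out-of-band channel the published value travels over.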
Monday, February 20, 2012 11:38 AM
Hi,
Thanks Tiger for the information, some good stuff there. So after much thought I have concluded that I have to go down the certificate route; here is my plan:
- Use 2 WLAN SSID's (Guest and Secure)
- Guest will use only WPA authentication. This will allow the user to access a single Intranet page to download the certificate and our AntiVirus. I will use a separate VLAN with an ACL to access only this webpage - http://www.definit.co.uk/2011/06/configuring-guest-wireless-network-restricted-access-production-vlans/
- Guest SSID will use a captive portal system to force the user to this webpage - CoovaChilli is an open-source system - http://coova.org/CoovaChilli
- Once certificate is downloaded then the laptop (non-AD) can access the Secure network.
What do you think?
My problem now is how to get the user to install the certificate efficiently. What I need is a Certificate Installer Package. A previous post by Ace told me there is one in Windows SBS 2008; any idea of another method to create an installer without the use of Windows SBS?
I have tried to get users to install both the root certificate and CA certificate to allow access, but they get confused when I give the instructions to change the certificate store location. Why doesn't "Automatically select the certificate store based on the type of certificate" work correctly? I am using a Win7 client for testing purposes.
Thanks
Tuesday, February 21, 2012 12:04 PM
Hi Tiger,
Great idea on the Certification File Manager. I will set about creating this system; it may take a day or two. Will post my results here once I have tried the script.
Thanks again
Wednesday, February 29, 2012 5:11 PM
Glad to hear you've come up with a solution and especially sharing it with us.
Cheers!
Ace Fekay
Sunday, June 10, 2012 9:25 AM
Hi
I am new here.
I need more about the same for NPS RADIUS on win 2008 R2 for domain and non domain wireless clients.
Is it possible to send me step-by-step detailed information to set up this solution?
Thanks
Sunday, September 9, 2012 11:00 AM
Hi Harish,
Sorry did not see your post. Did you still need the setup information?
Mike
Sunday, September 9, 2012 2:11 PM
Mike,
Is it possible you can post a step by step doc on this to help others?
Thanks!
Ace Fekay
Monday, September 10, 2012 7:26 AM
Hi,
Great idea, I will get one posted very soon, I hope you can give me comments back once posted.
Mike
Monday, September 10, 2012 7:31 AM
Absolutely. And thank you!
Ace Fekay