

How can I configure radius to allow a non-windows device to authenticate with a certificate?

Question

Friday, February 21, 2014 10:52 PM

I currently have a 2008 R2 server with NPS acting as a RADIUS server for our wireless network. The existing rules are set up to allow access based on Windows group membership. I need to get a wireless JetDirect connected to the Wi-Fi network.

If I create a certificate for this device with key usage settings for client auth / server auth, can it authenticate to RADIUS with that cert?

How would I set up an NPS policy to allow this device, since it's not a domain member and not a member of the Windows groups?

All replies (4)

Monday, February 24, 2014 6:50 PM ✅Answered

Hi there -

I asked the NPS team about this, and following is their response:

*****

Yes, it's possible, but it's a very manual process. I will give you the easy steps, then the hard ones.

Easy (relative):

  1. Using a domain-joined machine, request a certificate from a template that allows the private key to be exported.
  2. Export the cert with the private key.
  3. Import it on all workstations/devices that require it.

Pros:

Relatively easy to create the cert and manage the account

Cons:

Single certificate used on multiple machines

Certificate does not accurately reflect the name of the device

Hard:

  1. Create an account in AD.
  2. Issue a certificate from a template that allows the private key to be exported.
  3. Using name mappings, attach the certificate to the account.
  4. Create an SPN that matches the SAN on the certificate, i.e. if the SAN is computer.domain.com, you need to create an SPN on the account of host/computer.domain.com.
  5. Install the certificate on the target workstation/device.

Pros:

Relatively more secure than the previous steps, as you create a single account/certificate pair per device

Cons:

Not very manageable

*****

Thanks -

James McIllece


Thursday, February 27, 2014 6:56 AM

Hi,

Just want to confirm the current situations.

Please feel free to let us know if you need further assistance.

Regards.

We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.


Thursday, July 10, 2014 7:50 PM

Hi there -

Following is some additional information I received today from the NPS team on this issue:

*****

You can make the hard option a little easier and reduce a couple of the steps by using a SAN entry in the certificate with a format of SAN:UPN=<hostname>$@<domain.tld>. This results in a certificate that has an NT Principal Name of <hostname>$@<domain.tld> in the SAN field, which is then appropriate for authentication to the NPS as a pure computer object. The only dependency is then the creation of a computer account in Active Directory and adding it to the respective groups for AuthZ.

I've used that approach for 802.1X authn/authz of non-domain-joined machines, the biggest pain still being the cert enrolment and transfer element, although the use of NDES/SCEP can make that a little more palatable (if appropriate for the devices in question).

Thanks -

James McIllece
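The two replies above describe the AD-side steps (computer account, SPN, optional name mapping) and the UPN-style SAN. The following PowerShell is an added example, not code from the thread or from Microsoft; the host name computer1, domain contoso.local, group Wireless-Devices, template name NonDomainWifiClient and issuer DN are all assumed placeholders.

```powershell
# Added example: provision the AD object for a non-domain-joined 802.1X client and
# build a certreq.exe INF whose SAN carries both a DNS name and UPN=<hostname>$@<domain>.
# All names below are assumptions for illustration, not values from the thread.
$Hostname = 'computer1'
$Domain   = 'contoso.local'
$Fqdn     = "$Hostname.$Domain"
$Upn      = "$Hostname`$@$Domain"      # NT Principal Name that NPS maps to the computer object

# 1. Computer account the certificate will authenticate as, placed in the group the
#    NPS network policy authorises (group name is an assumption).
Import-Module ActiveDirectory
New-ADComputer -Name $Hostname -SAMAccountName "$Hostname`$" -DNSHostName $Fqdn -Enabled $true
Add-ADGroupMember -Identity 'Wireless-Devices' -Members "$Hostname`$"

# 2. SPN matching the DNS SAN (step 4 of the "hard" list).
Set-ADComputer -Identity $Hostname -ServicePrincipalNames @{Add = "host/$Fqdn"}

# 3. Explicit name mapping (step 3 of the "hard" list). Redundant once the UPN SAN below
#    is present, but shown for completeness. The issuer DN is a placeholder for your
#    enterprise CA, written in the reversed (RDN-last) order altSecurityIdentities expects.
$IssuerDn = 'DC=local,DC=contoso,CN=Contoso-Issuing-CA'
Set-ADComputer -Identity $Hostname -Add @{altSecurityIdentities = "X509:<I>$IssuerDn<S>CN=$Fqdn"}

# 4. certreq INF: exportable key (so the cert can be moved to the device) plus
#    DNS and UPN SAN entries. Submit with:  certreq -new req.inf req.csr
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "upn=$Upn&"

[RequestAttributes]
CertificateTemplate = "NonDomainWifiClient"
"@ | Set-Content -Path .\req.inf -Encoding ASCII
```

After issuance, the SAN of the resulting certificate should read `Other Name: Principal Name=computer1$@contoso.local` alongside the DNS entry, which is the form the second reply describes.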


Thursday, October 22, 2015 6:50 AM

Hi! I know it is an old question, but how should the SAN look for computer1 in the domain contoso.local, for example:

[email protected] 

?