  1. #1 nickbro (Join Date: Jul 2010; Location: Gilwern, Wales)

    WPA2 Enterprise Computer Authentication

    Hi all,

    Was wondering if anyone has managed to get WPA2 Enterprise Authentication working with NPS.

    I've been asked by the council to look at replacing the county-wide WPA2 PSK for the schools' wifi with certificates.

    We don't have a county-wide AD, so we'd be running a server in county all whose sole job will be to authenticate the WPA2 requests.

    I was under the impression you can set this up by using certificates: create one per school and issue that to the schools to install on devices.

    But I'm at a loss on how to get this working.

    Managed to get the certificates, NPS installed, WPA2 SSID setup, RADIUS proxied to NPS from the Wifi points, but I can't get devices to connect to it.

    Any help would be great

  2. #2 AngryTechnician (Join Date: Oct 2008)
    That's what I use, but not in the same way you describe. Our machines all use individual computer certificates from our AD's certificate authority. I believe this is how most people do it.

    That said, what you've described sounds like it can be made to work. In my experience this tends to be more difficult to set up on the clients than on the server. If the certificate is in the user certificate store rather than the computer store and the config is set to use computer authentication, it will fail. Or vice-versa. Can you describe how you've set the clients up and which store the cert is in?
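The store/authMode mismatch described in this reply is easy to check on a client. The script below is an added example, not code from the thread or from any of its participants: it exports the named WLAN profile with netsh, reads the OneX authMode from the XML, and counts certificates in each store that EAP-TLS could actually use (private key present, client-auth EKU, chain verifies). The profile name "School-WPA2" is an assumption; the OneX namespace URI and the default of machineOrUser when the element is absent are what Windows documents for exported profiles.

```powershell
# Added example (not from the thread). Assumes the wireless profile is named
# "School-WPA2" (hypothetical) and is an EAP-TLS profile exported by netsh in
# the standard WLAN/OneX XML schema. Run in an elevated PowerShell.
param(
    [string]$ProfileName = 'School-WPA2'   # assumption: your SSID/profile name
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'     # id-kp-clientAuth EKU required by EAP-TLS

# 1. Export the profile XML and read the OneX authMode.
$tmp = Join-Path $env:TEMP 'wlan-profile-check'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
Remove-Item (Join-Path $tmp '*.xml') -ErrorAction SilentlyContinue
netsh wlan export profile name="$ProfileName" folder="$tmp" | Out-Null
$xmlFile = Get-ChildItem $tmp -Filter '*.xml' | Select-Object -First 1
if (-not $xmlFile) {
    throw "Profile '$ProfileName' not found; see 'netsh wlan show profiles'."
}
[xml]$doc = Get-Content $xmlFile.FullName
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('o', 'http://schemas.microsoft.com/networking/OneX/v1')
$node = $doc.SelectSingleNode('//o:OneX/o:authMode', $ns)
# Values are machine, user, machineOrUser or guest; absent means machineOrUser.
$authMode = if ($node) { $node.InnerText } else { 'machineOrUser' }

# 2. Find certificates EAP-TLS could use in each store: private key present,
#    client-auth EKU, and a chain that builds to a trusted root.
function Get-UsableClientCert {
    param([string]$Store)   # 'LocalMachine' or 'CurrentUser'
    Get-ChildItem "Cert:\$Store\My" | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) -and
        $_.Verify()          # chain + revocation check against local trust
    }
}
$machine = @(Get-UsableClientCert -Store 'LocalMachine')
$user    = @(Get-UsableClientCert -Store 'CurrentUser')

# 3. Compare what the profile asks for with what is actually installed.
"Profile '$ProfileName': authMode = $authMode"
"Usable client-auth certs: LocalMachine\My = $($machine.Count), CurrentUser\My = $($user.Count)"
switch ($authMode) {
    'machine' {
        if ($machine.Count -eq 0) {
            Write-Warning 'authMode=machine but no usable cert in LocalMachine\My (is it in the user store?)'
        }
    }
    'user' {
        if ($user.Count -eq 0) {
            Write-Warning 'authMode=user but no usable cert in CurrentUser\My (is it in the computer store?)'
        }
    }
    default {
        if ($machine.Count -eq 0 -and $user.Count -eq 0) {
            Write-Warning 'no usable client-auth certificate in either store'
        }
    }
}
```

Run it as `.\Check-EapTlsProfile.ps1 -ProfileName 'YourSSID'` on a client that fails to connect. Note that `Verify()` also fails when the issuing CA is not in the client's trusted store or its CRL cannot be reached, which is a separate failure from the wrong store. On the NPS side, the matching evidence is Security-log event 6273 (access denied) and its reason code.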

  3. #3 nickbro (Join Date: Jul 2010; Location: Gilwern, Wales)
    There is no centralized AD, so each school usually has its own AD.

    The plan would be to install an AD at top level, create a user for each school, create a certificate for those users, give that certificate to the schools to install on devices (via Group Policy), then use Group Policy to connect to the WPA2 network for internal access.

    Now I've managed to get certificates working (I needed to log on as the user and create the certificate; I think I've missed some optional attributes that are needed in the certificate request), so that works. I don't know if it works at the computer level yet though.

    Separate SSID for BYOD; this is WPA2 Enterprise again. RADIUS requests go to a different IP, so IP filtering is used on the connection request: NPS inspects the username, figures out which school it came from (domain\username) and forwards the RADIUS request to the local school's RADIUS server.

  4. #4 nicklowe (Join Date: Oct 2012)
    Be careful! It could easily be considered to be professionally negligent to deploy it with a certificate shared among all devices in a school if that is what you intend.
    Nothing would be achieved over just using a PSK.

    Ensure that you are using one certificate per device with individual enrolment, don't reuse credentials.
    A primary purpose of WPA2-Enterprise is to get away from this aspect of WPA2-Personal.
    It's a massive accountability, auditability and security nightmare waiting to happen otherwise.
    Think about what would happen if you needed to revoke it, and the logistical steps required to correct and resolve it by redistributing credentials.

    You should have a certificate server per school to generate a certificate derived from that site's root on a per-device basis where you don't have federation.
    Last edited by nicklowe; 2nd February 2014 at 08:32 AM.
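A per-device enrolment of the kind this reply recommends, as an added example that is not from the thread or from any participant: a certreq INF keyed to this computer's FQDN, with the key generated in the machine store and flagged non-exportable so the credential cannot be copied to a second device, submitted to an AD CS CA and then checked. The CA config string "ca.school.local\School-CA", the template name "Machine" and the working directory are assumptions; replace them for your site.

```powershell
# Added example (not from the thread). Enrols one client-auth certificate for
# THIS machine with a non-exportable key, so the credential is bound to the
# device. Assumptions: CA config string and template name below; run elevated.
$CaConfig = 'ca.school.local\School-CA'   # assumption: "<CA host>\<CA name>"
$Template = 'Machine'                     # assumption: CA template name
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$work     = Join-Path $env:ProgramData 'wifi-enrol'   # assumption: scratch dir
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$req = Join-Path $work 'request.req'
$cer = Join-Path $work 'cert.cer'

# 1. INF for certreq: subject and SAN are this host; key lives in the machine
#    store and is non-exportable; EKU is client authentication only;
#    KeyUsage 0xA0 = digitalSignature | keyEncipherment.
@"
[NewRequest]
Subject = "CN=$fqdn"
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = FALSE
HashAlgorithm = sha256
RequestType = PKCS10
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn"

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# 2. Generate the key and CSR, submit to the CA, install the issued cert.
certreq -new -machine $inf $req
certreq -submit -config $CaConfig $req $cer
certreq -accept -machine $cer

# 3. Verify the installed certificate is really per-device and non-exportable.
function Test-DeviceCert {
    param([string]$HostName)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$HostName" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return "no certificate for CN=$HostName in LocalMachine\My" }
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $exportable = if ($key -is [System.Security.Cryptography.RSACng]) {
        ($key.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
    } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $key.CspKeyContainerInfo.Exportable
    } else { 'unknown' }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Exportable = $exportable     # must be False for a device-bound credential
        ChainValid = $cert.Verify()
    }
}
Test-DeviceCert -HostName $fqdn
```

With one certificate per device, revoking a lost or compromised machine is a single action on the CA (`certutil -revoke <SerialNumber> 1`, then `certutil -CRL` to publish), and no other device's credentials change. NPS only honours that if it performs CRL checking and can reach the CRL distribution point, which is worth confirming before relying on revocation.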
