Solved

NPS server certificates and wireless security

Posted on 2013-12-20
Last Modified: 2013-12-27
I am setting up wireless with certificates but I am having an issue with the "Authentication Mode". If I choose "User re-authentication" under the security tab (second screenshot) it fails with the error "No credentials are available in the security package" but if I choose "Computer Authentication" it works fine.

I don't understand why I can't use "User re-authentication". Here are some screenshots to help show the configuration of NPS on Windows 2008; the client is Windows 7 with group policy. The error at the end is from the Event Viewer.

NPS Configuration
Client Configuration
Client Configuration
Event Viewer Client error
Question by:MCSF
10 Comments
 
LVL 39

Expert Comment

by:footech
ID: 39732669
I'm wondering why you're even seeing that option.  What I see is on Win7 and 2008R2...
Authentication options
Are you trying to use user certificates or computer?
 

Author Comment

by:MCSF
ID: 39732880
It's Windows 2008 Datacenter. I am using Group Policy directly on that server if that's the difference?

I am not very good with the certificates to be honest. It's a "Client Authentication, Server Authentication" certificate if that helps.

What we had before was PEAP with MSCHAPv2 (instead of smart card or certificate). That worked fine but we are finding people with iDevices using their Windows username and password to log on to the wireless.

What we are trying to do is require a certificate to login. When I changed it to certificate it failed until I changed the Authentication Mode to computer authentication. I am just trying to understand why.

Ultimately we want to require both Windows and iDevices to authenticate with a certificate. I am having a hard time using the correct combination of NPS policies/conditions to catch the Windows devices in one policy and iDevices as another.

The "Windows Version" in conditions would work great but we don't run the NAP software (I am not sure on the name) required to do a Windows version check.
 
LVL 39

Expert Comment

by:footech
ID: 39733086
Perhaps that is the wording on 2008 machines, unfortunately I don't have any that I can see for myself.  What other options are available for the authentication mode dropdown?
For certificates, it's a matter of which entity (the user or the computer) the certificate was issued to.  It could be one or the other, or both, or neither.  Since it worked when you changed to computer authentication, then the computer must have a certificate (unless you're allowing some other authentication type through another policy on the NPS).  You can see what certificates are available for a user and the computer by opening mmc.exe and adding the Certificates snap-in.  Add it twice, one time selecting "My user account", and then again selecting "Computer account" > Next > then "Local computer".  The certificates will be shown in the Personal store.

This is some conjecture here, but I think you'll need to have two network policies, one for the iDevices, and one for Windows.  Set the conditions for each policy so each applies to a group (i.e. one policy applies to "idevice-group" with appropriate members, and the other policy applies to "windows-group").  The iDevice group policy should use "Microsoft: Smart card or other certificate" under Constraints > Authentication Methods (because I don't think they support PEAP-TLS, only EAP-TLS).  The Windows group policy should use "Microsoft: Protected EAP (PEAP)".
 

Author Comment

by:MCSF
ID: 39736421
Good morning. A picture is worth a thousand words. :) I added a screenshot to see the options available for Authentication Mode.

I also checked the version of the 2008 server which is running NPS and Group Policy and from the command line it shows 6.0.6002.

Under certificates "Certificates - Current User" it's empty. Under "Certificates (Local Computer)" there is a certificate. I posted a screenshot below. I think that is the certificate we are using.

Thank you for the tips on creating two groups/policies. I feel like I am on the right track after what you posted.

I currently do have two policies but I still don't know how to get it to work completely because some users will belong to both groups. For example, Jane from Auditors could be both a laptop user and an iDevice user. That's why I was trying to use the Windows version condition as a "net" for Windows devices and all other devices like iDevices (or possibly some other hardware/OS) as a 2nd policy.

What I have been testing with is a piece of software named "iPhone Configuration Utility" which I have been using to load the certificate and also a username and password to the device. The NPS condition is the user credentials for iDevices (which is loaded with the utility) and the Constraints > Authentication Method is the certificate. I haven't fully tested this yet and I don't know if there's an easier/better way to do this. I was trying to think of some way to flag or group iDevices but my only condition is what group they belong to, and that group membership is still based on their user credentials. Which worries me for another reason too, since we force password changes every 90 days.

I originally had added the Windows version check and it failed and for the life of me I couldn't figure it out until I saw that condition is reliant on the agent being loaded.

Authentication Mode options
(Local Computer) certificate
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 39736801
Thanks for the screenshots.
With there only being a computer cert, I think that explains why the user re-authentication option didn't work.  The way I understand it, the way that works is that the machine will be authenticated before a user logs in, then after login the connection should be re-authenticated with user credentials.  Since there isn't a user certificate this fails.

So what I was thinking was to only authenticate the computer, regardless of which user was using it.  So it wouldn't matter if the user was on a Windows device or an Apple device.  This is no problem for domain joined Windows machines with certificate auto-enrollment, but for iDevices it's another matter.  I would probably just create an idevice user, issue a cert to it, then export it to then deploy it to the Apple devices.  Group membership is set in AD.  Passwords won't be used so it won't matter when they expire, but the certificate will have to be renewed when it expires and then pushed out to devices.
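The two checks footech describes above, looking in both Personal stores for a certificate the client can actually use, and keeping an eye on when the machine/device certificate expires so it can be renewed and pushed out before EAP-TLS starts failing, can be scripted. The following is an added example and not code from the thread or from any Microsoft tool; it assumes an elevated PowerShell session on the Windows 7 client (the Local Machine store needs admin rights), filters on the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2, which EAP-TLS requires) plus a private key, and uses an arbitrary 30-day warning threshold.

```powershell
# Added example (not from the thread): enumerate EAP-TLS-capable certificates in the
# user and computer Personal stores and warn about any that expire soon.
# Assumptions: elevated session; 30-day threshold is arbitrary; written to stay
# compatible with PowerShell 2.0 on Windows 7 (no [pscustomobject] or EnhancedKeyUsageList).

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth: the EKU an EAP-TLS client cert needs
$WarnDays      = 30

function Get-EapClientCerts {
    param(
        [string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            $cert = $_
            # Pull the Enhanced Key Usage extension and check for Client Authentication.
            $eku = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $hasClientAuth = $false
            if ($eku) {
                $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
            }
            # Without a private key the supplicant cannot prove possession, so skip those.
            if ($cert.HasPrivateKey -and $hasClientAuth) {
                New-Object PSObject -Property @{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
                }
            }
        }
    }
}

$certs = @(Get-EapClientCerts)

if ($certs.Count -eq 0) {
    # This is the situation in the thread for the user store: no user cert, so
    # "User re-authentication" has nothing to present.
    Write-Warning 'No Client Authentication certificate with a private key found in either Personal store.'
}

$certs | Sort-Object NotAfter | Format-Table Store, Subject, Issuer, NotAfter, DaysLeft -AutoSize

# Renewal reminder: flag anything inside the warning window (or already expired).
$certs | Where-Object { $_.DaysLeft -le $WarnDays } | ForEach-Object {
    Write-Warning ("{0}: '{1}' expires in {2} day(s) ({3:yyyy-MM-dd})" -f `
        $_.Store, $_.Subject, $_.DaysLeft, $_.NotAfter)
}
```

Run against the configuration in the thread, the table should show only the Local Machine entry, which is why computer authentication works and user re-authentication does not. For the exported "idevice user" certificate that footech suggests, the same `DaysLeft` check can be run periodically on the server holding the exported copy, so the replacement certificate is issued and deployed before the old one lapses.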
 

Author Comment

by:MCSF
ID: 39737103
Oh, ok, I think I understand for the Windows devices. For the iDevices it really doesn't matter if the password is expired or not (does it matter if the account is disabled even?). As long as the group membership is in place they should work for the NPS condition check. As for Constraints, it will be a device certificate "Microsoft: Smart card or other certificate". I think I saw in the iPhone Configuration Utility it does have a spot to enter PEAP information. I don't know if it works or not. The main concern will be whether or not the certificate is expired annually. Is that correct? Right now it's not many devices so I think that would work great.

After reading what you wrote I did find this on another site. I will have to give the PEAP a shot because then technically it could be just one policy to cover both Windows and iDevices since they would both use PEAP and a certificate.

---------------------------------------------------------------------------------

Does the iPad support LEAP or PEAP Wi-Fi authentication?

Apple has not mentioned whether or not the iPad will support LEAP or PEAP Wi-Fi authentication. iPhones already have EAP (Extensible Authentication Protocol) support via the iPhone Configuration Utility. Since the iPad will run iPhone OS 3.2, it's likely that support for these will be included.
 
iPhone users are limited to WEP, WPA, WPA2, WPA Enterprise, and WPA2 Enterprise when connecting to Wi-Fi networks without custom configuration profiles.
 
The iPhone Configuration Utility supports TLS, LEAP, TTLS, PEAP, and EAP-FAST.
 
LVL 39

Expert Comment

by:footech
ID: 39737210
It does matter if the account is enabled.  Apple devices support PEAP authentication with MSCHAPv2, but not with certs (TLS); that's why we have to use EAP-TLS for them, and why we use two different network policies in NPS.  A policy shouldn't have both PEAP and EAP types at the same time.
Correct about the certs expiring annually (though you could issue certs that are valid for a longer period).
 

Author Comment

by:MCSF
ID: 39738079
Ok, that makes sense. I learned several new things from you on this project and I really appreciate all the information and help from you. I think Thursday morning I am going to start putting all the pieces together and start testing. We have half a day off today and of course tomorrow we are closed. I hope you have a great holiday and thank you again! :)
 
LVL 39

Expert Comment

by:footech
ID: 39738420
You're welcome.  Have a great Christmas!
 

Author Closing Comment

by:MCSF
ID: 39742849
Footech really went above and beyond to teach me some additional new things. A really great asset. Thank you.
