NPS server certificates and wireless security

I am setting up wireless with certificates but I am having an issue with the "Authentication Mode". If I choose "User re-authentication" under the security tab (second screenshot) it fails with the error "No credentials are available in the security package" but if I choose "Computer Authentication" it works fine.

I don't understand why I can't use "User re-authentication". Here are some screenshots to help show the configuration of NPS on Windows 2008 and the client is Windows 7 with group policy. The error at the end is from the Event Viewer.

[Screenshots: NPS Configuration; Client Configuration (two); Event Viewer client error]


footech Commented:
Thanks for the screenshots.
With there only being a computer cert, I think that explains why the user re-authentication option didn't work.  The way I understand it, the machine will be authenticated before a user logs in, then after login the connection should be re-authenticated with user credentials.  Since there isn't a user certificate this fails.

So what I was thinking was to only authenticate the computer, regardless of which user was using it.  So it wouldn't matter if the user was on a Windows device or an Apple device.  This is no problem for domain joined Windows machines with certificate auto-enrollment, but for iDevices it's another matter.  I would probably just create an idevice user, issue a cert to it, then export it and deploy it to the Apple devices.  Group membership is set in AD.  Passwords won't be used so it won't matter when they expire, but the certificate will have to be renewed when it expires and then pushed out to devices.
I'm wondering why you're even seeing that option.  What I see is on Win7 and 2008R2...
[Screenshot: Authentication options]
Are you trying to use user certificates or computer?
MCSFAuthor Commented:
It's Windows 2008 Datacenter. I am using Group Policy directly on that server if that's the difference?

I am not very good with the certificates to be honest. It's a "Client Authentication, Server Authentication" certificate if that helps.

What we had before was PEAP with MSCHAPv2 (instead of smart card or certificate). That worked fine but we are finding people with iDevices using their Windows username and password to log on to the wireless.

What we are trying to do is require a certificate to login. When I changed it to certificate it failed until I changed the Authentication Mode to computer authentication. I am just trying to understand why.

Ultimately we want to require both Windows and iDevices to authenticate with a certificate. I am having a hard time using the correct combination of NPS policies/conditions to catch the Windows devices in one policy and iDevices as another.

The "Windows Version" in conditions would work great but we don't run the NAP software (I am not sure of the name) required to do a Windows version check.

footech Commented:
Perhaps that is the wording on 2008 machines, unfortunately I don't have any that I can see for myself.  What other options are available for the authentication mode dropdown?
For certificates, it's a matter of which entity (the user or the computer) the certificate was issued to.  It could be one or the other, or both, or neither.  Since it worked when you changed to computer authentication, then the computer must have a certificate (unless you're allowing some other authentication type through another policy on the NPS).  You can see what certificates are available for a user and the computer by opening mmc.exe and adding the certificates snap-in.  Add it twice, one time selecting "my user account", and then again selecting "computer account" > next > then "local computer".  The certificates will be shown in the Personal store.

This is some conjecture here, but I think you'll need to have two network policies, one for the iDevices, and one for Windows.  Set the conditions for each policy so each applies to a group (i.e. one policy applies to "idevice-group" with appropriate members, and the other policy applies to "windows-group").  The iDevice group policy should use "Microsoft: Smart card or other certificate" under Constraints > Authentication Methods (because I don't think they support PEAP-TLS, only EAP-TLS).  The Windows group policy should use "Microsoft: Protected EAP (PEAP)".
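The same check can be scripted. The following is an added example and is not code from the thread or from either participant: for both the current user's and the local computer's Personal store it lists the certificates that EAP-TLS could actually present (private key present, inside its validity period, and either the Client Authentication EKU 1.3.6.1.5.5.7.3.2 or no EKU extension at all, which means any purpose) and then maps the result onto the two authentication modes. The store paths are the standard Cert: provider paths; the mode wording in the output is this example's own. Run it as the user who will log on, from an elevated prompt so the computer store is fully visible.

```powershell
# Added example, not from the original thread: find certificates that EAP-TLS
# could present from each Personal store and map the result onto the wireless
# profile's authentication modes. Store paths are the standard Cert: provider
# paths; everything else here is this example's own logic.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-EapTlsUsable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $now = Get-Date
    # EAP-TLS needs the private key, and the certificate must be inside its validity period.
    if (-not $Cert.HasPrivateKey) { return $false }
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -le $now) { return $false }

    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1

    # A certificate with no EKU extension is valid for any purpose; otherwise
    # Client Authentication must be listed (Server Authentication alone is not enough).
    if ($eku -eq $null) { return $true }
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq $ClientAuthOid) { return $true }
    }
    return $false
}

function Get-EapTlsCandidate {
    param([string]$StorePath)

    Get-ChildItem -Path $StorePath | Where-Object { Test-EapTlsUsable -Cert $_ } |
        Select-Object `
            @{ n = 'Store'; e = { $StorePath } },
            Subject,
            NotAfter,
            Thumbprint,
            @{ n = 'SAN'; e = {
                # Subject Alternative Name (2.5.29.17): NPS maps a user cert via the UPN here
                # and a computer cert via the DNS name here.
                $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
                if ($san) { $san.Format($false) } else { '' }
            } }
}

$userCerts     = @(Get-EapTlsCandidate -StorePath 'Cert:\CurrentUser\My')
$computerCerts = @(Get-EapTlsCandidate -StorePath 'Cert:\LocalMachine\My')

$userCerts + $computerCerts | Format-Table -AutoSize -Wrap

# Which Authentication Mode settings the client can satisfy with what it has.
if ($computerCerts.Count -gt 0) {
    'Computer authentication: a usable computer certificate is present.'
} else {
    'Computer authentication: no usable certificate in Cert:\LocalMachine\My.'
}
if ($userCerts.Count -gt 0) {
    'User authentication / user re-authentication: a usable user certificate is present.'
} else {
    'User re-authentication: will fail, no usable certificate in Cert:\CurrentUser\My.'
}
```

What the script does not check, and what is also needed before either mode works: the certificate must chain to a CA that the NPS trusts, and NPS must be able to map it to an account (a UPN in the Subject Alternative Name for a user certificate, the computer's DNS name for a computer certificate). An empty Current User store with a valid computer certificate is exactly the state in which computer authentication succeeds and user re-authentication reports that no credentials are available.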
MCSFAuthor Commented:
Good morning, A picture is worth a thousand words. :) I added a screenshot to see the options available for Authentication Mode.

I also checked the version of the 2008 server which is running NPS and Group Policy and from the command line it shows 6.0.6002.

Under certificates "Certificates - Current User" it's empty. Under "Certificates (Local Computer)" there is a certificate. I posted a screenshot below. I think that is the certificate we are using.

Thank you for the tips on creating two groups/policies. I feel like I am on the right track after what you posted.

I currently do have two policies but I still don't know how to get it to work completely because some users will belong to both groups. For example Jane from Auditor's could be both a laptop user and an iDevice user. That's why I was trying to use the Windows version condition as a "net" for Windows devices and all other devices like iDevices (or possibly some other hardware/OS) as a 2nd policy.

What I have been testing with is a piece of software named "iPhone Configuration Utility" which I have been using to load the certificate and also a username and password to the device. The NPS condition is the user credentials for iDevices (which is loaded with the utility) and the Constraints--Authentication Method is the certificate. I haven't fully tested this yet and I don't know if there's an easier/better way to do this. I was trying to think of some way to flag or group iDevices but my only condition is what group they belong to and that group membership is still based on their user credentials. Which worries me for another reason too since we force password changes every 90 days.

I originally had added the Windows version check and it failed and for the life of me I couldn't figure it out until I saw that condition is reliant on the agent being loaded.

[Screenshots: Authentication Mode options; (Local Computer) certificate]
MCSFAuthor Commented:
Oh, ok, I think I understand for the Windows devices. For the iDevices it really doesn't matter if the password is expired or not (does it matter if the account is disabled even?). As long as the group membership is in place they should work for the NPS condition check. As for Constraints it will be a device certificate "Microsoft: Smart card or other certificate". I think I saw in the iPhone Configuration Utility it does have a spot to enter PEAP information. I don't know if it works or not. The main concern will be whether or not the certificate is expired annually. Is that correct? Right now it's not many devices so I think that would work great.

After reading what you wrote I did find this on another site. I will have to give the PEAP a shot because then technically it could be just one policy to cover both Windows and iDevices since they would both use PEAP and a certificate.


Does the iPad support LEAP or PEAP Wi-Fi authentication?

Apple has not mentioned whether or not the iPad will support LEAP or PEAP Wi-Fi authentication. iPhones already have EAP (Extensible Authentication Protocol) support via the iPhone Configuration Utility. Since the iPad will run iPhone OS 3.2, it's likely that support for these will be included.
iPhone users are limited to WEP, WPA, WPA2, WPA Enterprise, and WPA2 Enterprise when connecting to Wi-Fi networks without custom configuration profiles.
The iPhone Configuration Utility supports TLS, LEAP, TTLS, PEAP, and EAP-FAST.
footech Commented:
It does matter if the account is enabled.  Apple devices support PEAP authentication with MSCHAPv2, but not with certs (TLS), that's why we have to use EAP-TLS for them, and why we use two different network policies in NPS.  A policy shouldn't have both PEAP and EAP types at the same time.
Correct about the certs expiring annually (though you could issue certs that are valid for a longer period).
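When testing a two-policy design like this, the NPS server's Security log tells you more than the client's Event Viewer: NPS writes event 6272 for each granted request and 6273 for each rejected one, and the event data carries the matched network policy name, the EAP type and a reason code. The following is an added example, not from the thread or from either participant, that summarises the 6273 events so you can see which policy each kind of client is hitting and why it is rejected there. The EventData field names are the 6273 event's own; the output columns and the 500-event default are choices made for this example. It needs PowerShell 2.0 or later and an elevated prompt on the NPS server.

```powershell
# Added example, not from the original thread: summarise NPS reject events
# (Security log, event ID 6273) by matched policy, EAP type and reason code.
# The EventData field names are the 6273 event's own; the object shape and the
# default event count are choices for this example.

function Get-NpsReject {
    param([int]$MaxEvents = 500)

    $filter = @{ LogName = 'Security'; Id = 6273 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        New-Object PSObject -Property @{
            Time       = $e.TimeCreated
            User       = $d['SubjectUserName']     # account name, or host/<fqdn> for computer auth
            Client     = $d['CallingStationID']    # client MAC address as reported by the AP
            Policy     = $d['NetworkPolicyName']   # empty when no network policy matched
            AuthType   = $d['AuthenticationType']
            EapType    = $d['EAPType']
            ReasonCode = $d['ReasonCode']
            Reason     = $d['Reason']
        }
    }
}

# Counts per (policy, EAP type, reason): shows at a glance which policy each
# kind of client is hitting and why it is rejected there.
Get-NpsReject |
    Group-Object -Property Policy, EapType, ReasonCode |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name |
    Format-Table -AutoSize

# The most recent rejects in full, with the human-readable reason text.
Get-NpsReject -MaxEvents 20 |
    Select-Object -Property Time, User, Client, Policy, EapType, ReasonCode, Reason |
    Format-Table -AutoSize -Wrap
```

Two reason codes matter most here: 48 means the request matched no network policy at all (the group or other conditions are wrong, and the Policy column will be empty), while 66 means a policy did match but the authentication method the client used is not enabled under that policy's Constraints > Authentication Methods. If the script returns nothing at all, confirm that the Network Policy Server audit subcategory is enabled with `auditpol /get /subcategory:"Network Policy Server"`.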
MCSFAuthor Commented:
Ok, that makes sense. I learned several new things from you on this project and I really appreciate all the information and help from you. I think Thursday morning I am going to start putting all the pieces together and start testing. We have half a day off today and of course tomorrow we are closed. I hope you have a great holiday and thank you again! :)
footech Commented:
You're welcome.  Have a great Christmas!
MCSFAuthor Commented:
Footech really went above and beyond to teach me some additional new things. A really great asset. Thank you.