Windows Server 2012 CA and Radius

I recently had a self signed certificate expire that I am using for Wireless clients using PEAP. I renewed the certificate and it shows in the clients certificate store but they receive this error while trying to connect:

The server presented a valid certificate issued by "MY CA" but CA is not configured as a valid trust anchor for this profile.

I show the correct certificate under the PEAP config on the Radius server and it is also listed in Active Directory's NTAUTH store when I view the AD container in Enterprise PKI. Any ideas what would be causing this?
Asked by phil435
1 Solution
 
arnold commented:
When renewing the self-signed certificate, did you use the same key, or did you elect to use a new key? The newly renewed CA's certificate needs to be published in the AD as a trusted CA. The issue is further related to the certificate having to be imported into the clients for it to be trusted. Often, the means to avoid such things requires the renewal to occur way before the expiration to allow for the new certificate to find its way onto the client. This is often dealt with by staggering two CA levels, root CA and issuing CA. The root CA certificate is valid for 10-20 years and is added as a trusted CA. It then issues an issuing CA certificate to a subordinate CA which will be used to issue client certificates. The subordinate CA certificate is usually valid between 3 and 7 years. The client certificates are between one and three years.

The new CA certificate needs to be loaded into the router/switches.
Presumably, the client certificates have also expired and had to be renewed with the newly renewed CA.
The certificate that exists has a different
 
Craig Beck commented:
I think maybe the cert you're looking at in the client store is the old cert?

You'll need to either:

1] import the new self-signed cert into each client, or
2] configure each client to not validate the server certificate.

Option 1 is what you're after by the sound of it, as it appears your clients are validating the RADIUS server's cert during the authentication phase.
 
phil435 (Author) commented:
Thanks for the comments guys. I have been watching AD cert services over on Pluralsight to get me up to speed on Cert services in Windows Server 2012 R2. When I set up Radius for my wireless clients before, it was on Server 2003 and I followed a guide without really understanding CA services. I upgraded my Server 2003 domain to 2012 and imported my CA and Radius settings. Everything worked fine until the root CA cert expired. Here is what I've learned so far:

I am running Enterprise Root CA which is integrated into AD.
I have renewed my Root CA which expired and now have a signing cert which is valid for the next 5 years.
I am in a small AD environment so my CA above is the only CA and it assigns the certs as well.
My NPS server is using PEAP which I assume its cert became invalid once the Root CA expired.
I did not have the RAS and IAS template available on my root CA in Server 2012.

So my questions are as follows:
How does the NPS server request a new Cert to use?
Since this is AD integrated should these not automatically get pushed down to the clients?

 
arnold commented:
If the clients are members of the AD and you add the new cert to the GPO, it will be.

http://msdn.microsoft.com/en-us/library/cc754198.aspx

deals with templates/auto-enrollment policies.
 
phil435 (Author) commented:
OK, great. I followed the link and created a template based on RAS IAS. However, when I look on the CA I don't see any certificates that have been issued based on RAS IAS. There are other certs listed for this server, which is also my DC, but none with the RAS IAS profile that I created.
 
arnold commented:
You need to look at the GPO for auto-enrollment settings.

Setting the template only means that it is available, it does not automatically deploy its use.

What devices are clients of your NPS/RAS IAS? Check them to make sure they have the new certificate. Devices might not have the option to auto-enroll/receive the updated CA certificate.

I.e. you have a firewall (Cisco ASA/Juniper/SonicWall, etc.) that is configured with certificate and RADIUS... The certificate that they have is the expired one. You need to add the new certificate's public portion as trusted. To avoid this in the future, the common suggestion is to renew the root certificate/signing certificate at the 50% of life mark. This will allow you to issue new certificates based on the renewed certificate expiration date, and this will also allow you time to update the various devices with the new certificate in a more controlled manner.
 
phil435 (Author) commented:
This is just for my wireless clients to authenticate them to my corporate network. The Cisco 1142 does not use the cert. It just passes my Win7 clients to the ra server for authentication. It's the Win 7 clients that have been giving me the error about the trust anchor. I'm headed to test it out now. This is the only thing I'm using the cert server for.
 
phil435 (Author) commented:
OK, so the trust anchor message only came up when I was choosing the wrong cert. If I chose the root cert I would get this error. I ended up uninstalling AD cert services and reinstalling. I then followed the KB article mentioned above by Arnold to recreate the profile and set up the auto-enrollment. I had to run gpupdate on the server and it recreated the certificates. The only confusing thing was trying to choose the correct cert in NPS PEAP. I had three to choose from and they all had the same name, since the server created one for Kerberos, NPS, and another service. I wonder if there is a way to distinguish these in NPS, or do I have to pick until my clients start working.
 
arnold commented:
In the selection, it should identify the purpose of the cert or identify it by ID, not sure which cert columns are displayed in your selection interface.
 
phil435 (Author) commented:
When you select the cert in NPS server it doesn't show the purpose or ID. However, it does display friendly name and I found out that I can go into the certificate store and add the friendly name. It has not updated this yet in the NPS server so I'm not sure if it's a refresh issue or what. Thanks for the helpful links on this.
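The friendly-name approach described above, as an added PowerShell example that is not part of the thread: it lists the NPS server's personal-store certificates with the fields the NPS PEAP picker hides (thumbprint, EKU, issuing template, whether the chain builds to a trusted root on this machine) and then labels the chosen one. The two template OIDs are the standard Microsoft certificate-template extensions; `<THUMBPRINT>` is a placeholder to fill in from the table.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the NPS server.
# Microsoft's certificate-template extension OIDs: v1 template name and v2 template info.
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-ServerAuthCandidates {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # Decode the template extension so a "RAS and IAS Server" cert can be told
        # apart from the DC/Kerberos certs that share the same subject name.
        $template = $cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            FriendlyName  = $cert.FriendlyName
            NotAfter      = $cert.NotAfter
            # Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what PEAP clients require.
            ServerAuth    = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
            HasPrivateKey = $cert.HasPrivateKey
            # False when the issuer (e.g. an expired or unpublished root CA) is not trusted here,
            # which is the same condition that produces the client's "trust anchor" error.
            ChainTrusted  = $cert.Verify()
            Template      = ($template -join '; ')
        }
    }
}

# Only certificates usable for PEAP: Server Authentication EKU, private key present, not expired.
Get-ServerAuthCandidates |
    Where-Object { $_.ServerAuth -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, FriendlyName, NotAfter, ChainTrusted, Template -AutoSize

# Label the chosen certificate so it is distinguishable in the NPS PEAP dropdown.
# <THUMBPRINT> is a placeholder: paste the value from the table above.
$thumbprint = '<THUMBPRINT>'
$target = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$target.FriendlyName = 'NPS PEAP server cert (RAS and IAS Server)'
```

NPS reads the store when the PEAP properties dialog is opened, so reopen the dialog (or restart the NPS service) after setting the friendly name.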
 
Craig Beck commented:
OP didn't tell us you had your own PKI!!
 
phil435 (Author) commented:
My apologies. I assumed since my title was 2012 CA and I mentioned Enterprise PKI that it would be assumed I had my own PKI. Again, sorry for the confusion.
 
Craig Beck commented:
No worries. I was just wondering why you mentioned...

I recently had a self signed certificate

You could have a CA that you want to use, but previously had a self-signed cert, so I was a bit unsure. Similarly, you could have added the self-signed cert into your CA to push it to clients via GPO.