Solved

Windows Server 2012 CA and Radius

Posted on 2014-12-20
Last Modified: 2014-12-22
I recently had a self-signed certificate expire that I am using for wireless clients using PEAP. I renewed the certificate and it shows in the clients' certificate store, but they receive this error while trying to connect:

"The server presented a valid certificate issued by "MY CA" but CA is not configured as a valid trust anchor for this profile."

I show the correct certificate under the PEAP config on the Radius server and it is also listed in Active Directory's NTAUTH store when I view the AD container in Enterprise PKI. Any ideas what would be causing this?
0
Question by: phil435

13 Comments

Expert Comment by: arnold
When renewing the self-signed certificate, did you use the same key, or did you elect to use a new key? The newly renewed CA's certificate needs to be published in the AD as a trusted CA. The issue is further related to the certificate having to be imported into the clients for it to be trusted. Often, the means to avoid such things requires the renewal to occur well before the expiration, to allow for the new certificate to find its way onto the client.

This is often dealt with by staggering two CA levels: a root CA and an issuing CA. The root CA certificate is valid for 10-20 years and is added as a trusted CA. It then issues an issuing CA certificate to a subordinate CA, which will be used to issue client certificates. The subordinate CA certificate is usually valid for between 3 and 7 years. The client certificates are valid for between one and three years.

The new CA certificate needs to be loaded into the routers/switches.
Presumably, the client certificates have also expired and had to be renewed with the newly renewed CA.
The certificate that exists has a different
0
 
LVL 45

Expert Comment

by:Craig Beck
Comment Utility
I think maybe the cert you're looking at in the client store is the old cert?

You'll need to either:

1] import the new self-signed cert into each client, or
2] configure each client to not validate the server certificate.

Option 1 is what you're after by the sound of it, as it appears your clients are validating the RADIUS server's cert during the authentication phase.
0
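The error quoted in the question names the wireless profile, not the certificate store: a Windows PEAP profile pins the root CA(s) it will accept by SHA-1 thumbprint in its ServerValidation section, so a renewed root with a new key will not match the pinned value even once it sits in the Trusted Root store. The following PowerShell is an added example (not code from the thread or from either commenter) for a Windows client: it reads the pinned thumbprints out of a profile and checks each against the machine's Trusted Root store. The sample profile, its SSID and its thumbprint are constructed placeholders; the live section at the end uses `netsh wlan export profile` on the real saved profiles.

```powershell
# Added example, not from the thread. Checks which root CA thumbprints a Windows
# wireless (PEAP) profile pins as trust anchors and whether each is present, and
# still valid, in the machine's Trusted Root store. The sample profile below is
# constructed; the final section inspects the client's real saved profiles.

function Get-PeapTrustAnchor {
    param([Parameter(Mandatory)][xml]$ProfileXml)
    # The EAP config sits under several XML namespaces; matching on local-name()
    # avoids having to declare each of them.
    $nodes = $ProfileXml.SelectNodes("//*[local-name()='ServerValidation']/*[local-name()='TrustedRootCA']")
    foreach ($n in $nodes) {
        # Thumbprints are stored as space-separated hex bytes ("01 23 ab ...").
        ($n.InnerText -replace '\s', '').ToUpperInvariant()
    }
}

function Test-PeapTrustAnchor {
    param(
        [Parameter(Mandatory)][xml]$ProfileXml,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2[]]$TrustedRoots
    )
    $pinned = @(Get-PeapTrustAnchor -ProfileXml $ProfileXml)
    if ($pinned.Count -eq 0) {
        # With no TrustedRootCA pinned, Windows accepts any root in the Trusted Root store.
        return [pscustomobject]@{ Thumbprint = '(none pinned)'; Status = 'any root in the Trusted Root store is accepted' }
    }
    foreach ($tp in $pinned) {
        $root = $TrustedRoots | Where-Object { $_.Thumbprint -eq $tp }
        $status = if (-not $root)                       { 'NOT in Trusted Root store (old/renewed-with-new-key root?)' }
                  elseif ($root.NotAfter -lt (Get-Date)) { "in store but EXPIRED $($root.NotAfter)" }
                  else                                   { "OK: $($root.Subject), expires $($root.NotAfter)" }
        [pscustomobject]@{ Thumbprint = $tp; Status = $status }
    }
}

# --- constructed sample: a PEAP (EAP type 25) profile pinned to one thumbprint ---
$sampleProfile = [xml]@"
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
    <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
              <TrustedRootCA>01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67</TrustedRootCA>
            </ServerValidation>
          </EapType>
        </Eap>
      </Config>
    </EapHostConfig></EAPConfig>
  </OneX></security></MSM>
</WLANProfile>
"@

$roots = @(Get-ChildItem Cert:\LocalMachine\Root)
Test-PeapTrustAnchor -ProfileXml $sampleProfile -TrustedRoots $roots | Format-Table -AutoSize

# --- live check of every profile saved on this client ---
$dir = Join-Path $env:TEMP 'wlanprofiles'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
netsh wlan export profile folder="$dir" | Out-Null      # one XML per saved profile
foreach ($f in Get-ChildItem $dir -Filter *.xml) {
    $p = [xml](Get-Content $f.FullName -Raw)
    "Profile: $($p.WLANProfile.name)"
    Test-PeapTrustAnchor -ProfileXml $p -TrustedRoots $roots | Format-Table -AutoSize
}
```

The constructed thumbprint matches nothing, so the sample row reports "NOT in Trusted Root store"; a real profile that was pinned to the old root shows the same row once the old root is gone or expired. The fix on the client side is to re-tick the renewed root under the profile's PEAP settings (or edit the exported XML and re-import it with `netsh wlan add profile filename=... user=all`), or to push the corrected profile through a wireless network GPO.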
 
LVL 2

Author Comment

by:phil435
Comment Utility
Thanks for the comments, guys. I have been watching AD Cert Services over on Pluralsight to get me up to speed on Cert Services in Windows Server 2012 R2. When I set up RADIUS for my wireless clients before, it was on Server 2003 and I followed a guide without really understanding CA services. I upgraded my Server 2003 domain to 2012 and imported my CA and RADIUS settings. Everything worked fine until the root CA cert expired. Here is what I've learned so far:

I am running Enterprise Root CA which is integrated into AD.
I have renewed my Root CA which expired and now have a signing cert which is valid for the next 5 years.
I am in a small AD environment so my CA above is the only CA and it assigns the certs as well.
My NPS server is using PEAP; I assume its cert became invalid once the Root CA expired.
I did not have the RAS and IAS template available on my root CA in Server 2012.

So my questions are as follows:
How does the NPS server request a new Cert to use?
Since this is AD integrated should these not automatically get pushed down to the clients?
0
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
Comment Utility
If the clients are members of the AD and you add the new cert into the GPO, it will be.

http://msdn.microsoft.com/en-us/library/cc754198.aspx

deals with templates/auto-enrollment policies.
0
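The accepted answer points at GPO auto-enrollment without spelling out the pieces: the template has to be published on the CA, the computer account needs Enroll and Autoenroll on it, the auto-enrollment client policy has to be enabled in a GPO that applies to the NPS server, and the server has to pick the policy up. The PowerShell below is an added example (not code from the thread or from the answerer) that does those steps on a 2012-era domain controller/CA and then verifies that a Server Authentication certificate from the CA landed in the NPS server's computer store. The GPO name, the OU distinguished name, the template name `RASAndIASServer` (the built-in "RAS and IAS Server" template's internal name; substitute the name of your copy) and the issuer match string are assumptions.

```powershell
# Added example, not from the thread. Run on a DC that has the GroupPolicy RSAT
# module and also hosts the CA (as in the question). All names below are assumptions.
Import-Module GroupPolicy

$gpoName  = 'Cert-AutoEnroll'                 # assumed GPO name
$ouDn     = 'OU=Servers,DC=corp,DC=example'   # assumed OU holding the NPS server
$template = 'RASAndIASServer'                 # assumed: template *name*, not its display name
$aeKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# 1. Publish the template on the CA ("Certificate Templates to Issue" in certsrv).
#    The template's security tab must also grant Enroll + Autoenroll to the NPS
#    server's computer account (e.g. via Domain Computers or RAS and IAS Servers).
certutil -SetCATemplates "+$template" | Out-Null

# 2. Computer Configuration > Policies > Windows Settings > Security Settings >
#    Public Key Policies > "Certificate Services Client - Auto-Enrollment".
#    AEPolicy = 7 is what the console writes for Enabled with both options ticked
#    (renew expired/update pending/remove revoked; update template-based certs).
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
Set-GPRegistryValue -Name $gpoName -Key $aeKey -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -ErrorAction SilentlyContinue | Out-Null  # no-op if already linked

# 3. On the NPS server: pull the policy and trigger auto-enrollment now rather
#    than waiting for the next scheduled pass.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# 4. Verify: PEAP needs a certificate in the computer's Personal store that
#    carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1) and chains to
#    the renewed CA. NotBefore tells you whether it is freshly issued.
function Get-ServerAuthCert {
    param([string]$IssuerMatch = '')
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
            $_.Issuer -like "*$IssuerMatch*"
        } |
        Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint
}

Get-ServerAuthCert -IssuerMatch 'MY CA' | Format-Table -AutoSize   # 'MY CA' taken from the question's error text
```

If step 4 returns nothing, check the template permissions first (auto-enrollment silently skips templates the computer cannot enroll for), then the Application event log for CertificateServicesClient-AutoEnrollment errors. The same AEPolicy setting under a GPO that applies to the Windows 7 clients is what makes the renewed root reach them through the domain trust stores.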
 
LVL 2

Author Comment

by:phil435
Comment Utility
OK, great. I followed the link and created a template based on RAS IAS. However, when I look on the CA I don't see any certificates that have been issued based on RAS IAS. There are other certs listed for this server, which is also my DC, but none with the RAS IAS profile that I created.
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
You need to look at the GPO for auto-enrollment settings.

Setting the template only means that it is available, it does not automatically deploy its use.

What devices are clients of your NPS/RAS IAS? Check them to make sure they have the new certificate. Devices might not have the option to auto-enroll/receive the updated CA certificate.

E.g. you have a firewall (Cisco ASA, Juniper, SonicWall, etc.) that is configured with a certificate and RADIUS. The certificate that they have is the expired one; you need to add the new certificate's public portion as trusted. To avoid this in the future, the common suggestion is to renew the root certificate/signing certificate at the 50%-of-life mark. This will allow you to issue new certificates based on the renewed certificate's expiration date, and it will also allow you time to update the various devices with the new certificate in a more controlled manner.
0
Author Comment by: phil435
This is just for my wireless clients, to authenticate them to my corporate network. The Cisco 1142 does not use the cert. It just passes my Win7 clients to the RADIUS server for authentication. It's the Win7 clients that have been giving me the error about the trust anchor. I'm headed to test it out now. This is the only thing I'm using the cert server for.
0
 
LVL 2

Author Comment

by:phil435
Comment Utility
OK, so the trust anchor message only came up when I was choosing the wrong cert. If I chose the root cert I would get this error. I ended up uninstalling AD Cert Services and reinstalling. I then followed the KB article mentioned above by Arnold to recreate the profile and set up the auto-enrollment. I had to run gpupdate on the server and it recreated the certificates. The only confusing thing was trying to choose the correct cert in NPS PEAP. I had three to choose from and they all had the same name, since the server created one for Kerberos, NPS, and another service. I wonder if there is a way to distinguish these in NPS, or do I have to pick until my clients start working?
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
In the selection, it should identify the purpose of the cert or identify it by ID; I'm not sure which cert columns are displayed in your selection interface.
0
 
LVL 2

Author Comment

by:phil435
Comment Utility
When you select the cert in the NPS server it doesn't show the purpose or ID. However, it does display the friendly name, and I found out that I can go into the certificate store and add the friendly name. It has not updated this yet in the NPS server, so I'm not sure if it's a refresh issue or what. Thanks for the helpful links on this.
0
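The three same-named certificates the author describes differ in the template they were issued from and in their EKUs, neither of which the NPS PEAP drop-down shows; what it does show is the friendly name. The PowerShell below is an added example (not code from the thread or from either participant) for the NPS server's computer store: it reads the template name out of each certificate's template extension, lists it beside the EKUs and thumbprint, and then assigns a friendly name to the certificate issued from the RAS and IAS template so it can be told apart in NPS. The template display name `RAS and IAS Server` and the friendly name text are assumptions; writing to the LocalMachine store needs an elevated prompt.

```powershell
# Added example, not from the thread. Inventories Cert:\LocalMachine\My with the
# issuing template and EKUs, then names the RAS and IAS certificate so it is
# distinguishable in the NPS PEAP certificate drop-down. Template display name
# and friendly name are assumptions; run elevated.

function Get-CertTemplateName {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '1.3.6.1.4.1.311.21.7' {
                # v2 template extension. Format() renders
                # "Template=<display name>(<template OID>), Major Version Number=..., ..."
                # The display name resolves only where the OID can be looked up in AD;
                # otherwise the raw template OID is returned instead.
                $text = $ext.Format($false)
                if ($text -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
                return $text
            }
            '1.3.6.1.4.1.311.20.2' {
                # v1 template extension carries the template name directly.
                return $ext.Format($false).Trim()
            }
        }
    }
    return '(no template extension)'
}

function Get-ComputerCertInventory {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        [pscustomobject]@{
            FriendlyName = $_.FriendlyName
            Subject      = $_.Subject
            Template     = Get-CertTemplateName -Cert $_
            EKU          = ($_.EnhancedKeyUsageList.FriendlyName -join ', ')
            NotAfter     = $_.NotAfter
            Thumbprint   = $_.Thumbprint
        }
    }
}

function Set-CertFriendlyNameByTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [Parameter(Mandatory)][string]$FriendlyName
    )
    # Assigning FriendlyName on a certificate object obtained from the Cert:
    # drive writes the property back into the store; no export/import needed.
    $hits = @(Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { (Get-CertTemplateName -Cert $_) -eq $TemplateName })
    foreach ($c in $hits) { $c.FriendlyName = $FriendlyName }
    return $hits.Count
}

Get-ComputerCertInventory | Sort-Object Template | Format-Table -AutoSize

$renamed = Set-CertFriendlyNameByTemplate -TemplateName 'RAS and IAS Server' `
                                          -FriendlyName 'NPS PEAP server certificate'
"$renamed certificate(s) renamed. Close and reopen the PEAP properties in NPS to see the new name."
```

In the inventory, the Kerberos Authentication and Domain Controller certificates carry Client Authentication, Server Authentication, Smart Card Logon and KDC Authentication EKUs, while the RAS and IAS one carries only Client Authentication and Server Authentication; the Template column is the unambiguous discriminator. NPS reads the store when the PEAP properties dialog is opened, which is why a friendly name set while the dialog was open does not appear until it is reopened.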
 
LVL 45

Expert Comment

by:Craig Beck
Comment Utility
OP didn't tell us you had your own PKI!!
0
 
LVL 2

Author Comment

by:phil435
Comment Utility
My apologies. I assumed since my title was 2012 CA and I mentioned Enterprise PKI that it would be assumed I had my own PKI. Again, sorry for the confusion.
0
 
LVL 45

Expert Comment

by:Craig Beck
Comment Utility
No worries. I was just wondering why you mentioned...

"I recently had a self signed certificate"

You could have a CA that you want to use but previously had a self-signed cert, so I was a bit unsure. Similarly, you could have added the self-signed cert into your CA to push it to clients via GPO.
0