Solved

WPA2-Enterprise with RADIUS/Microsoft NPS and 3rd Party Certificates

Posted on 2016-11-03
Last Modified: 2016-11-13
Hi All - I'm hoping you can help out with a frustrating issue I'm having.  I have 2 Unifi AC Pro's and 2 SSIDs.  One that will allow all domain joined machines to join and another for other devices, such as phones and tablets, that staff will authenticate to using their domain usernames and passwords.
 
I've setup PEAP using NPS following some guides I found and I've installed a cert from GoDaddy on the NPS server.  Everything works and users can authenticate, however, all devices are being prompted with certificate warnings that you have to accept to connect.  The message is slightly different depending on the device.  Windows 7 states:
 
The credentials provided by the server could not be validated.  We recommend that you terminate the connection and contact your administrator with the information provided in the details.  You may still connect but doing so exposes you to security risk by a possible rogue server.
 
This cert is from a public CA, so I'm guessing I missed a step or configured something incorrectly.  The CN on the certificate is wifi.mydomain.com even though the NPS servername is actually nps.mydomain.local.  Could that be the issue?  I just used IIS on the NPS server to generate the certificate request.  What did I miss?  I have non-domain joined devices connecting so I don't want to use my own private CA.
 
I see quite a bit of forums on this topic, but they are all a few years old.  I'm hoping someone can guide me in the right direction.
 
Thanks!
Question by:polaris101
5 Comments
 

Expert Comment

by:Adam Brown
ID: 41873108
What name are your wireless APs configured to use for accessing the RADIUS server? That should match what is on the certificate. So your AP configuration determines whether the certificate is valid or invalid. If you have your APs configured to use the IP of the NPS server or the internal domain name, the certificate will be invalid with a 3rd party certificate. You'd need to change the AP configuration so it uses wifi.mydomain.com and make sure they are set up to pull DNS from a server that has an A record for wifi.mydomain.com that points to NPS.
 

Author Comment

by:polaris101
ID: 41873118
Well my APs use the IP address to point to the RADIUS server...unfortunately, it only accepts IPs and doesn't allow DNS names.
 

Expert Comment

by:Adam Brown
ID: 41873143
Then you will likely not be able to eliminate the certificate error if you want to continue using certificate validation when connecting to wireless. The solution, though, would be to disable the setting to Validate Server Certificates in the wireless profile on the client machines. That would effectively prevent the error from popping up, but could put your client machines at risk of being hijacked by a rogue AP using the same SSID as yours and its own RADIUS authentication mechanism (the likelihood of this type of thing is remote, since it requires physical access and wouldn't actually allow an attacker to compromise your network, but it could lead to some operational issues, and I like to make sure people understand the potential impact of a configuration setting modification like this).
 

Accepted Solution

by:polaris101
ID: 41878862
The solution was to use an internal CA and make sure the NPS Server name matched the certificate name.  Unfortunately, since the domain is a .local this only works for domain computers.  We'll have to educate users about looking at the certificates they are trusting for the other devices.
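The two checks a PEAP supplicant applies to the RADIUS server's certificate, which explain both the name mismatch discussed in Adam Brown's comments and the domain-only limitation of the internal-CA solution above, as an added example that is not from this thread or from Ubiquiti or Microsoft. It is a model of the logic, not a real supplicant: name matching is assumed to be exact, and the certificate names, root CA names and the RADIUS IP address are constructed.

```python
"""Model of the server-certificate checks a PEAP client performs:
(1) the chain must end in a root the device trusts, and
(2) the name the client expects must be one of the names on the certificate.
Added example; every certificate, root and address below is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class ServerCert:
    subject_cn: str                              # CN in the subject
    san_dns: list = field(default_factory=list)  # dNSName entries in the SAN
    root_ca: str = ""                            # root at the top of the chain


def cert_names(cert: ServerCert) -> list:
    """Names the certificate claims; SAN dNSName entries win over the CN when present."""
    return [n.lower() for n in (cert.san_dns or [cert.subject_cn])]


def validate_server(cert: ServerCert, expected_server: str, trusted_roots: set) -> list:
    """Return the reasons a client would warn; an empty list means a silent connect."""
    problems = []
    if cert.root_ca not in trusted_roots:
        problems.append(f"issuer root '{cert.root_ca}' is not in the device trust store")
    try:
        ip_address(expected_server)
        # An IP address never matches a dNSName, so a client configured with the
        # RADIUS server's IP is guaranteed a name mismatch (assumed exact matching).
        problems.append(f"'{expected_server}' is an IP address; certificate names: {cert_names(cert)}")
    except ValueError:
        if expected_server.lower() not in cert_names(cert):
            problems.append(f"'{expected_server}' is not among certificate names {cert_names(cert)}")
    return problems


def thread_scenarios() -> dict:
    """The situations raised in the thread, mapped to the problems each one produces."""
    public = ServerCert("wifi.mydomain.com", ["wifi.mydomain.com"], root_ca="Public CA Root")
    internal = ServerCert("nps.mydomain.local", ["nps.mydomain.local"], root_ca="Internal CA Root")
    byod_trust = {"Public CA Root"}                          # phones/tablets: public roots only
    domain_pc_trust = {"Public CA Root", "Internal CA Root"}  # internal root distributed by GPO
    return {
        "public cert, client expects server hostname": validate_server(public, "nps.mydomain.local", byod_trust),
        "public cert, client expects RADIUS IP": validate_server(public, "192.0.2.10", byod_trust),
        "public cert, client expects cert name": validate_server(public, "wifi.mydomain.com", byod_trust),
        "internal cert on domain-joined PC": validate_server(internal, "nps.mydomain.local", domain_pc_trust),
        "internal cert on BYOD phone": validate_server(internal, "nps.mydomain.local", byod_trust),
    }


if __name__ == "__main__":
    for scenario, problems in thread_scenarios().items():
        print(f"{scenario}: {'OK' if not problems else problems}")
```

Only the two scenarios where the client's expected name is on the certificate and the issuing root is trusted connect without a prompt; the BYOD case fails on trust alone, which is the limitation the accepted solution describes.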
 

Author Closing Comment

by:polaris101
ID: 41885231
Found answer on Ubiquiti Support Forum
