How do I secure WPA2-Enterprise / Radius using certificates
Hi,
As far as I understand our current set-up:-
We have a WPA2 Enterprise wireless solution. The AP's act as Radius Clients and connecting devices use PEAP to connect valid domain users via RADIUS (currently running on Server 2012 R2) using their domain credentials.
There is a server-side certificate which I believe is used for encrypting the session.
I have been asked to move to a pure certificate based solution (i.e. certificate on both server and client and no more authentication necessary) and I am not sure how best to set this up. We have our own PKI.
Can anyone point me in the direction of any good quality information about how I would set RADIUS up to work in this way?
I have noticed an unchecked box in Radius that says "Disconnect Clients without Cryptobinding" but I can't find a lot of documentation about what that means and what checking it would change.
I have also noticed that we are using the Domain Users group to validate users, but imagine we could use Domain Computers instead. How secure would that be? Does the device actually do some authentication or could another device with the same name connect with that setting?
I've also seen a number of things indicating that MS-CHAP and MS-CHAP-V2 are essentially worthless. so how do I avoid using these?
If anyone can point me at any great documentation for setting something like this up in a more secure way, I would find that really helpful.
Not an expert in these areas, so any pointers or explanations appreciated!
Thanks!
Jon
As far as I understand our current set-up:-
We have a WPA2 Enterprise wireless solution. The AP's act as Radius Clients and connecting devices use PEAP to connect valid domain users via RADIUS (currently running on Server 2012 R2) using their domain credentials.
There is a server-side certificate which I believe is used for encrypting the session.
I have been asked to move to a pure certificate based solution (i.e. certificate on both server and client and no more authentication necessary) and I am not sure how best to set this up. We have our own PKI.
Can anyone point me in the direction of any good quality information about how I would set RADIUS up to work in this way?
I have noticed an unchecked box in Radius that says "Disconnect Clients without Cryptobinding" but I can't find a lot of documentation about what that means and what checking it would change.
I have also noticed that we are using the Domain Users group to validate users, but imagine we could use Domain Computers instead. How secure would that be? Does the device actually do some authentication or could another device with the same name connect with that setting?
I've also seen a number of things indicating that MS-CHAP and MS-CHAP-V2 are essentially worthless. so how do I avoid using these?
If anyone can point me at any great documentation for setting something like this up in a more secure way, I would find that really helpful.
Not an expert in these areas, so any pointers or explanations appreciated!
Thanks!
Jon
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks! Looks great. Will work through that.
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_EAP-TTLS___PAP_Authentication_on_Windows_8_and_10
https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements
Not able to find any good blogs with pictures anymore, mainly eap-mschapv2 --- but post screenshots if you're in doubt somewhere along the way