Radius Server Authentication for non-domain laptop users and mobile devices

Hello Team,

I want to know the configuration details for the below requirements.

I want to set up a RADIUS server on Windows Server 2012 R2 STD configured with AD, DNS, DHCP, NPS, CA, IIS etc. to connect a Ubiquiti (AC Pro) wireless SSID on non-domain laptops and mobile devices (Android and iPhone) using an external certificate. But the condition is that the mobile users or laptop users should not have any authority to copy/export this certificate to another device.

Please help me on this case. Thanks in advance.
Rebi Sadasivan Asked:

Jackie Man, IT Manager, Commented:
You need a solution which makes use of user-specific client certificates, so that you can configure your GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise PKI.

https://docs.paloaltonetworks.com/globalprotect/8-0/globalprotect-admin/authentication/set-up-client-certificate-authentication/deploy-user-specific-client-certificates-for-authentication
Rebi Sadasivan (Author) Commented:
Thank you Jackie. I read the article. But using this, the certificate is based on the user level, right? Not on the device level; please correct me if I am wrong.
Jackie Man, IT Manager, Commented:
Yes.

SCEP is on user level instead of device level.

Rebi Sadasivan (Author) Commented:
Anyone please help me to get an idea of how we can issue a device certificate on a mobile device to access Wi-Fi via RADIUS; users should not have any access to copy or export the certificate. Can MobileIron MDM be a solution?
arnold Commented:
Once the certificate is given, you lack control.
What you can do is use 802.1X to authorize devices based on MAC, which will then use a secondary validation of the cert.

Radius uses the MAC address, the certificate is to authenticate/verify. Over a secure channel.
arnold Commented:
When issuing client certs limit the period for which they are valid, a day.
Rebi Sadasivan (Author) Commented:
Arnold, thanks for the reply. But in that way, if we specifically issue a certificate, then import/export happens on mobile devices. Then the user can share the certificate. That's the reason I'm looking at an external CA to create device certificates, like GoDaddy or MobileIron. Does anyone have experience with an external CA?
Jackie Man, IT Manager, Commented:
Even if the user can export or copy the cert, they cannot use the cert on another device, as the cert is only valid on the device for which it was issued.
Rebi Sadasivan (Author) Commented:
Yes Jackie, I understand, but if the user is away or has left the office and we didn't revoke the certificate for some reason, or due to the number of users, he can still use the certificate and the network. So my IT head has specifically mentioned not to allow copying or exporting the cert from the user side. I think it is hard to find a solution for this.
Jackie Man, IT Manager, Commented:
Even if the user can copy or export the cert, he cannot use the cert on another device. The cert is only valid on the device enrolled by the user with his credentials.

What you want is to limit which device a user can use?

In that case, you need an MDM solution with which you have full control over what devices are allowed on your network.

However, it might be troublesome for the users, as they cannot do self-enrollment of their devices; you need to approve their requests one by one and push an MDM profile to their devices before they can use the Wi-Fi network.

After all, any solution should be user-centric instead of device-centric unless all of your devices are owned by your company and your users only use them like using a kiosk.
Rebi Sadasivan (Author) Commented:
Jackie, so we don't need any 3rd-party software to create certificates, revoke certificates and enroll devices?
arnold Commented:
How does a non-ad user obtain a certificate for their device?
How do you authorize external devices to access your wifi, for what duration is the certificate issued?
Rebi Sadasivan (Author) Commented:
All users have AD credentials; they can access the Wi-Fi via the RADIUS server through a normal device certificate by AD security group and AD credentials. But these users have mobile devices, and those devices we cannot add to a security group as the platform is different, so we need to issue a 3rd-party device certificate to deploy through NPS. This is what I understand, and this is our exact requirement. Please correct me if I'm wrong.
Rebi Sadasivan (Author) Commented:
Certificate duration depends; it is something like 2-5 years.
Jackie Man, IT Manager, Commented:
Yes, you need a third-party MDM solution like Cisco Meraki if you want strict control over the devices.

https://documentation.meraki.com/SM/Profiles_and_Settings/Configuration_Settings
Rebi Sadasivan (Author) Commented:
Thank you Jackie, let me go through the article.
Rebi Sadasivan (Author) Commented:
Is anyone here an expert in Microsoft Intune MDM, to issue device certificates on Android and iPhone to access corporate Wi-Fi?
Jackie Man, IT Manager, Commented:
Do you need further help?
Rebi Sadasivan (Author) Commented:
Hello everyone, I'm disappointed. My manager is telling me we don't need to use a 3rd-party certificate authority or MDM; within Windows 2012 R2 STD we can make this ready for mobile devices, and certificate issuance and revocation are possible without any 3rd-party help. Anyone please help me.
arnold Commented:
You can issue certificates to external devices that have a one-day expiration.
Rebi Sadasivan (Author) Commented:
Only one day we can? Why is that? But I don't want the certificate to be exported and imported on the device. Is auto-install possible?
Jackie Man, IT Manager, Commented:
You need to send the cert to the user and ask them to import the cert in their mobile device.

What you want will not work without spending a cent.
arnold Commented:
When the certificate is imported, if you or other employees are performing the import, not marking the certificate/private key as exportable will prevent the user from exporting the certificate.
Rebi Sadasivan (Author) Commented:
Is auto certificate install possible?
arnold Commented:
Not with non-AD users.

Presumably a person arrives at your location.
You generate a certificate for the user's device; you transfer the certificate including the public key as a PFX (PKCS#12).
Import the certificate, making sure "mark key as exportable" is not selected.
Once complete, the certificate cannot be transferred, as the private key cannot be exported.
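The import step Arnold describes, as an added PowerShell example for a Windows laptop (not code from any poster in this thread): import the device PFX without the `-Exportable` switch, then verify the resulting key's export policy. The PFX path is a placeholder; the PFX is assumed to hold an RSA key.

```powershell
# Added example: import a device PFX on a Windows client without marking the
# private key exportable, then confirm the key really is non-exportable.
$pfxPath = 'C:\Temp\device-cert.pfx'        # placeholder path, not from the thread
$pfxPass = Read-Host -AsSecureString 'PFX password'

# Omitting -Exportable is what leaves the private key non-exportable.
# CurrentUser\My binds the cert to this Windows user profile.
$cert = Import-PfxCertificate -FilePath $pfxPath `
        -CertStoreLocation Cert:\CurrentUser\My `
        -Password $pfxPass

# Verify the export policy of the imported key. CNG keys expose ExportPolicy;
# legacy CSP keys expose CspKeyContainerInfo.Exportable.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $policy = $rsa.Key.ExportPolicy
    "Thumbprint $($cert.Thumbprint): CNG ExportPolicy = $policy"
    if ($policy -ne 'None') { Write-Warning 'Private key is exportable' }
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $exportable = $rsa.CspKeyContainerInfo.Exportable
    "Thumbprint $($cert.Thumbprint): CSP Exportable = $exportable"
    if ($exportable) { Write-Warning 'Private key is exportable' }
} else {
    Write-Warning 'Unsupported key type; check export policy manually'
}
```

The non-exportable flag is a Windows-side control only; Android and iOS keep keys in their own keystores, where non-exportability comes from the platform keystore or an MDM-pushed profile rather than from this flag.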
Rebi Sadasivan (Author) Commented:
For AD users' mobiles (Android and iOS), is it possible without export and import (auto)?

Suppose we have 200 staff without AD use; export and import is a big task. Please reply.
Jackie Man, IT Manager, Commented:
"For AD users' mobiles (Android and iOS), is it possible without export and import (auto)?"

No.

Rebi Sadasivan (Author) Commented:
"For AD users' mobiles (Android and iOS), is it possible without export and import (auto)?"

For the above, do you have any proper article or steps? If yes, please share.

I have Windows Server 2012 R2 STD with DC, DNS, DHCP, NPS, CA on it, and also a Ubiquiti AC Pro access point.

please help.
Rebi Sadasivan (Author) Commented:
Why was my question closed?
arnold Commented:
A comment was selected as a solution.
Report the question and a moderator will re-open it.