Radius Server Authentication for non-domain laptop users and mobile devices

Rebi Sadasivan
Hello Team,

I want to know the configuration details for the below requirements.

I want to set up a RADIUS server on Windows Server 2012 R2 STD configured with AD, DNS, DHCP, NPS, CA, IIS etc. to connect a Ubiquiti (AC Pro) wireless SSID on non-domain laptops and mobile devices (Android and iPhone) using an external certificate. But the condition is that the mobile users or laptop users should not have any authority to copy/export this certificate to other devices.

Please help me on this case. Thanks in advance.
Jackie Man IT Manager
Top Expert 2010

Commented:
You need a solution which makes use of user-specific client certificates, so that you can configure your GlobalProtect portal to act as a Simple Certificate Enrollment Protocol (SCEP) client to a SCEP server in your enterprise PKI.

https://docs.paloaltonetworks.com/globalprotect/8-0/globalprotect-admin/authentication/set-up-client-certificate-authentication/deploy-user-specific-client-certificates-for-authentication

Author

Commented:
Thank you Jackie. I read the article, but using this the certificate is based on user level, right? Not on device level. Please correct me if I am wrong.
Jackie Man IT Manager
Top Expert 2010

Commented:
Yes.

SCEP is on user level instead of device level.

Author

Commented:
Anyone, please help me to get an idea of how we can issue a device certificate on a mobile device to access Wi-Fi via RADIUS; users should not have any access to copy or export the certificate. Could MobileIron MDM be a solution?
Distinguished Expert 2017

Commented:
Once the certificate is given, you lack control.
What you can do is use 802.1X to authorize devices based on MAC that will then use a secondary validation of the cert.

RADIUS uses the MAC address; the certificate is to authenticate/verify, over a secure channel.
Distinguished Expert 2017

Commented:
When issuing client certs, limit the period for which they are valid: a day.

Author

Commented:
Arond, thanks for the reply. But in that way, if we specifically issue a certificate, then import/export happens on mobile devices. Then the user can share the certificate. That's the reason I'm looking for an external CA to create device certificates, like GoDaddy or MobileIron. Does anyone have experience with an external CA?
Jackie Man IT Manager
Top Expert 2010

Commented:
Even if the user can export or copy the cert, they cannot use the cert on another device, as the cert is only valid on the device for which it was issued.

Author

Commented:
Yes Jackie, I understand, but if the user is away or has left the office and we didn't revoke the certificate for some reason, or due to the number of users, he can still use the certificate and the network. So my IT head has specifically said that the cert must not be copied or exported from the user side. I think this is a hard way to find a solution.
Jackie Man IT Manager
Top Expert 2010

Commented:
Even if the user can copy or export the cert, he cannot use the cert on another device. The cert is only valid on the device enrolled by the user with his credentials.

What you want is to limit which device a user can use?

In such a case, you need an MDM solution with which you have full control over what devices are allowed on your network.

However, it might be troublesome for the users, as they cannot do self-enrollment of their devices, and you need to approve their requests one by one and push an MDM profile to their devices before they can use the Wi-Fi network.

After all, any solution should be user-centric instead of device-centric, unless all of your devices are owned by your company and your users only use them like a kiosk.

Author

Commented:
Jackie, so we don't need any third-party software to create certificates, revoke certificates and enroll devices?
Distinguished Expert 2017

Commented:
How does a non-AD user obtain a certificate for their device?
How do you authorize external devices to access your Wi-Fi, and for what duration is the certificate issued?

Author

Commented:
All users have AD credentials; they can access the Wi-Fi via the RADIUS server through a normal device certificate by AD security group and AD credentials. But these users have mobile devices, and we cannot add those devices to a security group as the platform is different, so we need to issue a third-party device certificate to deploy through NPS. This is what I understand, and this is our exact requirement. Please correct me if I'm wrong.

Author

Commented:
Certificate duration depends, like 2-5 years.
Jackie Man IT Manager
Top Expert 2010

Commented:
Yes, you need a third-party MDM solution like Cisco Meraki if you want strict control on the devices.

https://documentation.meraki.com/SM/Profiles_and_Settings/Configuration_Settings

Author

Commented:
Thank you Jackie, let me go through the article.

Author

Commented:
Is anyone here an expert in Microsoft Intune MDM for issuing device certificates on Android and iPhone to access corporate Wi-Fi?
Jackie Man IT Manager
Top Expert 2010

Commented:
Do you need further help?

Author

Commented:
Hello everyone, I'm disappointed. My manager is telling me we don't need to use a third-party certificate authority or MDM; within Windows 2012 R2 STD we can make this ready for mobile devices, and certificate issue and revoke is possible without any third-party help. Anyone, please help me.
Distinguished Expert 2017

Commented:
You can issue certificates to external devices that have a one-day expiration.

Author

Commented:
Only one day we can? Why like that? But I don't want the certificate to be exported and imported on the device; is auto install possible?
Jackie Man IT Manager
Top Expert 2010

Commented:
You need to send the cert to the user and ask them to import the cert in their mobile device.

What you want will not work without spending a cent.
Distinguished Expert 2017

Commented:
When the certificate is imported, if you or other employees are performing the import, not marking the certificate/private key as exportable will prevent the user from exporting the certificate.

Author

Commented:
Is auto certificate install possible?
Distinguished Expert 2017

Commented:
Not with non-AD users.

Presumably a person arrives at your location.
You generate a certificate for the user's device; you transfer the certificate including public key, as a PFX (PKCS#12).
Import the certificate, making sure "mark key as exportable" is not selected.
Once complete, the certificate cannot be transferred, as the private key cannot be exported.
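The two answers above (not marking the key as exportable at import time, and the hand-carried PFX workflow) describe a manual step in the Windows certificate import wizard. The following PowerShell script is an added example, not code from this thread or from any of its participants, showing the same step done from the command line on a Windows laptop and then verifying the result. The PFX path, the store location, the one-day policy constant and the temporary export path are assumptions for illustration; the script also assumes .NET 4.6 or later for the RSACertificateExtensions call used to inspect the key.

```powershell
# Added example (not from the thread): import a device certificate so that the
# private key is NOT exportable, then verify that state and the validity window.
# Assumptions (placeholders, not from the thread): PFX path, store location,
# one-day validity policy, and a PFX issued by the in-house AD CS CA.

param(
    [string]$PfxPath       = 'C:\certs\device-laptop01.pfx',  # placeholder path
    [string]$StoreLocation = 'Cert:\CurrentUser\My',          # per-user store for EAP-TLS
    [int]   $MaxValidDays  = 1                                # the thread suggests one-day validity
)

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import WITHOUT the -Exportable switch. That switch is the command-line
# equivalent of the wizard's "Mark this key as exportable" checkbox; leaving
# it off stores the private key as non-exportable.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation $StoreLocation `
                              -Password $pfxPassword

# 1) Validity window: compare against the short-lifetime policy from the thread.
$validDays = ($cert.NotAfter - $cert.NotBefore).TotalDays
if ($validDays -gt $MaxValidDays) {
    Write-Warning ("Certificate {0} is valid for {1:N1} days, longer than the {2}-day policy." `
        -f $cert.Thumbprint, $validDays, $MaxValidDays)
}

# 2) Key export policy. CNG keys expose ExportPolicy; legacy CSP keys expose
#    CspKeyContainerInfo.Exportable. Read whichever one the key provides.
$exportable = $null
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $exportable = $rsa.Key.ExportPolicy.HasFlag(
        [System.Security.Cryptography.CngExportPolicies]::AllowExport)
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $exportable = $rsa.CspKeyContainerInfo.Exportable
}

# 3) Independent check: an export attempt on a non-exportable key must fail.
$exportBlocked = $false
try {
    Export-PfxCertificate -Cert $cert -FilePath "$env:TEMP\should-fail.pfx" `
                          -Password $pfxPassword -ErrorAction Stop | Out-Null
} catch {
    $exportBlocked = $true
}

# Summary for the person doing the enrollment
[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    Subject       = $cert.Subject
    ValidDays     = [math]::Round($validDays, 1)
    KeyExportable = $exportable      # expected: False
    ExportBlocked = $exportBlocked   # expected: True
}
```

This covers the non-domain laptop case from the question. It does nothing for Android or iOS devices, which is why the rest of the thread points at MDM profiles for those, and a non-exportable key does not replace revocation: the departure scenario raised earlier in the thread still needs the CA to revoke the certificate and NPS to check the CRL.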

Author

Commented:
For AD users' mobile devices (Android and iOS), is it possible without export and import (auto)?

Suppose we have 200 staff without AD use; export and import is a big task. Please reply.
IT Manager
Top Expert 2010
Commented:
"For AD users' mobile devices (Android and iOS), is it possible without export and import (auto)?"

No

Author

Commented:
"For AD users' mobile devices (Android and iOS), is it possible without export and import (auto)?"

For the above, do you have any proper article or steps? If yes, please.

I have Windows Server 2012 R2 STD with DC, DNS, DHCP, NPS, CA on it, and also a Ubiquiti AC Pro access point.

Please help.

Author

Commented:
Why was my question closed?
Distinguished Expert 2017

Commented:
A comment was selected as a solution.
Report the question and a moderator will re-open it.
