
Error code 265: The certificate chain was issued by an authority that is not trusted.

  • 1.  Error code 265: The certificate chain was issued by an authority that is not trusted.

    Posted Aug 05, 2014 05:18 PM

    We are in the process of trying to set up a wireless network that uses NPS servers to authenticate domain users with computers that are not on our domain (BYOD).

     

    We are using a valid, wildcard SSL (with intermediate certificates) to authenticate via PEAP.  The certificate was issued by Godaddy.

    When trying to connect, we are getting the authentication request.

     

    The result of a connection attempt is no connection with an event log error code of - “265: The certificate chain was issued by an authority that is not trusted.”

     

    We have tried ensuring that the certificates are in the correct containers on the respective NPS servers: “Certificates\Personal\Certificates”

     

    With the intermediate certificates located: “Certificates/Intermediate Certification Authorities”

    All these attempts have proven fruitless.  Any assistance or direction would be very much appreciated.



  • 2.  RE: Error code 265: The certificate chain was issued by an authority that is not trusted.

    EMPLOYEE
    Posted Aug 05, 2014 05:23 PM
    You should not use wildcard certificates as a RADIUS certificate.


  • 3.  RE: Error code 265: The certificate chain was issued by an authority that is not trusted.

    Posted Aug 05, 2014 05:28 PM

    Thank you for your speedy reply.

    Are you familiar with any documentation that indicates such?  I ask only because I am going to be asked to justify the need for 4 new, independent SSL certs.  I would need to present why using a wildcard will not work.

     

    Many kind thanks,

     

    ~Bill



  • 4.  RE: Error code 265: The certificate chain was issued by an authority that is not trusted.
    Best Answer

    EMPLOYEE
    Posted Aug 05, 2014 05:32 PM
    Don't have any formal documentation but Windows clients will refuse a wildcard RADIUS server certificate (as they should; wildcard certs are a security nightmare)


  • 5.  RE: Error code 265: The certificate chain was issued by an authority that is not trusted.

    Posted Aug 05, 2014 05:43 PM

    Forgive my ignorance here: It was my original intent to use individual SSLs, but I found that I couldn't find the proper place to generate the CSR, as these NPS servers don't have IIS configured as a role.

     

    Do I need to configure IIS and generate the CSR there?  Is there a more appropriate place from which I should generate the CSR?  I don't seem to have any luck finding documentation on this particular issue.

     

    Thank you for all your willingness to help.



  • 6.  RE: Error code 265: The certificate chain was issued by an authority that is not trusted.

    EMPLOYEE
    Posted Aug 05, 2014 05:49 PM
    You can generate a CSR on any server with either IIS or OpenSSL. Just be sure to export the private key along with the cert so you can import it on the NPS server. You can use the same cert on all of your NPS boxes.
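
The OpenSSL route described in the reply above, as an added example that is not part of the original thread: it creates a key and CSR for one exact host name (refusing wildcards), then bundles the issued certificate, key and intermediate into a PFX for import on the NPS servers. The host name `radius.example.com`, the file paths and the `PFX_PASS` variable are placeholders; OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example, not from the thread. Names, paths and PFX_PASS are placeholders.

# make_csr <fqdn> <outdir>: new 2048-bit RSA key + CSR for one exact host name.
make_csr() {
  fqdn="$1"; out="$2"
  case "$fqdn" in
    *\**) echo "refusing wildcard name: $fqdn" >&2; return 1 ;;
  esac
  mkdir -p "$out" || return 1
  # umask 077 keeps the private key readable by its owner only
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$out/$fqdn.key" -out "$out/$fqdn.csr" \
      -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" 2>/dev/null )
}

# csr_names <csr>: show the subject and SAN entries the CA will see.
csr_names() {
  openssl req -in "$1" -noout -text | grep -E 'Subject:|DNS:'
}

# make_pfx <key> <cert> <intermediate> <out.pfx>: bundle for import on NPS.
# The export password is read from the PFX_PASS environment variable so it
# does not appear on the command line.
make_pfx() {
  ( umask 077
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
      -out "$4" -passout env:PFX_PASS )
}

# Typical sequence (file names are placeholders):
#   make_csr radius.example.com ./radius-cert
#   csr_names ./radius-cert/radius.example.com.csr
#   ...submit the CSR to the CA, download the cert and intermediate...
#   PFX_PASS='choose-a-passphrase' make_pfx \
#       ./radius-cert/radius.example.com.key issued.crt intermediate.crt radius.pfx
```

Delete the `.key` and `.pfx` files from the build host once the import on the NPS servers has succeeded, since the PFX carries the private key.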


  • 7.  RE: Error code 265: The certificate chain was issued by an authority that is not trusted.

    Posted Aug 05, 2014 05:56 PM

    Again, many thanks for your helpfulness.

     

    Godaddy always includes an intermediate certificate.  Is it necessary to export/import that one, as well?  If so, what certificate container does it need to go into?  

     

    Much appreciated,

     

    ~Bill

     

     



  • 8.  RE: Error code 265: The certificate chain was issued by an authority that is not trusted.

    EMPLOYEE
    Posted Aug 05, 2014 05:59 PM
    If the NPS server doesn't already have the intermediate cert, you would install it on the NPS server in the intermediate cert store.


  • 9.  RE: Error code 265: The certificate chain was issued by an authority that is not trusted.

    Posted Aug 05, 2014 07:57 PM

    As Tim points out, don't use WILDCARD cert with Windows devices..... this is actually documented in my CPPM PKI 101 TechNote.

     

    You can find a copy here (soon to be re-published).... 

     

    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

     



  • 10.  RE: Error code 265: The certificate chain was issued by an authority that is not trusted.

    Posted Aug 06, 2014 12:08 PM

    So, we purchased and imported a new SSL (with the private key) and are still receiving the same error message and behavior.

    The certificate is issued by Godaddy and has been imported to each of the RADIUS servers providing authentication.

     

    Any thoughts on what I should check next?

     

    Again, all help is very much appreciated.



  • 11.  RE: Error code 265: The certificate chain was issued by an authority that is not trusted.

    EMPLOYEE
    Posted Aug 07, 2014 01:25 AM

    You may need to add the chain to the manual settings in the network config. I had a cert from starfield and had the same issue and fixed it by adding the root CA cert to be pushed with the profile. You will get multiple prompts during the onboarding to add the extra certs instead of just the one. 

     

     




  • 12.  RE: Error code 265: The certificate chain was issued by an authority that is not trusted.

    Posted Aug 05, 2014 05:32 PM
    Answered


  • 13.  RE: Error code 265: The certificate chain was issued by an authority that is not trusted.

    Posted Aug 05, 2014 05:33 PM

    @victorfabian wrote:
    Is this for windows devices ?

    Yes sir.