Security

  • 1.  802.1x Wireless EAP TLS authentication without windows active directory as authentication source

    Posted 16 days ago

    I want to test 802.1x Wireless EAP TLS authentication without Windows Active Directory as the authentication source, using the Windows AD root CA certificate.

    I am using a Windows 11 and a Linux laptop.

    Kindly share the steps

    Thanks



  • 2.  RE: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source

    Posted 15 days ago

    What kind of certificate server and radius server do you like to use? Which MDM solution are you using for deploying certificates and 802.1x settings to your endpoint?

    Some more information about your setup is required.



    ------------------------------
    Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 3.  RE: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source

    Posted 15 days ago

    Dear Marcel,

    I am using a root CA certificate exported from Windows Server 2022 Active Directory.




  • 4.  RE: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source

    Posted 15 days ago

    Are you also using this server as the issuing CA to issue a computer or user certificate to your endpoint?






  • 5.  RE: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source

    Posted 15 days ago

    Yes, I am using this server as the issuing CA to issue a computer or user certificate to my endpoint.

    Regards

    avanindra




  • 6.  RE: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source

    Posted 15 days ago

    Can you perhaps describe what you intend to do or whether there is a problem? Do you want to use ClearPass as an authentication server or Microsoft NPS?



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source

    Posted 15 days ago

    Dear Waldemar,

    1. I have configured ClearPass as the AAA server in my Wi-Fi controller.
    2. Defined an EAP TLS based service in Aruba CPPM.
    3. A WPA2 EAP based SSID is created in my Wi-Fi controller.
    4. I want to use Microsoft NPS Active Directory as my authentication source. I have exported the root CA certificate from NPS.
    5. Placed it in the trusted list of Aruba CPPM; installed this certificate on my Windows machine which is to be used as the client.
    6. When I try to connect to this SSID I get the error that you need a certificate to sign in. It looks like somehow I am not installing the certificate on the client machine properly.

    My purpose is to load this certificate on my domain laptop, so that the user can connect directly on a certificate basis only.

    Kindly assist

    Regards

    Avanindra K Mishra




  • 8.  RE: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source

    Posted 14 days ago
    Edited by mkk 14 days ago

    Hi Avanindra,

    I think it's best to break things down into parts:

    1. Certificate server configuration and certificate templates
    2. RADIUS server configuration and policies
    3. Endpoint configuration (deploying the root CA certificate, user/computer certificates, and 802.1X settings)

    Let's focus on part 3 to determine where you are in the setup process.

    1. Open the Microsoft Management Console (MMC) on the client and add the Certificates snap-in for both My User Account and Computer Account.
    2. Check the User or Computer Certificate Store, depending on whether you're using a user or computer certificate.
    3. Verify that the root CA certificate is installed under Trusted Root Certification Authorities.
    4. Ensure that a computer or user certificate is enrolled in the Personal store.
    5. If you find a personal certificate, open it and verify:
      • It is intended for Client Authentication (OID: 1.3.6.1.5.5.7.3.2).
      • The certificate is valid and not expired.

    If the certificates are correctly enrolled, we need to focus on your 802.1X WLAN settings.

    However, if the computer or user certificate is missing from the Personal store, or if the purpose does not match, you will need to investigate the certificate enrollment process.

    Certificate enrollment can be automated using Active Directory Group Policy Objects (GPOs).

    I'll check if I have an example for you.



    ------------------------------
    Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------
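As an added example (not part of Marcel's post), the same checks from steps 2 to 5 run from a PowerShell console on the Windows client: root CA present in Trusted Root, a Personal certificate with the Client Authentication EKU, validity dates, and whether the chain builds. The root CA subject `Contoso-Root-CA` is a placeholder to be replaced with your own CA name.

```powershell
# Added example: verify the EAP-TLS certificate prerequisites on a Windows client.
# Assumptions: the root CA subject contains 'Contoso-Root-CA' (placeholder), and the
# store to check is CurrentUser (user certificate) or LocalMachine (computer certificate).
param(
    [string]$RootCaSubjectMatch = 'Contoso-Root-CA',
    [ValidateSet('CurrentUser', 'LocalMachine')][string]$Store = 'CurrentUser'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the OID quoted in the post

# Step 3: is the root CA in Trusted Root Certification Authorities?
$root = Get-ChildItem "Cert:\$Store\Root" | Where-Object { $_.Subject -like "*$RootCaSubjectMatch*" }
if (-not $root) {
    Write-Warning "No root CA matching '$RootCaSubjectMatch' found in Cert:\$Store\Root"
} else {
    $root | ForEach-Object { "Root CA present: $($_.Subject) (valid until $($_.NotAfter))" }
}

# Steps 4 and 5: inspect every certificate in the Personal store.
$now = Get-Date
foreach ($cert in Get-ChildItem "Cert:\$Store\My") {
    # Extract the Enhanced Key Usage OIDs from the EKU extension, if present.
    $ekuExt  = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Build the chain the way Windows does before it offers the certificate to the supplicant.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        # EAP-TLS needs the private key; importing only a .cer leaves this False.
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEKU = ($ekuOids -contains $clientAuthOid)
        Valid         = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        ChainTrusted  = $chainOk
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}
```

A certificate usable for EAP-TLS shows `HasPrivateKey`, `ClientAuthEKU`, `Valid` and `ChainTrusted` all True; any False value points at the enrollment step Marcel describes rather than at the WLAN profile.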



  • 9.  RE: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source

    Posted 14 days ago

    In addition to @Marcel's post, there are always two different certificates involved in TLS authentication: one server and one client certificate. First, the RADIUS server (in our case ClearPass) sends its certificate to the client. The client checks whether it trusts this server certificate (depending on the configuration, there may be a security prompt; in Windows this can be controlled via GPO). Only then does the client send its own certificate to the RADIUS server. Now ClearPass checks whether it trusts this client certificate.

    For Windows computers, user or computer authentication can be selected in the WLAN profile. Depending on this, you will need a user or computer certificate on the PC.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------