In addition to @Marcel's post, there are always two different certificates involved in TLS authentication - one server and one client certificate. First, the RADIUS server (in our case ClearPass) sends its certificate to the client. The client checks whether it trusts this server certificate (depends on the configuration, there may be a security prompt; in Windows this can be controlled via GPO). Only then does the client send its own certificate to the RADIUS server. Now ClearPass checks whether it trusts this client certificate.
For Windows computers, user or computer authentication can be selected in the WLAN profile. Depending on this, you will need a user or computer certificate on the PC.
Original Message:
Sent: Feb 04, 2025 02:59 AM
From: mkk
Subject: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source
Hi Avanindra,
I think it's best to break things down into parts:
- Certificate server configuration and certificate templates
- RADIUS server configuration and policies
- Endpoint configuration (deploying the root CA certificate, user/computer certificates, and 802.1X settings)
Let's focus on part 3 to determine where you are in the setup process.
- Open the Microsoft Management Console (MMC) on the client and add the Certificates snap-in for both My User Account and Computer Account.
- Check the User or Computer Certificate Store, depending on whether you're using a user or computer certificate.
- Verify that the root CA certificate is installed under Trusted Root Certification Authorities.
- Ensure that a computer or user certificate is enrolled in the Personal store.
- If you find a personal certificate, open it and verify:
  - It is intended for Client Authentication (OID: 1.3.6.1.5.5.7.3.2).
  - The certificate is valid and not expired.
If the certificates are correctly enrolled, we need to focus on your 802.1X WLAN settings.
However, if the computer or user certificate is missing from the Personal store, or if the purpose does not match, you will need to investigate the certificate enrollment process.
Certificate enrollment can be automated using Active Directory Group Policy Objects (GPOs).
I'll check if I have an example for you.
------------------------------
Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
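A way to run the checks in that list from PowerShell on the Windows client (an added example, not code from Marcel's post; it assumes the root CA sits in Trusted Root Certification Authorities and the client certificate in the Personal store of whichever account the WLAN profile authenticates):

```powershell
# Added example (not from the original post): inspect the Windows certificate stores
# for an EAP-TLS client certificate the way the checklist above describes.
# Assumes Windows PowerShell 5.1 or later on the client being tested.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU named in the post

function Test-EapTlsClientCert {
    param([string]$Store = 'Cert:\LocalMachine\My')   # Cert:\CurrentUser\My for user auth

    # A certificate without any EKU extension is valid for all purposes, but the post
    # asks for an explicit Client Authentication purpose, so filter on that OID.
    $certs = Get-ChildItem -Path $Store -ErrorAction Stop |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid }

    if (-not $certs) {
        Write-Warning "No Client Authentication certificate in $Store - check enrollment"
        return $null
    }

    foreach ($cert in $certs) {
        $now = Get-Date
        $result = [ordered]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
            HasPrivateKey = $cert.HasPrivateKey   # without it the supplicant cannot sign the handshake
            ChainTrusted  = $false
            ChainStatus   = ''
        }

        # Build the chain the way the supplicant will: it must end in a root present in
        # Trusted Root Certification Authorities. Revocation is skipped for this offline check.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $result.ChainTrusted = $chain.Build($cert)
        $result.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $chain.Dispose()

        [pscustomobject]$result
    }
}

# Check both stores the post mentions; a user-authentication WLAN profile needs CurrentUser.
Test-EapTlsClientCert -Store 'Cert:\LocalMachine\My' | Format-List
Test-EapTlsClientCert -Store 'Cert:\CurrentUser\My'  | Format-List
```

A certificate that shows InValidity and HasPrivateKey as True but ChainTrusted as False points at the root CA import rather than at enrollment.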
Original Message:
Sent: Feb 03, 2025 08:12 PM
From: avanindra
Subject: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source
Dear Waldemar
- I have configured ClearPass as AAA server in my WiFi controller
- defined an EAP-TLS based service in Aruba CPPM
- A WPA2 EAP based SSID is created in my WiFi controller
- I want to use Microsoft NPS Active Directory as my authentication source. I have exported the root CA certificate from NPS
- Placed it in the trusted list of Aruba CPPM; installed this certificate on my Windows machine which is to be used as client
- When I try to connect to this SSID I get the error that you need a certificate to sign in. It looks somehow I am not installing the certificate on the client machine properly
My purpose is to load this certificate on my domain laptop, so that the user can connect directly on a certificate basis only
Kindly assist
Regards
Avanindra K Mishra
Original Message:
Sent: Feb 03, 2025 11:01 AM
From: Waldemar Ryll
Subject: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source
Can you perhaps describe what you intend to do or whether there is a problem? Do you want to use ClearPass as an authentication server or Microsoft NPS?
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Feb 03, 2025 06:45 AM
From: avanindra
Subject: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source
Yes, I am using this server as issuing CA to issue a computer or user certificate to my endpoint
regards
avanindra
Original Message:
Sent: Feb 03, 2025 04:05 AM
From: marcel koedijk
Subject: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source
Are you also using this server as the issuing CA to issue a computer or user certificate to your endpoint?
Original Message:
Sent: Feb 03, 2025 03:58 AM
From: avanindra
Subject: RE: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source
Dear Marcel
I am using the root CA certificate exported from Windows Server 2022 Active Directory
Original Message:
Sent: Feb 03, 2025 03:46 AM
From: mkk
Subject: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source
What kind of certificate server and RADIUS server would you like to use? Which MDM solution are you using for deploying certificates and 802.1X settings to your endpoint?
Some more information about your setup is required.
------------------------------
Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
Original Message:
Sent: Feb 02, 2025 12:25 PM
From: avanindra
Subject: 802.1x Wireless EAP TLS authentication without windows active directory as authentication source
I want to test 802.1X Wireless EAP-TLS authentication without Windows Active Directory as authentication source,
using a Windows AD root CA certificate.
I am using Windows 11 and Linux laptops
Kindly share the steps
Thanks