topic Re: Radius Authentication | Check on certificate and users in Wireless

Radius Authentication | Check on certificate and users

FrancescodeRosa — Mon, 21 Oct 2024 09:34:13 GMT

Hi everyone.

Recently, I’ve been running some tests on my NPS server for RADIUS authentication with my Meraki access points.

My goal is to authenticate via RADIUS only computers with a certificate issued by my CA and users who belong to a specific domain group.

Right now, the certificate authentication is working but i can't find a way to add a check on the domain groups.

Do you have any tips?

Thank you

Re: Radius Authentication | Check on certificate and users

Philip D'Ath — Mon, 21 Oct 2024 10:36:24 GMT

Your NPS policy will need to match "Domain Computers", and whatever group the users are in.

You'll need to configure group policy to do Computer and User authentication.

You'll need to configure group policy to issue certificates both to the computers and the users.

Re: Radius Authentication | Check on certificate and users

Brash — Tue, 22 Oct 2024 00:55:17 GMT

I could be wrong but I think when you authenticate using PEAP/EAP-TLS with machine certificates, you can't perform user/group based checks as that information isn't passed onto the RADIUS server.

You can probably do it with user certificates though.

Re: Radius Authentication | Check on certificate and users

Philip D'Ath — Tue, 22 Oct 2024 01:15:45 GMT

Windows machines that join AD have a machine account. When you use machine based certificate authentication, they present that certificate in the same way that a user does.

NPS then extracts the username name from that certificate (weather it be user or machine), and checks that it is allowed access.

Re: Radius Authentication | Check on certificate and users

FrancescodeRosa — Tue, 22 Oct 2024 07:48:02 GMT

So, the suggestion is to create a template for a certificate for the user as well and perform the verification on both certificates? Correct?

Re: Radius Authentication | Check on certificate and users

Philip D'Ath — Tue, 22 Oct 2024 08:40:05 GMT

Correct. You should have both a computer and a user certificate template.

Re: Radius Authentication | Check on certificate and users

FrancescodeRosa — Tue, 22 Oct 2024 09:38:52 GMT

Ok, but I have a doubt.
Where do I specify that my NPS server must verify both certificates and not just one? Within the configuration, I don’t see a way to select more than one certificate."

Re: Radius Authentication | Check on certificate and users

Philip D'Ath — Tue, 22 Oct 2024 09:41:52 GMT

NPS doesn't have a capability to say that a computer certifcate must be authenticated first and then a user certificate. You need a product like Cisco ISE to do that.

But group policy lets you configure the WiFi settings on your devices, and in group policy you can say that devices must authenticate as a computer first (prior to user login), and then as a user when they log in.