Wireless Certificates

NetworkGuy!
Level 1

We are using PSK for our corporate wireless SSID (internal), which I want to change to certificate-based.

 

Can I

- install this using Win Server 2016?

- install a self-signed cert, or do I need something from GlobalSign or Verisign?

- what precautions do I need to take?

- any blogs explaining how to do this?

- can this be implemented on Meraki, and if yes, how?

 

Sorry, first post - excuse me :)

Thanks

 


5 Replies

Ric Beeching
Level 7

Meraki actually have some really good documentation on this:

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise

 

- install this using Win Server 2016?

 

Yes, you can use NPS within Server 2016.

 

- Install self signed cert or need something from Globalsign or Verisign?

 

You can test with self-signed to start with (requires the client to manually trust it or import it to the trusted certificates location). If all your devices are controlled through something like Group Policy then you don't need to buy a certificate from a third party, as you can simply deploy the certificate through Group Policy. If you want all devices to trust it by default without controlling them, then you may want to look at a third-party certificate, yes.

 

- what precautions do i need to take?

 

Never give out the private key for your certificate, even if it is just a self-signed one.

 

- any blogs explaining how to do this?

 

See link above

 

- can this be implemented on Meraki, if yes how?

 

See link above

 

Ric

-----------------------------
Please rate helpful / correct posts
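The reply above covers three practical points: a self-signed certificate is fine when you control the clients, the public certificate gets pushed by Group Policy, and the private key must never leave the server. The PowerShell below is an added example written for this page (it is not code from the thread, nor from Meraki or Microsoft documentation) showing those three steps end to end on Windows Server 2016. The NPS hostname `nps01.corp.example`, the export folder `C:\pki` and the three-year validity are assumptions for the example.

```powershell
# Added example, not code from the thread or from Meraki/Microsoft documentation.
# Creates a self-signed server certificate for NPS/PEAP, keeps the private key
# non-exportable on the NPS box, and exports only the public half for clients.
# Assumed values: nps01.corp.example (NPS FQDN) and C:\pki (export folder).

# --- On the NPS server ---
# Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what Windows PEAP clients look for;
# NonExportable means Export-PfxCertificate cannot pull the key out later.
$cert = New-SelfSignedCertificate `
    -Subject "CN=nps01.corp.example" `
    -DnsName "nps01.corp.example" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy NonExportable `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
    -NotAfter (Get-Date).AddYears(3)

# Verify the key is present and really non-exportable before binding it in NPS.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $cert.HasPrivateKey -or $rsa.Key.ExportPolicy -ne 'None') {
    throw "Private key missing or exportable; do not use this certificate for NPS."
}

# Export the public certificate only (DER .cer). This file is safe to hand out;
# a .pfx would carry the private key and must never leave the server.
New-Item -ItemType Directory -Path "C:\pki" -Force | Out-Null
Export-Certificate -Cert $cert -FilePath "C:\pki\nps01-peap.cer" | Out-Null
Write-Output "Thumbprint to pin in the wireless profile / GPO: $($cert.Thumbprint)"

# --- On a test client (Group Policy does this step for the fleet) ---
# A self-signed cert is its own issuer, so it goes into Trusted Root, not Intermediate.
Import-Certificate -FilePath "C:\pki\nps01-peap.cer" -CertStoreLocation "Cert:\LocalMachine\Root"
```

In NPS you then pick this certificate under the PEAP properties of the network policy. The operational cost of self-signed is renewal: when it expires, the new public certificate has to reach every client (via the same GPO) before NPS switches to it, which is the usual reason people move to an internal AD CS enterprise CA or a third-party certificate instead.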

Thanks very much for the quick reply.

 

Yes, planning to use NPS and roll out using Group Policy.

 

But for my understanding, when do you use a self-signed cert and when do you use a third-party cert?

 

I would like the cert to be issued per username and not at machine level - is this doable? If yes, are there any blogs on how to do it?

 

Thanks

 

The topic of certificates can go very in depth so I'll try to keep it fairly light for both of our sanity.

Let's say you go to connect to any company WiFi that runs a form of EAP authentication that uses server certificates only with credentials (PEAP MSCHAPv2), which is extremely common. After entering credentials successfully, the device/user will be presented the certificate by the server to say 'this is my identifier, please trust me'. With the correct third-party certificate, many devices will trust it by default and not present it to the client for additional approval. With any certificate that is 'self-signed' by a local NPS server, the device will see this certificate and say 'hey, I don't trust this issuer, I will ask my user to validate they want to trust it', and it gets presented to the user to choose.

If you manage all your machines then you can use a self-signed certificate that is deployed to all machines via GPO, and this is then trusted. A mechanism called "validate CA" within Group Policy is a useful feature, as it tells the devices to still check that the certificate is valid even if it is within their trusted store.

Now, your second question opens up a can of worms. In order to do per-device or per-user certificates you are talking about EAP-TLS, which requires much more work than PEAP, but is ultimately more secure. You have to use services such as OSCP to enroll devices/users with certificates, which can then be used in a bi-directional trust transaction with your NPS server.

In terms of blogs, Rasika has some info on his, but there are so many moving parts I don't think it can easily be covered off in a single post.
https://mrncciew.com/2013/04/22/configuring-eap-tls-on-wlc/

My advice here is, unless you have a specific requirement for TLS, or a server team that can assist you with the setup and deployment of TLS certificates, use PEAP MSCHAPv2.
-----------------------------
Please rate helpful / correct posts
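The "validate CA" point in the reply above is the part of a PEAP deployment most often left off: if the client does not validate the server certificate, a rogue access point broadcasting the same SSID can present any certificate and collect the MSCHAPv2 credential exchange. The PowerShell below is an added example for this page (not code from the thread or from Microsoft) that audits exported Windows wireless profiles for the relevant settings. The element names (`ServerValidation`, `TrustedRootCA`, `ServerNames`, `DisableUserPromptForServerValidation`, `PerformServerValidation`) are the ones Windows writes into PEAP profiles; the export folder `C:\wlan`, the server name `nps01.corp.example` and the thumbprint are assumptions, and the two XML samples are constructed fragments, not real exports.

```powershell
# Added example, not code from the thread. Audits Windows wireless profile XML for the
# PEAP server-validation settings the reply calls "validate CA"; a profile that skips
# them lets a rogue AP with any certificate collect MSCHAPv2 credential hashes.
# Assumed: profiles exported with `netsh wlan export profile folder=C:\wlan` (path assumed).
# The sample XML below is constructed for the demo; real exports are much longer.

function Get-LeafText([System.Xml.XmlNode]$Node, [string]$LocalName) {
    # Namespace-agnostic lookup: profile elements live in several Microsoft namespaces.
    if ($null -eq $Node) { return '' }
    $child = $Node.SelectSingleNode("*[local-name()='$LocalName']")
    if ($null -eq $child) { '' } else { $child.InnerText.Trim() }
}

function Test-PeapProfile([xml]$Profile) {
    $name = Get-LeafText $Profile.DocumentElement 'name'
    $sv   = $Profile.SelectSingleNode("//*[local-name()='ServerValidation']")
    $ext  = $Profile.SelectSingleNode("//*[local-name()='PeapExtensions']")
    $findings = @()

    if ($null -eq $sv) {
        return [pscustomobject]@{ Profile = $name; Findings = @('No PEAP ServerValidation block (not PEAP, or legacy profile)') }
    }
    if ((Get-LeafText $ext 'PerformServerValidation') -ne 'true') {
        $findings += 'PerformServerValidation is not true: server certificate is never checked'
    }
    if ((Get-LeafText $sv 'DisableUserPromptForServerValidation') -ne 'true') {
        $findings += 'Users can be prompted to accept an unknown server certificate (click-through risk)'
    }
    if ([string]::IsNullOrWhiteSpace((Get-LeafText $sv 'TrustedRootCA'))) {
        $findings += 'No TrustedRootCA thumbprint pinned: any CA in the Root store is accepted'
    }
    if ([string]::IsNullOrWhiteSpace((Get-LeafText $sv 'ServerNames'))) {
        $findings += 'No ServerNames: any server certificate from the trusted CA is accepted'
    }
    [pscustomobject]@{ Profile = $name; Findings = $findings }
}

# Constructed sample: a weak profile typical of a hand-created connection (no validation).
[xml]$weak = @"
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi-weak</name>
  <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
    <ServerValidation>
      <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
      <ServerNames></ServerNames>
      <TrustedRootCA></TrustedRootCA>
    </ServerValidation>
    <PeapExtensions>
      <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
    </PeapExtensions>
  </EapType>
</WLANProfile>
"@

# Constructed sample: the hardened equivalent you would push by GPO (thumbprint assumed).
[xml]$hardened = @"
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
    <ServerValidation>
      <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
      <ServerNames>nps01.corp.example</ServerNames>
      <TrustedRootCA>a1 b2 c3 d4 e5 f6 a7 b8 c9 d0 e1 f2 a3 b4 c5 d6 e7 f8 a9 b0</TrustedRootCA>
    </ServerValidation>
    <PeapExtensions>
      <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
    </PeapExtensions>
  </EapType>
</WLANProfile>
"@

Test-PeapProfile $weak     | Format-List
Test-PeapProfile $hardened | Format-List

# Run against real exports when the folder exists.
if (Test-Path 'C:\wlan') {
    Get-ChildItem 'C:\wlan\*.xml' | ForEach-Object { Test-PeapProfile ([xml](Get-Content $_ -Raw)) }
}
```

The four checks map to the GPO wireless policy settings: "Validate server certificate", "Connect to these servers", the trusted root CA tick-box, and "Don't prompt user to authorize new servers or trusted CAs". Pinning the thumbprint and the server name is what makes the self-signed-via-GPO approach from the earlier reply safe; without them a client will happily trust any certificate chaining to anything in its Root store.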

Thanks for this.

 

So if I go with PEAP MSCHAPv2, I can use this certificate on all machines but with user credentials?

 

Whereas with EAP-TLS the certificate is generated per user - is my understanding right?

Well, there's a difference between wireless auth and logon auth.

A common setup is to have your machines using either their own certificate (EAP-TLS) or just joined to the wireless using EAP-PEAP all the time. This allows them to always be connected to receive updates etc.

When a user goes to log on, they can still authenticate to the network/AD with their normal credentials outside of the wireless process, which is just a standard logon as if they were wired in. This means you are still authenticating each user who logs on, but they don't worry about the auth to wireless because that is done by the machine account.

Ric
-----------------------------
Please rate helpful / correct posts