02 October 2012

WiFi Certificate Based Authentication

To secure a WiFi network it is important to authenticate the users or devices that connect to it. This article covers the components and configuration required to authenticate and allow WiFi access based on either a user certificate or a computer certificate. You will need the following:

  • Internal CA
  • WiFi Controller
  • NPS (RADIUS Server)
  • Client computer

Internal CA
To have a certificate based WiFi authentication method you need an internal Certificate Authority (CA). Because of the sheer number of certificates that will be issued it is generally not feasible to use a public CA.

You will need to define two templates. One template will be used for user validation while the second will be used for computer validation. The certificates should have the following Application Policies specified on the certificate template's Extensions tab. These will show up in the certificate's Enhanced Key Usage.
User certificate
  Client Authentication (1.3.6.1.5.5.7.3.2)
Computer Certificate
  Client Authentication (1.3.6.1.5.5.7.3.2)
  Server Authentication (1.3.6.1.5.5.7.3.1)

How you decide to deploy the certificates does not affect how the rest of the implementation fits together. Enabling Auto Enroll and Auto Renew for either or both certificate templates is, however, a great way to streamline the process: controlling access through AD groups is much simpler than manually enrolling users and machines on demand.
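Before moving on to the controller and NPS it is worth confirming that the issued certificates actually carry the Application Policies listed above. The following PowerShell is an added example, not part of the original post; it reads the default personal stores (run it as the user for the user certificate and elevated for the computer certificate) and reports any certificate that is missing a required EKU.

```powershell
# Added example (not from the original post): check that the issued certificates carry the
# Application Policies listed above before configuring NPS. The store paths are the default
# Windows personal stores; run as the user for the user certificate, elevated for the machine one.
$clientAuth = '1.3.6.1.5.5.7.3.2'
$serverAuth = '1.3.6.1.5.5.7.3.1'

function Get-CertEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Read the Enhanced Key Usage extension (OID 2.5.29.37) and return the OIDs it lists
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-WifiCert {
    param([string]$StorePath, [string[]]$RequiredOids)
    # Only certificates with a private key can be used for EAP-TLS client authentication
    Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $eku = Get-CertEku -Cert $_
        $missing = @($RequiredOids | Where-Object { $eku -notcontains $_ })
        [pscustomobject]@{
            Store      = $StorePath
            Subject    = $_.Subject
            Expires    = $_.NotAfter
            Usable     = ($missing.Count -eq 0)
            MissingEku = ($missing -join ', ')
        }
    }
}

# User template: Client Authentication only; computer template: Client + Server Authentication
Test-WifiCert -StorePath 'Cert:\CurrentUser\My'  -RequiredOids @($clientAuth)
Test-WifiCert -StorePath 'Cert:\LocalMachine\My' -RequiredOids @($clientAuth, $serverAuth)
```

A certificate that shows Usable = False here will be rejected by the Smart Card or other certificate EAP method no matter how NPS is configured.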

WiFi Controller
Since the client machines will be connecting to the WiFi network, these requests are handled by a wireless network controller or router. There are various options here, but the common factor we will be using is the ability to authenticate using RADIUS.
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers that connect to and use a network service.
Essentially what happens is that the WiFi controller hands off the authentication to the RADIUS server and only gets back a Yes or No answer as to whether to grant or deny access. Since this is a two-step authentication we need to configure both the WiFi controller and the RADIUS server.

The steps below are for a Cisco 5500 Controller but any other controller should have similar corresponding settings.

Configure Wifi Controller as RADIUS Client

  • Select Security
  • Expand AAA
  • Expand RADIUS - Authentication
  • Click New to add an additional RADIUS server
  • Specify the IP address
  • Specify a shared secret (password that has to be configured on the RADIUS server too)
  • All the other default values can be used

Configure WLAN

  • Select the WLAN or SSID you want to configure to use RADIUS
  • Select the security TAB
  • Select Layer 2
  • Security Type  should be WPA+WPA2

  • Select AAA Servers
  • Under the RADIUS servers section select the server added earlier
  • Apply to save the configuration
  • Click Save Configuration

NPS RADIUS Server
The Network Policy Server role in Windows Server allows it to be a RADIUS server.  This role needs to be added to the server.

Configure the WiFi Controller as RADIUS Client
  • From the Network Policy Server Console
  • Expand RADIUS Clients and Servers
  • Select RADIUS Clients
  • Right Click - New
  • Specify the details of the WiFi controller, including the shared secret defined earlier.

Configure Connection Request Policies
  • From the Network Policy Server Console
  • Expand Policies
  • Right Click Connection Request Policies - New
  • Name: Secure Wireless Connections
  • Type of Server : Unspecified
  • Add Conditions : NAS Port Type = Wireless - IEEE 802.11

Configure Network Policy (User certificate) 
  • From the Network Policy Server Console
  • Expand Policies
  • Right Click Network Policies - New
  • Name: Secure Wireless User Certificate
  • Type of server:  Unspecified
  • Add Condition : User Groups (the user group you want to allow to authenticate)
  • Access Granted
  • EAP Types: Add Microsoft:  Smart Card or other certificate
  • Uncheck all the less secure methods

Configure Network Policy (Computer certificate) 
  • From the Network Policy Server Console
  • Expand Policies
  • Right Click Network Policies - New
  • Name: Secure Wireless Computer Certificate
  • Type of server:  Unspecified
  • Add Condition : Machine Groups (the computer group you want to allow to authenticate)
  • Access Granted
  • EAP Types: Add Microsoft:  Smart Card or other certificate
  • Uncheck all the less secure methods

Move these two policies to the top of the processing order. If you prefer the computer certificate then place the computer certificate policy first.

This will accept either a user certificate or a computer certificate. Once a policy is matched no further policies are processed. If you specified both conditions in a single policy then both certificates would be required to authenticate.

WiFi Client Computer
All the back-end infrastructure should now be set up and configured correctly. The configuration below allows you to test your deployment. In practice these settings can be deployed globally using Group Policy.
  • Open the Network and Sharing Center
  • Click Manage Wireless Networks
  • Select the SSID of your WiFi network and open Properties
  • Select the Security Tab
These settings must now be configured to match the WiFi controller and NPS to ensure the authentication process works.
  • Security Type: WPA2-Enterprise
  • Encryption type: AES
  • Authentication Method: Microsoft: Smart Card or other certificate
  • Click Advanced
  • Check Specify authentication mode
  • To use the user certificate select User Authentication OR
  • To use the computer certificate select Computer Authentication 

When connecting to the WiFi network you should now be able to authenticate and connect.

Logging
All authentication attempts and their results are logged by NPS. To view them open the Event Viewer - Windows Logs - Security. Successful connections are logged with Event ID 6278 and 6272. Check the event message and you will be able to see whether the user certificate or the computer certificate was used.
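Reading those messages one by one in Event Viewer gets old quickly. The function below is an added example, not part of the original post; run on the NPS server with rights to the Security log, it pulls the 6272 and 6278 events named above and derives the certificate type from the account that authenticated (a computer certificate authenticates as the machine account, a user certificate as the user).

```powershell
# Added example (not from the original post): list recent NPS access-granted events and show
# whether a user or a computer certificate was used. Assumes it runs on the NPS server.
function Get-WifiCertAuthEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # 6272 = access granted, 6278 = full access granted; both are written by NPS to the Security log
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6278; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $msg = $e.Message
        # Pull the fields of interest out of the event message text
        $account = if ($msg -match 'Account Name:\s+(.+?)\r?\n')         { $Matches[1].Trim() } else { '' }
        $eapType = if ($msg -match 'EAP Type:\s+(.+?)\r?\n')             { $Matches[1].Trim() } else { '' }
        $policy  = if ($msg -match 'Network Policy Name:\s+(.+?)\r?\n')  { $Matches[1].Trim() } else { '' }
        # A computer certificate authenticates as the machine account (host/name or NAME$),
        # a user certificate as the user's UPN or DOMAIN\user
        $certType = if ($account -like 'host/*' -or $account -like '*$') { 'Computer' } else { 'User' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            EventId  = $e.Id
            Account  = $account
            CertType = $certType
            EapType  = $eapType
            Policy   = $policy
        }
    }
}

Get-WifiCertAuthEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

Adding 6273 to the Id list shows the denied attempts as well, with the reason code NPS recorded for each.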