You can use this procedure to configure the certificate template that Active Directory® Certificate Services (AD CS) uses as the basis for the server certificates that are enrolled to servers running Network Policy Server (NPS).

Example RADIUS configuration (Windows NPS + AD)

The following example configuration outlines how to set up Windows NPS as a RADIUS server, with Active Directory acting as the user base:

1. Add the Network Policy Server (NPS) role to Windows Server.
2. Add a trusted certificate to NPS.
3. Add the APs as RADIUS clients on the NPS server.
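The three steps above carried out from an elevated PowerShell prompt, as an added example that is not part of the original page. It assumes Windows Server 2012 or later (the NPS and PKI PowerShell modules); the PFX and .cer paths, the server name nps01.corp.example, the AP names and addresses are placeholders.

```powershell
# Added example (not from the original page): bring up NPS as a RADIUS server
# for 802.1X/PEAP wireless and register the access points as RADIUS clients.
# Placeholders: nps01.corp.example, C:\certs\*, the AP names and addresses.
# Requires an elevated prompt on Windows Server 2012 or later.

# 1. Install the Network Policy Server role (NPAS = Network Policy and Access Services)
#    and register it in Active Directory so it may read users' dial-in properties.
Install-WindowsFeature -Name NPAS -IncludeManagementTools
netsh nps add registeredserver

# 2. Install the server certificate that NPS presents to clients during PEAP.
#    It must live in the machine personal store, have a private key and carry the
#    Server Authentication EKU, otherwise NPS cannot select it for PEAP.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$serverCert = Import-PfxCertificate -FilePath 'C:\certs\nps01.corp.example.pfx' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword

# The issuing chain: root CA into Trusted Root, issuing CA into Intermediate CAs,
# so NPS can build and send the full chain to clients.
Import-Certificate -FilePath 'C:\certs\rootca.cer'    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath 'C:\certs\issuingca.cer' -CertStoreLocation 'Cert:\LocalMachine\CA'   | Out-Null

# Fail early if the certificate is unusable for server authentication.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ekus = $serverCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if (-not $serverCert.HasPrivateKey -or $ekus -notcontains $serverAuthOid) {
    throw "Certificate $($serverCert.Thumbprint) lacks a private key or the Server Authentication EKU"
}

# 3. Register each access point as a RADIUS client with its own random shared secret.
#    In plain RADIUS the shared secret is the only thing that authenticates the AP
#    to NPS, so a short or reused secret is the weak link of the whole design.
function New-RadiusSecret {
    param([int]$Length = 32)
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # Base64 keeps the secret printable, which RADIUS shared secrets must be.
    return [Convert]::ToBase64String($bytes)
}

$accessPoints = @(
    @{ Name = 'ap-library-01'; Address = '10.10.20.11' },   # placeholder
    @{ Name = 'ap-lobby-01';   Address = '10.10.20.12' }    # placeholder
)
foreach ($ap in $accessPoints) {
    $secret = New-RadiusSecret
    New-NpsRadiusClient -Name $ap.Name -Address $ap.Address -SharedSecret $secret | Out-Null
    # The same secret has to be entered in the AP's RADIUS settings; show it once.
    Write-Host ("{0} ({1}): shared secret {2}" -f $ap.Name, $ap.Address, $secret)
}

# Verify the registrations and that NPS is listening on the RADIUS authentication port.
Get-NpsRadiusClient | Select-Object Name, Address, Enabled
Get-NetUDPEndpoint -LocalPort 1812 -ErrorAction SilentlyContinue
```

The NPS module has no cmdlets for network policies, so the wireless network policy that selects PEAP-MS-CHAP v2 with this certificate is still created in the NPS console (or imported from an exported configuration with `netsh nps import`).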
Hi,

I am setting up a wireless network for work. I would like users to access wireless using RADIUS authentication from the NPS server. I have the username and password access prompt working with certificate authentication. My problem is with the certificates' complexity for the user; it's difficult to install certificates on each laptop.

I have two options:

1. Switch off the certificate authentication and only have the RADIUS username and password to access the internet.
2. Somehow distribute the certificate keys easily to users' laptops for installation. Most of my laptop users have low computer knowledge.

Thanks in advance.
Hi Mike,

I agree with Oscar: if these are AD-joined laptops, you can take advantage of autoenrollment. If not, you can create a cert install package.

If you know anyone with an SBS server, you can 'borrow' the cert installer package that comes with it. It's a small utility that you can customize by adding your cert (and the intermediate cert, if needed) to the package, distribute it by either emailing it or making it accessible on a website, and it will install the cert(s) in the appropriate cert store. If you can gain access to an SBS 2008 or 2011 installation, the cert installer package is located at:

Local Disk: C:\Users\Public\Public Downloads
UNC: Downloads

Here's a thread discussing this: Network Policy Server doesn't send intermediate certificates (you have to manually install it, such as using GPO or the SBS installer utility if you can get a hold of it).

As for setting up NPS without the cert, you would have to re-configure everything to not use EAP or PEAP, and simply set up the RADIUS username and password on the AP to the NPS. There will be nothing needed on the client laptop side, since you'll only be using RADIUS auth between the RADIUS client (the AP) and the RADIUS server (NPS). The cert method provides security by authenticating clients (the cert is passed from the client to the NPS during the initial connection), but if you remove it, it will only be between the AP and NPS.

Ace

Ace Fekay, MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. Complete List of Technical Blogs: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

Hi,

Thanks for your information. Unfortunately none of the laptops are AD-joined, as they are all personal laptops and some guest ones.
So I think no certificates is an option, as they only access the Internet and it's not a security risk. I've tried for a week now to configure RADIUS without certificates, but the NPS server rejects the request. I am using a WAP4410N wireless AP. I have the AP's security mode as WPA2-Mixed Enterprise, but what settings should I have for the NPS server Authentication Methods?

Thanks.

> Here's a thread discussing this: Network Policy Server doesn't send intermediate certificates (you have to manually install it, such as using GPO or the SBS installer utility if you can get a hold of it)

Great posting about 'Network Policy Server doesn't send intermediate certificates'. Thanks.

I hope it helps. Many of the public CAs offer a utility to make sure that their intermediate certs are installed. I use DigiCert for my customers, and it's one of the things I need to run to make sure I install DigiCert's intermediate cert. Try that SBS installer. Let us know how it works.

Ace Fekay

Hi Stokie,

Thanks for posting here. It seems we are using a password-based authentication method so far. In this case non-domain client computers must have the NPS server certificate installed locally in the Trusted Root Certification Authorities certificate store. This can be done by an administrator installing it manually, or by downloading it from a website and importing it into the local host. For more information please refer to the article below:

Certificates and NPS

Thanks.

Tiger Li, TechNet Community Support

Hi,

Thanks Tiger for the information, some good stuff there.
So after much thought I have concluded that I have to go down the certificate route. Here is my plan:

1. Use 2 WLAN SSIDs (Guest and Secure).
2. Guest will use only WPA authentication. This will allow the user to access a single Intranet page to download the certificate and our AntiVirus. I will use a separate VLAN with an ACL to allow access only to this webpage.
3. The Guest SSID will use a captive portal system to force the user to this webpage; CoovaChilli is an open-source system.
4. Once the certificate is downloaded, the laptop (non-AD) can access the Secure network.

What do you think?

My problem now is how to get the user to efficiently install the certificate. What I need is a Certificate Installer Package. A previous post by Ace told me there is one in Windows SBS 2008; any idea of another method to create an installer without the use of Windows SBS?

I have tried to get users to install both the root certificate and the CA certificate to allow access, but they get confused when I give the instructions to change the certificate store location. Why doesn't 'Automatically select the certificate store based on the type of certificate' work correctly? I am using a Win7 client for testing purposes.

Thanks.
Hi,

Well, I've created the Guest SSID access; it has its own VLAN and ACLs only allowing access to our Intranet webserver. This page is where the user can download the certificates. To provide a simple certificate installation package for the user I used the command line tool certutil.exe.
The following command can be used to add the certificates to the local store: `certutil -addstore -f -enterprise -user root %tmp%\rootca.cer`. Check out this website for creating an executable batch file. Since I don't have a Wireless Controller to automatically redirect the user to our Guest home page for the certificate download, I may (also looking into alternatives) use a single Linksys WRT54G series router, placed in our campus library, with captive portal software installed.

Once the user downloads the certificates they can use the Secure network for accessing LAN services. Will keep this thread posted.

Hi,

Just thought I would finalise this thread for others. So my result was as follows:

I first created a Captive Portal; well, it's actually a DNS re-director. I used software installed on a Windows 2008 R2 VM. I created a page that provides the certificate installation file (see previous post). On the WAP4410N AP I used two SSIDs (Guest and Secure).

I configured, using the AP's GUI, a separate VLAN for each SSID (VLAN and QoS page). The VLAN for Guest is the same as the one for the Captive Portal machine, therefore only allowing access from the Guest WLAN to the Captive Portal (DNS re-director) and no other services. See the information on using Cisco products. The Secure SSID is on the same VLAN as the web server, Intranet servers and NPS RADIUS machine.

Once the user downloads the certificates and AntiVirus from the Guest WLAN they can access the Secure WLAN. Now I can use certificates easily and have a secure WLAN.

Hope this helps people in the future.
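The certificate installer package asked for earlier in the thread, and the certutil one-liner above, as an added example that is not part of the original posts: a script placed next to the .cer files on the captive-portal page that installs the root CA into the user's Trusted Root store and the issuing CA into the Intermediate Certification Authorities store (the thread notes the intermediate may have to be installed by hand), so the "select the certificate store automatically" dialog never appears. It pins both files to thumbprints embedded in the script, which means a tampered download, or a rogue portal handing out its own CA, is rejected instead of trusted. File names and thumbprints are placeholders; certutil.exe is used because it is present on Windows 7, which has no Import-Certificate cmdlet, and everything targets the current user's stores so no elevation is required.

```powershell
# Added example (not from the thread): self-checking certificate installer for
# non-domain Windows clients. Placeholders: file names and expected thumbprints.
Set-StrictMode -Version 2
$ErrorActionPreference = 'Stop'
$here = Split-Path -Parent $MyInvocation.MyCommand.Path   # folder the .cer files ship in

# Expected SHA-1 thumbprints, baked in so that only these exact CAs get trusted.
$certs = @(
    @{ File = 'rootca.cer';    Store = 'Root'; Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567' },  # placeholder
    @{ File = 'issuingca.cer'; Store = 'CA';   Thumbprint = '89ABCDEF0123456789ABCDEF0123456789ABCDEF' }   # placeholder
)

function Install-TrustedCertificate {
    param([string]$Path, [string]$Store, [string]$ExpectedThumbprint)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
        throw "$Path has thumbprint $($cert.Thumbprint), expected $ExpectedThumbprint; not installing"
    }

    # Skip certificates that are already present so re-running the package is harmless.
    $existing = Get-ChildItem "Cert:\CurrentUser\$Store" | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($existing) { Write-Host "$($cert.Subject) already in CurrentUser\$Store"; return }

    # -user = current user's store (no elevation), -f = overwrite; the store name
    # (Root or CA) decides the container, so the user never picks one by hand.
    & certutil.exe -addstore -f -user $Store $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE for $Path" }
    Write-Host "Installed $($cert.Subject) into CurrentUser\$Store"
}

foreach ($c in $certs) {
    Install-TrustedCertificate -Path (Join-Path $here $c.File) -Store $c.Store -ExpectedThumbprint $c.Thumbprint
}

# Final check: the issuing CA must chain to the root that was just installed.
$issuing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Join-Path $here $certs[1].File))
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # the guest VLAN may not be able to reach the CRL
if (-not $chain.Build($issuing)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; '
    throw "Issuing CA does not chain to a trusted root: $status"
}
Write-Host 'Certificate chain verified; you can now connect to the Secure SSID.'
```

Because the thumbprints travel inside the script, the portal page and the script itself still have to be served over a channel the user can trust (HTTPS with a publicly trusted certificate, or a download signed with a key the user already has); otherwise the captive-portal network is exactly where a hostile portal can substitute both.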