Securing RADIUS with EAP-TLS [Windows Server 2019]

I was actually thinking about that recently. I am going to be looking into Azures MDM to see if I can accomplish getting enrolled devices an assigned certificate for usage with EAP-TLS. I know Apple devices are capable of it up to TLSv1.2. I have not implemented it before but will let you know if I get it figured out. The company that I am looking at this for has an E3 license which is a little more limited than the E5 with InTune so it may or may not be possible with that license.

@@OsbornePro we do have intune licensing, my challenge is going to be around spinning up a trial Cisco ISE (staying away from prod for safety reasons), crossing fingers for smooth sails.

@@OsbornePro btw, this still does not address an Evil Twin attack correct? I'd imagine this protects the authentication piece, but everything will not be tunneled.

@@tacom6 That is a good question I should have thought to include when setting up the AD wireless profile. If the users do not have the ability to accept new certificate changes an attacker will be required to have a certificate issued by your environments CA in order to successfully set up an Evil Twin. The wireless profile we set up in Group Policy is where we select the allowed Issuing CA certificates. If the users are allowed to accept certificate changes it is possible for an attacker to create an evil twin with a certificate they create. Defining our trusted CA’s should provide another layer of protection to that setting. The private key on the target users computer will never leave that device so the attacker is not going to obtain the targets private key. The most the attacker could do is offer internet. They would not be able to connect to the domain network in that situation. They may try to compensate by creating a splash page that asks for the users credentials. In summary no it doesn’t prevent Rogue APs but it does make it significantly harder to make anything out of that approach.

Were you guys able to come up with a good solution for this? Researching all over for a solution on this as lockouts are a major headache

Thanks for watching! Appreciate the compliment very glad it was helpful

Thanks for watching glad it was helpful! I agree it is hard to find good info on certain subjects

Right on thanks for watching!

Thanks for watching! Always happy to hear this helped someone implement it!

Thanks glad to hear that :)

Right on! Thanks for watching!

No problem thanks for watching!

Right on! Love to hear that. Thanks for watching and the support

Thanks glad to hear its helpful for ya! That is exactly what I look for too when I am trying to learn something from a video. Glad its not just me

Right on thanks for watching!

Thanks!

Thanks for watching!

Thanks for watching! Always glad to hear it was helpful. Have a great New Years!

Lol of course don't want anyone researching to get sick! Thanks for watching!

Thanks for watching! I do not have a video like that. You want your CA to not have any other services on it. It should just do CA stuff.
The best practice that is rarely followed is to have an offline root CA server non-domain joined. Then have an Intermediate CA attached to that which is domain joined. Require NTLMv2 authentication to it. Use SMBv2 and v3 with required signing.
Biggest threat to your domain with a certificate authority are Certificate Templates. The guys who wrote an exploit tool called Certify have a white paper that is well worth the read to see the do not so certificate template making. You can run the tool to discover vulnerable certificates on your CA if you are ever unsure

Thanks for watching! Very happy it was helpful

That sounds frustrating, definitely need the firewall open. That is pretty crazy, the firewall rules gets created automatically when installing the NPS role on the Windows Server. What AV software is doing that too you?

Thanks appreciate it!

Thanks for watching! Glad it was helpful

Thanks for watching! Glad it was helpful

Thanks for watching! What I have found with non-domain joined Apple devices is they require a non-domain joined Root CA with a domain joined Intermediate CA. The non-domain joined Root CA is for issuing certs to Apple devices not on the domain. The domain joined intermediate is for auto-management of the Windows RADIUS client certificates. Of if you have something like Cisco ISE to act as a CA that issues certs to those devices that can work.
If you just have a domain joined Root CA that assigns a device certificate to a non-domain joined Apple device, the authentication fails saying no matching account could be found. I have tried creating dummy accounts etc but nothing worked for me.

Thanks R H, glad you found it helpful! :) I appreciate the feedback. I was hesitant to include that in this video initially because I felt like I was assuming a lot without a WLC. That has not seemed to take away from the content of the video.
I can do a part 2 kind of video for this where I add wired to the configuration and create the IEEE 802.3 group policy. I will also include how to configure 802.1X on a Cisco switch so we can add it as a RADIUS client on the NPS server. I did not create a Security group in AD for the RADIUS clients so I will demo that in the new video as well. Will that be what you are looking to see?

Here ya go brother th-cam.com/video/CzmFhCuUj6w/w-d-xo.html Thanks for the request!

Thanks for watching! A valid certificate is typically selected automatically however, its not perfect. Yes you should select the certificate to use on the RADIUS server in the network policy. I forgot to cover this in the video. I updated the description of the video to make mention of this in case someone reaches out to me having that issue. I can also get a quick copy paste responding to emails.

Thanks for watching! I am a PRTG fan

Thanks for watching!

Thanks for watching! I would be curious what you do for this. If you are using PEAP I would think trusting the Root CA and a domain trust would be required between the two domains so the user accounts can be found. For EAP-TLS you probably need a non-domain joined CA to issue certs to both domains in order to accomplish that

Thanks for watching! If a user is getting a Computer template certificate assigned to them it is because they have permissions to that template and the auto-assignment in group policy thinks that means they should get one. I can’t picture another reason for that but it is possible there is something I’m not thinking of.
In the video I just used one certificate for the radius server and radius supplicants. If you want to create a Radius Server certificate you can duplicate the “RAS and IAS” template and change the security permissions to your radius servers security group.
For radius supplicants you can duplicate the Workstation certificate which I think I used in the video. With an EAP-TLS connection the client validates the server and the server validates the client as opposed to the client only validating the server. I believe the server validating the client is the reason for Server Authentication.

Thanks for watching! The certificate I select I have had to choose by its expiration date. I use the RADIUS Server certificate template for that. In this video I made a cert that could be used by both the server and client. In this case I would have selected that one. It is okay to do. For least priv purposes it’s best to have a separate template for server and client

@@OsbornePro Appreciate the feedback. I was not 100 percent sure. I thought it might be best to just setup a cert template for just the radius server that way its not using same cert the clients are using as I currently have the validity period set to 3 months and the renewal period set to 2 months. It may cause issues once I deploy to production if my radius server cert is using the same as the clients.

Thanks for watching! In the client network connection profile (windows 10) you can select whether to use a computer certificate or user certificate. Verify the computer option is selected. The other thing to look at is the NPS server Network Connection Profile to make sure the correct group is assigned and verify Smart Card or other certificate is being used. If you want to take screen shots of your config and send them to info@osbornepro.com I can take a look.

Thanks for reply! I selected to computer authentication and i dont use NPS server.(İ use freeradius) İt is weird when i try user authentication eap-tls or eap-peap it works but when i try computer it is not working. @@OsbornePro

Thanks for watching! That I am not sure. By default you should have default certificate authorities that exist in both the Trusted Root Certificate Authorities and Intermediate Certificate Authorities stores. If there is nothing there maybe the Windows store is not used for trust and some other technology is handling that?
If you want to get your domains Root CA, remote into the Root CA server and open Command Prompt or PowerShell. Then execute the below command
mkdir C:\Temp # Creates a directory if it does not exist
certutil -ca.cert C:\Temp\RootCA.cer # Exports your domains Root CA certificate to a file that you can import into the trusted stores
Once you have the RootCA.cert file you can open certlm.msc and import it into the Trusted Root Certificate Authorities store

Thanks for watching! The RADIUS Client authentication certificate can be assigned to any security group you want. It is best to create a RADIUS Devices security group in AD. It does not necessarily have to go out to everything. The RADIUS Server one will only be distributed to servers with the NPS ability. The root ca certificate needs to be distributed to everything for trust purposes. If a certificate isn’t trusted the connection won’t connect without extra steps that are bad for security. I think I answered the question. Let me know if I can provide any more info

Thanks for watching! At that part I am configuring the Group Policy item to deploy out to devices that gives them the Root CA in their trusted store.
NOTE: In the video I see I installed the Root CA cert in the Intermediate store. If you don't have an Intermediate Root CA cert then DO NOT INSTALL IT THERE. Its not really a big deal but I was paranoid at the time I made this that my cert would not be trusted and I would have to do the video over lol. Supposedly it can cause an issue. I have never seen one but its better to be safe than sorry.
Step 1.) On your Root CA, export your certificate. This can be done by executing the below command on your Root CA server. It exports the public certificate to a file.
certutil -ca.cert C:\Temp\yourRootCa.cer
Step 2.) Copy yourRootCa.cer to your Domain Controller you are making the GPO on
robocopy C:\Temp //domain-controller.domain.com/C$/Temp yourRootCA.cer
Step 3.) When you have the policy open like I do in the video at that time frame, right click on "Trusted Root Certificate Authorities", select Import and import that file

Thanks I will check that out!

Thanks for watching! Yes you can however you need a Root CA that is not domain joined to issue those certificates. Or what I have not tested is using SCEP to assign certificates to non-domain joined devices

Thanks for watching! Appreciate the kind words. There is not a way to do the method you are thinking but you can use PEAP for authentication instead. The certificates assigned to the user create the EAP-TLS tunnel. The user than authenticates using SSO or their credentials. You want to use MSCHAPv2 which is used to encrypt the credentials and send them through the EAP-TLS tunnel.
To do this you will need to deploy a user certificate used for PEAP authentication.
You need your Network Policy using PEAP instead of Microsoft Smart Card or Certificate. You do not need to check any boxes where you see PAP and MSCHAP CHAP and MSCHAPv2. The auth method you use is selected when you select “PEAP” and then click Edit. There is a drop down there for MSCHAPv2.
That is basically the only difference in your config setup.

@OsbornePro TV Thank you, Rob, for the helpful reply! In your professional opinion, which one would you consider the better option? EAP-TLS with computer authentication (Pros: more secure / Cons: can't audit which user was connected to the network on the computer and cant block user access without blocking computer) or PEAP (Pros: can audit network usage by user and block a user access without blocking the entire device / Cons: Less secure?) Also, do you have any experience/tips/advice for auditing user network usage for devices that are solely using computer authentication with EAP-TLS?

@@VindalooJim I prefer EAP-TLS with devices if the users are assigned their own desktops and laptops. If someone gets fired or whatever you can disable their account in AD and their devices certificates. I prefer to avoid PEAP when possible because I know how to exploit it to steal credentials. It’s more a personal comfort thing. Someone smarter than me may figure out ways around the methods used to lock it down. PEAP is still considered a secure means of doing things and would pass a security audit. Your pros and cons are accurate. If it makes more sense for your situation I would use it. There are clients I have worked with where PEAP made more sense.
Another thing to keep in mind is a PEAP certificate has only one issued per user. If a user has a desktop and a laptop the user needs to know how to set up the cert on their other devices.
The RaDIUs accounting logs are supposed to be a good way of auditing network usage if you have multiple clients using internet. Utilizing a SQL server for that if you expect heavy logging is the way to go there

Thanks for watching! Glad to hear it. Yes it is possible to get Macs working under RADIUS/NPS but it is not possible to use EAP-TLS with the configuration I demonstrated. You will require a stand alone/non-domain joined Root CA to issue certificates to your Apple devices. If you use a Standalone Enterprise CA that is domain joined, the certificates can be assigned but when authentication comes around the auth request gets denied saying the user does not exist. I tried creating a user MACDESKTOP01 and MACDESKTOP01$ for example in Active Directory and still received "user does not exist" results. The way to rectify that is with a non-domain joined Root CA. The Subordinate CA can be used to auto-manage the Windows certs still. To reiterate, this is for EAP-TLS authentication.
If you decide to go with PEAP user authentication then yes the setup in this video will work. PEAP requires the Mac users to login at least once and only one PEAP certificate can be issued so the users would need to manage their own certificate and move it between devices. EAP-TLS would allow any managed device to authenticate without the user entering credentials.

Thanks for watching! When you set up an Windows Server Enterprise Root CA the information for the CA gets placed into Active Directory. If you have run the configuration of the Root CA role on a Windows Server a couple times you may need to make some adjustments in Active Directory to ensure the correct Certificate Authority is defined. The issuing Root Certificate Authority's certificate is not automatically trusted. The Root CA certificate is trusted by the clients and the NPS server because it was pushed out to the trusted store using Group Policy. The NPS server needs to trust the issuing authority as does the supplicant. If a machine is not domain joined you will need to manually trust the Root CA.
In case you need some commands
# Publish Root CA Cert to NTAuth store
certutil -dspublish -f RootCA.cer NTAuthCA
# View content in NTAuth in AD DS
certutil -viewstore "ldap:///CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=yourdomain,DC=com"
qa.social.technet.microsoft.com/wiki/contents/articles/3063.certutil-examples-for-managing-active-directory-certificate-services-ad-cs-from-the-command-line.aspx?PageIndex=1

Thanks for watching! I believe that Yealink phones are not capable of trusting third party certificates. In order to get them internet you would need to configure a multi-host policy on a Cisco switch. This allows the phones to piggy back on the computers authentication and not have to use RADIUS to authenticate to pass traffic.
www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_37_se/configuration/guide/3560scg/sw8021x.html#wp1271507

Thanks for watching! I have no idea why they do not make it easier to see what certificate you are selecting. I would renew the certificate with the same key and select the certificate based on its expiration date.

Thanks for watching! Unfortunately no you are not able to use WPA2-Personal and WPA2-Enterprise on the same SSID. However both connection policies can exist on a device at the same time. You can enforce which SSID connection is used via GPO. A new SSID will need to be created for the migration.
To migrate from PEAP using MSCHAP to EAP-TLS I would do the following.
1.) Create a security group to test your laptop out in. Name this group whatever you want the Production name to be. Test one laptop at first but add everything to it when ready.
2.) Verify your device has an EAP-TLS certificate assigned to it like you would have created with this video.
3.) Create a new SSID to use WPA2-Enterpise authentication with
4.) Modify your laptops GPO policy so it gets the new SSID wireless profile. The old one can still exist and can be left as the default until you are ready to test your new policy.
When the new wireless GPO policy applies you will likely need to reboot the device. Some but not all of the settings in the SSID policy require a reboot and we don't want to leave anything to change in case you require a change that needs this. "gpupdate /force /boot" will NOT see a reboot is required for the settings to be updated. If you are enforcing that policy to be used you will not be able to reconnect to the WiFi until the next step is performed on the NPS server.
5.) Duplicate your Connection Request Policy and Network Connection Policy on your NPS server and modify it so the Security Group your laptop is now a member of has the policy applied to it. Also use the EAP-TLS connection settings.
6.) Move the newly created policy to the top of the processing order in your NPS server. Double check that no other laptops will accidentally receive your new policy before you
7.) Enable the duplicated modified policies.
8.) Update your GPO settings for your laptop to use the new wireless profile and verify it connects okay.
If successful you can move say another 10 devices into the same policy. Check last reboot times on the 10 devices to ensure they get the new GPUpdates applied. Then move them into the security group in AD which gives them the new wireless SSID profile that they get forced to connect too. If those 10 devices work without issue I would go large scale and wait say 1-2 weeks to ensure all devices have been rebooted to get their new gpupdates before moving them into the security group

Thanks for watching! I am not sure I understand your question. Do you have virtual Windows 11 devices in the cloud?

It will propably be with the help of Microsoft Intune Certificate Connector@@OsbornePro

Thanks for watching! In the video after we created the computer certificate templates and set up group policy, the certificates then started being deployed automatically via group policy.

@@OsbornePro Wow! Replied in less than an hour! Thank you! In my case, I don't think I can do the auto deployment because my wireless client PCs are not on the same domain as the RADIUS server domain controller. Is there a way to manually generate and deploy the client and server certificates?

@@gilgamesh822 if you have another domain you can trust the root CA certificate that assigned the RADIUS server certificate. Then the second domains clients will be able to trust that NPS server certificate. The NPS server can be set to trust the second domains CA. Then your authentication will still happen to the one server. That lets that domain manage its own certs.
Otherwise as a manual process you could script the manual assignment of the certificates or open certlm.msc with admin permissions and request a new certificate for each device individually. Then create the wireless or wired profile manually on each device in Control Panels Network Manager for an interface.

Thanks for watching. You would have to use a PEAP user certificate on your mobile devices in order for them to authenticate with RADIUS.

​@@OsbornePro Thanks so much for this video - it was a really useful start-to-finish tutorial and we've managed to get laptops connecting nicely over WPA Enterprise now. I was just curious about your comment above about needing PEAP user certificates on the mobile devices. We have been unable to get the IOS devices connecting over RADIUS. We have successfully deployed the certificates to the mobile devices using the MDM (Airwatch / WorkspaceOne) however the certificates on the mobile devices are user certificates, not device certificates and I'm wondering if this is why it might not be working. The TCPDUMP on the AP shows that connection is being denied but I'm not sure why. Does NPS require machine certificates and if so, how do we loosen the policy to also allow User certificates from mobile devices to authenticate?
Otherwise, how do we use PEAP user certificates as you mentioned above on the mobile devices?
Thanks so much for any guidance and for the awesome video!

@@jimmyweston613 excellent that is great to hear! With PEAP you will need to create a new network policy on the NPS server. Add a security group to it so the PEAP users have the PEAP network policy applied and than the devices security group assigned to your EAP-TLS policy. You will want to set up PEAP and MSCHaPv2. You do not need to check the legacy checkboxes for MSCHAP or MSCHAPv2 when creating that network policy.

@@OsbornePro Thanks so much for the reply. I will definitely try this over the weekend during a change window. Just to confirm though that in the new NPS Network Policy I am creating for the mobile devices, for the "EAP method" option, I should select "Microsoft: Protected EAP (PEAP) OR Microsoft: Secured password (EAP-MSCHAP v2)" instead of "Microsoft: Smart Card or other certificate", the latter of which I used in the other (working) policy for laptops? Thanks!

@@jimmyweston613 no problem. Correct, to break it down
1.) In Server Manager go to Tools > Network Policy Server
2.) Under "RADIUS Clients and Servers" drop down "Policies", right click on "Network Polices" and click "New"
3.) Call the Policy PEAP Users and leave "Unspecified" selected. Click "Next"
4.) Add a Condition for "User Groups" and add the security group containing your PEAP/MDM users. Click "Next"
5.) Select only "Access Granted" then click Next
6.) For EAP Type select "Microsoft Protected EAP (PEAP)" and uncheck all the less secure protocols. Select "Microsoft Protected EAP (PEAP)" and click the "Edit" button. Ensure your RADIUS server certificate is seleted next to "Certificate issued to:" and "Enable Fast Reconnect" and ensure under EAP Types you have "Secured Password (EAP-MSCHAPv2)". Click OK and then click "Next"
7.) In the left hand pane of "Constraints" select "NAS Port Type" then check the boxes for "Wireless - IEEE 802.11" and "Wireless - Other". Click "Next"
8.) Uncheck the weak encryption methods if you like and click Next. Then Click Finish
9.) I have my PEAP policy last in processing order so it checks for company devices first and then then tries PEAP based on user accounts

Thanks for watching! On the RADIUS server for my NPS server I use the expiration date to determine which Certificate I am selecting
When giving template names I typically try the one without spaces first

Thanks for watching! Are you using Server 2019 or higher for your NPS Server? If your NPS server is not a domain controller that is fine, just make sure you have your DCs defined in the server group. You will then want to assign your NPS server the RADIUS server certificate templte created and any time you are asked for a RADIUS server define your NPS Server.
You may want to view this article for information on using TLSv1.2 support.microsoft.com/en-us/topic/microsoft-security-advisory-update-for-microsoft-eap-implementation-that-enables-the-use-of-tls-october-14-2014-d9ba4b83-b4e9-2c01-83a7-e42706e671af
I would play around with your client Wireless profiles. Try being less strict and use different trust settings and hostname, FQDN, IP address in the RADIUS servers field to get it working. You can then harden from there once you see what part is having trouble.

@@OsbornePro Hey ! i appreciate your reply, again thank you for your time ! i'm using a 2016 std for the NPS. Could you please explain what you mean by DCs defined in the server group ? I'm sorry i forgot to tell you that i already have an other SSID ( let's call its SSID1 ) setup and it works just fine the only difference is, it's using PEAP instead of EAP-TLS. I have checked the event viewer on my endpoint and found this event under App & srvs logs wlan-autoConfig events : 8002 + 11006 + 12013
Wireless 802.1x authentication failed.
Network Adapter: Intel(R) Wi-Fi 6 AX201 160MHz
Interface GUID: {c8fcec8b-89f8-42b7-87cb-4b059364c8c4}
Local MAC Address: XXXXXXXXXX
Network SSID: MYSSID
BSS Type: Infrastructure
Peer MAC Address: :xxxxxxxxx
Identity: host/myhostname
User:
Domain:
Reason: Explicit Eap failure received
Error: 0x40420016
EAP Reason: 0x40420016
EAP Root cause String: Network authentication failed
Windows doesn't have the required authentication method to connect to this network.
EAP Error: 0x40420016
--------------------------------------
Wireless security failed.
Network Adapter: Intel(R) Wi-Fi 6 AX201 160MHz
Interface GUID: {c8fcec8b-89f8-42b7-87cb-4b059364c8c4}
Local MAC Address: XXXXXXX
Network SSID: MYSSID
BSS Type: Infrastructure
Peer MAC Address: XXXXXXXX
Reason: Explicit Eap failure received
Error: 0x40420016
------------------------------------------
The last event says the specific network is not available
One thing i noticed also, few users could connect to the EAP-TLS network but when i checked the nic wirless properties/Security i found that it has the the auth methode of the working network (SSID1) which are PEAP and when ever i switch it to EAP-TLS ( eventhough i'm not supposed to be able to modify this part as it should be greyed out ) the connection drops....by the way i'm using SOPHOS XG FW

@@ane4412 based on the event you posted, that is telling us the clients are attempting to use authentication method an authentication method the server is not accepting. On your NPS server on the Network Policy you will want one created for PEAP and another for EAP-TLS. The EAP-TLS one should have Smart Card or other certificate selected only. Click the Edit button for that selection. Then using the expiration date of the RADIUS server certificate, select the RADIUs server cert to ensure the correct one is being used. Don’t add any other requirements. On the clients you can check the EAP-RRAS logs for EAP-TLS (EAP type 13) (PEAP is EAP type 25).
GPOs need to be assigned to the same OU as a device or have the Enforcing tick box checked to prevent someone from making changes to your client profiles
The server groups is defined in Network Policy server in the left hand pane as Server groups. Your Domain controllers get set at that location (not the NPS server in your case)

@@OsbornePro Thank you so much ! i will carefully double check all parameters you've pointed out and let you know. I'm a bit confused though about the server groups part, i thought it's was only for failover and load balancing between NPS's but hey why not :-) i must do more research on that, or install the nps on a DC... By the way the log says Auth failed for EAP methode type 13 the error was 0x9009030c. Thank you again.

@@ane4412 sounds good. Those groups do perform load balancing however your NpS server is not a DC so it can only act as a proxy for authentication requests. It can not perform the authentications

Thanks for watching! What is the error message you are seeing on your NPS server in the Event Viewers custom log for Network Policy Service? At the bottom of a denied event it will have a message that will tell you if there is no matching Network Policy or Connection policy. It will also let you know if a user was not found. Because the user certificates work I think it is safe to assume your RADIUS server certificate is good and clients authentication requests are reaching the NPS server. I would think what needs to be looked at is why they are being denied. If you find they are not getting there let me know. Feel free to send screenshots of your config to info@osbornepro.com and I can take a look to see if I see anything. Also screenshots of your GPO profile would be helpful.

@@hichamlyaacoubi1196 thanks for watching! There is a registry value you can at on the NPS server to define what version you want to use if you want to make sure a modern one is used
support.microsoft.com/en-us/topic/microsoft-security-advisory-update-for-microsoft-eap-implementation-that-enables-the-use-of-tls-october-14-2014-d9ba4b83-b4e9-2c01-83a7-e42706e671af

Thanks for watching appreciate the support! That is interesting, sounds like the CRL is not being checked based on your actions so far. Can you check the registry setting on the NPS server and verify none of the below registry values are set to 1. If a -Name value does not exist you will likely return an error message which is expected and can be safely ignored. It might be useful to set all these reg values to 0 and restart the server so you manually are telling the server perform the checks.
Registry Path EAP Extension
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 EAP-TLS
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\25 PEAP
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\26 EAP-MSCHAP v2
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13" -Name IgnoreRevocationOffline
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13" -Name NoRevocationCheck
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13" -Name NoRootRevocationCheck
REFERENCE: learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771995(v=ws.10)?redirectedfrom=MSDN

@@OsbornePro Thank you! The response in the first query was for an incorrect string, so I don't think that one exists. Double-checked spellings and used tab completion and up arrow for the last two commands. Last two queries were 0 for the value. UPDATE: I stand corrected. I just now understood your ask. I have used all three queries now in all three paths (9 total). The last two queries resulted in a '1' value in the '25' path. But since that is not in the EAP-TLS path, will it make a difference? I set those values to 0. Waiting to hear from my sysadmin if I can reboot the server.

@@scottfuller2449 I apologize I am not always good at communicating what I am thinking. Change those values from 1 to 0. You may need to restart for those values to apply. The 0 says to use CRL checks with PEAP authentication. If that still does not work my next check would be to verify what certificate the client is presenting. I would change the client profile in the Control Panel network device settings so it allows me to select what certificate I want to use to verify there is not another cert being presented that works

@@OsbornePro You have no reason to apologize! You communicated it very well. I am waiting to do the testing after setting those values to 0. But since that wasn't in the EAP-TLS path, I don't understand how it will help. But that doesn't mean much either. Certificate knowledge is like fairy dust to me. I don't understand them very well or the complex process. I will report back. Thank you so VERY much for your responses and help thus far!

@@scottfuller2449 thanks no problem. I am doing that just to cover all basis. If you are using EAP-TLS it should not affect it. I want to make sure that is not it

Thanks for watching! Yes you are correct the GPO creates the wireless profile that gets pushed out to the clients. By selecting a root CA certificate in the GPO wireless profile you are telling the clients what cert to autoselect

@@OsbornePro What triggers the clients to auto-enroll? I watched another video and they discussed the gpupdate /force to enroll the client immediately and they also mentioned syncing the GPO to the domain which I didn't see mentioned in your vidoeo

@@SteveSmith-rj6oq it still the GPO. There is a PKI GPO setting that says to auto enroll clients in certificates when the templates exist

Thanks for watching! For your first question, your understanding is correct.
If you modify your SSID to require RADIUS authentication, only devices with the EAP-TLS certificate you setup can connect to it. Personal devices will no longer be able to connect.
If you create a second SSID, leaving your original WPA2-Personal setup and creating the new one to use WPA2-Enterprise (RADIUS), then no-one will be disconnected from the SSID currently being used in Production.
WPA2-Enterprise will prevent users from connecting with their personal devices.
Second Question:
Correct you would need to set up the laptop by plugging it in via Ethernet in the office which can be beneficial if you have a PXE scope. You could also assign your admins a PEAP certificate to use that allows them to get things set up over WiFi initially. Otherwise you wont be able to connect to the WPA2-Enterprise SSID with new laptops. Microsoft Intune could also be used to assign certificates if you have a proxy set up for SCEP certificates and Wireless profiles configured. This would allow you to connect to Guest WiFi while still receiving configuration and a certificate via the WAN instead of the LAN.

Thanks for watching! Yes you are correct the TLS certificate is unique to each machine. It is based off of the FQDN of the host which is used in the certificate. If you revoke the certificate for one of the machines you will prevent that machine from authenticating itself using that certificate.

@@ryanmcguire2578 thanks for watching! Yes they will automatically connect to wifi once setup

@OsbornePro ok I had set the up previously on a different dc, and my first test user I had to hit connect for them to connect, in the cert authority should each computer have 2 certs listed?

@@ryanmcguire2578 if you have two certificates on a device capable of being used for radius auth from the same certificate authority. In your client wireless profile you define the CA that assigned the certificate to auto select from. If you have two they may prompt you to

​@@OsbornePro I have my original cert authority setup on server 2016(going to decommission) which is still active and it has both certificate templates for radius server client and computer(machine) on it but my server 2022, the new CA only has the radius server client cert template listed for this user

@@OsbornePro sent you an email if you have a chance to take a look...thank you

Thanks for watching!

Hey thanks for watching! AES-CCMP came out with WPA2. My assumption is that AES means the same thing. It may show as AES-CCMP in newer OS versions because AES-GCMP was released later.
I forget if I covered it in this video or not. if you check the box in your group policy client profile to verify your servers identity and define the server to connect too, the value you define is case sensitive and needs to match the subject name value of your servers RADIUS server certificate. Uncheck that box in the client profile to see if that is the value preventing your connection.
Check the NPS logs on your RADIUS server to see if your radius server is receiving and rejecting the request as it will give you an idea why it was rejected. If it is not rejecting the request check your supplicants event logs under EapRas-Tls for EAP-TLS and CAPI2 for SSL errors.
If you run packet captures you want to analyze EAPOL packets on the client side and RADIUS packets on the server side

@@OsbornePro Bro I got it working :-) I think it was a bug. All it needed was a windows update.
I have one more question for you. Let say I have a user that's not part of my domain. but I want him able to join the enterprise Wifi. How I can generate a client cert? I googled the shit out this question and no answer whatsoever xD

@@brolysmash9333 right on that is exciting. There are a couple of possibilities. The first is using a MDM policy. I am currently working on one for an organization that uses the Enterprise CA to assign SCEP certificates using and Intune Connector and Application Proxy. With Azure I seem to be able to offer 3 different cert types but they may only be capable of PEAP. I was going to try and work something out using PEAP and MDM but am having some kind of permissions issue on the CA preventing the certs from being assigned.
The other possibility is still PEAP. Someone I was working with recently was doing something for hospital devices. The hospital was using one PEAP certificate with an exportable private key assigned to a single user but put it on multiple devices. (There is no way to auto-assign or re-new Linux device certificates which is what makes this ideal from a management perspective). I stole that idea and limited what devices that user is allowed to sign in on in AD and applied the same concept to printers. This works for the most part however some of the older printers are not able to use the certificate because the PEAP cert is being imported as a machine cert. It works for newer printers but not old ones and I don't know why. That may be something we run into on phones and such as well.
I am thinking that may be your best solution (create an exportable private key PEAP certificate and send it to wherever to install). I am going to be doing a PEAP video here soon. I have a securing apache video prepared to come out next and will try to get that one done after

@@OsbornePro you’re awesome dude.. 👍🏼👍🏼😎😎

Lol I didn’t realize the video was old until you stated that. It is old now isn’t it. I don’t think I understand what is happening, You probably have an NPS server with a couple RADIUS servers behind it and one of those RADIUS servers also acts as the backup NPS server. Or something close to that. The RADIUS server certificate should be from the same CA so the trust of the Root CA should be good. Once the client authenticates to one of the servers the connection is up. If they reestablish a connection with the backup NPS server it shouldn’t cause any downtime or create new certs. Are both NpS servers defined in the group policy wireless profile? The subject CN of the certificate is case sensitive and needs to match the FQDN of the RADIUS server. That server will need to be defined in the clients RADIUS profile which I would treat as case sensitive just in case. Maybe the second NPS server needs its RaDIUS server certificate assigned and an auto selected one is not the one you are expecting

I exported the certificate from the CA and imported in to my second radius backup server. I watched both your full videos. You setup yours different then I did. I wish I could show you. If I could some how send you screenshots or pictures. I have my setup almost 5 years with multi vlan authentication. My only issue I have if I use my backup server. Clients have to re trust certificate on second backup server

@@jacobstahl7467 On your NPS server the RaDIUS server certificate I am thinking of you may need to set is in the network policy. In the section where you select Microsoft Smart Card or Other Certificate. Select that option and click Edit. Then verify using the expiration date of there is more than one certificate option that your RADIUS server certificate is being used and not a self signed one. Or have you been able to verify the certificate is good already?

@@OsbornePro yeah the certificate is still good. I have it to expire in 20 years. Even though I know I’ll do hardware updates before that. I just set it expiration to 20 years.
Your setup is different then my. I noticed you authenticated with just the certificate But I have about 18 vlans on my network and I’m authenticating users via username and password. And whichever group the the users are in. The are connected to that specific vlan.
And I select my certificate for WiFi under Network Policy Server> Network Policies> (the custom policy I created for vlans)> Constraints> Authentication Methods> then on right window I select Microsoft: Protected Eap(Peap) then I click edit. This is the place I select my certificate.
And noticed your doing it in group police manager, where I’m doing it under NPAS> network policy server.
I hope I make sense

Thanks for watching! So yes all requests would be sent to priority 1 server unless that server is overloaded.
The NPS proxy you set up sends connection requests to the RADIUS server with a priority of 1 first. If servers with priority 1 are not available, NPS sends requests to servers with priority 2, and so on.
I don't remember what I said in the video but I think later I learned after this video that when you assign the same priority to multiple RADIUS servers, and use the "weight" value, you load balance between them.
When you assign different priorities it acts as a fail over. So if priority 1 server is not available (gets a connection timeout from drops or timeout settings) it goes to priority 2 server

Appreciate the timely feedback and honest response...@@OsbornePro

Thanks for watching! Importing a Root CA certificate is simple enough to do with Intune. Assigning certificates for RADIUS auth requires the Windows Server Root CA to have what windows calls SCEP configured and if devices are not domain joined you need a Standalone CA. Once that is set up and SCEP open to the internet you can set up the Intune profile to issue certs.

Thanks for watching! As far as I understand it, Intune using SCEP is able to assign 3 types of certificates that cover user certificates that can do EFS, S/MIME, Email Signing, and Client Authentication. This would restrict devices receiving certificates from Intune to using PEAP and not EAP-TLS. The PEAP certificate would be assigned to the user and they could then use their credentials to authenticate. If you have info different from mine I would be interested to hear it. I have only worked with E3 Office365 licenses which may be more limited than the E5 one.

Thanks for watching! I am not familiar with Aruba but the essence of what you need in the setup is
1. A RADIUS server certificate the client devices trust
2. A certificate the clients can present the RADIUS server trusts that can be used to authenticate the client
If you have those things, tweaking the config becomes much simpler

@@OsbornePro Thank you so much for your response! I only have an NPS server ( I thought NPS and radius server were the same thing). Aruba told me that I just need to upload my certificate to Aruba Cloud Console. It looks like it just needs a PEM certificate, but I don't even know how to export a certificate from my NPS server to even start 😅😭
We just want to allow AD users to connect to our wifi on their personal mobile device. Right now we are manually typing in our wifi password on their personal device which is not secure.

@@xtnx the Aruba needs to trust your on premise root certificate authority that is assigning certificates. Use Windows to view the Root CA certificate. You can open certlm.msc as an admin and go to Trusted Root Certificate Authorities. Double click on your cert to open it and go to Details then Copy to File. Export in Base64 format not DER. That is the pen file they want. That will be all you need for them. Pushing certificates out to your mobile devices will require an MDM solution
The NPS role can be related to a proxy. It will distribute authentication requests to the RADIUS servers

Thanks for watching! I think I understand what you are asking. I apologize if I misinterpreted and feel free to let me know.
WIRELESS TEST
To test EAP-TLS authentication out, the simplest way would be to temporarily have a WPA2-Personal SSID set up you can fall back on in case you need it.
Use the same subnet in that SSID as your WPA2-Enterprise one.
Set up your Wireless Connection Policy directly on the client instead of using GPO and/or exclude your laptop from the GPO enforcement temporarily. This will allow you to more quickly test and make changes to see what the issue might be. Make your changes and retry connecting to your WPA2-Enterprise SSID. Check the "Network Policy Server" logs on your NPS server to see why a request was rejected and to verify the request gets there.
On the client side you can view Event Viewer > Applications and Services > Microsoft > Windows > EapMethods-RasTls or EapHost to see why the RADIUS server is not being reached if issue is caused by config.
WIRED TEST
If you have a Cisco networking device acting as an Authenticator, you can use Monitor mode on some switches. This will basically audit your requests for testing purposes.
You could also configure RADIUS, None which says if the RADIUS server cannot be reached or the device cannot be found, the connection is allowed. You can then check the failed authentications on the interface your device is plugged into using the below command. Turning that interface off and on again should force a reconnect attempt the majority of the time.
# View whether a session was created on your interface
sh authentication sessions interface gigabitEthernet 1/0/1
# View auth statistics for interface
show dot1x int gi1/0/1
You can configure the quiet timer on your Cisco interface to get rechecks to happen more frequently
dot1x timeout quiet-period seconds


dot1x timeout tx-period seconds
More details on these commands can be seen in this forum community.cisco.com/t5/security-blogs/dot1x-ios-commands-overview/ba-p/4614712

I was just answering someone else's question who brought this tool to my attention, NTRadPing support.secureauth.com/hc/en-us/articles/360019651812-How-To-Test-RADIUS-Using-NTRadPing
It seems at first look like this is a PEAP authentication test. I figured I would share it with you in case it is helpful

Thanks for watching! Yes you can use any CA as long as the client trusts the Root CA that issued the certificate to the RADIUS server and the RADIUS server knows it can trust the Root CA that issued the EAP-TLS certificate

@@OsbornePro Thank you!

@@OsbornePro Sorry one more question that came up. Can we just use an IIS Server in our domain to generate the CSR? And if so what type of certificate should we download from the 3rd party CA? Thanks so much.

@@HawkJ88 yes you can use IIS to generate a CSR if you want. You will need to download the Root CA certificate from the third party CA and trust it. If they have intermediate certificates you will need to trust those also.

Thanks for watching! The only thing I think is worth mentioning would be; Where are your certificates being auto-deployed from?
If remote devices have their certs being deployed from your Root CA server to the client machines automatically and you know the remote devices will be forced to connect to the VPN fairly often you wont need to do anything else. If the remote devices are not usually connected to the VPN or domain joined you will need to set up basically a proxy to your Root CA that issues SCPE certificates.
learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure
Your other GPO settings being deployed from Intune do not matter where they come from

Thanks for watching! For mobile devices I would suggest going with PEAP certificates associated with the user accounts. The PEAP certificates can be pushed out using an MDM (Mobile Device Management) provider. If your company has at least an E3 Office365 license this can be done with Azure's MDM.

@@OsbornePro I intend to use it with home wifi just because I can. Is it possible to do so without a mdm? For android, MacOS, Linux, and iOS

@@user-fp3mn3dw7x Yes that requires some manual configuration. Working with *nix operating systems this seems like a great resource to work from.
networkradius.com/articles/2021/10/25/EAP-production-certificates.html
You would need to manually generate the CSR on your *nix devices as the instructions cover at the above link for using EAP-TLS. If you have a windows CA issuing certs I have a script you can use to renew and set the certs on those devices afterwards.
github.com/tobor88/Bash/blob/master/update-ssl-certificate.sh
The other option would be to set up a PEAP user certificate that is exportable and install that certificate on all your devices. Then create the network profile that uses that certificate.

I found out I can generate user certificate with CertSrv and it works on android, iOS and macOS but it doesn't work on windows 10. Any idea what's missing?

@@user-fp3mn3dw7x Could you advise how you achieved this? busy trying to do this myself

Right on thanks for watching! My apologies for the delay I have been stuck on a project. To make sure I am understanding correctly, are you referring to devices that attempt to connect to your wireless network for the first time since they do not yet have a certificate to authenticate with?

@@OsbornePro Not really device, but user. For example if user never logged from his PC to domain there is no user certificate and user not able to pass authentication on RADIUS server. We created user based certificates because it is just easy to assign AD groups, we added additional feature when user receiving certain IP from certain IP pool depending from AD group, because our MAC systems not joined to domain and we need to able to filter user traffic on our Firewall for this group of users. At the moment, new user (or if user replacing his PC) should initially pass domain authentication on wired connection and once they receive user certificate they are able to connect to our EAP-TLS. Thanks again for the video, really appreciated that you covered topic with redundancy in details!

I end up with user based certificate for MAC OS (not joined to domain) and computer certificate for WINDOWS (domain joined)

Yes great question, you can add the following registry key to use TLSv1.1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
Create the value DWORD value 0x300
TLSv1.0 would be 0xc0
TLSv1.2 would be 0xc00

I was thinking this might help your situation as well. In WIndows 7 TLSv1.2 is not turned on by default. I wrote a script to turn on TLSv1.2 usage in Windows 7 era Operating Systems
github.com/tobor88/PowerShell/blob/master/EnabledTLS1.2-Windows7.ps1

Thanks for watching!
If you are on a client machine it may be a permission issue for you account on the certificate templates
If you are on the certificate authority restart certificate service (certsvc) and verify the service stays running and check if the templates are loaded. If this doesn't help then stop certsvc on CA. Further troubleshooting would be required from there. If possible you can retry installing the CA

Yes please

Thanks for watching! I plan to redo this video at some point. That becomes tough because of the at home setup required but I will do what I can to include that information

Thanks for watching. I would not suggest using WPA3 for wireless internet. Really the most vulnerable thing in WPA2-Personal is that someone can disrupt a network with disconnect packets and try to crack the wireless password. WPA3 still has vulnerabilities being discovered that are unable to be remediated due to issues in its foundation. One for example leaks the network password. www.pcmag.com/news/flaws-in-wi-fis-new-wpa3-protocol-can-leak-a-networks-password

Sure do th-cam.com/video/CzmFhCuUj6w/w-d-xo.html

@@OsbornePro can you plz setup EAP-TLS certificate based authentication for vpn clients IKEV2 L2TP and pptp