3

We're a small office and have a Cisco Aironet 1250 access point set to WPA-PSK. Now that we've deployed Active Directory I'd like start authenticating my users via radius instead of a PSK.

To this end I've installed NPS on my SBS 2011 server. The WiFi clients are some company-laptops, some personal iPhones, iPads, Android phones, etc. I.e. a mix of all kinds of devices, not all joined to the domain.

It appears that all authentication methods that involve radius that the Aironet supports require some kind of PKI infrastructure. I managed to easily configure our Cisco ASA 5505 to authenticate IPSEC VPN clients against the same radius server, but can't figure out how to set up the Aironet. Do I really need to install my NPS-server's cert on all those devices, like I've seen some people suggest?

Martijn Heemels
  • 7,728
  • 7
  • 40
  • 64

1 Answers1

4

Cisco Access points can use two common forms of 802.1X per-user authentication. 802.1X EAP would require certificates for the NPS server, the client computers, and the client users. This is most often only accomplished by using smart cards so the user's certificate follows them.

The other, and more common, method of using 802.1X to do per-user authentication is 802.1X PEAP, which uses a certificate on the NPS server so the clients can validate the server, and the user's Windows username and password for client authentication when the user logs on. Additionally, the Windows domain computer account is used for wireless authentication when no users are logged on, so it is important to remember if you are using groups in the NPS rule, include a group that has all computers in addition to all users.

Note that the access point does not get a certificate. The client is called the "supplicant" and the server needs to authenticate it. The NPS server is the "authentication server," and the clients need to authenticate it. However, the access point is called the "authenticator" and is being a middle man between the supplicant and the authentication server, so clients do not need to authenticate it. The NPS server "authenticates" the access point by virtue of the RADIUS shared secrets.

Finally, this does not need to be a publicly trusted SSL certificate. You can set up an Enterprise CA on your domain, and all computers on the domain will trust it.

Hope this helps!

-Eric

Eric P.
  • 106
  • 2
  • Thanks for the clear explanation. I'd like to avoid installing any SSL certs on the non-member devices, such as tablets. Will that work by using PEAP and a publicly trusted SSL cert on the NPS server? Which CN would the cert need to be for? – Martijn Heemels Dec 23 '11 at 12:18
  • I found the following article talking about the certificate requirements, and it appears the common name only needs to be the internal FQDN of the server. http://technet.microsoft.com/en-us/library/cc731363.aspx. Unfortunately I do not have personal experience with using a publicaly trusted certificate for NPS, only enterprise CA certs. – Eric P. Dec 23 '11 at 17:57