PEAP and EAP-TLS on Server 2008 and Cisco WLC

Content Table

Introduction
Basic Network Configuration
Installing Active Directory
Installing Certificate Server
Installing Network Policy Server
Create RADIUS Computer Certificate
Configure Network Policy for EAP Authentication
Add Wireless User to Active Directory
Configure Cisco WLC to use RADIUS Authentication
Configure Wireless Client (Windows 7)
Troubleshooting
Conclusion

Introduction

To make a wireless network properly secure you should authenticate users against a RADIUS server instead of handing everyone the same pre-shared key. The RADIUS server handles the authentication requests and uses EAP (Extensible Authentication Protocol) to talk to the clients. There are many EAP types; the most popular ones are:

  • PEAP (Protected EAP)
  • EAP-TLS

PEAP is normally used to authenticate users with a username and password. The RADIUS server presents a certificate to the client so that the client can verify it is talking to the correct RADIUS server before it sends any credentials inside the TLS tunnel. EAP-TLS is generally regarded as the most secure form of wireless authentication because it replaces the user's password with a client certificate, so there is no password to guess, phish or crack.

This tutorial will walk you through the installation and configuration of Windows Server 2008 using NPS (Network Policy Server) as the RADIUS server for a Cisco wireless LAN controller. We will configure the server so that it supports PEAP using MS-CHAPv2 for password authentication but we’ll also look at EAP-TLS which can be used to authenticate clients using certificates that we will generate on the server. In this tutorial we will configure the following components on the server:

  • Active Directory
  • DNS
  • Certificate Services
  • IIS
  • NPS

Active Directory (AD) is where we store all the user accounts, it’s the central database that we use for authentication. Whenever you install an AD you also require a DNS server. Certificate services will be used to install the server as a root CA so that we can generate a computer certificate that will be presented to wireless clients and to generate the client certificates for EAP-TLS.

IIS is the web server and we will use it so that EAP-TLS clients can easily request a certificate with their web browser for their wireless connection. Last but not least, NPS is the RADIUS server and that’s where we will configure some wireless policies.

I realized that many network engineers are comfortable configuring switches and wireless equipment but might be new to Windows Server 2008. This “how to” was written so anyone without “Windows Server” experience should be able to get the job done.

This is the topology that I will use for this example:

Server 2008 EAP Demo Topology

A fairly simple topology with a single switch that connects the server, WLC and access point together. I’m using a Cisco wireless LAN controller to demonstrate this but the configuration will be the same for any other wireless LAN controller or access point. The configuration for Windows Server 2008 will be the same. There’s plenty of work so let’s get started!

Basic Network Configuration

Before we start with the installation of Active Directory we’ll fix some basics like setting the correct computer name and IP address.

Computer Name

Click Start > Computer (right mouse click) > Properties.

windows server 2008 computer properties

Click on Change Settings.

Windows Server 2008 System

Click the Change button.

Windows Server 2008 System Properties

Here’s where you will enter the computer name. I’ll use “AD” (Active Directory). You don’t have to change the workgroup name as we’ll turn this computer into a domain controller in a minute. Make your changes and click on OK.

Windows Server 2008 Computer Name

Once you change the computer name you will have to reboot before the changes will occur. Once your server is rebooted you’ll have to change the IP address.

IP address

Make sure you don’t configure any DNS servers as this server will become a DNS server. You don’t have to configure a default gateway but if you have a router that leads to the outside world you can enter it here:

Windows Server 2008 Change IP Address

Once you have configured your computer name and IP address we can continue with the installation of Active Directory.

Installing Active Directory

Active Directory is where we store all the usernames in a central database. To install it we need to add a new role to the server.

Click on Start > Administrative Tools > Server Manager.

Windows Server 2008 Start Menu Server Manager

Click on Roles > Add Roles.

Windows Server 2008 Server Manager Roles

You will be presented with the following wizard. Click on Next.

Windows Server 2008 Add Roles Wizard

Select Active Directory Domain Services and click on Next.

Windows Server 2008 Add Roles Wizard

You will get a notification about adding the .NET Framework feature. Click on Add Required Features.

Windows Server 2008 AD Features Requested

Click Next to continue.

Windows Server 2008 Add Roles Wizard AD Selected

You will see an introduction about Active Directory Domain Services. Click Next to continue.

windows-server-2008-active-directory-install

Click Next to confirm the installation options.

windows-server-2008-active-directory-install-confirm

You will see the following screen that indicates the installation progress:

windows-server-2008-active-directory-installation-progress

Once the installation is done you might receive a warning about Windows automatic updating. If this is a production server, make a mental note to enable windows updates in the future. Click on Close to continue.

windows-server-2008-active-directory-installation-results

Once Active Directory Domain Services is installed we can create a new domain. Click on the start button and type “dcpromo” (without the quotes):

windows-server-2008-dcpromo

You will see a welcome screen, leave “use advanced mode installation” unchecked and click on Next.

windows-server-2008-ad-domain-services-installation-wizard

You will be presented with some information about operating system compatibility. Click Next to continue.

windows-server-2008-ad-domain-services-compatibility

We will create a new forest with a new domain. Select the second option and click on Next.

windows-server-2008-ad-domain-services-new-domain

The FQDN (Fully Qualified Domain Name) of my forest root domain will be “NETWORKLESSONS.LOCAL”. Click Next to continue.

windows-server-2008-ad-domain-services-FQDN

We will have to select the Forest Functional Level. If you only use Server 2008 R2 or later versions then you can select the "Windows Server 2008 R2" functional level. If you plan to use older versions of Windows Server then you should use a "lower" functional level. I don't plan to add any other servers to this network so I'll select "Windows Server 2008 R2" and click on Next.

windows-server-2008-forest-functional-level-2008R2

Select “DNS server” and click on Next.

windows-server-2008-ad-domain-services-dns

You will receive a warning that a DNS delegation for this server cannot be created. This is expected: there is no parent zone above NETWORKLESSONS.LOCAL in which a delegation could be registered, and the DNS server role is only being installed now. Click on Yes to continue.

windows-server-2008-ad-domain-services-dns-delegation

The default folder structure is fine, click on Next to continue.

windows-server-2008-ad-domain-services-folders

You will be asked for a Directory Services Restore Mode (DSRM) password. This separate password is only used when you boot the domain controller into restore mode to recover Active Directory, and I recommend using a different password than the administrator password for it. Click on Next to continue.

windows-server-2008-ad-domain-services-restore-password

You will receive a summary, click on Next to continue.

windows-server-2008-ad-domain-services-summary

It will take a couple of minutes to install everything, you will see this progress screen:

windows-server-2008-ad-domain-services-progress

Click on Finish to continue.

windows-server-2008-ad-domain-services-completion

The server will ask you to restart, Click on Restart Now.

windows-server-2008-ad-domain-services-restart

Once your server is restarted you will have a working Active Directory and DNS server. The next step will be to install the certificate server.

Installing Certificate Server

When a PEAP wireless client connects to the network, the RADIUS server presents its computer certificate so that the client can authenticate the server. It is up to the client to accept only a valid certificate from the expected CA; this is what prevents an attacker from running a rogue access point with a fake RADIUS server behind it and collecting the password exchange from clients that would otherwise talk to anything. EAP-TLS also requires the RADIUS server's computer certificate, but in addition we need a client certificate for each user that wants to connect to the wireless network.

In order to do this we will configure our server to become a root CA (Certificate Authority). This allows us to generate a computer certificate and also to generate client certificates.

Click on Start > Administrative Tools > Server Manager.

Windows Server 2008 Start Menu Server Manager

Click on Roles > Add Roles.

Windows Server 2008 Server Manager Roles

Click on Next to continue.

Windows Server 2008 Add Roles Wizard

Select Active Directory Certificate Services and click on Next.

windows-server-2008-add-roles-ad-certificate-services

You will see an introduction to Active Directory Certificate Services. Click on Next to continue.

windows-server-2008-introduction-to-certificate-services

Select Certification Authority. If you want to use EAP-TLS then you should also select Certification Authority Web Enrollment. This will allow us to request client certificates through the web browser which is very convenient.

windows-server-2008-add-roles-certification-authority

Once you select Certification Authority Web Enrollment you will receive a notification that we need to install IIS (Web Server). Click on Add Required Role Services to continue.

windows-server-2008-add-roles-ad-certificate-services-features

Make sure both services are selected and click on Next to continue.

windows-server-2008-add-roles-ca-web-enrollment

The certificate server can be integrated with Active Directory (Enterprise) or run stand-alone. We want it to use Active Directory, so that certificate templates and auto-enrollment are available, so select Enterprise and click on Next.

windows-server-2008-ca-type

You can specify if you want this server to be a new Root CA or if you want it to be a Subordinate CA. Select Root CA and click on Next to continue.

windows-server-2008-root-ca

Select Create a new private key and click on Next.

windows-server-2008-new-private-key

The default cryptography parameters are fine, click Next to continue.

windows-server-2008-ca-cryptography

The default CA name is also fine, it will use the computer name and domain name for this. Click on Next to continue.

windows-server-2008-ca-name

The default validity period for the root CA certificate is 5 years. Click Next to continue.

windows-server-2008-ca-validity-period

Click Next to continue.

windows-server-2008-ca-database-location

If you selected the web enrollment option you will see the installation wizard for IIS. You can read the introduction if you like or click on Next to continue.

windows-server-2008-IIS-installation

The default role services are fine, click Next to continue.

windows-server-2008-IIS-role-services

In the confirmation screen you will be warned that you can’t make any changes to the computer name or domain name once you installed the certificate services. Click Install to continue.

windows-server-2008-CA-IIS-confirmation

You will see the following Installation Progress, grab a quick drink…

windows-server-2008-CA-IIS-progress

Once the installation is done you will see another notification that you should enable Windows updates. Click on Close.

windows-server-2008-CA-IIS-installation-results

Right now you have a working Certificate Authority, and IIS is running to serve web requests. If you plan to use EAP-TLS you also need to enable HTTPS on IIS, which is disabled by default: the Server 2008 web enrollment pages will not complete a certificate request over plain HTTP, and the domain credentials you enter there should not cross the network in the clear anyway. If you only want to use PEAP you can skip this step. Click on Start > Administrative Tools > Internet Information Services (IIS) Manager.

windows-server-2008-iis-start-menu

Click on AD (server name) > Sites > Default Web Site and select Bindings on the right side of the screen.

windows-server-2008-iis-manager

Click on Add.

windows-server-2008-iis-site-bindings

Select https in the Type dropdown box and make sure the SSL certificate has been selected. Click on OK to continue.

windows-server-2008-iis-site-binding-https

This concludes the installation of the certificate server and IIS. We can now move onto the configuration of the RADIUS server.

Installing Network Policy Server

Network Policy Server (NPS) is the RADIUS server that you can find on Windows Server 2008. It has a lot of features and is pretty easy to configure. First we will have to install it.

Click on Start > Administrative Tools > Server Manager.

Windows Server 2008 Start Menu Server Manager

Click on Roles > Add Roles.

Windows Server 2008 Server Manager Roles

Click Next to continue.

Windows Server 2008 Add Roles Wizard

Select Network Policy and Access Services and click Next to continue.

windows-server-2008-server-roles-network-policy-server

Make sure Network Policy Server is selected and click on Next to continue.

windows-server-nps-role-services

You will see the confirmation screen, click Next to continue.

windows-server-nps-confirmation

You’ll see the installation progress…

windows-server-nps-progress

And you’ll see the installation results…

windows-server-2008-nps-installation-results

Click on Close.

The Network Policy server is now installed. In the next part we’ll install a computer certificate that we can use to authenticate the RADIUS server to the wireless clients.

Create RADIUS Computer Certificate

With NPS up and running we are ready to create user and computer certificates. The RADIUS server will have to present a certificate to the wireless users so that they can verify if they are talking to the correct RADIUS server. Let me show you how to check if you have a computer certificate and otherwise how to generate one.

Click on Start and type “mmc” (without the quotes), press enter.

windows-server-2008-mmc

Click on File > Add/Remove Snap-in.

windows-server-2008-mmc-add-remove-snap-in

Select Certificates from Available snap-ins and click on Add.

windows-server-2008-mmc-snap-ins

Select Computer account and click on Next.

windows-server-2008-mmc-snap-in-computer-account

Select Local computer and click on Finish.

windows-server-select-computer

At the right side you can see that the computer certificates are now selected. Click on OK.

windows-server-2008-mmc-selected-snap-ins

Click on Personal > Certificates to see all computer certificates. If everything went OK you should see a certificate whose "Intended Purposes" include Client Authentication and Server Authentication; the Server Authentication purpose is what wireless clients check when they validate the RADIUS server.

If you installed NPS on a separate Windows Server 2008 installation, you won’t see a computer certificate here and you’ll have to generate one as well.

windows-server-2008-mmc-computer-certificate

If there’s no certificate, we’ll create a new one. Right mouse click on the white space and select Request New Certificate.

windows-server-2008-request-new-certificate

You will see the following screen, click Next to continue.

windows-server-2008-certificate-enrollment

Select Active Directory Enrollment Policy and click Next to continue. On the next page, tick a template whose purposes include Client Authentication and Server Authentication (the Computer template, or Domain Controller on a domain controller) and click Enroll.

windows-server-2008-select-certificate-enrollment-policy

Click on Finish.

windows-server-2008-certificate-installation-results

You’ll be back at the MMC and you’ll see the installed certificate. Make sure you see that it can be used for client and server authentication before you continue.

windows-server-2008-mmc-computer-certificate

Your server now has a certificate that can be presented to wireless clients when they request the identity of the RADIUS server. Now we can configure a wireless policy…
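The MMC steps above tell you a certificate exists, but not whether NPS can actually use it. The following check is an added example and not part of the original tutorial; it walks the Local Computer Personal store on the NPS server and reports, for each certificate, the things a PEAP or EAP-TLS client will trip over: no private key, no Server Authentication purpose, expired, a name that does not match the host's FQDN, or a chain that does not build to a trusted root. The FQDN is taken from the machine's own host name and DNS suffix; nothing else is assumed. Run it in an elevated PowerShell on the server.

```powershell
# Added example (not from the original article): check that this server holds a
# certificate NPS can present to PEAP/EAP-TLS clients. Assumes the certificate sits
# in the Local Computer Personal store, as in the MMC steps above.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, what 802.1X supplicants look for
$ekuOid        = '2.5.29.37'           # Extended Key Usage extension

# The name clients will compare against the certificate (e.g. AD.NETWORKLESSONS.LOCAL)
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn    = "$($ipProps.HostName).$($ipProps.DomainName)"

function Get-EkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2] $cert) {
    # Returns the OIDs listed in the certificate's Extended Key Usage extension, if any.
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq $ekuOid) {
            return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    return @()
}

function Test-NpsCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2] $cert) {
    $problems = @()
    $now = Get-Date
    if (-not $cert.HasPrivateKey) { $problems += 'no private key, NPS cannot sign with it' }
    if ((Get-EkuOids $cert) -notcontains $serverAuthOid) { $problems += 'missing Server Authentication EKU' }
    if ($cert.NotAfter -lt $now) { $problems += "expired $($cert.NotAfter)" }
    if ($cert.NotBefore -gt $now) { $problems += "not valid before $($cert.NotBefore)" }

    # DNS name from the SAN (or the CN if there is none). Clients configured with
    # "Connect to these servers" compare this against the name you gave them.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $fqdn) { $problems += "name '$dnsName' does not match host '$fqdn'" }

    # The chain must build to a root in the server's Trusted Root store. Revocation
    # checking is skipped so that the check also works on an isolated lab network.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "chain does not build: $status"
    }

    New-Object PSObject -Property @{
        Usable     = ($problems.Count -eq 0)
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Expires    = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Problems   = ($problems -join '; ')
    }
}

$report = @(Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-NpsCertificate $_ })
$report | Format-Table Usable, Subject, Issuer, Expires, Problems -AutoSize -Wrap
if (-not ($report | Where-Object { $_.Usable })) {
    Write-Warning "No certificate usable for $fqdn in Local Computer\Personal; request one as described above."
}
```

A certificate that shows Usable = True here is the one to pick in the PEAP and EAP-TLS settings later on; if several qualify, note the thumbprint so you select the same one in both places.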

Configure Network Policy for EAP Authentication

Network Policy Server is running but we’ll still have to create a policy for our wireless users.

Click on Start > Administrative Tools > Network Policy Server.

windows-server-2008-network-policy-server-start-menu

Do a right mouse click on NPS > Register server in Active Directory.

windows-server-2008-register-nps-in-ad

You’ll be presented the following screen, click OK to continue.

windows-server-2008-nps-dial-in-properties

And a notification that it has been registered. Click OK to continue.

windows-server-2008-nps-authorized

Add Cisco WLC as RADIUS Client

Now we can add a RADIUS client. Don’t confuse the RADIUS client with the wireless clients. We are talking about the wireless LAN controller here. Select NPS > RADIUS Clients and Servers > RADIUS Clients (right mouse click) and click on New.

windows-server-2008-new-radius-client

Enter a friendly name (it can be anything, but I suggest the hostname of the WLC) and the IP address of the WLC. Enter a long, random shared secret in the Shared secret field; RADIUS relies on this secret to protect the exchange with the WLC, so treat it like a password, not a label. We'll need it once we configure the wireless LAN controller. Ticking "Access-Request messages must contain the Message-Authenticator attribute" is a good idea too: EAP requests carry that attribute anyway, and it stops tampered requests from being accepted.

Click on OK to continue.

windows-server-2008-nps-radius-client

You’ll be back at the main screen and you will see that the RADIUS client has been added.

windows-server-2008-nps-radius-clients

Create Wireless Policy

Now we can create a network policy. Click on Policies > Network Policies (right mouse click) and click on New.

windows-server-2008-nps-new-network-policy

Give the policy a name, I’ll call it “Wireless”. Leave the type of network access server as Unspecified.

Click Next to continue.

windows-server-2008-nps-policy-name

Now we can specify some conditions. I’ve set the following conditions:

  • Windows Groups: NETWORKLESSONS\Domain Users. By default every user in our Active Directory is a member of the Domain Users group. If you only want certain users to be able to connect to the wireless network, create a dedicated domain group for them and use that here instead.
  • NAS Port Type: Wireless – IEEE 802.11. This ensures that the network policy only applies to wireless users.
  • Authentication Type: EAP

Click on Next to continue.

windows-server-2008-nps-policy-wireless-conditions

Select Access granted and click on Next.

windows-server-2008-nps-access-permissions

De-select all the "less secure authentication methods" in the following screen (MS-CHAP v2, MS-CHAP, CHAP, PAP and unauthenticated access). We only want to allow PEAP and/or EAP-TLS; leaving these ticked would let the policy accept passwords that are not protected by a TLS tunnel.

Wireless Policy – PEAP Authentication

First we will add PEAP authentication to our wireless policy. Click on Add.

windows-server-2008-nps-authentication-methods

Here you can select the authentication types that you want. I’ll start with PEAP. Click on Microsoft: Protected EAP (PEAP) and click on OK.

windows-server-2008-nps-add-eap

You will see it in the overview. Select Microsoft: Protected EAP (PEAP) and click on Edit.

windows-server-2008-nps-peap-edit

Make sure you have selected the correct certificate. This is the computer certificate that will be presented to wireless users when they connect using PEAP. It allows our wireless clients to confirm the identity of the RADIUS server.

Click OK to continue.

windows-server-2008-nps-eap-properties

Wireless Policy – EAP-TLS Authentication

I’m also going to add support for EAP-TLS. Click Add and select Microsoft: Smart Card or other certificate.

Click OK to continue.

windows-server-2008-nps-add-eap-tls

Select Microsoft: Smart Card or other certificate and click on Edit.

windows-server-2008-nps-eap-tls-properties

Make sure the correct computer certificate has been selected and click on OK.

windows-server-2008-nps-eap-tls-certificate

You will now see both EAP types in the list.

Click Next to continue.

windows-server-2008-nps-peap-and-eap-tls

You will see an option to configure constraints, which let you restrict access to the wireless network, for example with a day and time restriction. Leave them alone for now and first make sure that everything is working; you can always add constraints afterwards.

Click Next to continue.

windows-server-2008-nps-constraints

Click Next to continue.

windows-server-2008-nps-network-policy

And click on Finish to complete the configuration of our wireless policy.

windows-server-2008-nps-completed-policy

NPS is running and we have successfully created a policy for wireless users.

Add Wireless User to Active Directory

The wireless policy that we created in NPS allows all users in the “domain users” group to access the wireless network but we still have to create a user account.

Click on Start > Administrative Tools > Active Directory Users and Computers.

windows-server-2008-start-menu-active-directory

Select Active Directory Users and Computers > NETWORKLESSONS.LOCAL > Users and do a right mouse click on the white space on the right side. Select New > User.

windows-server-2008-ad-new-user

You will have to enter some details for the new user account. I'll call my user "Wifi1". Click on Next to continue.

windows-server-2008-ad-new-object-user

Enter a password and make sure the “User must change password at next logon” field is unchecked. Click Next to continue.

windows-server-2008-ad-user-password

Click on Finish to create the new user account.

windows-server-2008-ad-user-created

So far so good…Active Directory is up and running with a user account, our server is a root CA and has a computer certificate and we configured NPS for wireless users. Now we’ll have to configure the Cisco Wireless LAN controller to use the RADIUS server for authentication.

Configure Cisco Wireless LAN Controller to use RADIUS Authentication

Configuring a RADIUS server on the Cisco WLC isn’t difficult. First we’ll have to configure the RADIUS server and the next step is to configure a WLAN profile to use WPA(2)-enterprise mode.

Start your web browser and log into the WLC:

cisco-wlc-login-screen

Add RADIUS server

Select Security > RADIUS > Authentication.

cisco-wlc-security-radius

Click on New.

cisco-wlc-new-radius-server

Here you need to enter the IP address and the shared secret (password) that you created when you configured the RADIUS client in NPS.

Click Apply to continue.

cisco-wlc-radius-fields

Create WLAN for RADIUS Authentication

Now we can create a new WLAN and configure it to use WPA-enterprise mode so it will use RADIUS for authentication.

Select WLANs from the main menu, click on Create New and click on Go.

cisco-wlc-create-new-wlan

I will call the new WLAN “EAP”. Click Apply to continue.

cisco-wlc-new-wlan-settings

Select the General Tab and ensure Status is Enabled. The default security policy is 802.1X authentication and WPA2.

cisco-wlc-wlan-edit-general

Now select the Security > AAA Servers tab and select the RADIUS server that you just configured.

cisco-wlc-wlan-edit-security-aaa

That's all you have to configure on the Wireless LAN Controller. Before you continue, verify that the WLC can reach the RADIUS server. RADIUS authentication uses UDP port 1812 (accounting uses 1813); the WLC's server entry defaults to 1812, and NPS listens on 1812 and on the legacy port 1645, so make sure no access-lists or firewalls block that traffic between the WLC and the server, and check that the Windows Firewall on the server allows inbound UDP 1812 (the NPS role adds rules for this when it is installed).

Configure Wireless Client (Windows 7)

This is where the real fun starts…it’s time to configure a wireless client to connect to our wireless network. I will be using Windows 7 to demonstrate how to connect using PEAP and EAP-TLS.

If your Windows 7 computer is in workgroup mode (the default) then you will have to import the root CA certificate from the Windows 2008 server yourself, otherwise you will get an error that the client doesn't recognize the root CA. This is normal because we created a new root CA and generated a new certificate. When your computer has joined the domain you can skip this step because it automatically receives the root CA certificate from the domain controller.

Let me show you how to import the root CA on your Windows 7 computer, if you joined the domain then you can skip this step…

Export root CA from Server

First we will have to export the root CA from the server. Normally you can find it in a shared folder on the server. Connect your client using a network cable and open the shared folder on the server:

\\10.82.2.50\CertEnroll

If you don’t have a network cable or you can’t access the shared folder then it’s also possible to export the root CA from the server ourselves. Go to the server and open MMC:

Click on Start > type “MMC” (without the quotes) and hit enter.

windows-server-2008-mmc

Select File > Add/Remove Snap-In.

windows-server-2008-mmc-add-remove-snap-in

Select Certificates from the available snap-ins and click on Add.

windows-server-2008-mmc-snap-ins

Select Computer account and click on Next.

windows-server-2008-mmc-snap-in-computer-account

Select Local computer and click on Finish. When you see Certificates (Local Computer) on the right side you can click on OK.

windows-server-2008-mmc-selected-snap-ins

Select Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates. On the right side you will see your root CA. Select it, do a right mouse click and select All Tasks > Export.

windows-server-2008-export-root-ca

You will see the Certificate Export Wizard. Click Next to continue.

windows-server-2008-certificate-export-wizard

Don’t export the private key. Click Next to continue.

windows-server-2008-certificate-export-private-key

Select the DER encoded binary X.509 (CER) file format and click Next.

windows-server-2008-certificate-file-formats

Choose a folder and filename and select Next.

windows-server-2008-certificate-save-as

And click on Finish to complete the export.

windows-server-2008-certificate-export-completed

Copy the certificate that you just exported to a USB stick or something and move it to your Windows 7 computer.

Import Root CA to Windows 7

Double click on the certificate file that you just exported on your Windows 7 computer and you will see the following screen. Click on Install Certificate.

windows-7-certificate-install

Click Next to continue.

windows-7-certificate-import-wizard

Make sure the Trusted Root Certification Authorities store has been selected. If not click on the Browse button and select it. Click Next to continue.

windows-7-certificate-store

Click Finish to complete the certificate import wizard.

windows-7-certificate-import-completed

You might get a security warning that you are about to trust a new root certificate. Click Yes to continue.

windows-7-certificate-security-warning

We are almost done. We also have to add this certificate to the computer's NTAuth store, which lives in the registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth, or your computer will still not trust the root CA for this purpose. If you want to know the exact reason you can look at KB 2518158 on the Microsoft website.

Click on Start > type “cmd” (without the quotes) and hit CTRL+SHIFT+ENTER. This will open a command prompt with administrative rights.

C:\Users\vmware\Desktop>certutil -f -enterprise -addstore NTAuth AD.crt
NTAuth
Signature matches Public Key
Certificate "CN=NETWORKLESSONS-AD-CA, DC=NETWORKLESSONS, DC=LOCAL" added to store.
CertUtil: -addstore command completed successfully.

Your computer now trusts the root CA. We can now connect to the wireless network.

Configure Wireless Profile for PEAP

We’ll create a new profile to connect using PEAP.

Open Control Panel and select Manage wireless networks.

windows-7-control-panel-manage-wireless

Click on Add.

windows-7-manage-wireless-networks

Select “Manually create a network profile“.

windows-7-manually-create-network-profile

Enter the network name, select WPA-Enterprise or WPA2-Enterprise and click on Next.

windows-7-wireless-security-profile

Select Change connection settings.

windows-7-wireless-profile-created

Select the Security tab , choose Microsoft: Protected EAP (PEAP) and click on Settings.

windows-7-peap-settings

Select Validate server certificate. You should see the root CA that we imported in the Trusted Root Certification Authorities list; tick it. If you leave every CA unticked, Windows accepts a server certificate that chains to any root CA in its store, including the public ones, so a rogue access point with a RADIUS server behind it only needs a certificate from any trusted CA to be accepted. It is also worth ticking "Connect to these servers" and entering the name on the NPS computer certificate (AD.NETWORKLESSONS.LOCAL in this example), and "Do not prompt user to authorize new servers or trusted certification authorities", so that a user can never click through a warning and hand their password to the wrong server.

Make sure the authentication method is Secured password (EAP-MSCHAP v2) and press the configure button.

windows-7-peap-properties

Uncheck the button that wants to automatically use the windows username/password for authentication. Click OK to continue.

windows-7-eap-mschapv2-properties

Click OK until you return at the EAP Wireless Network Properties and select Advanced Settings.

windows-7-eap-advanced-settings

Select specify authentication mode and choose for user authentication. Click OK to continue.

windows-7-eap-user-authentication

Keep clicking on OK until you are out of the wireless profile configuration, you are now ready to connect to the wireless network using PEAP. Look for the wireless icon in the taskbar, select the wireless network and click on Connect.

windows-7-available-wireless-networks

 

You will see a pop-up that asks for your credentials. Enter the username and password that you configured in Active Directory and click on OK.

windows-7-wifi-username

And you will see that you are now connected:

windows-7-wireless-connected

Congratulations! You just authenticated a user through PEAP. In the next part I’ll show you how to authenticate the user by using EAP-TLS and a client certificate.

Configure Wireless Profile for EAP-TLS

To authenticate a wireless user through EAP-TLS instead of PEAP we will have to generate a client certificate. Connect your Windows 7 computer to the network so that you can access the server, open a web browser and enter the following address (use the server's name instead of its IP address if your client can resolve it, otherwise the browser will warn that the HTTPS certificate name doesn't match):

https://<ip-of-server>/certsrv

You will see a pop-up that asks for credentials. Enter the username and password of the wireless user that requires a client certificate and click on OK.

windows-7-certsrv

Select Request a Certificate.

If you are using Internet Explorer 10 you might receive a warning that says "This Web browser does not support the generation of certificate requests." Enabling Compatibility View for the site in IE10 solves this problem.

windows-7-certsrv-request-certificate

Select User Certificate.

windows-7-user-certificate-request

Select Yes.

certsrv-web-access-confirmation

And click on Install this certificate.

certsrv-install-certificate

You will see a notification that the certificate has been installed.

certsrv-certificate-installed

Now we can change the wireless profile that we created earlier for PEAP to use EAP-TLS instead. Do a right mouse click on the EAP wireless profile and select Properties.

windows-7-manage-wireless-profile-peap

Select Microsoft: Smart Card or other certificate, click on Settings and tick Validate server certificate there as well, selecting the same root CA as for PEAP; the EAP-TLS profile needs to verify the RADIUS server just as much as the PEAP profile does. Click OK to continue.

windows-7-wireless-smart-card-certificate

Now try to connect again to the wireless network, select the correct profile and click on Connect.

windows-7-available-wireless-networks

And you will be connected to the wireless network!

windows-7-wireless-connected

 

Congratulations…you just connected using EAP-TLS!

Troubleshooting

If everything went OK then you now have a working wireless network that offers PEAP and EAP-TLS authentication. There are many components in this tutorial so troubleshooting might be difficult sometimes. Your best friend is the Windows event viewer on the server, as it will show you all errors. Look in the Security event log for the Network Policy Server entries: event 6272 means NPS granted access, 6273 means it denied access, and the 6273 event includes a Reason Code and the matching text that tells you why (for example a password mismatch, or a client offering an EAP type the policy doesn't allow). If you run into any issues, let me know and I'll add the troubleshooting steps here.
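Reading 6273 events one by one in Event Viewer gets old quickly. The script below is an added example and not part of the original tutorial: it pulls the recent NPS grant/deny events from the Security log on the server, extracts the user, client MAC, EAP type and reason from each, lists the latest attempts and groups the denials by reason code. The field labels are the ones NPS prints in its event text; nothing else is assumed. Run it in an elevated PowerShell on the NPS server.

```powershell
# Added example (not from the original article): summarise the latest NPS decisions from
# the Security log. NPS logs event 6272 when it grants access and 6273 when it denies it.
# Assumes NPS auditing is on, which is the default once the role is installed
# (check with: auditpol /get /subcategory:"Network Policy Server").

function Get-NpsField([string] $message, [string] $field) {
    # The event text has one "Label:<tabs>value" per line; return the first value found.
    $pattern = '(?m)^\s*' + [regex]::Escape($field) + ':\s*(.*?)\s*$'
    if ($message -match $pattern) { return $matches[1] }
    return '-'
}

function Get-NpsDecisions([int] $max = 200) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents $max -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Id -eq 6272) { $result = 'GRANTED' } else { $result = 'DENIED' }
        New-Object PSObject -Property @{
            Time         = $e.TimeCreated
            Result       = $result
            User         = Get-NpsField $e.Message 'Account Name'
            ClientMac    = Get-NpsField $e.Message 'Calling Station Identifier'
            RadiusClient = Get-NpsField $e.Message 'Client Friendly Name'
            EapType      = Get-NpsField $e.Message 'EAP Type'
            ReasonCode   = Get-NpsField $e.Message 'Reason Code'
            Reason       = Get-NpsField $e.Message 'Reason'
        }
    }
}

$decisions = @(Get-NpsDecisions 200)
if ($decisions.Count -eq 0) {
    Write-Warning 'No NPS events in the Security log: either nobody has tried to connect yet or NPS auditing is off.'
    return
}

# Most recent attempts first: who tried, from which client MAC, with which EAP type, and why it failed.
$decisions | Sort-Object Time -Descending | Select-Object -First 15 |
    Format-Table Time, Result, User, ClientMac, EapType, ReasonCode -AutoSize

# Denials grouped by reason. Reason code 16 is a username/password mismatch; 22 means the
# client offered an EAP type the policy does not allow (for example EAP-TLS against a
# policy that only has PEAP enabled).
$decisions | Where-Object { $_.Result -eq 'DENIED' } |
    Group-Object ReasonCode, Reason | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize -Wrap
```

A burst of 6273 events with reason code 16 from a single client MAC is also the signature of someone guessing passwords against the SSID, so the same grouping doubles as a cheap detection when run on a schedule.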

Conclusion

I hope this tutorial has been helpful to you to install a Windows Server 2008 machine to act as the RADIUS server for your (Cisco) wireless network that offers EAP-TLS and/or PEAP authentication. If you have any additions or questions feel free to leave a comment and I'll do my best to answer them. If you enjoyed this tutorial, please share it!

Copyright protected by Digiprove © 2013 Rene Molenaar


90 Responses to “PEAP and EAP-TLS on Server 2008 and Cisco WLC”

  1. Francis June 20, 2013 at 4:55 pm #

    Great piece there. For the purpose of practice, I have a Linksys wireless router I share my internet with friends on the same apt. My ISP assigns me IP dynamically through a modem and connected to them (ISP) on PPPoE style. I want to implement this so my friends don't log other friends behind my back. Once they are logged on no second login with same credentials can be logged

    Thank You

    • Rene Molenaar June 21, 2013 at 7:27 pm #

      Using PEAP will work well because you can track what usernames are accessing your wireless network, and you can permit just a single login for each user.

      It does take time to set up the radius server, freeradius is a nice and simple alternative for the Microsoft solution btw.

      • sindy July 18, 2013 at 1:23 pm #

        Useful explanation! I want to use EAP-TLS for authentication with a WLC 5508, but:
        1- do I have to install a certificate on all client assets?
        2- I want the client to have nothing to do but select the SSID, without any settings to configure (if that’s not possible this means that I have to configure 200 assets!)

        • Rene Molenaar July 18, 2013 at 5:10 pm #

          If you want to use EAP-TLS then you will need client certificates and yes somehow you will have to provision these to your clients. For Windows computers in the domain you can use group policy to auto-enroll certificates and auto-configure the wireless profile.

          For Apple devices you can look for “MDM” which is meant to configure iPhones and iPads on a large scale. There’s probably also something for Android devices…

          • sindy July 19, 2013 at 9:01 am #

            Exactly, what I want is to push out the policy to end user devices: the client only has to accept the certificate and the process will be transparent for him, no configuration to do.
            Could you help me on how to realise it?

            Regards

          • Rene Molenaar July 19, 2013 at 9:02 am #

            This is possible but it depends on the client. Are you talking about Windows 7 laptops or other devices like Apple or Android?

          • sindy July 19, 2013 at 9:55 am #

            Sorry but I can’t find how to reply to your post below, this is why I answer here.

            Then yes, I’m talking about Windows 7 and XP laptops, and when I solve this category I will probably need to do the same on Android; if it’s not possible then could you make a post please with what’s possible to realise?

          • Rene Molenaar July 19, 2013 at 10:14 am #

            Are your Windows XP / 7 laptops in the domain or in a workgroup? Domain is easy since you can use group policy to enroll the client certificates and configure the wireless profile for them. If they are in a workgroup then you’ll have to do some scripting if you want everything to be auto-configured. It’s also not a bad idea to create a simple user manual so that users can get a certificate.

            Android devices are difficult to “auto enroll”. I’m not sure if there is management software that can do this…I know there is for Apple (google for Apple MDM).

          • sindy July 19, 2013 at 10:34 am #

            Yes, all laptops are already on a specific domain

          • sindy July 19, 2013 at 10:40 am #

            I’ve a problem, I noted that 80% of laptops are on a domain and the rest of on other domain. Is there a solution for this?

          • Rene Molenaar July 19, 2013 at 2:50 pm #

            There probably is. You could create some trust relations between domains, or create a script or something to automate the following: http://networklessons.com/wireless/peap-and-eap-tls-on-server-2008-and-cisco-wlc/#Configure-Wireless-Client

          • sindy July 29, 2013 at 10:41 am #

            Hi Rene,
            Could you please make a post with EAP-TLS authentication by using Apple devices or Android?
            Many thanks in advance

          • sindy July 29, 2013 at 10:54 am #

            Thank you Rene

      • sindy July 18, 2013 at 4:14 pm #

        Many thanks for the explanation. My company has over 200 laptops, how do I proceed?
        What about the DNS, because we already have a DNS and IP addresses are delivered automatically.

        • Rene Molenaar July 18, 2013 at 5:11 pm #

          So what exactly is your question? In my example I installed DNS because Active Directory requires it. If you have an Active Directory then you can use your current DNS?

          • sindy July 19, 2013 at 9:19 am #

            To be more clear, I already have an architecture with AD and DNS… but as I’m quite new to this stuff, I’ve installed a new Windows Server 2008 and I followed your steps. For this, should I install a new Active Directory? Or is it possible to make a link to the existing AD or simply copy the groups to the new AD?

          • Rene Molenaar July 19, 2013 at 9:47 am #

            If you have an AD and DNS then you only need to install the CA and NPS roles. I wouldn’t recommend to implement this right away in your production environment, best to try everything first in a test lab using vmware or virtualbox to understand how all components work together.

      • Sam July 23, 2013 at 7:14 am #

        Thank you Rene for the explanation, it’s very helpful.
        I’m trying to implement your example. I’ve created a test lab, I’ve installed a Windows Server 2008 R2 on VMware and I want to use a new AD from the server 2008 (not the existing one from the production architecture), then I have 2 questions:

        1- As the server is on VMware, what precautions should I take to isolate my test lab so as not to disturb the production installation?
        2- For the test I’ll install the AD and DNS (all your steps), but when I want to migrate to the existing AD and DNS how can I proceed? Should I remove AD and DNS from the server 2008, is that sufficient?

        • Rene Molenaar July 24, 2013 at 9:12 pm #

          Make sure your lab is not connected somehow to your production network as you might run into issues. I use a separate VLAN on my switch for testing purposes. If you only want to practice with the servers in VMware then you can set the NICs of your VM guests to use another physical NIC or host-only.

          Removing the AD and DNS roles is possible but I always prefer to start with a clean setup. See if you can get everything up and running in VMware and if it works, re-build it for the production network. When you install some roles and remove them later, you never know what kind of “leftovers” you might find later…

          • Sam July 25, 2013 at 7:38 am #

            I’ve chosen the EAP-TLS method, deployed through a GPO. I followed all your steps, but when I try to connect to the SSID it’s impossible, nothing happens.
            Afterwards, on my laptop I checked the existing certificates:
            I found my wireless certificate in the tab “Trusted Root Certification Authorities”
            and in the tab “Personal” no certificate. So this is why nothing happens. I don’t know how to troubleshoot this problem. Do you have any idea?
            Perhaps on the WLC I forgot to configure something?

          • Rene Molenaar July 25, 2013 at 8:21 am #

            Sounds like a client problem. It should have a user certificate. The WLC doesn’t know anything about certificates…it’s only configured for 802.1X. It’s best to check the event viewer of the server running NPS to see why a client wasn’t able to connect.

          • Sam July 25, 2013 at 9:03 am #

            I’ve opened the event viewer of the server running NPS, to gain time, could you indicate to me on which tab I’ll begin the troubleshooting?

          • Sam July 26, 2013 at 9:10 am #

            it works! but I added some steps like installing certificate on wlc, how did you do this automatically?

          • Rene Molenaar July 26, 2013 at 9:54 am #

            Hi Sam,

            There is really no need to install a certificate on the WLC for PEAP or EAP-TLS. The WLC just sits in the middle and only requires a configured radius server and the SSID for WPA(2)-Enterprise…that’s all.

          • Sam July 29, 2013 at 10:52 am #

            what about the validity of certificate?
            If I want to provide a perpetual validity, how can I set it with EAP-TLS authentication?

          • Rene Molenaar July 29, 2013 at 10:54 am #

            Hi Sam,

            When you setup the certificate template for the user you can change the validity period for the user certificate.

            Rene

          • Sam July 31, 2013 at 9:56 am #

            Hi Rene,
            Thanks for the help, it works fine :-)
            Now, I want to create a policy or something else concerning employees’ private assets.
            For this, I’ve created a new SSID for employees’ private assets and I’ve used web authentication on the WLC via the web portal and AD credentials.
            It works fine but after 2 days the employee must re-enter his login, and my question is:
            is it possible, when the employee connects for the first time, to capture his MAC address (his private asset) and store it on NPS (radius)? Perhaps on the WLC I may use these options: MAC filtering and web policy on MAC filter failure, but till now without success. Do you have any idea?

          • Rene Molenaar July 31, 2013 at 10:06 am #

            Hmm I believe NPS can do MAC based authentication but I’m not sure if it can “store” the MAC address of a device after successful authentication. I also don’t recommend doing any MAC based authentication, especially for wireless since MAC addresses are always unencrypted in the air and easy to spoof. It doesn’t add any protection at all…

        • Sam July 31, 2013 at 11:11 am #

          Yes, you’re right but in addition to mac filtering I have to use a layer 2 or 3 authentication.
          Then, no solution BYOD with cisco wlc and windows?

          • Rene Molenaar August 7, 2013 at 7:54 am #

            But why exactly do you want to add the MAC authentication next to a decent layer 2 or 3 authentication?

          • Sam August 12, 2013 at 4:10 pm #

            Hi Rene,
            I found that to solve the BYOD problem we can use an open source solution such as PacketFence….
            I’m trying to implement this solution but I faced some difficulties; have you already tested this solution or another open source solution?
            I think that with your lessons it’s easier to implement because you explain very well!

          • Rene Molenaar August 12, 2013 at 4:42 pm #

            Hi Sam, I haven’t tried packetfence yet but I have to say it looks pretty cool. It uses freeradius as the radius server instead of Microsoft nps. If you want to give this a serious shot I would first try to get PEAP and or EAP-TLS working through freeradius before diving into packetfence.

            Rene

          • Sam August 13, 2013 at 7:13 am #

            I think it’s better if you leave NPS for professional authentication and use freeradius for BYOD (guests + personal devices of employees)?

          • Rene Molenaar August 13, 2013 at 3:25 pm #

            Corporate devices should be authenticated using 802.1X / RADIUS because it’s far more secure than a pre-shared key. I wouldn’t use 802.1X for personal devices because of the administrative overhead (configuring wireless profiles).

            For guest users it’s best to create a captive portal and keep the wifi ‘open’ or use a pre-shared key. Make sure all ports are disabled with the exception of basic stuff like http, https and such.

  2. Robson de Carvalho June 24, 2013 at 2:54 pm #

    Many thanks dear… perfect post

  3. sindy July 18, 2013 at 1:24 pm #

    Useful explanation! I want to use EAP-TLS for authentication with a WLC 5508, but:
    1- do I have to install a certificate on all client assets?
    2- I want the client to have nothing to do but select the SSID, without any settings to configure (if that’s not possible this means that I have to configure 200 assets!)

  4. Rakesh August 1, 2013 at 4:09 pm #

    Hello Rene,

    Thank you for explaining this brilliantly. I have both PEAP and EAP-TLS working. But using EAP-TLS I am having issues with the CRL (certificate revocation list). I am using computer certificates and when I revoked the certificate for a particular computer, it can still connect to the wireless network. I have been checking lots of forums but still cannot get this working. Can you please suggest something? Thank you

    Rakesh

    • Rene Molenaar August 1, 2013 at 4:56 pm #

      Hmm good question, I would have to check it to see how it’s done. If I have some spare time I’ll try it.

      • Rakesh August 6, 2013 at 9:24 am #

        Thank you Rene.
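Two of the threads above (Sam’s laptop that had the CA certificate in Trusted Root but nothing in Personal, and Rakesh’s revoked computer certificate that still connects) come down to the same client-side check. The PowerShell below is an added example, not code from the tutorial or from any of the commenters: it lists certificates in the user’s Personal store that are actually usable for EAP-TLS (private key present, Client Authentication EKU) and builds the chain with an online revocation check, which is the same validation the RADIUS server performs. It assumes it is run on the Windows client as the user who will connect; for computer certificates change `Cert:\CurrentUser\My` to `Cert:\LocalMachine\My` and run it elevated.

```powershell
# Added example, not from the tutorial. Run on the client as the connecting user.
# EAP-TLS needs a certificate with a private key and the Client Authentication
# EKU in the *Personal* store. A CA certificate in Trusted Root only lets the
# client verify the RADIUS server; it does not identify the client.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}

if (-not $candidates) {
    Write-Warning 'No certificate with a private key and the Client Authentication EKU in CurrentUser\My.'
    Write-Warning 'Auto-enrollment has not delivered a user certificate yet; a CA cert in Trusted Root is not enough.'
    return
}

foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Fetch the CRL (or OCSP response) for every certificate in the chain instead of
    # trusting a cached copy; this is what decides whether a revoked cert is rejected.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        ChainValid = $chainOk
        # Empty when the chain is fine; otherwise e.g. Revoked, RevocationStatusUnknown, OfflineRevocation
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```

On the revocation question: revoking a certificate on the CA does nothing until a new CRL is published and the validating party fetches it. Both the NPS server and the .NET chain builder above keep the last CRL they downloaded until its NextUpdate time passes, so a freshly revoked certificate is still accepted for the rest of that interval. Publish a new CRL after revoking, keep the CRL validity period short, and make sure the CRL distribution point in the certificate is reachable from the NPS server; if the status above shows RevocationStatusUnknown or OfflineRevocation, the CDP URL is the thing to fix first.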

  5. Cam August 6, 2013 at 7:35 pm #

    Can I avoid installing the Certificate Server and use the wlc for cert instead
    Thanks
    Noob on wireless so this site has been very useful

    • Rene Molenaar August 7, 2013 at 7:53 am #

      Hi Cam,

      Unfortunately not. The certificate on the WLC is meant for web authentication, not for user authentication. You’ll really need a CA and a radius server for EAP-TLS.

      Rene

      • Cam August 7, 2013 at 1:02 pm #

        Thanks again
        Will do cert server

  6. Nurisa August 24, 2013 at 12:57 pm #

    my final project year title is IMPLEMENTING SECURE WIRELESS NETWORK TRAFFIC USING EXTENSIBLE AUTHENTICATION PROTOCOL with TRANSPORT LAYER SECURITY (EAP-TLS) . in your opinion, It is related with your post here???

    • Rene Molenaar August 24, 2013 at 1:03 pm #

      I guess it’s your lucky day then as this is post is 100% about configuring EAP-TLS. You might have to read up on the theory but this is how the implementation is done.

  7. Nurisa August 24, 2013 at 1:09 pm #

    That means EAP-TLS configuration does not require routers and switches?

  8. Nuisa August 29, 2013 at 4:28 am #

    Sir, what are the advantages that we can get by using EAP-TLS compared to other network security?

    • Rene Molenaar August 29, 2013 at 7:54 am #

      When you want to use WPA/WPA2 you have two options:

      1) Personal (pre-shared key)
      2) Enterprise (802.1x)

      The problem with the pre-shared key is that you have no control over the key…it can be shared with everyone so it’s not a scalable solution.

      Enterprise is far more secure and supports multiple EAP types. The most advanced one is EAP-TLS which requires certificates for the client and the server for authentication. The client will check if it’s talking to the correct server and the server will check if the client is allowed to connect to the wireless network.

  9. Karthik August 29, 2013 at 9:21 am #

    Hi Rene,

    Thanks for your post. It was very easy to configure EAP-TLS without any network background.
    I have one doubt. I have one IP camera which supports 802.1x using EAP-TLS and there are options in its settings tab like “EAPOL version, ID, Password, CA certificates, Client certificates and Private key”. Where can I get all of these?

    Also you explained about setting up the RADIUS server in a Cisco wireless controller. But here I have a Linksys EA4500 wireless router and it does not have these options.

    So kindly help me to setup 802.1x environment for this scenario.

    Thanks in advance
    Karthik

    • Rene Molenaar August 29, 2013 at 10:31 am #

      Hi Karthik,

      You should be able to select WPA(2)-Enterprise on your EA4500 router instead of WPA-Personal (Pre-shared key).

      Devices like printers and cameras can be authenticated using EAP-TLS but it’s more troublesome. What I would do, is follow my guide in this tutorial about getting a personal certificate on the windows 7 computer. You can probably use the same certificate for your camera…if it doesn’t support a personal certificate you’d have to use a computer certificate but that goes beyond the content of this tutorial :)

      Rene

  10. Scha September 1, 2013 at 12:46 pm #

    Hi Rene.
    Can you list all type of hardware and software that you use to do this tutorial ?? :)

    • Rene Molenaar September 2, 2013 at 7:32 pm #

      You don’t need much:

      – Windows Server 2008 R2 (just run it in vmware workstation or virtualbox)
      – Windows 7 Client with wireless adapter.
      – A wireless access point that supports WPA(2)-Enterprise.

  11. Adhibi September 11, 2013 at 3:40 pm #

    Can i configure a peap authentication without installing certificate server ??
    ;)

    • Rene Molenaar September 12, 2013 at 8:49 am #

      Yes and clients can even choose to ignore a server certificate. If you do it this way then you still have username/password authentication and the advantage of per-session encryption keys but the downside is that it’s possible for attackers to spoof the RADIUS server.

  12. Ken September 11, 2013 at 8:07 pm #

    Hi Rene, I am trying to do this setup at my work and am having issues. we have a server for each.. for instance cert server (deal with certificates) , DHCP server ( has NPS installed) , DNS server, WLC. , DC (AD).

    I followed all of your instructions.. and I am trying to connect a laptop that is not on the domain so I followed your instruction on exporting the cert from the NPS server to my windows 7 laptop. and I followed all configures same as you..

    but when I add my ssid to the windows 7 and all the same settings as you suggested for connecting PEAP.. I get to the point where it prompts me for user name and password.. and I input that and it seems like it never gets authenticated.. even though I supplied it with the correct user name and password.. that username and password box keeps popping up and asking me to input the information over and over again.. any idea what I am doing wrong? or where I should look to troubleshoot this?

    Thanks.

    • Rene Molenaar September 12, 2013 at 8:53 am #

      Hi Ken,

      You should first look at the event viewer, especially the security section. I would start at the NPS server because it will tell you why clients have been permitted or denied, and if denied…it will show you the reason.

      Rene

      • Ken September 12, 2013 at 8:56 pm #

        Hi Rene.
        Thanks for the reply.. I checked the event viewer under security and also under the NPS roles in event viewer and It does not show anything denied or permitted…no errors as well. its strange that It did not log my login attempts, any idea why it does not log my login attempts ?

  13. Scha September 20, 2013 at 1:45 pm #

    Hi Rene, can you give me an example of a wireless access point that supports WPA(2)-Enterprise?

    • Rene Molenaar September 20, 2013 at 6:20 pm #

      Any access point from the last 5 years should do the job. Even the cheap ones…

  14. Kyle October 7, 2013 at 2:53 am #

    Hi Rene, I need an explanation for this question…
    Do I have to use a WLC, or can I just connect from the server to an AP?

    Sorry, newbie in servers

    • Rene Molenaar October 7, 2013 at 2:54 pm #

      Hi Kyle,

      Most standalone access points support WPA(2)-Enterprise so you can use them for this setup.

      Rene

  15. Amit October 26, 2013 at 12:55 pm #

    Dear Sir,

    Very good article, I like it, but my scenario is different from it. We have a wired network on Cisco based switches and are creating different VLANs. In this condition how can we implement RADIUS for both the wired and wireless network?

    please help

    • Rene Molenaar November 11, 2013 at 10:07 am #

      Hello Amit,

      This tutorial about wireless is about 90% the same as for wired authentication, instead of using the Wireless LAN Controller you’ll have to configure your switch for 802.1x port-based authentication. I don’t have a tutorial ready for it but it’s quite easy to configure, plenty of examples on Google. You can use this tutorial for the configuration of the radius server itself.

  16. Iancul February 3, 2014 at 3:49 pm #

    Hello Rene,

    Thank you for this guide. However I have a question for you:
    -I am trying to create a network policy in which to connect to the nps from a linux or any other device just by using the active directory username and password (NO CERTIFICATE INVOLVED) and I can’t find how to achieve this for the life of me. Could you please help?

    Thanks,
    Iancu

    • Rene Molenaar March 10, 2014 at 2:11 pm #

      Hi Iancu,

      You can do this just like I did in my tutorial. Configure NPS to use Active Directory and then authenticate users against NPS. It will do a lookup in Active Directory. If you just want username/password authentication you can stick to PEAP…forget about EAP-TLS.

      Rene

  17. Getheme February 6, 2014 at 6:15 pm #

    Hello, I encounter an issue when I configure EAP-TLS on the wired interface for user authentication. I already auto-enroll user and computer certificates by a GPO. When I try to authenticate the user and the computer, it works well. But the problem is that when a user tries to connect to another computer, his certificate hasn’t been downloaded from the Active Directory yet. We receive a message which displays that “a certificate is required for network connection”. Is it possible to increase the time before processing the EAP-TLS authentication request to allow the user to download his certificate before authentication?

    My NPS is Cisco Identity Service Engine, I configured 802.1X on the switch.

  18. Richard March 3, 2014 at 3:33 pm #

    Hi Rene,

    i have read many posts but this is more comprehensive.

    Our production is a mixture of different hardware (WNIC), OS versions and smart phones. I’m not sure if EAP-TLS and/or PEAP is supported. Can I configure (fallback) a basic authentication (passphrase) for certain wifi users if something goes wrong? Should I repeat the same steps above to configure redundant NPS/RADIUS servers?

    Thanks .

    • Rene Molenaar March 10, 2014 at 1:21 pm #

      Hi Richard,

      For a single SSID you can only choose between WPA(2) personal (pre-shared key) or enterprise (RADIUS). If you want to have a fallback mechanism between the two then it’s probably best to use two SSIDs. You could use EAP-TLS or PEAP perhaps for devices that need access to certain LAN resources. Other devices could perhaps use a pre-shared key but only for Internet access or something.

      RADIUS authentication makes wireless far more secure but it will take more time to implement and manage it.

      Rene

      • Richard April 5, 2014 at 3:29 am #

        Thanks Rene,

        It is now working, and I’m trying to have it approved for implementation.
        EAP-TLS is working. If you use the same laptop to install 2 certificates (for 2 users) generated by the web enrollment, it shows a drop down menu (certificate A & B) before you can connect to WiFi. If one decided to remove certificate A from the said laptop, because the laptop will be used by another person, how should I do this? I have been trying to google “DELETING CERTIFICATE OF EAP-TLS”, but no luck. I’ve also checked MMC-Certificates-Personal; nothing seems related to the EAP-TLS-issued certificate.

        Does the certificate reside in the CA? Will revoking it solve my dilemma?

        Thanks again..

  19. Nuwan Nalinda May 23, 2014 at 8:28 am #

    dear sir
    I have one question. If Windows 7 computers join the domain, will they get a certificate automatically? If we have 100 laptops on the domain, do they have 100 different certificates?
    thanks

    • Admin May 23, 2014 at 2:04 pm #

      It doesn’t happen as soon as you join a computer to the domain but you can configure auto-enrollment for user certificates.

  20. Tony Ang June 12, 2014 at 2:29 am #

    Thanks for this great piece of work. Explained beautifully.

  21. Omid June 22, 2014 at 7:39 am #

    Hi Rene ,
    Thank you very much for your great and very useful tutorial. As we have a mixture of mobile phones and corporate laptops, we would like to have AAA authentication in place to at least see our connected users’ usernames in the management consoles. The question is: is it possible to have PEAP authentication on our mobile phones without installing a certificate on them? I followed and configured your instructions and it worked like a charm, but personally I could not connect to the PEAP wireless network with my iPhone, nor could anybody else.
    Would you please elaborate more on this topic and help me if there is another way for authentication without installing a certificate on mobile phones?
    I really appreciate your work.

    • Rene Molenaar June 25, 2014 at 7:46 am #

      Hi Omid,

      You are welcome. If you use PEAP, the clients don’t require a client certificate (that’s what EAP-TLS is for) and normally you can disable the validation of the server certificate. This means that the clients won’t check the server certificate and only the username/password is checked by the server. This works for Windows 7, Android devices and I’m 99% sure that you can do it on the iPhone / iPad.

      Rene

  22. Mvd July 11, 2014 at 1:37 pm #

    Hello,
    very nice blog!
    One question.
    My clients will receive the following question when connecting :

    Enter your username and password
    Use my windows user account

    Connect using a certificate

    Is there a GPO to automate this so this question is skipped?

    Thx

    • Rene Molenaar July 11, 2014 at 2:41 pm #

      Hmm good question, have you checked the advanced properties? there should be an option to remember the PEAP credentials for Windows 7 or 8. Once you are connected:

      1) View connection properties
      2) Open the security Tab
      3) Advanced Settings
      4) Replace credentials
      5) Enter credentials and hit OK.

      That should force Windows to remember the credentials instead of asking for them over and over again. If it doesn’t work…maybe there’s a GPO that can do this but I don’t know it off the top of my head :)

  23. Francisco July 20, 2014 at 6:17 pm #

    Hi Rene,

    First, thanks so much for this tutorial.
    I just started my career as a pen-tester (attacking wireless devices, BT5 / Kali Linux). So far, this is what I have done:
    1. Bypassed MAC filter
    2. Bypassed SSID not broadcasting
    3. Cracked WEP passwords
    4. WPA/WPA2 – Shared
    Now I plan to do attacks for WPA2-Enterprise 802.1x EAP and bypass IDS/IPS. I am doing a pentest for a client that has implemented a RADIUS server / CA.
    I know there are two flavors of AAA server:
    * RADIUS – UDP / open
    * TACACS+ – TCP / Cisco
    My concern is first to attack the RADIUS server and recommend TACACS+ as more secure against several attacks (MITM, spoof MAC etc).

    My questions are:
    Have you ever heard of, or is it possible to, bypass a RADIUS server?
    Based on your experience what are the advantages / disadvantages of RADIUS vs TACACS+?

    Thank Rene you tutorial is so nice :)

    • Rene Molenaar August 6, 2014 at 11:18 am #

      Hi Francisco,

      You are welcome. Wireless pentesting is pretty fun and a good method to learn more about wireless. There are a couple of RADIUS related attacks that you can do from the wireless side.

      The first one you might want to try is LEAP as it is vulnerable to offline dictionary / brute-force techniques. We don’t use LEAP anymore in the field…

      PEAP is also fun, the wireless client only has to authenticate the radius server so it’s possible to spoof it. When the client sees the certificate of the fake radius server they have to decide if they want to accept the certificate or not…if they do, you get some authentication information you can use for offline attacks.

      Bypassing the radius server from the wireless side isn’t possible (as far as I know)…maybe you can mess with it from the LAN side with a mitm attack but I haven’t tried that before. Radius doesn’t encrypt everything so on the LAN you might be able to sniff usernames and some other information.

      Tacacs+ encrypts everything so it is more secure, I think that radius however is still more popular…I see more radius servers than tacacs in the field.

      You might enjoy this book:

      networklessons.com/bt5wireless

      It covers most of the wireless attacks using backtrack or kali.

      Rene

  24. erick July 31, 2014 at 1:49 am #

    Hi guys im facing this error. Can you help me?
    The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    • Rene Molenaar July 31, 2014 at 1:06 pm #

      Hi Erick,

      It sounds like your client is trying to authenticate with an EAP type that your radius server does not accept. For example, when your client is configured for PEAP and your radius server only accepts EAP-TLS then you’ll get this error as well.

      Rene

  25. DDR September 5, 2014 at 12:07 pm #

    Hi All
    Thanks for the well presented instruction. I have my controller configured and the clients are authenticating fine to the wireless network. My problem lies with my management users. I have run a debug on the WLC and found the AD user does authenticate successfully but I still can’t login to the controller. I just get the username and password prompt presented again. Any suggestions?

    • Rene Molenaar September 11, 2014 at 10:39 am #

      Hmm good question, normally authentication for admins is easier than for wireless users. Anything in the log of the WLC?

  26. Shamal September 8, 2014 at 6:44 am #

    Thanks. It really helped.

  27. Ruslan September 17, 2014 at 5:20 pm #

    Hello Rene,
    Thanks for the well presented instruction.
    Can you please explain if we can use PEAP And EAP-TLS for the same wireless device (client)?

    • Rene Molenaar September 22, 2014 at 10:37 am #

      Hi Ruslan,

      Yes you can, you can allow both PEAP and EAP-TLS. There’s no point doing it though, if you allow PEAP then why do you want EAP-TLS? :) Better to enforce the most secure method (EAP-TLS).

      Rene

  28. Efrangi September 18, 2014 at 12:28 pm #

    Hello Rene,

    I have a question and I appreciate your help,

    As per my understanding, when I am using PEAP authentication:
    PCs within the domain will only have to look up the wireless SSIDs -> connect to the specified SSID -> the certificate should have been pushed by the AD earlier -> and then they will be prompted for username/password.

    PCs outside the domain: OPTION 1, import the certificate manually and then connect the same way as domain PCs. What other options do they have?

    What about Android and iPhone devices?

  29. Bubba198 September 18, 2014 at 8:59 pm #

    Great post René!

    Isn’t there a way to make this work WITHOUT deploying Active Directory PKI but instead buy a certificate from Go Daddy and likes and import it onto the NPS server?

    Two birds with one stone; validation will work AND you don’t have to deploy Active Directory PKI! Where does one buy the authentication purpose cert — one issued as Authentication purpose cert 1.3.6.1.5.5.7.3.2

    • Rene Molenaar September 19, 2014 at 5:49 pm #

      Hi Bubba,

      Good question, you should be able to get a server certificate from a CA that you can use for PEAP. You can’t do it with godaddy?

      If you want to run EAP-TLS…not sure if you can generate client certificates somewhere…

      Rene
