Cisco 9800 802.1x + EAP-TLS using Windows Server CA and NPS

This post covers the process of configuring Windows RADIUS (NPS) and a Certificate Authority (CA), and deploying Wireless Profiles using Group Policy (GPO), on Windows Server 2012 R2. There are many guides that follow each of these processes for the server-side process as well as on the Cisco 9800 controllers, but I found it difficult to find each of them in the same spot for this specific process. This is a very common task that I complete during my Cisco deployments.

This process was completed using my home lab. My hardware is as follows:

  • Dell Poweredge T610 running ESXi 6.7
    • Windows Server 2012R2
      • Domain Services
      • Certificate Authority
      • NPS/RADIUS
    • Windows 10 Pro with Orinoco 802.11ac USB Adapter
    • Cisco 9800-CL Virtual Wireless Controller
  • Cisco 1852i Wireless Access Point with console access from my Windows 10 VM

The process is as follows:

  1. Configure your SSID for WPA2-Enterprise
  2. Configure the Certificate Authority (CA) role
  3. Configure the Network Policy Server (NPS) role
  4. Configure Group Policy Objects
    1. Trigger client to request certificate
    2. Deploy Wireless Network Profile
    3. Update permissions and link GPOs
  5. Validate and Connect!

Step 1 – Configure your SSID for WPA2-Enterprise Authentication

In this example I configure my Cisco 9800-CL WLC by selecting Configuration > WLANs, selecting the applicable SSID, then selecting Security > Layer2 and ensuring 802.1x is checked.

Cisco 9800 WLAN Configuration

If configuring a 9800, also be sure that your Policy Tag includes the SSID you wish to broadcast.

Step 2 – Configure the Certificate Authority Role

When installing the Active Directory Certificate Services role, the default settings will meet our requirements for this process.

Certificate Services is automatically integrated with Active Directory when the CA is part of the domain. This means that the domain-joined computers will automatically add the CA to their list of “Trusted Root Certification Authorities”. This can be verified on the workstation using the certificate utility. EAP-TLS requires client and server certificates. Each client must have a certificate that is issued by a CA that is in the RADIUS server’s list of trusted root CAs. In this example, the CA is installed on the same server as NPS. If not, you must issue a certificate to the RADIUS server that it will present to the client. This can be completed manually or via group policy using the same method we use below to have the workstation request a certificate.

Step 3 – Configure the Network Policy Server Role

To configure NPS, launch the management console from Server Manager. First, we need to add a RADIUS client. Depending on your environment, you may need to add the Wireless Controller or each AP. Since my authentication requests will be coming from a Cisco 9800 WLC, I’ve added the controller by IP address along with the shared secret that is configured.

RADIUS Client

Create Connection Request Policy

Below is the process of creating a Connection Request Policy using the 802.11 NAS Port Type and specifying the EAP type to use a certificate:

  1. To create a Connection Request Policy, right click on the appropriate folder and select “New”.
  2. Give your policy a name and select “Next”:
  3. In the “Specify Conditions” window click “Add” to add a condition. Scroll to the bottom, click “NAS Port Type” and click “Add”. In the window, select “Wireless – IEEE 802.11”:
  4. Leave the “Authenticate requests on this server” radio button selected and click “Next”. In the next section we will configure the EAP type. Check the “Override network policy authentication settings” checkbox then add “Smart Card or other certificate” to the list of EAP types. Be sure to uncheck any check-boxes in the “Less secure authentication methods” section. Complete the remainder of the wizard with default settings.

Following a similar process, we will now create a Network Policy.

Create Network Policy

The network policy also specifies the NAS Port Type and EAP method. This is where we can return RADIUS attributes, apply constraints such as time of day, and specify the group(s) for authentication. Remember that the client/server certificates are used to encrypt the exchange of authentication information; the client must still authenticate via its user or computer account.

Below is the process of creating a Network Policy using the 802.11 NAS Port Type, using “Domain Computers” group for authentication, and specifying the EAP type to use a certificate:

  1. To create a Network Policy, right click on the appropriate folder and select “New”.
  2. Give your policy a name and select “Next”
  3. In specify conditions, add NAS Port Type and select “Wireless – IEEE 802.11” and Machine Groups then search for the “Domain Computers” group. Click “Next”.
  4. In the permissions window, leave the “Access granted” radio button selected. Click “Next”.
  5. Click “Add” and select “Microsoft: Smart Card or other certificate” under EAP Types. Deselect all in the “Less secure authentication methods” section. Click “Next”.
  6. Under constraints, click “NAS Port Type” and check “Wireless – IEEE 802.11“. Click “Next”.
  7. Leave the default RADIUS attributes. Click “Next”.
  8. Complete the wizard by clicking “Finish”.
Network Policy creation

NPS is now configured and ready to accept authentication requests from your wireless clients!

Step 4 – Configure Group Policy Objects

The next two steps cover the configuration of Group Policy Objects (GPOs) that make your workstations complete the certificate auto-enrollment process and deploy a wireless network profile so the workstation joins the network automatically.

Configure a Certificate Enrollment Policy

Open the GP Management console and create a new GPO.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies, right-click “Automatic Certificate Request” then “New” and “Automatic Certificate Request”.

Automatic Certificate Request

Click “Next” at the wizard welcome page. Select the “Computer” certificate template then “Next” and “Finish”.

Certificate Template selection

Configure a Wireless Network Profile Policy

The next step is to deploy a wireless profile to your computers so that they connect automatically, present the appropriate credentials, and follow other specified settings.

Open the GP Management console and create a new GPO.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings and click “Wireless Network (IEEE 802.11) Policies” then “Create A New Wireless Network Policy for Windows Vista and Later Releases” in the right pane.

Create a Wireless Profile

Click “Add” and “Infrastructure” then enter your SSID and security information in the Wireless Profile Properties window. I am using computer authentication so I chose that option under “Authentication Mode:” in the Security settings menu.

Group Policy Settings

Update permissions and link GPOs

Update the permissions on each GPO so that the “Domain Computers” group has Read access.

GPO Permissions

Link both of these new GPOs to the organizational units where your workstations are located. My OU structure is based on location; the computer accounts are placed under a different OU based on where they are physically located. This pairs nicely with AP Groups on the Cisco AireOS and Tags on the Cisco IOS-XE based Controllers.

Linked GPOs

Step 5 – Validate and Connect!

It is now time to test your client. We need to verify the following:

  • Client has enrolled and obtained a certificate
  • Client has received the Wireless Network Profile
  • Client can connect to the SSID

If you haven’t already, restart the workstation and/or issue “gpupdate /force” via an elevated command prompt so that it receives the two GPOs. You can use the GPResult tool available in the Group Policy Management Console or run “gpresult /h C:\gpresult.html” from a command prompt to create a report that shows the policies that the station has received and the status of the settings.

GPResult /h

After the workstation has received the policy, you can use the command “netsh wlan show profiles” to view the list of profiles and “netsh wlan show profile (Profile Name)” to view the settings of the profile. If you deploy a profile and need to make a change to it, you can view the details here to verify that the changes have been made and synced successfully.

netsh wlan show profiles
netsh wlan show profile “(Profile Name)”

To verify that your workstation enrolled and obtained a certificate, open the Certificate Authority management console on your CA and verify there is an issued certificate using the “Computer (Machine)” template.

Certificate enrollment validation
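
The same two checks can be made from the workstation itself. The following is an added example, not part of the original post: it looks in the local machine store for a certificate that can be used for EAP-TLS client authentication and confirms the wireless profile arrived. The SSID value is a placeholder, and revocation checking is skipped on the assumption that a lab CA may not publish a reachable CRL.

```powershell
# Added example: run in an elevated PowerShell session on the domain-joined workstation.
$Ssid          = 'ExampleSSID'           # assumption: replace with your SSID / profile name
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU

function Test-EapTlsMachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Build the chain in machine context so the computer's trusted roots are used.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
    # Assumption: skip revocation so this tests trust in the CA only.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEku = [bool]($Cert.EnhancedKeyUsageList | Where-Object ObjectId -eq $ClientAuthOid)
        ChainTrusted  = $trusted
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$now     = Get-Date
$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-EapTlsMachineCert $_ }
$results | Format-Table Subject, Issuer, NotAfter, HasPrivateKey, ClientAuthEku, ChainTrusted, ChainErrors -AutoSize

# A usable certificate has a private key, the client-auth EKU, a trusted chain and is unexpired.
$usable = $results | Where-Object {
    $_.HasPrivateKey -and $_.ClientAuthEku -and $_.ChainTrusted -and $_.NotAfter -gt $now
}
if (-not $usable) { Write-Warning 'No machine certificate is usable for EAP-TLS client authentication.' }

# Profile check: netsh output is localized, so match on the SSID string only.
$profiles = netsh wlan show profiles
if ($profiles -match [regex]::Escape($Ssid)) {
    netsh wlan show profile $Ssid | Select-String 'Authentication|Cipher|802.1X|EAP'
} else {
    Write-Warning "Wireless profile '$Ssid' not found; check gpresult for the wireless GPO."
}
```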

Now it’s time to test the connection! It should automatically connect. If not, you should attempt to connect, note the time, and start troubleshooting.

Connection unsuccessful
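
When a connection fails, the NPS server's own record of the attempt is the quickest place to look. The following is an added example, not part of the original post: it pulls the NPS access decisions (event 6272 for granted, 6273 for denied) from the Security log around the time you noted. It assumes NPS auditing is enabled on the server; the timestamp is a constructed value, and the EventData field names are the ones I expect in these events, so adjust them if yours differ.

```powershell
# Added example: run in an elevated PowerShell session on the NPS server.
$AttemptTime = Get-Date '2020-01-01 12:00'   # constructed value: the time you noted
$Window      = New-TimeSpan -Minutes 5

$filter = @{
    LogName   = 'Security'
    Id        = 6272, 6273                   # 6272 = access granted, 6273 = access denied
    StartTime = $AttemptTime - $Window
    EndTime   = $AttemptTime + $Window
}

# SilentlyContinue: Get-WinEvent raises an error when no events match the filter.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the named EventData fields of each event into a lookup table.
    $fields = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

    # Assumption: field names as expected for NPS events; missing names print blank.
    [pscustomobject]@{
        Time          = $_.TimeCreated
        Result        = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
        Account       = $fields['FullyQualifiedSubjectUserName']
        ClientMac     = $fields['CallingStationID']
        RadiusClient  = $fields['ClientName']
        NetworkPolicy = $fields['NetworkPolicyName']
        EapType       = $fields['EAPType']
        ReasonCode    = $fields['ReasonCode']
        Reason        = $fields['Reason']
    }
} | Sort-Object Time | Format-List
```

No events in the window at all usually means the request never reached NPS, which points back at the RADIUS client entry and shared secret from Step 3.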

An issue that I ran into with my 9800 configuration that kept my workstation from connecting was the VLAN attribute returned by the RADIUS server. Quick searches pointed toward bugs in the earlier versions of the software. I resolved this issue by updating the VLAN value in my policy to “default” rather than “VLAN0001”.

When my workstation successfully connected, I reviewed the client information within the WLC to verify the EAP type was EAP-TLS.

Client security information

Success!

Connected to “Sharp House”!

I hope this post has been very informative and easy to follow. I have a Microsoft background but still love a good picture book to help guide myself through these processes. Feel free to leave some feedback or contact me directly via email or twitter with any questions!
