Tuesday, 30 July 2013

Certificate-based Wi-Fi access with a RADIUS server (Microsoft Windows Server 2008 R2) and a local CA

We had trouble authenticating iOS devices with client certificates (802.1X, EAP-TLS) in a Wi-Fi setup with Wireless LAN Controllers from various vendors. The client certificates are issued by an external CA, in our case the MobileIron local CA, whose root is not trusted by anything outside MobileIron. We configured a Network Policy (Network Policy and Access Services) for smart card or certificate based authentication on an NPS/RADIUS server running Windows Server 2008 R2 Enterprise Edition.

When a client tried to connect, NPS rejected it and logged the following (on 2008 R2 this is the audit failure event 6273 in the Security log):

Authentication Type: EAP
EAP Type: -
Account Session Identifier: ...
Logging Results: Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Thanks to Microsoft Support we got this issue solved. The solution in our case was:
  1. Import the third-party certification authority certificate into the enterprise NTAuth store on the NPS server. NTAuth is the store NPS consults when it maps a client certificate to an Active Directory account; a CA that is missing there can never authenticate a user, no matter how the client certificate looks. The store lives in the Active Directory configuration partition, so the command needs Enterprise Admin rights and the result replicates to the other servers.
    How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store (KB295663)
    certutil -enterprise -addstore NTAuth CA_CertFilename.cer
  2. Add the third-party certification authority to the Trusted Root Certification Authorities store of the local machine (not the current user), so that the EAP-TLS chain validation on the NPS server ends in a trusted root.
  3. Issue a user certificate instead of a device certificate, with the Client Authentication EKU, and put the user's AD account name in the form of the UPN (user@domain) into the Subject Alternative Name (SAN). NPS uses that UPN to find the account; a device certificate without it cannot be mapped.
    Certificate Requirements for PEAP and EAP.
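The three steps as one script, plus a check of a client certificate against the requirements listed in step 3. This is an added example, not code from the original post or from Microsoft Support. It assumes an elevated PowerShell on the NPS server (PowerShell 2.0 on 2008 R2 is enough), Enterprise Admin rights for the NTAuth store, and the two placeholder file paths; the function names `Publish-ThirdPartyCa` and `Test-EapClientCertificate` are made up for this example. Run it before the first client tries again, so that a certificate that lacks the UPN or the EKU is caught here rather than as reason code 22 in the event log.

```powershell
# Added example, not from the original post. Assumed placeholder paths:
param(
    [string]$CaCertPath     = 'C:\certs\MobileIron-CA.cer',   # the external/local CA
    [string]$ClientCertPath = 'C:\certs\ios-client.cer'       # one issued client cert
)
$ErrorActionPreference = 'Stop'

function Publish-ThirdPartyCa {
    param([string]$Path)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Step 1: enterprise NTAuth store (AD configuration partition, needs Enterprise Admin).
    & certutil -enterprise -addstore NTAuth $Path | Out-Null
    # Step 2: Trusted Root CAs of the local machine. A self-signed local CA belongs in
    # Root; if the issuing CA were a subordinate, it would go into the CA store instead.
    & certutil -addstore Root $Path | Out-Null
    # Pull the updated enterprise store into the local cache now instead of waiting
    # for the next autoenrollment / Group Policy refresh.
    & certutil -pulse | Out-Null

    # Check: the CA's SHA-1 thumbprint must now appear in the NTAuth dump.
    # Older certutil versions print the hash with spaces between bytes; strip them.
    $dump   = (& certutil -enterprise -store NTAuth) -join "`n"
    $hashes = [regex]::Matches($dump, 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') |
        ForEach-Object { ($_.Groups[1].Value -replace ' ', '').ToUpper() }
    return ($hashes -contains $ca.Thumbprint.ToUpper())
}

function Test-EapClientCertificate {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $r = @{ Subject = $cert.Subject; HasClientAuthEku = $false; SanUpn = $null }

    # Client Authentication EKU (1.3.6.1.5.5.7.3.2) is required on the client certificate.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        foreach ($oid in $eku.EnhancedKeyUsages) {
            if ($oid.Value -eq '1.3.6.1.5.5.7.3.2') { $r.HasClientAuthEku = $true }
        }
    }

    # SAN (2.5.29.17): NPS maps the certificate to the AD account through the UPN in
    # the 'Principal Name' otherName. .NET does not decode otherName, but CryptoAPI's
    # Format() renders it as 'Other Name:Principal Name=user@domain'.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $m = [regex]::Match($san.Format($false), 'Principal Name=([^,\s]+)')
        if ($m.Success) { $r.SanUpn = $m.Groups[1].Value }
    }

    # The chain must end in a root the machine trusts (step 2). Revocation checking is
    # left to NPS because the CRL of a local CA is often not reachable from this box.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $r.ChainsToTrustedRoot = $chain.Build($cert)
    $r.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    return New-Object PSObject -Property $r
}

if (-not (Publish-ThirdPartyCa $CaCertPath)) {
    throw "CA from $CaCertPath is not in the enterprise NTAuth store after import"
}
$check = Test-EapClientCertificate $ClientCertPath
$check | Format-List Subject, HasClientAuthEku, SanUpn, ChainsToTrustedRoot, ChainStatus
if (-not ($check.HasClientAuthEku -and $check.SanUpn -and $check.ChainsToTrustedRoot)) {
    Write-Warning 'Client certificate does not meet the EAP-TLS requirements; NPS will reject it.'
}
```

`SanUpn` must name an existing AD user, otherwise NPS finds no account to map to; `ChainStatus` is empty when the chain built, and otherwise names the failing check (for example `UntrustedRoot` when step 2 was skipped).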