non-domain computer certificate authentication in NPS

Hi all!

I need to secure my wifi network, and was tasked with wpa2-eap aes security level.

I'm using NPS on w2008 and everything is fine with domain members: the computer authenticates with the computer certificate before user logon and the network is accessible through wifi; after logon the user reauthenticates with the user's certificate.

On a non-domain computer it's ok with a user certificate, BUT it can't authenticate with a computer certificate.

Event logged in security audit:

"Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:

Security ID: MYDOMAIN\WIFIPC1$
Account Name: wifipc1$
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAIN\wifipc1$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 54-E6-FC-DD-07-81:nur_eap
Calling Station Identifier: 00-1C-BF-A0-1C-98
NAS:
NAS IPv4 Address: 172.27.143.253
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: ap2
Client IP Address: 172.27.143.253
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Secure Wireless Connections
Authentication Provider: Windows
Authentication Server: nps01.mydomain.com
Authentication Type: PEAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect."

I have the following configuration:

1) on connection request policy

conditions - wireless-other or wireless-ieee 802.11

setting - attribute manipulation cutting the realm "host/" and replacing ".mydomain.com" with $. Otherwise non-domain members (computers without cutting the realm and replacing the suffix with $, and users without cutting the realm) get the error "The specified user account does not exist.".

2) on network policies

overview - by default, grant access, ignore dial-in properties.

conditions - wireless-other or wireless-ieee 802.11

constraints - authentication method PEAP only with eap-type - Smart Card or other certificate. That's the only allowed method for me, as one of the most secure; please don't offer me other methods.

I use an enterprise CA on w2003 with AD 2008 level and manually enroll certificates for non-domain computers using cloned computer or workstation templates where I can provide names in the request. I've also created a computer account with a name similar to the one provided in the certificate, with the additional domain suffix. Clients are configured to use computer or user authentication; computer only was tried also. I've also tried to use certificate mapping on the computer account, without success.

February 20th, 2012 7:42am

Hi,

I am not sure I understand what you are trying to do. A domain member computer has a computer account in Active Directory. A non-domain-joined computer doesn't have this. When you perform computer authentication, the computer account is checked in Active Directory. It is expected that a non-domain-joined computer will fail to authenticate because the account doesn't exist.

-Greg

February 20th, 2012 11:17am

Hi Greg!

If you read my post carefully, you might have noticed:

 "i've created computer account with similar name which provided in certificate with additional domain suffix"

I'm trying to register a non-domain computer in a wpa2-eap wifi network by a computer certificate issued by the enterprise CA in Windows 2008 AD.

The problem is in the mapping of credentials: computer certificate and computer AD object (account).

Anyway thanks for attention )


February 20th, 2012 11:39am

Hi,

I am not an expert on this, but I think that if you artificially create a computer account in AD, it does not create the correct security identifier (SID).

For example, if I create two computers that both have the same name, join one of them to the domain, then turn it off and join the other to the domain - the first one will no longer be able to log in because the SID is incorrect. Have you read somewhere that you could do it this way?

-Greg

February 20th, 2012 11:50am

Well, the question is about the correct way of computer account creation and certificate enrollment for that case.

Anyway, I have successful user certificate authentication, which is configured in the same manner.

Every step-by-step I've found on the internet just tells you to create a computer account and manually request a certificate... and that's all, obviously

February 20th, 2012 11:59am

Hi,

I've checked with an 802.1X expert here (Clay) and it is possible to do this. There are two ways -

First method:

  1. Using a domain joined machine, request a certificate from a template that allows the private key to be exported.
  2. Export the cert with the private key.
  3. Import on all workstations that require it.

Second method:

  1. Create an account in AD.
  2. Issue a certificate from a template that allows the private key to be exported.
  3. Using name mappings attach the certificate to the account.
  4. Create an SPN that matches the SAN on the certificate, i.e. if the SAN is computer.domain.com, you need to create an SPN on the account host/computer.domain.com.
  5. Install certificate on target workstation.

The first method is relatively easy but it uses a single certificate on multiple devices and the certificate doesn't correspond to the name of the computer.

The second method is more secure, but more difficult to implement for multiple computers.

I hope this helps,

-Greg

February 20th, 2012 9:27pm
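The second method above, scripted as an added example (not code from this thread or from Microsoft): it creates the account with its HOST SPNs, attaches the certificate through altSecurityIdentities (what the "Name Mappings" dialog writes), and checks that the certificate's SAN agrees with the SPN. Assumed: the ActiveDirectory module is available, the caller may create computer objects, the exported public certificate sits at C:\certs\certtest.cer, and the names CERTTEST / certtest.netz502.lvnbw / the OU path are constructed for the example.

```powershell
# Added example for the thread's "second method"; names and paths are assumptions.
Import-Module ActiveDirectory

$Name    = 'CERTTEST'                    # sAMAccountName becomes CERTTEST$
$Fqdn    = 'certtest.netz502.lvnbw'      # must equal the DNS SAN on the certificate
$CerPath = 'C:\certs\certtest.cer'       # public part of the client's machine cert
$Ou      = 'OU=Wifi Devices,DC=netz502,DC=lvnbw'

# altSecurityIdentities expects issuer and subject with the RDNs in reverse order,
# e.g. X509:<I>DC=lvnbw,DC=netz502,CN=MyCA<S>CN=certtest.netz502.lvnbw
# Simple split-and-reverse; assumes no RDN value itself contains ", ".
function ConvertTo-ReversedDn([string]$Dn) {
    $rdns = $Dn -split ', '
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$mapping = 'X509:<I>{0}<S>{1}' -f (ConvertTo-ReversedDn $cert.Issuer), (ConvertTo-ReversedDn $cert.Subject)

# Step 1 and step 4: create the account and register the HOST SPNs at creation time
# (the same SPNs "setspn -r CERTTEST" would add afterwards).
New-ADComputer -Name $Name -SAMAccountName $Name -DNSHostName $Fqdn -Path $Ou -Enabled $true `
    -ServicePrincipalNames @("HOST/$Name", "HOST/$Fqdn")

# Step 3: attach the certificate to the account.
Set-ADComputer -Identity $Name -Add @{ altSecurityIdentities = $mapping }

# Check: the SAN must contain the FQDN that the connection request policy rewrites
# (host/certtest.netz502.lvnbw -> CERTTEST$) and that the HOST SPN carries.
$san  = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
$acct = Get-ADComputer -Identity $Name -Properties altSecurityIdentities, servicePrincipalName
"SAN on certificate : $san"
"SPNs on account    : $($acct.servicePrincipalName -join '; ')"
"Mapping on account : $($acct.altSecurityIdentities -join '; ')"
if ($san -notmatch [regex]::Escape($Fqdn)) {
    Write-Warning "SAN does not contain $Fqdn; NPS will report reason code 16 for this client"
}
```

Step 2 (issuing from an exportable template) and step 5 (installing the PFX on the device) are done outside AD and are not scripted here.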

Hi, thanks for help! Clay was right.

I used second method, and registered SPN with "setspn -r pcname", and successfully registered computer by machine certificate. That's great! Problem is solved!

February 21st, 2012 11:56am

hi,

I have exactly the same "problem"...

The answer from Greg was very useful for me, but I could get that working.

I have created a computer account in AD similar to the name of my test laptop (CERTTEST, no domain).

I have exported the computer certificate of the laptop as type DER (also tested with BASE64) and mapped this to the computer account.

I have registered the SPN with the command "setspn -r certtest"; the output and adsiedit told me that "HOST/CERTTEST" and "HOST/CERTTEST.NETZ502.LVNBW" are mapped to the computer account (NETZ502.LVNBW is my domain).

In the event log I could not see any entry; I could only look in the traces (activated with the command "netsh ras set tra * en").

On the laptop I get a "schannel" error with the ID 36870, error code 0x8009030d, error state 10003.

What could be the problem?

best regards,

bernd

August 13th, 2012 4:27pm

Hi,

I've read your post with great interest, but still have one question:

How can you use NPS to authenticate the clients using certificates when you have lots of non-AD clients, like VoIP telephones and so on? Normally you don't want to add these numerous (100+) hosts to the AD.

With other RADIUS servers you could utilize the Subject name and OUs on the certificate to provide segmentation/different network access without having to register a "dummy host" for each client in the AD?

Is there any way you could utilize a "pre-installed" OEM certificate on devices to authenticate, without having to add the "dummy" hosts to AD and map the certificate to the AD account?

Best Regards

Jarle

September 24th, 2012 12:51pm

Hi Guys,

We have two-tier CA in our organization.
I installed NAP service and added Cisco router as RADIUS client.

How do I set things up so that domain machines and non-domain machines (including smart phones) can connect to the wireless network only if they have a computer certificate?

I don't know how to set things up so that non-domain machines can connect to the network, or how to create a certificate for these machines.
What type of certificate do we need to use, and how do we do a request on the CA for non-domain machines...

Please can you help?... maybe you have some step-by-step material?

July 9th, 2013 4:54am
