Securing RADIUS with EAP-TLS [Windows Server 2019]

I (tobor) cover how to set up RADIUS using EAP-TLS machine authentication on Windows Server 2019 (WPA2-Enterprise). If you like what you see, please Subscribe!

FORGOT TO MENTION:
The default selected certificate should work. However, you may need to set it manually. This can be done by going to "Tools" - "Network Policy Server" - "Policies" - "Network Policies". I called my Network Policy "EAP-TLS". Double-click your policy to open it. In the "Constraints" tab select "Authentication Methods". Under "EAP Types" select "Microsoft: Smart Card or other certificate" and click "Edit". Select the certificate matching the "Expiration Date" value of your RADIUS server certificate to ensure your RADIUS server can successfully authenticate to the clients. Sorry I missed saying that.
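To see which certificates in the NPS server's machine store are eligible to be picked in that dialog, and to match one by expiration date, the following added PowerShell example (not from the video) lists them with the properties that matter for EAP-TLS: a private key, the Server Authentication EKU, a chain that validates on the NPS host, and an expiry in the future. The function name and the optional ExpectedNotAfter parameter are my own; it assumes an elevated session on the NPS server.

```powershell
# Added example (not from the video): list the certificates in the NPS server's
# machine store that can be selected under "Microsoft: Smart Card or other
# certificate", so the right one can be matched by expiration date.
# Assumption: run in an elevated PowerShell session on the NPS server.

function Get-EapTlsServerCertCandidate {
    [CmdletBinding()]
    param(
        # Optional: the "Expiration Date" shown for the RADIUS server certificate
        [datetime]$ExpectedNotAfter
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication)
    $ekuExtOid     = '2.5.29.37'           # Extended Key Usage extension

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # Collect the EKU OIDs; a certificate with no EKU extension is treated as having none
        $ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
        $ekuOids = @()
        if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        if ($PSBoundParameters.ContainsKey('ExpectedNotAfter')) {
            # Compare on the date only, because the NPS dialog shows dates without a time
            if ($cert.NotAfter.Date -ne $ExpectedNotAfter.Date) { continue }
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey          # NPS must be able to sign with it
            ServerAuth    = ($ekuOids -contains $serverAuthOid)
            ChainValid    = $cert.Verify()               # chains to a trusted root on this host
            Expired       = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

# Usable candidates: private key present, Server Authentication EKU, valid chain, not expired
$eligible = @(Get-EapTlsServerCertCandidate |
    Where-Object { $_.HasPrivateKey -and $_.ServerAuth -and $_.ChainValid -and -not $_.Expired })

$eligible | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize

if ($eligible.Count -eq 0) {
    Write-Warning "No eligible server certificate found; check autoenrollment of the RADIUS template."
} elseif ($eligible.Count -gt 1) {
    Write-Warning "More than one eligible certificate; pick the one whose NotAfter matches the RADIUS server certificate in the NPS policy."
}
```

A certificate that shows HasPrivateKey false or ServerAuth false will appear in the NPS dialog but will cause clients to reject the server during the TLS handshake, so filtering on those two columns first saves the most troubleshooting time.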

FORCE DC REPLICATION TO ACCESS CERT TEMPLATES FASTER:

ENABLE NPS LOGGING COMMAND:
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

0:00 Intro Summary
1:14 Create Certificate Template for Client and Server Authentication
2:31 Define Cert Template Property Values
4:57 Import Certificate Template to Issue
5:29 Force AD Replication
6:31 Install Network Policy Service (NPS) Role on a Domain Controller (Best Practice)
7:11 Register NPS Server in AD to add it to RAS and IAS Group
8:08 Configure RADIUS Clients
11:25 Create Shared Secret Template
12:33 Configure RADIUS Server Group
17:55 Configure Connection Request Policy
21:26 Configure Network Policies
23:38 RADIUS Standard Attribute Values
26:33 Policy Processing Order
27:06 Configure Accounting
28:17 Configure Group Policy for Certificates
31:52 Configure Group Policy Wireless Profile
37:22 Older Windows OS Possible Issues
38:35 Network Policy Server Service Name
39:02 Thanks for watching!

Comments
Author

Haven't watched the video yet, but would something like exclusively EAP-TLS auth work in combo with Cisco ISE and Intune for mobile devices, e.g. iPhones/iPads? Looking for a way to implement that as it seems like a cleaner way to auth and less likely to cause those pesky lockouts when people forget to change their password on the RADIUS side of things.

tacom
Author

These kind of videos are a god send for all of us 'jack of all trades, master of none' IT workers. Superb level of detail and information. Brilliant. Many thanks.

barflysyc
Author

Wow! I was looking / searching for tons of how-to, manuals etc...but only this nice tutorial made it easy and quick to get this going! :) Thanks!

mynameisjesus
Author

I did not have the best foundation to follow this video but the time taken to tear into this has been invaluable. Thank you for the time taken to set this up. Without going into detail this is incredibly helpful for a situation in my professional life. Thank you again for the resource to build understanding on top of.

Smaxey
Author

Thank you for actually knowing what you are talking about, creating timestamps and going over HA and load balancing.

bdon
Author

This was really helpful and thorough. The best beginning-to-end explanation I've found.

DaneWallace
Author

I'm not sure if this will help anyone or not, but when standing this up and trying to troubleshoot where the communication was breaking, I used Wireshark, Event Viewer on both ends, and looked into C:\Windows\System32\LogFiles for successful or failed authentications. I hadn't configured the server to log successful/failed login attempts. Once I had made the correct change on my switch, I wanted to verify the NPS was authenticating correctly. mmc.exe > Group Policy Object Editor > Local Computer > Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Logon/Logoff > Audit Network Policy Server. Enable this for success and failure if you're still testing everything.

McFunctional
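The auditpol command in the video description and the Local Group Policy path in the comment above both switch on the same "Network Policy Server" audit subcategory, which is what makes NPS write its access decisions to the Security log. The following added PowerShell example (mine, not the video's or the commenter's) enables that subcategory, confirms the setting, and summarises recent grant/deny decisions. It assumes an elevated session on the NPS server, that NPS logs event 6272 for access granted and 6273 for access denied, and that the EventData field names it reads (SubjectUserName, CallingStationID, ClientIPAddress, EAPType, NetworkPolicyName, Reason) are present in the event XML; any name that is absent simply yields an empty column.

```powershell
# Added example (not from the video or the comment): enable NPS auditing,
# confirm the audit setting, and summarise recent RADIUS access decisions.
# Assumptions: run elevated on the NPS server; NPS writes Security-log events
# 6272 (access granted) and 6273 (access denied); the EventData field names
# below are read by name from the event XML, so a missing name yields $null.

function Enable-NpsAudit {
    # Same subcategory the description enables; /get should then report "Success and Failure"
    auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null
    auditpol /get /subcategory:"Network Policy Server"
}

function Get-NpsAuthSummary {
    [CmdletBinding()]
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = @(6272, 6273)
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read named EventData fields from the event XML rather than by positional index
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            Result  = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
            Account = $data['SubjectUserName']    # machine account for EAP-TLS machine auth
            Station = $data['CallingStationID']   # client MAC address for wireless
            NasIp   = $data['ClientIPAddress']    # RADIUS client (AP, controller or switch)
            EapType = $data['EAPType']
            Policy  = $data['NetworkPolicyName']
            Reason  = $data['Reason']             # populated on 6273 (denied) only
        }
    }
}

Enable-NpsAudit

# Denials grouped by reason text: the quickest way to spot a wrong server certificate,
# a client certificate that does not chain, or a client that matches no network policy
Get-NpsAuthSummary -Hours 24 |
    Where-Object Result -eq 'Denied' |
    Group-Object Reason |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Run Get-NpsAuthSummary without the Where-Object filter to see granted requests as well; a successful EAP-TLS machine authentication should show the computer account in the Account column and the expected policy name under Policy.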
Author

Thank you for this great tutorial.
I had tried the implementation unsuccessfully for several hours and
with your help solved the problem in 20 min. 👍

busterg
Author

Rob, thank you so much for sharing this content. Configuring RADIUS auth for Sophos APs was a breeze thanks to you.

Townaset
Author

Thank you so much, I can't believe someone made the video in such detail, especially since it's a rare topic.

gds
Author

Excellent content, no messing about straight to the point with plenty of useful information. I am currently configuring RAS/NPS for VPN authentication and this really helps to understand the process.

markfogel
Author

Really helpful video. I'm a bit new to CAs, do you have a video detailing the installation and best practices for installation/configuration?

ansonsage
Author

Great content my friend. I have a question - according to a lot of Microsoft documentation, the EAP-TLS protocol has a requirement that the issuing CA certificate of your client certificates is stored in the NTAuth certificate store in order for authentication to work with this protocol. My understanding is that NTAuth certificate store is replicated from the Configuration partition of your AD forest, however I'm unsure if populating that object with issuing certificates is a manual process, or if it should be automatic when a CA is built. Do you happen to have any experience in dealing with that?

barbadosslimful
Author

Great walkthrough. Helped me walk through an issue with my Secure WiFi. Good stuff.

IntelliRick
Author

@OsborneProLLC Thanks again for a really great and useful video. We have it configured in the way you explained and it works perfectly for Windows machines. Is it possible to also get Macs working under the same RADIUS/NPS? I know that Macs can't receive group policy so part of this will need to be done manually, but do you know the procedure for the Mac to be able to request / receive the certificate and once installed, will the wifi just work if they click on the SSID of the network?

jimmyweston
Author

That is simply the best video I've watched on this topic.
Thank you for detailing every configuration option as much as possible and for talking about HA :)

MrGuitarSmoker
Author

Hi Rob. Fantastic video! Thank you for taking the time to make it. It really helped me while setting up EAP-TLS. I have a question that I'm struggling to find the answer for: Is it possible to set up EAP-TLS for User and Computer authentication? I.e. at the login screen, the computer authenticates to the network using its computer certificate, then when a user signs in it reauthenticates against the User certificate? Ideally I'd like user authentication as well for better auditing, especially on shared computers, but using User-only authentication is a chicken-and-egg situation as they can't authenticate on to the network to get their group policy and cert via autoenrollment. I've deployed a User cert as well as a Computer cert and set wireless Group Policy to use User or Computer authentication. Computer authentication on the login screen works fine, but as soon as the user profile loads, network connectivity is lost.

GrindhouseJames
Author

Do you not have to reference the RAS IAS cert in the network policy? I noticed you added smart card or other certificate as the EAP type but never edited it to choose the cert.

jasondabassman
Author

Question. The step where you create the RADIUS template in the CA template manager. What is the purpose of distributing that machine certificate to all machines in the environment? I don't see any further mention of it in the video and wonder what purpose it serves? I suppose if you point to the cert anywhere in the NPS network policy creation or in the group policy setup and certs in the chain (the machine RADIUS cert) are subsequently accepted as well? Thanks!

jamiemacnd
Author

Great video! Very detailed and simple to follow. I have successfully set this up and it is working with our domain-joined devices - thank you!
However, what could I do to implement this on non-domain-joined devices such as iPads? In my org we have 3 groups of iPads all requiring different VLANs for internet filtering. I would like to use EAP-TLS so no end-user authentication is required.

Tom-ehlt