The ability of a RADIUS Server to authenticate and authorize network users depends heavily on the effectiveness of its security system and authentication method. Using passwords invites a host of user experience shortcomings and security vulnerabilities that put your secure data at risk.
By combining SecureW2’s EAP-TLS certificate solutions with Microsoft NPS, your 802.1x network is protected from all manner of data theft attacks. SecureW2’s onboarding software auto-configures a user’s device in minutes through a few simple sets. Once configured, the certificate is tied to the user’s identity and device for the life of the certificate.
The many weaknesses of passwords are bypassed with certificate-based authentication. The need for password change policies that disrupt network connection are eliminated. From a user experience standpoint, the process can be described as set-and-forget; they complete the onboarding software once and have uninterrupted network connection.
For administration, the simplicity of certificates results in fewer support tickets and connection errors. Certificate-based authentication can also be configured to support managed devices alongside BYOD. Employing a SCEP Gateway allows for auto-configuration of managed devices with no end user interaction.
Combining secure Microsoft NPS RADIUS with certificate solutions creates a network environment that is strongly protected and a straightforward experience for users.
Integration Process Overview
- Configure the WPA2-Enterprise network to authenticate using 802.1x certificates
- Connect the Microsoft NPS RADIUS to the secure network
- The RADIUS will authenticate and authorize users for network access by confirming their identity within the identity provider.
- Connect the PKI and download and install the Certificate Authorities (CA)
- Connect the Root and Intermediate CA’s to the RADIUS and secure network. As users enroll for network access, they will be distributed certificates from the connected CA.
To complete this setup, you will need to have configured:
- A SecureW2 Network Profile
- A Microsoft NPS RADIUS Server
- An Identity Provider
Configure the Secure Network for 802.1x Certificates
- Go to Windows > Run > MMC
- In the Console, navigate to File > Add/Remove Snap-in
- In the Add/Remove Snap-in window, select Network Policy Server from the Available snap-ins, and click Add
- In the Select Computer window, select Local Computer, and click OK
- In the Add/Remove Snap-in window, click OK
- In the Console, navigate to NPS (Local) > Policies > Network Policies
- In the Actions pane on the right, click New under Network Policies and the New Network Policy wizard will appear
- In the Specify Network Policy Name and Connection Type page, enter the Policy Name and click Next
- In the Specify Conditions page, click Add and the Select condition page appears
- Select NAS Port Type, and click Add, and the NAS Port Type window appears
- From the Common 802.1X connection tunnel types section, select Wireless – IEEE 802.1, and click OK
- The condition gets added to the Specify Conditions page
- Click Next and the Configure Authentication Methods window appears
- Under EAP Types, click Add and the Add EAP window appears
- Select Microsoft Smart Card or other certificate, and click OK
- De-select all the other check boxes under Less secure authentication methods and click Next
- In the Configure Constraints window, click Next
- In the Configure Settings window, click Next
- In the Completing New Network Policy window, click Finish
Connecting the Microsoft NPS RADIUS Client
- Go to Windows > Run > MMC
- In the Console, navigate to NPS (Local) > RADIUS Clients and Servers > RADIUS Clients
- In the Actions pane on the right, click New RADIUS Clients and the New RADIUS Client window appears
- Enter a Name and the IP address in the Friendly name and Address (IP or DNS) fields, respectively
- Enter the shared secret in the Shared secret and Confirm shared secret fields, and click OK
Downloading the Root and Intermediate CA from SecureW2
- Go to the SecureW2 JoinNow MultiOS and Connector Management Portal
- Navigate to PKI Management > Certificate Authorities
- Download both the Root and Intermediate CAs for the organization
Installing the Root and Intermediate Certificates
- Go to your server where you want to install your the certificates
- Go to Windows > Run > CMD and go to the folder where you have saved your certificates
- To install the certificates, run the following command consecutively for both the certificates:
C:\Certificates Folder> certutil -dspublish -f <certificate name>
Secure Your WPA2-Enterprise NPS Network with EAP-TLS
By leveraging the infrastructure already in place with a WPA2-Enterprise network, a more secure 802.1x wireless connection can be easily achieved through our SecureW2 integration solution.For network administrators, the ability to remotely diagnose and address connection issues, as well as tie every user and device to a network connection, will greatly reduce the number of wireless connection support tickets.
We have affordable options for organizations of all sizes. Click here to see our pricing.
Microsoft NPS is either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.