Windows 10: Single Certificate for multiple client devices for an EAP-TLS system

Discuss and support Single Certificate for multiple client devices for an EAP-TLS system in AntiVirus, Firewalls and System Security to solve the problem; Hello, I am designing a system to include multiple laptops connected to a Server via an EAP-TLS capable Access Point. So I want to configure the... Discussion in 'AntiVirus, Firewalls and System Security' started by Pradeep J, Oct 17, 2018.

  1. Pradeep J Win User

    Single Certificate for multiple client devices for an EAP-TLS system


    Hello,


    I am designing a system to include multiple laptops connected to a Server via an EAP-TLS capable Access Point.

    So I want to configure the system for EAP-TLS WAP security.

    There are a couple of use cases in the requirements where having unique certificates in the laptops is very inconvenient and problematic.

    Can someone please tell me if it's at all possible to put a single certificate on all of the client machines? I understand that this is a little less secure but happy to live with it.


    The client devices will have Windows 10 and the Server Windows Server 2016.


    Hope someone can help.

    Thank you

    Pradeep

    :)
     
    Pradeep J, Oct 17, 2018
    #1

  2. WPA2 Enterprise EAP-TLS machine/device certificate authentication problem with Windows 10 client

    Hi,

    I am trying to use pfSense to support EAP-TLS with WPA2-Enterprise (machine/device authentication, not user authentication) for wireless clients using FreeRADIUS and the pfSense CA on my existing working pfSense server. I believe I have implemented the configuration correctly using a range of documentation and guides, but my initial testing with a standalone Windows 10 client is not going well. I'd really appreciate any advice on where I am going wrong, which I think is most likely certificate related. I have summarised below the steps I have followed, the important bits of configuration and, importantly, the Windows event log error entry:

    Main components:

    pfSense (2.4.3)

    Freeradius 3 package

    pfSense Certificate Authority

    Cisco enterprise access point

    Windows 10 Professional client (standalone not domain)

    Configuration Process:

    1. Existing pfSense router - Added FreeRadius3 package

    2. Created a new pfSense CA

    - 2048bit

    - sha256

    - common name: internalRootCA

    3. Created a new certificate for freeradius

    - 2048bit

    - sha256

    - common name: radius.domain.local

    (I went with this naming convention to support a future move to an internal domain - was this an incorrect decision ? I've replaced the real domain name with domain.local for the purpose of this internet post)

    4. Created a new certificate for the Windows 10 Professional Client

    - 2048bit

    - sha256

    - common name: client001

    5. Freeradius configuration:

    - NAS/Clients

    - Added an entry for the Cisco Enterprise Wireless Access Point

    - Shared secret etc

    - Most settings left default

    - Interface

    - Created a new interface for the Cisco Enterprise Wireless Access point to use

    - Most settings left default (Type - Authentication, Port 1812 etc)

    - Settings

    - Left default

    - EAP

    - Disable weak EAP types - Yes

    - Default EAP type - TLS

    - Ignore Unknown EAP Types - Yes

    - Certificates for TLS:

    - SSL CA Cert - internalRootCA selected

    - SSL Revocation List - internalRootCA Revocation List selected

    - SSL Server Certificate - radius.domain.local certificate selected

    - EAP-TLS

    - Left default

    - All other settings default

    - Users

    - None/Blank

    6. Configured the Cisco Enterprise wireless access point to use the FreeRADIUS server with the shared secret and created an SSID with WPA2 Enterprise.

    7. Exported the CA root certificate and imported into 'Trusted Root CA store' on the Windows 10 Client.

    - I also created a certificate from this CA for the pfSense web interface using this root CA and tested that the Windows 10 client is successfully trusting the root CA certificate i.e. no certificate trust errors in the web browser when accessing the web interface.

    8. Exported the Windows 10 Desktop Client certificate and imported it into the 'Certificates - Local Computer - Personal Store'

    I have checked the Microsoft 'Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS' document and believe the configuration and details in the certificates meet these requirements. The only requirement I was unsure of was:

    - 'The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user'.

    - I want to do device/machine based EAP-TLS authentication, therefore with no 'user' involvement. I believe Apple iOS devices may do this slightly differently and supply certificates in a user context, which may require further configuration, but for now I'm focussing on Windows 10 device/machine authentication.

    (https://support.microsoft.com/en-gb...nts-when-you-use-eap-tls-or-peap-with-eap-tls)

    9. Windows 10 Wireless network configuration

    - Created a manual wireless network profile

    - New SSID

    - WPA2 Enterprise

    - Authentication Type - Smart Card or other certificate

    - Use a certificate on this computer - Use simple certificate selection

    - Validate the server's identity by validating the certificate with the 'pfSense internalRootCA' certificate selected

    - Advanced Settings - 802.1x settings

    - Specify authentication mode - Computer Authentication Only

    Testing results:

    - When the Windows 10 client attempts to connect there are no errors/entries in the pfSense FreeRADIUS logs; there are no entries to show any attempted authentication request. The Cisco Wireless Access Point shows the initial wireless client association but shortly afterwards a disassociation. Finally, the Windows 10 event log has the error below. My current assumption is that Windows is either expecting a different client certificate to use to authenticate, is not happy with the client certificate I have created, or for some reason is ignoring the client configuration to do 'Computer Authentication only' and not finding a certificate in the 'user' store.

    Windows 10 Professional Event Log - WLAN-Autoconfig Failure entry when attempting to connect to the wireless network.

    <Log START>

    Wireless 802.1x authentication failed.

    Network Adapter: Network Controller

    Interface GUID: {xxxxxx}

    Local MAC Address: xx:xx:xx:xx:xx:xx

    Network SSID: [NEW WPA2 Enterprise SSID]

    BSS Type: Infrastructure

    Peer MAC Address: xx:xx:xx:xx:xx:xx

    Identity: host/client001

    User:

    Domain:

    Reason: Explicit Eap failure received

    Error: 0x40420110

    EAP Reason: 0x40420110

    EAP Root cause String: Network authentication failed due to a problem with the user account

    EAP Error: 0x40420110

    <Log END>

    I hope all the above information is useful and really appreciate any advice on what is going wrong.

    Thanks,

    Stuart.
     
    -StuartUK-, Oct 17, 2018
    #2
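A diagnostic added here (not from any poster in the thread) for the situation Stuart describes: it lists every certificate in the Local Computer Personal store and checks the properties the Windows EAP-TLS supplicant needs before it will offer one for computer authentication, namely a usable private key, the Client Authentication EKU, a chain that builds to a root in the machine's Trusted Root store, and a current validity period. It assumes the client certificate and the CA root were imported into the Local Computer stores as in steps 7 and 8; revocation checking is switched off so the check works offline.

```powershell
# Added diagnostic, not from the thread: check each machine-store certificate
# against the EAP-TLS client certificate requirements.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-EapTlsMachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Extended Key Usage must include Client Authentication.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $false
    if ($ekuExt) {
        $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    }

    # Subject Alternative Name (OID 2.5.29.17), shown so the identity used can be compared
    # with what the RADIUS server expects; for machine auth this is typically a DNS name.
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

    # Build the chain against the machine Trusted Root store. Revocation is skipped here
    # because the point is to see whether the root was imported to the right store.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $notExpired = $Cert.NotAfter -gt (Get-Date) -and $Cert.NotBefore -le (Get-Date)

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEKU = $hasClientAuth
        SAN           = $san
        NotAfter      = $Cert.NotAfter
        ChainBuilds   = $chainOk
        ChainStatus   = if ($chainStatus) { $chainStatus } else { 'OK' }
        # A certificate failing any of these will not be selected by the supplicant.
        Usable        = $Cert.HasPrivateKey -and $hasClientAuth -and $chainOk -and $notExpired
    }
}

# Cert:\LocalMachine\My is the 'Certificates - Local Computer - Personal' store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapTlsMachineCert -Cert $_ } |
    Format-List
```

If no entry reports Usable = True, the first False field points at the import or issuance step to revisit; a ChainStatus of UntrustedRoot usually means the CA root landed in the user's store rather than the Local Computer Trusted Root store.
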
  3. elnaor Win User
    How to install EAP-TLS certificate?

    Hi all... again!



    I managed to import the certificate to the phone.



    But it puts the certificate in the "Trusted Site Certificates"... I need to put it in the "Personal Certificates" so I can use it for the WLAN EAP-TLS configuration...



    Any suggestions?
     
    elnaor, Oct 17, 2018
    #3
  4. Configuring EAP-TLS on Windows client (Wired)

    Hello,

    I am attempting to configure Windows clients to authenticate as the machine with a computer certificate. The Mac clients authenticate just fine but Windows clients just time out. I have been up and down the config of our switches and the NPS server and still can't seem to find a solution. I see 'Onex Auth Timeout' in the Wired AutoConfig log on the client, and on the NPS server I see it is hitting the server in the log in C:\Windows\System32\LogFiles but not in the Event Viewer. I have no idea what I am doing wrong. EAP-MSCHAP-V2 works fine but I want to use EAP-TLS.

    Thanks!
     
    Joshua D. Miller, Oct 17, 2018
    #4