Sunday, 1 January 2017

Network Policy Server SSL Cert Update

The SSL certificate is used to validate the identity of the server. We can also use a certificate from the local CA, but before doing so we need to make sure the root certificate is installed on every device that connects to the wireless network through the NPS server.


We can install two types of SSL certificate:
  1. Wildcard SSL certificate (*.domain.com)
  2. Single Name certificate (radius.domain.com)

A wildcard certificate can be used to validate the identity of the server, but it has one limitation: it will not work with Windows 7, Vista, XP and other legacy operating systems. It works fine with Windows 8, 8.1, 10 and mobile operating systems such as iOS and Android. This happens because the legacy OS will not trust CAs that do not exist in its NTAuth store, and those machines will not connect to an SSID they cannot validate. Ultimately, if you do not control the computer, you cannot change the NTAuth store on it.

So it is better to use a Single Name certificate, because it is supported by all operating systems.


So first generate a CSR from your RADIUS server. The steps to do that are below:
Fill in the certificate properties mentioned below.
Once you click Finish, the CSR file will be generated.
Upload your CSR file to your certification provider and then wait for the certificate.
Once the CSR is generated, upload it to the SSL certificate provider's website and download the issued certificate.


Install the certificate on the NPS (RADIUS) server.
Open the Network Policy Server administrative console.
Go to Policies -> Network Policies -> Wireless Connections
Double-click on it.
Select Microsoft PEAP and click Edit.
Select the certificate you installed.
Click OK, then stop and start the NPS service so the new certificate is picked up.
Note: remember that the certificate is installed together with its private key only on the server from which the CSR was generated. If you have more than one server on which you need to install the certificate, first install it on the server that generated the CSR, then export it as a .pfx file with the private key (make sure the private key is exportable), and install that .pfx on the other servers.
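The following PowerShell script is an added example and not part of the original post. It checks that the installed certificate meets what NPS needs for PEAP (private key present, Server Authentication EKU, chain validates, single name rather than wildcard), exports it as a .pfx for the other NPS servers, and restarts the NPS service. It assumes the certificate subject is radius.domain.com (a placeholder) and that it runs elevated on the server where the CSR was generated.

```powershell
# Added example (not from the original post). Assumptions: $Fqdn and $PfxPath
# are placeholders; run elevated on the server that generated the CSR.
$Fqdn    = 'radius.domain.com'
$PfxPath = 'C:\Temp\nps-cert.pfx'
$PfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# Find the newest certificate in the machine store whose subject matches the FQDN.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for $Fqdn found in LocalMachine\My" }

# A PEAP server certificate must carry its private key on this server.
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key; install it on the CSR server first.'
}

# It must have the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid)) {
    throw 'Certificate lacks the Server Authentication EKU.'
}

# Warn on a wildcard subject, since legacy Windows clients may reject it.
if ($cert.Subject -match '^CN=\*') {
    Write-Warning 'Wildcard certificate: Windows 7/Vista/XP clients may not connect.'
}

# Confirm the chain builds to a trusted root on this machine.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    throw ('Chain does not validate: ' + ($chain.ChainStatus.StatusInformation -join '; '))
}

# Export with the private key for the other NPS servers (key must be exportable).
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPass | Out-Null
Write-Host "Exported $($cert.Thumbprint) to $PfxPath"

# On each additional server, import the .pfx into the machine store, e.g.:
#   Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPass

# Restart NPS (service name IAS) so the new certificate is used.
Restart-Service -Name IAS
```

Protect the exported .pfx as you would the private key itself; delete it from disk once it has been imported on the other servers.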

1 comment:

  1. I am grateful for this blog for distributing knowledge about this significant topic. Here I found different segments and now I am going to use these new instructions with new enthusiasm. HPE LTO Ultrium 6250 Tape Drive