Third Party Wildcard Certificates for use with Microsoft NPS / RADIUS / PEAP

windows-server-2008-r2 tls radius nps peap
15,104

I was unable to get a straight answer out of Microsoft, but all signs pointed to the certificate. I ended up purchasing a single domain SSL 2048-bit certificate that does Client and Server Authentication and installed it on the NPS server. Things returned to normal at this point.

Microsoft's implementation of PEAP/RADIUS/NPS apparently just doesn't play nice with Wildcard certificates, even though they don't list this constraint anywhere.

Edit:

After speaking with someone on the Microsoft PKI team, I was told that since our wildcard duplicates have a Subject Name of *.OurSchool.edu and not of the server, that the Windows clients will reject it when negotiating PEAP. The server is explicitly listed by FQDN in the Subject Alternative Name field of the certificate, but apparently that makes no difference.

The support engineer did confirm that there are issues with many wildcard certificates because of this. If you use a third party CA that will allow you to get duplicates of your wildcard with the Subject Name field of your NPS server and move the wildcard to the SAN, then it should work fine. We did not test this theory, so take it with a grain of salt.

Share:
15,104

Related videos on Youtube

MDMarra
Author by

MDMarra

Updated on September 18, 2022

Comments

  • MDMarra
    MDMarra almost 2 years

    I want to replace the SSL certificate that is used for PEAP on our NPS server that is doing RADIUS authentication for our Cisco WLCs. The current certificate is a SSL certificate that does Client Authentication and Server Authentication. We want to replace it with a wildcard that we use elsewhere in our domain to streamline management of our SSL certificates.

    I read the Microsoft document here that outlines the requirements for using a 3rd party certificate with PEAP. The wildcard that we are using meets all of them. Microsoft support has been unable to resolve this issue for two business days now and their only response is: "it must be a problem with the certificate," but they cannot tell me specifically what about it is wrong, since it meets all of those requirements.

    While my case is being escalated, I did some research and other people have had issues using 3rd party certificates with PEAP on an IAS/NPS server doing RADIUS. There has been no official response from Microsoft, as far as I can tell. Does anyone know for sure if a wildcard certificate can be used for PEAP?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Problem with network policy rule in Network Policy Server
NPS Policy doesn't to respect the "Control access through NPS Policy" user attribute
How to save event logs "Network Policy and Access Services" on NPS server
How do I configure NPS to allow connections from domain-joined computers only?
Authenticate Cisco ASA to Windows 2008 domain
NPS EAP authentication failing after Windows Update
802.1x auth without certificate on clients
Do I have to enable TLS 1.0 in windows 2008 R2?
Is it possible to configure ARR to make TLS 1.2 outgoing connections in Server 2008 R2?
802.1x PEAP GPO that trusts self-signed CA certificate