Windows 7 / Networking

PKI

To authenticate wireless connections with PEAP-TLS or EAP-TLS, a PKI must be in place to issue computer or user certificates to wireless clients and computer certificates to the RADIUS (NPS) servers. PEAP-MS-CHAP v2 does not require certificates on the wireless clients, so you do not need your own PKI for it; the NPS servers still need a computer certificate, which you can purchase from a third-party CA instead of issuing it yourself. If you do, you might also need to distribute the root CA certificate of that third-party CA to your wireless client computers so that they can validate the NPS server certificate.

PKI for Smart Cards

The use of smart cards for user authentication is the strongest form of user authentication in Windows. For wireless connections, you can use smart cards with the EAP-TLS or PEAP-TLS authentication method. The individual smart cards are distributed to users who have a computer with a smart card reader. To log on to the computer, the user inserts the smart card into the reader and types the smart card personal identification number (PIN). When the user attempts to make a wireless connection, the certificate on the smart card is presented during the connection negotiation; the private key never leaves the card, which performs the signing operation itself, so authentication requires both possession of the card and knowledge of the PIN.

PKI for User Certificates

User certificates stored in the user's certificate store in the Windows registry can be used in place of smart cards, but they are a weaker form of authentication. With smart cards, the user certificate presented during authentication is available only when the user possesses the smart card and knows its PIN. With registry-stored user certificates, the certificate and its private key become available to anyone who logs on to the computer with the user's domain user name and password, so the strength of the authentication is bounded by the strength of that password. As with smart cards, authentication using user certificates for wireless connections uses the EAP-TLS or PEAP-TLS authentication methods.

To deploy user certificates in your organization, first deploy a PKI, then install a user certificate for each user. The easiest way to accomplish this is to install Active Directory Certificate Services (AD CS) as an enterprise CA and configure Group Policy settings for user certificate autoenrollment.

When the wireless client attempts user-level authentication for a wireless connection, the wireless client computer sends the user certificate during the authentication process.

PKI for Computer Certificates

Computer certificates are stored in the computer's certificate store in the Windows registry and are used for computer-level authentication for wireless access with the EAP-TLS or PEAP-TLS authentication methods. Computer-level authentication takes place before any user logs on, which lets a domain-joined computer reach the domain for Group Policy processing and logon scripts over the wireless connection. To deploy computer certificates in your organization, first deploy a PKI, then install a computer certificate for each computer. The easiest way to accomplish this is to install Active Directory Certificate Services (AD CS) as an enterprise CA and configure Group Policy settings for computer certificate autoenrollment.

When the wireless client attempts computer-level authentication for a wireless connection, the wireless client computer sends the computer certificate during the authentication process.
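The autoenrollment deployment described in this section and the preceding one leaves two traces on a client: the Auto-Enrollment policy in the registry and the enrolled certificates in the machine and user stores. The following PowerShell script, added here as an example and not taken from the original page, checks both on a Windows 7 client. It assumes the AEPolicy value and bit meanings written by the Certificate Services Client - Auto-Enrollment Group Policy setting, and uses certutil -pulse to trigger the enrollment task instead of waiting for the next policy refresh.

```powershell
# Added example (not from the original page): report whether certificate autoenrollment
# policy has reached this client and which enrolled certificates it produced.
# Assumed: the AEPolicy bit values are those the Auto-Enrollment GPO setting writes
# (0x1 enabled, 0x2 renew/remove, 0x4 update templates, 0x8000 disabled).

function Get-AutoEnrollmentPolicy {
    param([ValidateSet('Machine','User')][string]$Scope = 'Machine')
    $hive = if ($Scope -eq 'Machine') { 'HKLM' } else { 'HKCU' }
    $key  = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $value = $null
    if (Test-Path $key) {
        $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    }
    if ($null -eq $value) { $state = 'Not configured (policy has not been applied here)' }
    elseif ($value -band 0x8000) { $state = 'Disabled' }
    else {
        $parts = @('Enabled')
        if ($value -band 0x2) { $parts += 'renews expired / removes revoked certificates' }
        if ($value -band 0x4) { $parts += 'updates certificates that use modified templates' }
        $state = $parts -join '; '
    }
    New-Object PSObject -Property @{ Scope = $Scope; AEPolicy = $value; State = $state }
}

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v1 templates carry the template name in OID 1.3.6.1.4.1.311.20.2;
    # v2 templates carry a template OID plus version in OID 1.3.6.1.4.1.311.21.7.
    foreach ($oid in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return $ext.Format($false) }
    }
    return $null
}

function Get-EnrolledCertificates {
    param([ValidateSet('Machine','User')][string]$Scope = 'Machine')
    $store = if ($Scope -eq 'Machine') { 'Cert:\LocalMachine\My' } else { 'Cert:\CurrentUser\My' }
    Get-ChildItem $store | ForEach-Object {
        New-Object PSObject -Property @{
            Subject  = $_.Subject
            Template = (Get-TemplateName $_)
            NotAfter = $_.NotAfter
            HasKey   = $_.HasPrivateKey
        }
    }
}

# Refresh computer policy and fire the autoenrollment task now rather than at the next refresh.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

foreach ($scope in 'Machine', 'User') {
    Get-AutoEnrollmentPolicy -Scope $scope | Format-List
    Get-EnrolledCertificates -Scope $scope | Format-Table -AutoSize
}
```

A certificate listed without a template name was not issued by autoenrollment (for example, a manually imported third-party certificate); a certificate listed with HasKey false cannot be used for EAP-TLS at all.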

Requirements for PKI

Requirements for PKI for a protected wireless network are the following:

  • For computer-level authentication with EAP-TLS or PEAP-TLS, you must install computer certificates, also known as machine certificates, on each wireless client. The computer certificates of the wireless clients must be valid and verifiable by the NPS servers; the NPS servers must have a root CA certificate for the CA that issued the computer certificates of the wireless client.
  • For user-level authentication with EAP-TLS or PEAP-TLS, you must use a smart card or you must install a user certificate on each wireless client.
    The smart card or user certificates of the wireless clients must be valid and verifiable by the NPS servers; the NPS servers must have the root CA certificates of the issuing CAs of the smart card or user certificates of the wireless clients.
  • You must install the root CA certificate of the issuing CA of the NPS server computer certificates on each wireless client.
    The computer certificates of the NPS servers must be valid and verifiable by each wireless client; the wireless clients must have the root CA certificate of the CA that issued the computer certificates of the NPS servers.
  • For EAP-TLS authentication, the requirements for the user certificate, smart card certificate, or computer certificate of the wireless client are as follows:
    1. The certificate must contain a private key.
    2. The certificate must be issued by an enterprise CA or mapped to a user or computer account in Active Directory.
    3. The certificate must be chained to a trusted root CA on the NPS server and must not fail any of the checks that are performed by CryptoAPI and specified in the network policy for wireless connections.
    4. The certificate must be configured with the Client Authentication purpose in the Enhanced Key Usage field (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2).
    5. The Subject Alternative Name field must contain the user principal name (UPN) of the user account for user and smart card certificates, or the fully qualified domain name (FQDN) of the computer account for computer certificates.
  • For EAP-TLS authentication, the requirements for the computer certificate of the NPS server are as follows:
    1. The certificate must contain a private key.
    2. The Subject field must contain a value.
    3. The certificate must be chained to a trusted root CA on the wireless clients and must not fail any of the checks that are performed by CryptoAPI and specified in the network policy for wireless connections.
    4. The certificate must be configured with the Server Authentication purpose in the Enhanced Key Usage field (the object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1).
    5. The certificate must be configured with a required cryptographic service provider (CSP) value of Microsoft RSA SChannel Cryptographic provider.
    6. The Subject Alternative Name field of the certificate, if used, must contain the DNS name of the NPS server.
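As an added example, not part of the original page, the following PowerShell function checks a certificate from the local store against the two requirement lists above: private key present, non-empty Subject for the NPS certificate, chain to a trusted root with revocation checking, the Client Authentication or Server Authentication EKU OID named on the page, a UPN or DNS name in the Subject Alternative Name, and the Microsoft RSA SChannel CSP for the NPS certificate. The role names, the 'Principal Name=' and 'DNS Name=' strings it expects in CryptoAPI's formatted SAN output, and the online revocation mode are assumptions of this example.

```powershell
# Added example (not from the original page): test a certificate against the EAP-TLS
# requirements for wireless clients and NPS servers. Assumed: role names, the SAN text
# produced by X509Extension.Format(), and online revocation checking.

function Test-EapCertificate {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory=$true)]
        [ValidateSet('User','Computer','NpsServer')][string]$Role
    )
    $problems = @()

    # 1. A private key must be present (a public-key-only import cannot authenticate).
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # 2. The NPS server certificate must have a non-empty Subject.
    if ($Role -eq 'NpsServer' -and [string]::IsNullOrEmpty($Cert.Subject)) { $problems += 'empty Subject' }

    # 3. The chain must build to a trusted root and pass CryptoAPI's checks, revocation included.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($Cert)) {
        $problems += ('chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','))
    }

    # 4. Enhanced Key Usage: Client Authentication for clients, Server Authentication for NPS.
    $needOid = if ($Role -eq 'NpsServer') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $needOid) { $problems += "EKU lacks $needOid" }

    # 5. Subject Alternative Name: UPN for user/smart card certificates, DNS name (FQDN) for
    #    computer certificates, DNS name of the server for the NPS certificate if a SAN is present.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    switch ($Role) {
        'User'      { if ($sanText -notmatch 'Principal Name=') { $problems += 'SAN has no UPN' } }
        'Computer'  { if ($sanText -notmatch 'DNS Name=') { $problems += 'SAN has no DNS name' } }
        'NpsServer' { if ($san -and $sanText -notmatch 'DNS Name=') { $problems += 'SAN present but has no DNS name' } }
    }

    # 6. The NPS server key must live in the Microsoft RSA SChannel Cryptographic Provider.
    if ($Role -eq 'NpsServer' -and $Cert.HasPrivateKey) {
        try {
            $csp = $Cert.PrivateKey.CspKeyContainerInfo.ProviderName
            if ($csp -ne 'Microsoft RSA SChannel Cryptographic Provider') { $problems += "CSP is '$csp'" }
        } catch {
            $problems += 'private key is not accessible through a CSP (CNG or no access)'
        }
    }

    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Role       = $Role
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Usage: run on the NPS server for its own certificate, and on a client for its certificates.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-EapCertificate -Cert $_ -Role NpsServer } | Format-List
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-EapCertificate -Cert $_ -Role Computer }  | Format-List
Get-ChildItem Cert:\CurrentUser\My  | ForEach-Object { Test-EapCertificate -Cert $_ -Role User }      | Format-List
```

Run the NPS check as an account that can read the private key; the chain check talks to the CRL distribution points in the certificate, so a failing chain on an isolated machine may mean an unreachable CRL rather than a bad certificate, and the ChainStatus text reported in Problems tells the two apart.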

Best Practices for PKI

Best practices for the PKI for protected wireless access are the following:

  • For computer certificates with EAP-TLS or PEAP-TLS, if you are using a Windows Server 2008 enterprise CA as an issuing CA, configure your Active Directory domain for autoenrollment of computer certificates using a Computer Configuration group policy. Each computer that is a member of the domain automatically requests a computer certificate when the Computer Configuration group policy is updated.
  • For registry-based user certificates for EAP-TLS or PEAP-TLS, if you are using a Windows Server 2008 enterprise CA as an issuing CA, use a User Configuration group policy to configure your Active Directory domain for autoenrollment of user certificates. Each user who successfully logs on to the domain automatically requests a user certificate when the User Configuration group policy is updated.
  • If you have purchased third-party computer certificates for your NPS servers for PEAP-MS-CHAP v2 authentication and the wireless clients do not have the root CA certificate of the issuing CA of the NPS server computer certificates installed, use a group policy to install the root CA certificate of the issuing CA of the NPS server computer certificates on your wireless clients. Each computer that is a member of the domain automatically receives and installs the root CA certificate when the Computer Configuration group policy is updated.
  • For EAP-TLS, PEAP-TLS, and PEAP-MS-CHAP v2 authentication, it is possible to configure the wireless clients so that they do not validate the certificate of the NPS server. If so, computer certificates on the NPS servers and their root CA certificates on wireless clients are not required. However, having the wireless clients validate the certificate of the NPS server is strongly recommended, because it is what makes the authentication mutual: without it, a rogue wireless AP with a spoofed authentication server can present any certificate and the client will complete the exchange with it. For PEAP-MS-CHAP v2 that hands the attacker the user's MS-CHAP v2 challenge/response, which can be attacked offline to recover the password. On Windows 7 clients, enable Validate server certificate in the PEAP or EAP-TLS properties, list the NPS server names under Connect to these servers, select only the issuing root CA under Trusted Root Certification Authorities, and select Do not prompt user to authorize new servers or trusted certification authorities so that users cannot approve an unknown server themselves.
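The two points above, distributing the root CA certificate and making the clients validate the NPS server certificate, can be audited on a Windows 7 client from its stored wireless profiles. The following PowerShell script is an added example and not part of the original page: it exports the profiles with netsh, reads the server-validation settings from the EAP configuration inside each profile, and confirms that the root CA thumbprint pinned in the profile is present in the machine's Trusted Root Certification Authorities store. It assumes the element names used by the Windows EAP host profile schema (PerformServerValidation, ServerNames, TrustedRootCA, DisableUserPromptForServerValidation) and looks them up without namespaces because the PEAP and EAP-TLS schemas place them in different namespaces.

```powershell
# Added example (not from the original page): audit exported 802.1X wireless profiles for
# server-certificate validation settings and check that the pinned root CA is installed.
# Assumed: netsh profile export, element names from the Windows EAP host profile schema.

$exportDir = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
# Exports one XML file per saved profile into the folder.
netsh wlan export profile folder="$exportDir" | Out-Null

function Get-NodeText([xml]$Doc, [string]$Name) {
    # Namespace-agnostic lookup so the same check works for PEAP and EAP-TLS profiles.
    $nodes = $Doc.SelectNodes("//*[local-name()='$Name']")
    if ($nodes.Count -gt 0) { return $nodes[0].InnerText.Trim() }
    return $null
}

function Test-WlanProfileServerValidation([string]$Path) {
    [xml]$doc = Get-Content -Path $Path
    # Profiles without EapHostConfig are PSK/open networks: nothing to validate.
    if ($doc.SelectNodes("//*[local-name()='EapHostConfig']").Count -eq 0) { return $null }
    $name = Get-NodeText $doc 'name'
    $findings = @()

    if ((Get-NodeText $doc 'PerformServerValidation') -ne 'true') {
        $findings += 'server certificate validation is not enabled (rogue AP / spoofed RADIUS risk)'
    }

    if ([string]::IsNullOrEmpty((Get-NodeText $doc 'ServerNames'))) {
        $findings += 'no ServerNames configured: any server with a certificate from a trusted CA is accepted'
    }

    # TrustedRootCA holds the root thumbprint as space-separated hex bytes.
    $rootHashes = @($doc.SelectNodes("//*[local-name()='TrustedRootCA']") |
        ForEach-Object { ($_.InnerText -replace '\s', '').ToUpper() } |
        Where-Object { $_ })
    if ($rootHashes.Count -eq 0) {
        $findings += 'no TrustedRootCA pinned: any root CA in the machine store is accepted'
    }
    foreach ($hash in $rootHashes) {
        if (-not (Test-Path "Cert:\LocalMachine\Root\$hash")) {
            $findings += "pinned root $hash is not in LocalMachine\Root; deploy it with Group Policy"
        }
    }

    if ((Get-NodeText $doc 'DisableUserPromptForServerValidation') -ne 'true') {
        $findings += 'users may be prompted to accept an unknown server or CA'
    }

    New-Object PSObject -Property @{ Profile = $name; Ok = ($findings.Count -eq 0); Findings = $findings }
}

Get-ChildItem $exportDir -Filter *.xml |
    ForEach-Object { Test-WlanProfileServerValidation $_.FullName } |
    Where-Object { $_ } |
    Format-List
```

A profile that reports Ok is one on which a rogue AP must present a certificate chaining to the pinned root CA and carrying one of the listed server names, which an attacker without that CA's signature cannot do; any finding listed is a setting that lets the client complete authentication against a spoofed server.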