rss logo

Implementing WPA Enterprise (802.1X and RADIUS) with EAP-TLS on UniFi WiFi Access Points

WiFi Logo

I've demonstrated how to set up a WPA Enterprise architecture with PEAP-MSCHAPv2. You can find the tutorial here. However, as mentioned in the article, while it's relatively simple to configure, it may not be the most secure way to protect your WiFi. If security is a priority for you or your company, I highly recommend using EAP-TLS instead. And the good news is that's precisely what I'll be discussing here!

In this guide, we will learn how to implement WPA Enterprise access using the most secure protocol for WiFi connections: EAP-TLS.

We will focus on setting up an architecture oriented towards Microsoft and Ubiquiti. As EAP-TLS relies on a PKI, it requires a Certificate Authority (CA). Therefore, we will also configure Active Directory Certificate Services (AD CS) to distribute certificates to both Supplicants and the Authentication Server, which will be a NPS server (RADIUS server from Microsoft).

Network diagram showing EAP-TLS and RADIUS frames exchanged between a WiFi supplicant, an authenticator and a RADIUS server

Active Directory Certificate Services

The Active Directory Certificate Services (AD CS) enables the issuance and management of public key infrastructure (PKI) certificates. In this setup, it will facilitate the provision of certificates that will allow each user in an Active Directory to authenticate securely.

Installing the AD CS Role

We have two options for installing the AD CS role: using PowerShell or the Graphical User Interface.

PowerShell

  • For a quick installation using PowerShell, run the following command:
PS C:\Users\administrator.STD> Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

Graphical User Interface (GUI)

  • Using the Server Manager dashboard, navigate to Add Roles and Features:
Windows Server | Server Manager Dashboard - Add Roles and Features
  • Click Next:
Before you begin window from add roles and feature wizard
  • Select Role-based or feature-based installation On the Installation Type menu then click Next:
Screenshot of the Installation Type menu during the Role-based or feature-based
  • Select your AD CS server and click Next:
FenĂȘtre Windows d'installation de roles lors de l'Ă©tape de selection du serveur
  • Check the Active Directory Certificate Services box and click Next:
Windows role installation window when adding the Active Directory Certificate Services role
  • Click Next on the Features menu:
Windows installation window for roles in the add functionality stage
  • Read the Active Directory Certificate Services description if you want, then click Next:
Windows role installation window in the step describing the ADCS role
  • Check the Certificate Authority box and click Next:
Windows role installation window when adding the service role: certification authority
  • Check the Restart destination server box to allow it to restart if needed, then click Install:
Windows installation window for roles at the installation confirmation stage, with the reboot checkbox ticked.
  • Open the Server Manager dashboard and navigate to the Post-deployment Configuration:
post-deployment popup for a role on a windows server
  • Change Default credentials if you want, then click Next:
Windows window for ADCS role configuration when specifying the user account to configure this role
  • Select Certificate Authority role and click Next to continue:
Screenshot of selecting the Certificate Authority role during the installation in the Ubiquiti Wi-Fi EAP-TLS setup
  • Choose Enterprise CA and click Next:
Windows window of ADCS role configuration when choosing CA installation type (here Enterprise CA is checked).
  • Select Root CA:
Windows window of ADCS role configuration when choosing CA installation type (here Root CA is checked).
  • We create a brand new private key:
Windows window for ADCS role configuration when choosing the private key type
  • Choose proper cryptographic options:
Windows window of ADCS role configuration when setting key size and cryptographic algorithm
  • Specify the name of the CA:
Windows window of the ADCS role configuration when setting the CA name
  • Specify the valid period for the certificate, 10 years seems to be good, given that we'll probably all be dead by then:
Windows window of ADCS role configuration when setting certificate validity period
  • Specify the database locations:
FenĂȘtre Windows de la configuration du role ADCS lors de la configuration de l'emplacement des base de donnĂ©es
  • Check the global configuration and click Configure to run the configuration:
FenĂȘtre Windows de la configuration du role ADCS lors de l'Ă©tape de confirmation
  • Once the Configuration succeeded click Close:
Windows window of ADCS role configuration upon confirmation of successful role installation

Configuring the AD CS Role

From the ADCS server, we need to create two certificate templates: one for the Authentication Server (NPS), which will allow to generate a Computer certificate, and another for the Supplicants, which will allow the Domain Users to authenticate.

  • Open the Certification Authority management console:
windows program execution window with certsrv.msc filled in
  • Go to the Certification Templates menu and delete templates that you don't need (in my case, I deleted everything as I just need it for the EAP-TLS authentication):
ADCS configuration tool windows when deleting certificate creation templates

Create The Certificates Template

  • Open the Certificate Templates Console by right-clicking the Certificate Templates folder and selecting Manage:
windows window of the ADCS service configuration tool, right-clicking on the certificate templates folder
Authentication Users Certificates Template (For Supplicants)
  • Do a right-click on User template and select Duplicate Template:
windows for certificate template management when duplicating a user template
  • Optional, but if you have a recent architecture, set the most recent systems in the Compatibility Settings:
compatibility tab in the windows properties window of a new model
  • Give a name to the Template:
general tab in the windows properties window of a new model
  • Upgrade the key size:
cryptography tab in the windows properties window of a new model
  • To enable automatic deployment of the certificates via GPO, check the Autoenroll box for Domain Users:
security tab in the windows properties window of a new model
  • Please note that the E-mail name is required for AD users who will request certificates. This means an email address should be entered in the user field of the Active Directory:
correspondence between the window properties of a new template, Subject Name tab, and the window properties of an active directory user

Finally, click OK to create the template.

  • From the Certification Authority management console, right-click on Certificate Templates and select Certificate Template to Issue:
windows of the ADCS configuration tool when requesting the creation of a new certificate model to be issued
  • Select the previously created template EAP-TLS:
windows when selecting an ADCS certificate model
  • The EAP-TLS template should appear inside the Certificate Templates folder:
windows window of the ADCS service configuration tool with only the EAP-TLS model in the certificate model folder
Authentication Server Certificates Template (For NPS Server)
  • Open the Certificate Templates Console by right-clicking on the Certificate Templates folder and selecting Manage:
Screenshot of opening the Certificate Templates Console
  • Right-click on Computer template and select Duplicate Template:
Screenshot of duplicating the Computer template
  • Optional, but if you have a recent architecture, set the most recent systems in the Compatibility Settings:
Screenshot of setting Compatibility Settings
  • Provide a name for the Template:
Screenshot of providing a name for the Template
  • Optional, you can upgrade the key size to improve security:
Screenshot of upgrading the key size
  • To enable automatic deployment of the certificates via GPO, check the Autoenroll box for Domain Computers:
security tab in the windows properties window of a new certificate model

Finally, click OK to create the template.

  • From the Certification Authority management console, right-click on Certificate Templates and select Certificate Template to Issue:
windows of the ADCS service configuration tool when adding a new certificate model for distribution
  • Select the previously created template NPS:
fenĂȘtre windows de sĂ©lection de modĂšle de certificat
  • The NPS template should appear inside the Certificate Templates folder:
ADCS service configuration tool window with only EAP-TLS and NPS templates in certificate template folder

Authentication Server (NPS)

Installing the NPS Role

We have two options for installing the NPS role: using PowerShell or the Graphical User Interface.

PowerShell

  • For a quick installation using PowerShell, run the following command:
PS C:\Users\administrator.STD> Install-WindowsFeature NPAS -Restart -IncludeManagementTools

Graphical User Interface (GUI)

  • Using the Server Manager dashboard, navigate to Add Roles and Features:
Windows Server | Server Manager Dashboard - Add Roles and Features
  • Select Role-based or feature-based installation:
Add Roles and Features | Select installation type
  • Select the server:
Add Roles and Features | Select destination server
  • Select the Network Policy Server role:
Add Roles and Features | Select server roles
  • Just click Next:
Add Roles and Features | Select features
  • Check Restart destination server and click on Install:
Add Roles and Features | Confirm installation selections

Certificate Distribution for the NPS Server

With the AD CS correctly configured we can request a computer certificate from the NPS server.

Manually through the Certificate Management Console

  • From the NPS server, open the Certificate Management Console for the current computer:
Screenshot of opening the Certificate Management Console
  • Right-click on the Personal folder and select Request New Certificate…:
Screenshot of the request for a new certificate
  • Click Next to start the certificate enrollment process:
Screenshot of the certificate enrolment process
  • Select the Active Directory Enrollment Policy and click Next to continue:
Screenshot of Active Directory enrollment strategy selection
  • Select the previously set NPS Policy and click Enroll:
Screenshot of NPS strategy selection for enrolment
  • Simply click Finish once the enrollment process is over:
Screenshot of the end of the certificate enrolment process
  • After clicking Refresh, you should see your Computer certificate appear:
Screenshot of computer certificate display after enrolment

Automatically through Group Policy (GPO)

In order to automate the process of certificate renewal, we can create a GPO.

  • Go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and edit the Certificate Services Client - Auto-Enrollment policy:
Screenshot of editing the Certificate Services Client - Auto-Enrollment policy
  • Enable the Configuration Model and check the boxes to enable the automation of certificate renewal:
Screenshot of enabling Configuration Model and automating certificate renewal
  • Do a gpupdate to get a certificate:
C:\> gpupdate

Configure NPS

  • Open the Network Policy Server Console:
Windows Run window with 'nps.msc' in the Open field

Declare Access Point as RADIUS Clients

  • Navigate to NPS > RADIUS Clients and Servers > RADIUS Client and click on New:
Screenshot of adding a new RADIUS Client in the NPS setup
  • For each Access Point, provide a Name, set the IP address, and create a strong password (use the same one for every Access Point):
Screenshot of configuring RADIUS Client settings with Name, IP address, and password
  • You should see all Access Point previously added in the RADIUS Clients folder:
Screenshot of viewing all previously added Access Points in the RADIUS Clients folder

Create a Network Policy

Now we need to create a Network Policy where we will define which group of users will be able to connect and the protocols used.

  • Click New in the Network Policies folder:
Screenshot of adding a new Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Give a name to the Policy:
Screenshot of naming the Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Click Add to specify the condition:
Screenshot of adding a condition to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Select User Groups, and click Add Groups…:
Screenshot of selecting User Groups and adding groups to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Add an Active Directory group of users, such as Domain Users:
Screenshot of adding an Active Directory group to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Click Next:
Screenshot of proceeding to the next step in the Network Policy setup
  • Select Access granted:
Screenshot of selecting Access granted in the Network Policy setup
  • Choose Microsoft: Smart Card or other certificate as EAP type and edit the configuration:
Screenshot of selecting Microsoft: Smart Card or other certificate as EAP type in the Ubiquiti Wi-Fi EAP-TLS setup
  • Select the newly deployed certificate:
Screenshot of selecting the newly deployed certificate in the Ubiquiti Wi-Fi EAP-TLS setup
  • Click Next:
Screenshot of proceeding to the next step in the Network Policy setup
  • Click Next:
Screenshot of proceeding to the next step in the Network Policy setup
  • Finally, click Finish to create the Policy:
Screenshot of clicking Finish to create the Policy in the Ubiquiti Wi-Fi EAP-TLS setup

UniFi Network Server

We now need to configure our UniFi Network Server to integrate the RADIUS (NPS) server.

  • Go to the Profiles menu and create a new RADIUS profile:
Creating a new RADIUS profile from the Unifi Server Web interface
  • Click on Create New:
Add a new RADIUS server from the Unifi Server Web interface
  • Give a Name to the RADIUS profile and add the NPS server IP address for the Authentication Server and the RADIUS Accounting Server. Don't forget to add the password previously set on the NPS server, set the ports, and then click the Add buttons to validate the configuration:
RADIUS profile parameters for the Unifi Server Web interface with the authentication and accounting server
  • Now, go to the WiFi menu, and either add a new WiFi profile or modify an existing one:
WiFi settings page of the Unifi Server Web interface
  • Set the Security Protocol and the RADIUS Profile:
Advanced WiFi settings from the Unifi Server Web interface

Supplicant (Windows Stations)

Now we will see how the supplicants will obtain the certificate they will use for authentication.

Supplicant Certificate Distribution

Manually through the Certificate Management Console

  • Open the Certificate Management Console for the current user on the Supplicant machine:
Screenshot of opening the Certificate Management Console for the current user on the Supplicant machine
  • Do a right-click on Personal and select Request New Certificate…:
Screenshot of right-clicking on Personal and selecting Request New Certificate in the Certificate Management Console
  • Click Next to start the certificate enrollment process:
Screenshot of clicking Next to start the certificate enrollment process
  • Select the Active Directory Enrollment Policy and click Next to continue:
Screenshot of selecting the Active Directory Enrollment Policy and clicking Next to continue the certificate enrollment process
  • Select the EAP-TLS Policy that we previously set and click Enroll:
Screenshot of selecting the EAP-TLS Policy and clicking Enroll to continue the certificate enrollment process
  • Simply click Finish once the enrollment process is over:
Screenshot of clicking Finish to complete the certificate enrollment process
  • After refreshing, you should see your Client Authentication certificate:
Screenshot of the Client Authentication certificate after refreshing the Certificate Management Console

Automatically through Group Policy (GPO)

  • Go to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and edit the Certificate Services Client - Auto-Enrollment policy:
Screenshot of navigating to Certificate Services Client - Auto-Enrollment policy in Group Policy
  • Enable the Configuration Model and check the boxes to enable the automation of renewing certificates:
Screenshot of enabling Configuration Model and checking the boxes for automation in Group Policy
  • Do a gpupdate to get a certificate:
C:\> gpupdate

The supplicants can now connect to the WPA Enterprise WiFi Access using EAP-TLS.

References

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :

contact mail address