
Implementing WPA Enterprise (802.1X and RADIUS) with EAP-TLS on UniFi WiFi Access Points


I've already demonstrated how to set up a WPA Enterprise architecture with PEAP-MSCHAPv2; you can find that tutorial here. However, as mentioned in that article, while PEAP-MSCHAPv2 is relatively simple to configure, it may not be the most secure way to protect your WiFi. If security is a priority for you or your company, I highly recommend using EAP-TLS instead, and the good news is that this is precisely what I'll be discussing here!

In this guide, we will learn how to implement WPA Enterprise access using the most secure protocol for WiFi connections: EAP-TLS.

We will focus on setting up an architecture built on Microsoft and Ubiquiti products. As EAP-TLS relies on a PKI, it requires a Certificate Authority (CA). Therefore, we will also configure Active Directory Certificate Services (AD CS) to distribute certificates to both the Supplicants and the Authentication Server, which will be an NPS server (Microsoft's RADIUS server).

Network diagram showing EAP-TLS and RADIUS frames exchanged between a WiFi supplicant, an authenticator and a RADIUS server

Active Directory Certificate Services

Active Directory Certificate Services (AD CS) enables the issuance and management of public key infrastructure (PKI) certificates. In this setup, it issues the certificates that let each Active Directory user authenticate securely.

Installing the AD CS Role

We have two options for installing the AD CS role: using PowerShell or the Graphical User Interface.

PowerShell

  • For a quick installation using PowerShell, run the following command:
PS C:\Users\administrator.STD> Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

Graphical User Interface (GUI)

  • Using the Server Manager dashboard, navigate to Add Roles and Features:
  • Click Next on the Before you begin page:
  • Select Role-based or feature-based installation on the Installation Type page, then click Next:
  • Select your AD CS server and click Next:
  • Check the Active Directory Certificate Services box and click Next:
  • Click Next on the Features page:
  • Read the Active Directory Certificate Services description if you want, then click Next:
  • Check the Certificate Authority box and click Next:
  • Check the Restart destination server box to allow it to restart if needed, then click Install:
  • Back in the Server Manager dashboard, open the Post-deployment Configuration task:
  • Change the default credentials if you want, then click Next:
  • Select the Certificate Authority role and click Next to continue:
  • Choose Enterprise CA and click Next:
  • Select Root CA:
  • Create a new private key:
  • Choose appropriate cryptographic options:
  • Specify the name of the CA:
  • Specify the validity period of the CA certificate; 10 years seems to be good, given that we'll probably all be dead by then:
  • Specify the database locations:
  • Check the configuration summary and click Configure to run the configuration:
  • Once the configuration has succeeded, click Close:

Configuring the AD CS Role

From the AD CS server, we need to create two certificate templates: one for the Authentication Server (NPS), which will be used to issue a Computer certificate, and another for the Supplicants, which will allow the Domain Users to authenticate.

  • Open the Certification Authority management console:
  • Go to the Certificate Templates folder and delete the templates that you don't need (in my case, I deleted everything, as I just need it for EAP-TLS authentication):

Create the Certificate Templates

  • Open the Certificate Templates Console by right-clicking the Certificate Templates folder and selecting Manage:
Authentication Users Certificate Template (For Supplicants)
  • Right-click the User template and select Duplicate Template:
  • Optionally, if your environment is recent, set the most recent operating systems in the Compatibility Settings:
  • Give a name to the template:
  • Increase the key size:
  • To enable automatic deployment of the certificates via GPO, check the Autoenroll box for Domain Users:
  • Please note that the E-mail name is required for AD users who will request certificates: the User template includes the e-mail address in the certificate, so every user who enrolls must have an email address set in the E-mail field of their Active Directory account, otherwise enrollment fails:

Finally, click OK to create the template.

  • From the Certification Authority management console, right-click on Certificate Templates and select Certificate Template to Issue:
  • Select the previously created template EAP-TLS:
  • The EAP-TLS template should appear inside the Certificate Templates folder:
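Because the duplicated User template puts the E-mail name in the certificate, autoenrollment silently fails for any account whose Active Directory mail attribute is empty. The following PowerShell is an added example (not part of the original tutorial) that lists such accounts and, optionally, populates the field; it assumes the ActiveDirectory RSAT module is installed, and the mail domain passed to Set-MissingMail is a placeholder you must replace.

```powershell
# Added example, not part of the original tutorial: find Active Directory users who
# would fail to enroll the EAP-TLS template because their 'mail' attribute is empty.
# Assumes the ActiveDirectory RSAT module; 'example.invalid' below is a placeholder.
Import-Module ActiveDirectory

function Get-UserWithoutMail {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # Enabled user accounts (userAccountControl bit 2 = ACCOUNTDISABLE) with no mail value.
    Get-ADUser -SearchBase $SearchBase -Properties mail `
        -LDAPFilter '(&(!(mail=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' |
        Select-Object SamAccountName, UserPrincipalName, DistinguishedName
}

function Set-MissingMail {
    # Populate the E-mail field as <sAMAccountName>@<MailDomain>; -Preview only shows the changes.
    param([Parameter(Mandatory)][string]$MailDomain, [switch]$Preview)
    foreach ($u in Get-UserWithoutMail) {
        Set-ADUser -Identity $u.DistinguishedName `
            -EmailAddress "$($u.SamAccountName)@$MailDomain" -WhatIf:$Preview
    }
}

# Report first, then fix (drop -Preview once the list looks right).
Get-UserWithoutMail | Format-Table -AutoSize
Set-MissingMail -MailDomain 'example.invalid' -Preview
```

Run it before enabling autoenrollment; any account it lists will not receive a certificate until its E-mail field is filled in.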
Authentication Server Certificate Template (For NPS Server)
  • Open the Certificate Templates Console by right-clicking the Certificate Templates folder and selecting Manage:
  • Right-click the Computer template and select Duplicate Template:
  • Optionally, if your environment is recent, set the most recent operating systems in the Compatibility Settings:
  • Provide a name for the template:
  • Optionally, increase the key size to improve security:
  • To enable automatic deployment of the certificates via GPO, check the Autoenroll box for Domain Computers:

Finally, click OK to create the template.

  • From the Certification Authority management console, right-click on Certificate Templates and select Certificate Template to Issue:
  • Select the previously created template NPS:
  • The NPS template should appear inside the Certificate Templates folder:

Authentication Server (NPS)

Installing the NPS Role

We have two options for installing the NPS role: using PowerShell or the Graphical User Interface.

PowerShell

  • For a quick installation using PowerShell, run the following command:
PS C:\Users\administrator.STD> Install-WindowsFeature NPAS -Restart -IncludeManagementTools

Graphical User Interface (GUI)

  • Using the Server Manager dashboard, navigate to Add Roles and Features:
  • Select Role-based or feature-based installation:
  • Select the destination server:
  • Select the Network Policy Server role:
  • Click Next on the Features page:
  • Check Restart destination server and click Install:

Certificate Distribution for the NPS Server

With AD CS correctly configured, we can request a computer certificate from the NPS server.

Manually through the Certificate Management Console

  • From the NPS server, open the Certificate Management Console for the current computer:
  • Right-click on the Personal folder and select Request New Certificate…:
  • Click Next to start the certificate enrollment process:
  • Select the Active Directory Enrollment Policy and click Next to continue:
  • Select the NPS template that we previously created and click Enroll:
  • Simply click Finish once the enrollment process is over:
  • After clicking Refresh, you should see your Computer certificate appear:

Automatically through Group Policy (GPO)

To automate certificate enrollment and renewal, we can create a GPO.

  • Go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and edit the Certificate Services Client - Auto-Enrollment policy:
  • Set the Configuration Model to Enabled and check the boxes that automate certificate renewal:
  • Run gpupdate so the policy applies and the certificate is enrolled:
C:\> gpupdate

Configure NPS

  • Open the Network Policy Server console (Run: nps.msc):

Declare the Access Points as RADIUS Clients

  • Navigate to NPS > RADIUS Clients and Servers > RADIUS Clients and click New:
  • For each Access Point, provide a Name, set its IP address, and set a strong shared secret (use the same one for every Access Point):
  • All the Access Points you added should now appear in the RADIUS Clients folder:
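The same registration can be scripted on the NPS server. The following PowerShell is an added example (not part of the original tutorial): it generates one strong random shared secret and registers each Access Point as a RADIUS client with it, matching the single-secret approach above. The AP names and addresses are constructed; it assumes the NPS PowerShell module (Windows Server 2012 or later).

```powershell
# Added example, not part of the original tutorial: register UniFi Access Points as
# RADIUS clients from PowerShell instead of the NPS console. Run on the NPS server.
Import-Module NPS

# Constructed inventory of Access Points; replace with your own names and addresses.
$accessPoints = @(
    @{ Name = 'AP-Office-1';  Address = '192.0.2.11' },
    @{ Name = 'AP-Office-2';  Address = '192.0.2.12' },
    @{ Name = 'AP-Warehouse'; Address = '192.0.2.13' }
)

function New-RadiusSharedSecret {
    param([int]$Bytes = 24)
    # 24 CSPRNG bytes -> 32 base64 characters; never a hand-typed word.
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    [Convert]::ToBase64String($buf)
}

function Register-AccessPoints {
    param(
        [Parameter(Mandatory)][array]$Clients,
        [Parameter(Mandatory)][string]$SharedSecret
    )
    $existing = @(Get-NpsRadiusClient | Select-Object -ExpandProperty Name)
    foreach ($ap in $Clients) {
        if ($existing -contains $ap.Name) {
            Write-Warning "RADIUS client $($ap.Name) already exists, skipping"
            continue
        }
        New-NpsRadiusClient -Name $ap.Name -Address $ap.Address -SharedSecret $SharedSecret | Out-Null
    }
    # Return what NPS now knows, so the list can be compared with the UniFi inventory.
    Get-NpsRadiusClient | Select-Object Name, Address
}

$secret = New-RadiusSharedSecret
Register-AccessPoints -Clients $accessPoints -SharedSecret $secret

# The same secret goes into the UniFi RADIUS profile; then drop it from the session.
Write-Host "Shared secret for the UniFi RADIUS profile: $secret"
Remove-Variable secret
```

Copy the printed secret into the UniFi RADIUS profile in the next section and clear the console afterwards; NPS stores it per client but never displays it again.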

Create a Network Policy

Now we need to create a Network Policy where we will define which group of users will be able to connect and the protocols used.

  • Click New in the Network Policies folder:
  • Give a name to the policy:
  • Click Add to specify a condition:
  • Select User Groups and click Add Groups…:
  • Add an Active Directory group of users, such as Domain Users:
  • Click Next:
  • Select Access granted:
  • Choose Microsoft: Smart Card or other certificate as the EAP type and edit its configuration:
  • Select the newly deployed certificate:
  • Click Next:
  • Click Next:
  • Finally, click Finish to create the policy:

UniFi Network Server

We now need to configure our UniFi Network Server to integrate the RADIUS (NPS) server.

  • Go to the Profiles menu and create a new RADIUS profile:
  • Click on Create New:
  • Give a Name to the RADIUS profile and add the NPS server IP address for the Authentication Server and the RADIUS Accounting Server. Don't forget to add the password previously set on the NPS server, set the ports, and then click the Add buttons to validate the configuration:
  • Now, go to the WiFi menu, and either add a new WiFi profile or modify an existing one:
  • Set the Security Protocol and the RADIUS Profile:

Supplicant (Windows Stations)

Now we will see how the supplicants will obtain the certificate they will use for authentication.

Supplicant Certificate Distribution

Manually through the Certificate Management Console

  • Open the Certificate Management Console for the current user on the supplicant machine:
  • Right-click Personal and select Request New Certificate…:
  • Click Next to start the certificate enrollment process:
  • Select the Active Directory Enrollment Policy and click Next to continue:
  • Select the EAP-TLS template that we previously created and click Enroll:
  • Simply click Finish once the enrollment process is over:
  • After refreshing, you should see your Client Authentication certificate:

Automatically through Group Policy (GPO)

  • Go to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and edit the Certificate Services Client - Auto-Enrollment policy:
  • Set the Configuration Model to Enabled and check the boxes that automate certificate renewal:
  • Run gpupdate so the policy applies and the certificate is enrolled:
C:\> gpupdate

The supplicants can now connect to the WPA Enterprise WiFi Access using EAP-TLS.
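Before the first connection attempt, it is worth confirming that both sides actually hold a usable certificate. The following PowerShell is an added example (not part of the original tutorial) that covers both the NPS server certificate (machine store, Server Authentication EKU) and the supplicant certificate (user store, Client Authentication EKU, e-mail name in the SAN); it assumes the template names NPS and EAP-TLS used in this guide.

```powershell
# Added example, not part of the original tutorial: check that an enrolled certificate is
# usable for EAP-TLS. Use -Role Server on the NPS server and -Role Client, as the user, on
# a supplicant. Template names default to the 'NPS' and 'EAP-TLS' templates created above.
function Test-EapTlsCertificate {
    param(
        [Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Role,
        [string]$TemplateName
    )
    if (-not $TemplateName) { $TemplateName = if ($Role -eq 'Server') { 'NPS' } else { 'EAP-TLS' } }
    $store = if ($Role -eq 'Server') { 'Cert:\LocalMachine\My' } else { 'Cert:\CurrentUser\My' }
    $eku   = if ($Role -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }

    foreach ($cert in Get-ChildItem $store) {
        # The Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7) names the
        # template a certificate was issued from; skip certificates from other templates.
        $tpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        if (-not $tpl -or $tpl.Format($false) -notmatch "Template=$([regex]::Escape($TemplateName))\b") { continue }

        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'private key not present in this store' }
        if (@($cert.EnhancedKeyUsageList.ObjectId) -notcontains $eku) { $problems += "missing EKU $eku" }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires soon ($($cert.NotAfter))" }
        # Verify() builds the chain to a trusted root and checks revocation, as the peer
        # does during the TLS handshake inside EAP-TLS.
        if (-not $cert.Verify()) { $problems += 'chain does not validate (CA not trusted, or revoked)' }
        if ($Role -eq 'Client') {
            # The User template places the RFC822 e-mail name in the SAN; its absence means the
            # account had no E-mail value when the certificate was issued.
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            if (-not $san -or $san.Format($false) -notmatch 'RFC822 Name=') { $problems += 'no e-mail name in SAN' }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

# Pick the role matching the machine you are on.
Test-EapTlsCertificate -Role Server | Format-List
```

No output at all means no certificate from that template is in the store, which points back at the enrollment or GPO steps rather than at NPS or the Access Points.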

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
