
Implementing WPA Enterprise (802.1X and RADIUS) with EAP-TLS on UniFi WiFi Access Points


I've shown how to set up a WPA Enterprise architecture with PEAP-MSCHAPv2. You can find the tutorial here. However, as mentioned in the article, although it's relatively simple to set up, it may not be the most secure way to protect your WiFi. If security is a priority for you or your company, I strongly recommend using EAP-TLS instead. And the good news is that's exactly what I'm going to talk about here!

In this guide, we'll learn how to implement WPA Enterprise access using the most secure protocol for WiFi connections: EAP-TLS.

This lab has been realised using Ubiquiti WiFi equipment, but it can be reproduced on any other WPA Enterprise-compatible WiFi hardware. As EAP-TLS is PKI-based, it requires a Certificate Authority (CA). Consequently, we will also configure Active Directory Certificate Services (AD CS) to distribute certificates to the Supplicants and to the Authentication Server, which will be an NPS server (Microsoft's RADIUS server).

Network diagram showing EAP-TLS and RADIUS frames exchanged between a WiFi supplicant, an authenticator and a RADIUS server

Active Directory Certificate Services

Active Directory Certificate Services (AD CS) enables the issuance and management of Public Key Infrastructure (PKI) certificates. In this configuration, it will facilitate the provision of certificates that enable every Active Directory user wishing to connect to the company's WiFi to authenticate themselves in complete security.

Installing the AD CS Role

We have two options for installing the AD CS role: using PowerShell or the Graphical User Interface.

PowerShell

  • For a quick installation using PowerShell, run the following command:
PS C:\Users\administrator.STD> Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

Graphical User Interface (GUI)

  • In the Server Manager dashboard, navigate to Add Roles and Features:
Windows Server | Server Manager Dashboard - Add Roles and Features
  • Click on Next:
Before you begin window from add roles and feature wizard
  • Select Role-based or feature-based installation in the Installation Type menu, then click Next:
Screenshot of the Installation Type menu during the Role-based or feature-based
  • Select your AD CS server and click Next:
Windows role installation window at the server selection step
  • Check the Active Directory Certificate Services box and click Next:
Windows role installation window when adding the Active Directory Certificate Services role
  • Click on Next in the Features menu:
Windows installation window for roles in the add functionality stage
  • Read the description of Active Directory Certificate Services if you wish, then click Next:
Windows role installation window in the step describing the ADCS role
  • Check the Certificate Authority box and click Next:
Windows role installation window when adding the service role: certification authority
  • Check the Restart destination server box to enable it to restart automatically, then click Install:
Windows installation window for roles at the installation confirmation stage, with the reboot checkbox ticked.
  • Open the Server Manager dashboard and navigate to Post-deployment Configuration:
post-deployment popup for a role on a windows server
  • Modify the Default credentials if you wish, then click Next:
Windows window for ADCS role configuration when specifying the user account to configure this role
  • Select the Certificate Authority role and click Next to continue:
Screenshot of selecting the Certificate Authority role during the installation in the Ubiquiti Wi-Fi EAP-TLS setup
  • Choose Enterprise CA and click Next:
Windows window of ADCS role configuration when choosing CA installation type (here Enterprise CA is checked).
  • Select Root CA:
Windows window of ADCS role configuration when choosing CA installation type (here Root CA is checked).
  • Choose to create a new private key:
Windows window for ADCS role configuration when choosing the private key type
  • Choose robust cryptographic options:
Windows window of ADCS role configuration when setting key size and cryptographic algorithm
  • Specify the name of the CA:
Windows window of the ADCS role configuration when setting the CA name
  • Specify the validity period for the certificate; 10 years seems like a good length, given that we'll probably all be dead by then:
Windows window of ADCS role configuration when setting certificate validity period
  • Specify the database locations:
Windows window of ADCS role configuration when setting the database locations
  • Check the global configuration and click on Configure to run the configuration:
Windows window of ADCS role configuration at the confirmation step
  • Once the Configuration succeeded, click on Close:
Windows window of ADCS role configuration upon confirmation of successful role installation
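The same installation and configuration, done from PowerShell instead of the wizard. This is an added example, not code from the original article: it reproduces the wizard choices above (Enterprise CA, Root CA, new private key, robust cryptography, CA name, 10-year validity, database locations) and then checks the result. The CA name STD-ROOT-CA, the 4096-bit key and the database paths are assumed values to adapt to your own domain.

```powershell
# Added example (not from the original article): install the AD CS role and configure
# an Enterprise Root CA with the same choices the GUI steps make.
Import-Module ServerManager

# Role and management tools (same as the one-liner earlier in the article)
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

# Wizard equivalents: Enterprise CA + Root CA, new private key, RSA 4096 / SHA-256,
# CA name, 10-year validity, default database and log locations.
$caParams = @{
    CAType              = 'EnterpriseRootCA'
    CryptoProviderName  = 'RSA#Microsoft Software Key Storage Provider'
    KeyLength           = 4096                       # "robust cryptographic options"
    HashAlgorithmName   = 'SHA256'
    CACommonName        = 'STD-ROOT-CA'              # assumed name, adapt to your domain
    ValidityPeriod      = 'Years'
    ValidityPeriodUnits = 10
    DatabaseDirectory   = 'C:\Windows\System32\CertLog'   # assumed (the defaults)
    LogDirectory        = 'C:\Windows\System32\CertLog'
    Force               = $true                      # no confirmation prompt
}
Install-AdcsCertificationAuthority @caParams

# Check 1: the CA service is up.
Get-Service CertSvc | Select-Object Name, Status

# Check 2: the new root certificate is in the machine's trusted root store with the
# requested signature algorithm, key size and 10-year lifetime.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$($caParams.CACommonName)*" }
$root | Select-Object Subject, NotBefore, NotAfter,
    @{ n = 'Signature'; e = { $_.SignatureAlgorithm.FriendlyName } },
    @{ n = 'KeyBits';   e = {
        [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_).KeySize } }
```

Run it in an elevated PowerShell session as a member of Enterprise Admins; `Install-AdcsCertificationAuthority` needs that right to register an Enterprise CA in Active Directory. If the second check shows SHA-1 or a 2048-bit key, the wizard defaults were used rather than the parameters above.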

Configuring the AD CS Role

From the ADCS server, we need to create two certificate templates: one for the Authentication Server (NPS), which will generate a Computer certificate, and another for Supplicants, which will allow Domain Users to authenticate themselves.

  • Open the Certification Authority management console:
windows program execution window with certsrv.msc filled in
  • (Optional) Go to the Certification Templates menu and delete the templates you don't need (in my case, I've deleted everything because I only need one for EAP-TLS authentication):
ADCS configuration tool windows when deleting certificate creation templates

Create Certificate Template

  • Open the Certificate Templates Console by right-clicking on the Certificate Templates folder and selecting Manage:
windows window of the ADCS service configuration tool, right-clicking on the certificate templates folder

Authentication User Certificate Template (For Supplicants)

  • Right-click on the User template and select Duplicate Template:
windows for certificate template management when duplicating a user template
  • Optional: if your environment runs recent systems, set the most recent versions in the Compatibility Settings:
compatibility tab in the windows properties window of a new model
  • Give the Template a name:
general tab in the windows properties window of a new model
  • Increase key size for greater security:
cryptography tab in the windows properties window of a new model
  • To enable automatic deployment of certificates via GPO, check the Autoenroll box for Domain Users:
security tab in the windows properties window of a new model
  • Note that the Subject Name settings of this template require an e-mail address for the AD users requesting certificates. This means an e-mail address must be entered in the Active Directory user properties:
correspondence between the window properties of a new template, Subject Name tab, and the window properties of an active directory user

Finally, click OK to create the template.

  • From the Certification Authority management console, right-click on Certificate Templates and select Certificate Template to Issue:
windows of the ADCS configuration tool when requesting the creation of a new certificate model to be issued
  • Select the EAP-TLS template created earlier:
windows when selecting an ADCS certificate model
  • The EAP-TLS template should appear in the Certificate Templates folder:
windows window of the ADCS service configuration tool with only the EAP-TLS model in the certificate model folder

Authentication Server Certificate Template (For NPS Server)

  • Open the Certificate Templates Console by right-clicking on the Certificate Template folder and selecting Manage:
Screenshot of opening the Certificate Templates Console
  • Right-click on Computer template and select Duplicate Template:
Screenshot of duplicating the Computer template
  • Optional: if your environment runs recent systems, set the most recent versions in the Compatibility Settings:
Screenshot of setting Compatibility Settings
  • Give the Template a name:
Screenshot of providing a name for the Template
  • Optional, but we can modify the key size to increase security:
Screenshot of upgrading the key size
  • To enable automatic deployment of certificates via GPO, check the Autoenroll box for Domain Computers:
security tab in the windows properties window of a new certificate model

Finally, click OK to create the template.

  • In the Certification Authority management console, right-click on Certificate Templates and select Certificate Template to Issue:
windows of the ADCS service configuration tool when adding a new certificate model for distribution
  • Select the NPS template created earlier:
Windows certificate template selection window
  • The NPS template should appear in the Certificate Templates folder:
ADCS service configuration tool window with only EAP-TLS and NPS templates in certificate template folder
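Once both templates exist, publishing them and checking the two prerequisites that most often break EAP-TLS enrollment (the template not being issued by the CA, and users without an e-mail address) can be done from PowerShell. This is an added example, not code from the original article; it assumes the template names EAP-TLS and NPS used above and that the RSAT Active Directory module is installed on the CA.

```powershell
# Added example (not from the original article): publish the EAP-TLS and NPS templates
# on the CA and verify what they will issue. Template names are assumed from the article.
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$templates = 'EAP-TLS', 'NPS'

# "Certificate Template to Issue": publish each template unless it is already listed.
foreach ($tpl in $templates) {
    if (-not (Get-CATemplate | Where-Object { $_.Name -eq $tpl })) {
        Add-CATemplate -Name $tpl -Force
    }
}
Get-CATemplate   # expected: only EAP-TLS and NPS if the other templates were removed

# Templates live in the Configuration partition of AD. Show the Extended Key Usage and
# minimum key size each one carries:
#   1.3.6.1.5.5.7.3.2 = Client Authentication (expected on EAP-TLS, from the User template)
#   1.3.6.1.5.5.7.3.1 = Server Authentication (expected on NPS, from the Computer template)
$cfgNC = (Get-ADRootDSE).configurationNamingContext
foreach ($tpl in $templates) {
    $dn = "CN=$tpl,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
    Get-ADObject -Identity $dn -Properties pKIExtendedKeyUsage, 'msPKI-Minimal-Key-Size' |
        Select-Object Name,
            @{ n = 'EKU';     e = { $_.pKIExtendedKeyUsage -join ', ' } },
            @{ n = 'KeyBits'; e = { $_.'msPKI-Minimal-Key-Size' } }
}

# The user template builds the subject from the AD mail attribute, so autoenrollment
# fails silently for users without one. List the enabled accounts that need fixing:
Get-ADUser -Filter 'Enabled -eq $true' -Properties mail |
    Where-Object { [string]::IsNullOrEmpty($_.mail) } |
    Select-Object SamAccountName, UserPrincipalName
```

An empty result from the last query means every enabled user can enroll; any account it lists will show an enrollment error in the Application event log on the client until its e-mail address is filled in.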

Authentication Server (NPS)

Installing the NPS Role

We have two options for installing the NPS role: using PowerShell or the Graphical User Interface.

PowerShell

  • For a quick installation using PowerShell, run the following command:
PS C:\Users\administrator.STD> Install-WindowsFeature NPAS -Restart -IncludeManagementTools

Graphical User Interface (GUI)

  • In the Server Manager dashboard, navigate to Add Roles and Features:
Windows Server | Server Manager Dashboard - Add Roles and Features
  • Select Role-based or feature-based installation:
Add Roles and Features | Select installation type
  • Select the server:
Add Roles and Features | Select destination server
  • Select the Network Policy Server role:
Add Roles and Features | Select server roles
  • Just click Next:
Add Roles and Features | Select features
  • Check the Restart destination server box and click on Install:
Add Roles and Features | Confirm installation selections

Certificate Distribution for the NPS Server

Once AD CS has been configured correctly, we can request a computer certificate for the NPS server.

Manually via the Certificate Management Console

  • From the NPS server, open the Certificate Management Console for the current computer:
Screenshot of opening the Certificate Management Console
  • Right-click on the Personal folder and select Request New Certificate…:
Screenshot of the request for a new certificate
  • Click Next to start the certificate enrollment process:
Screenshot of the certificate enrolment process
  • Select the Active Directory Enrollment Policy and click Next to continue:
Screenshot of Active Directory enrollment strategy selection
  • Select the previously defined NPS Policy and click Enroll:
Screenshot of NPS strategy selection for enrolment
  • Simply click on Finish when the enrollment process is complete:
Screenshot of the end of the certificate enrolment process
  • After clicking on Refresh, you should see your computer's certificate appear:
Screenshot of computer certificate display after enrolment

Automatically through Group Policy (GPO)

To automate the certificate renewal process, we can create a GPO.

  • Go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and edit the Certificate Services Client - Auto-Enrollment policy:
Screenshot of editing the Certificate Services Client - Auto-Enrollment policy
  • Enable the Configuration Model and check the boxes to enable automatic certificate renewal:
Screenshot of enabling Configuration Model and automating certificate renewal
  • Run gpupdate to obtain a certificate:
C:\> gpupdate

Configure NPS

  • Open the Network Policy Server console:
Windows Run window with 'nps.msc' in the Open field

Declare Access Point as RADIUS Clients

  • Navigate to NPS > RADIUS Clients and Servers > RADIUS Client and click New:
Screenshot of adding a new RADIUS Client in the NPS setup
  • For each Access Point, give it a Name, set its IP address, and create a strong password, the RADIUS shared secret (use the same one for every Access Point):
Screenshot of configuring RADIUS Client settings with Name, IP address, and password
  • You should see all previously added Access Points in the RADIUS Clients folder:
Screenshot of viewing all previously added Access Points in the RADIUS Clients folder
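Declaring the Access Points from PowerShell lets you generate one strong shared secret from a cryptographic random number generator rather than typing one by hand, and register every AP with it in a loop. This is an added example, not code from the original article; the AP names and IP addresses are a constructed sample inventory, and `New-RadiusSecret` is a helper written here, not an NPS cmdlet.

```powershell
# Added example (not from the original article): register each UniFi access point as a
# RADIUS client on NPS with one randomly generated shared secret.
Import-Module NPS

function New-RadiusSecret {
    # Helper defined here (not part of NPS): printable-ASCII secret from a CSPRNG.
    # Bytes >= $limit are rejected so that every character is equally likely.
    param([int]$Length = 32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'.ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)
    $chars = New-Object System.Collections.Generic.List[char]
    $b     = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($b)
        if ($b[0] -lt $limit) { $chars.Add($alphabet[$b[0] % $alphabet.Length]) }
    }
    -join $chars
}

# One secret for all APs: the UniFi RADIUS profile holds a single one.
$secret = New-RadiusSecret -Length 32

# Constructed sample inventory: adapt names and addresses to your own APs.
$accessPoints = [ordered]@{
    'AP-Floor1' = '10.0.1.11'
    'AP-Floor2' = '10.0.1.12'
    'AP-Meeting' = '10.0.1.13'
}

foreach ($ap in $accessPoints.GetEnumerator()) {
    # -Address is the AP's IP: NPS drops RADIUS packets from any other source.
    New-NpsRadiusClient -Name $ap.Key -Address $ap.Value -SharedSecret $secret
}

# Check: every AP appears in the RADIUS Clients list.
Get-NpsRadiusClient | Select-Object Name, Address

# Keep the secret for the UniFi RADIUS profile step, then discard it from the session.
$secret | Set-Clipboard
Remove-Variable secret
```

The secret is needed once more when the UniFi RADIUS profile is created below; pasting it from the clipboard and then clearing the clipboard avoids leaving it in a script or the shell history.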

Creating a Network Policy

We now need to create a Network Policy in which we define the group of users who can connect and the protocols used.

  • Click New in the Network Policies folder:
Screenshot of adding a new Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Give the Policy a name:
Screenshot of naming the Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Click on Add to specify the condition:
Screenshot of adding a condition to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Select User Groups, then click on Add Groups…:
Screenshot of selecting User Groups and adding groups to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Add an Active Directory user group, such as Domain Users:
Screenshot of adding an Active Directory group to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup
  • Click on Next:
Screenshot of proceeding to the next step in the Network Policy setup
  • Select Access granted:
Screenshot of selecting Access granted in the Network Policy setup
  • Choose Microsoft: Smart Card or other certificate as the EAP type and edit the configuration:
Screenshot of selecting Microsoft: Smart Card or other certificate as EAP type in the Ubiquiti Wi-Fi EAP-TLS setup
  • Select the certificate previously issued:
Screenshot of selecting the newly deployed certificate in the Ubiquiti Wi-Fi EAP-TLS setup
  • Click on Next:
Screenshot of proceeding to the next step in the Network Policy setup
  • Click on Next again:
Screenshot of proceeding to the next step in the Network Policy setup
  • Finally, click on Finish to create the Policy:
Screenshot of clicking Finish to create the Policy in the Ubiquiti Wi-Fi EAP-TLS setup

UniFi Network Server

We now need to configure our UniFi Network Server to integrate the RADIUS (NPS) server.

  • Go to the Profiles menu and create a new RADIUS profile:
Creating a new RADIUS profile from the Unifi Server Web interface
  • Click on Create New:
Add a new RADIUS server from the Unifi Server Web interface
  • Give the RADIUS profile a Name and add the IP address of the NPS server for the Authentication Server and the RADIUS Accounting Server. Don't forget to add the password previously set on the NPS server, set the ports, then click on the Add buttons to validate the configuration:
RADIUS profile parameters for the Unifi Server Web interface with the authentication and accounting server
  • Now go to the WiFi menu and add a new WiFi profile or modify an existing one:
WiFi settings page of the Unifi Server Web interface
  • Configure the Security Protocol and RADIUS Profile:
Advanced WiFi settings from the Unifi Server Web interface

Supplicant (Windows Stations)

We'll now look at how supplicants obtain the certificate they'll use for authentication. We'll look at two methods: a manual method and an automatic method via GPO.

Certificate Distribution to Supplicants

Manually via the Certificate Management Console

  • Open the Certificate Management Console for the current user on the Supplicant machine:
Screenshot of opening the Certificate Management Console for the current user on the Supplicant machine
  • Right-click on Personal and select Request New Certificate…:
Screenshot of right-clicking on Personal and selecting Request New Certificate in the Certificate Management Console
  • Click Next to start the certificate enrollment process:
Screenshot of clicking Next to start the certificate enrollment process
  • Select the Active Directory Enrollment Policy and click Next to continue:
Screenshot of selecting the Active Directory Enrollment Policy and clicking Next to continue the certificate enrollment process
  • Select the EAP-TLS Policy we defined earlier and click on Enroll:
Screenshot of selecting the EAP-TLS Policy and clicking Enroll to continue the certificate enrollment process
  • Simply click on Finish when the enrollment process is complete:
Screenshot of clicking Finish to complete the certificate enrollment process
  • After refreshing, you should see your Client Authentication certificate in the user certificate store:
Screenshot of the Client Authentication certificate after refreshing the Certificate Management Console

Automatically via a Group Policy (GPO)

  • Go to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and edit the Certificate Services Client - Auto-Enrollment policy:
Screenshot of navigating to Certificate Services Client - Auto-Enrollment policy in Group Policy
  • Enable the Configuration Model and check the boxes to enable automatic certificate renewal:
Screenshot of enabling Configuration Model and checking the boxes for automation in Group Policy
  • Run gpupdate to get a certificate:
C:\> gpupdate
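Both enrollment procedures on this page (the NPS server's computer certificate and the supplicant's user certificate) can be driven and, more usefully, verified from PowerShell. This is an added example, not code from the original article: `Request-EapTlsCertificate` is a helper written here around the PKI module's `Get-Certificate` cmdlet, and it assumes the template names NPS and EAP-TLS used above. It requests the certificate from the Active Directory enrollment policy and then checks the three things EAP-TLS needs: the right Extended Key Usage, a private key in the same store, and a chain that builds to the enterprise root CA.

```powershell
# Added example (not from the original article): request a certificate from the
# enterprise CA and verify it is usable for EAP-TLS. Template names are assumed.
Import-Module PKI

function Request-EapTlsCertificate {
    # Helper defined here, not a PKI module cmdlet.
    param(
        [Parameter(Mandatory)][string]$Template,       # CA template name, e.g. NPS or EAP-TLS
        [Parameter(Mandatory)][string]$StoreLocation,  # Cert:\LocalMachine\My or Cert:\CurrentUser\My
        [Parameter(Mandatory)][string]$RequiredEku     # EKU OID the role needs
    )
    # Same action as the MMC "Request New Certificate" wizard with the AD enrollment policy
    $result = Get-Certificate -Template $Template -CertStoreLocation $StoreLocation
    if ($result.Status -ne 'Issued') {
        throw "Enrollment for template '$Template' ended with status: $($result.Status)"
    }
    $cert = $result.Certificate

    # 1. Extended Key Usage (OID 2.5.29.37) must list the role's purpose
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ekuExt -or ($ekuExt.EnhancedKeyUsages.Value -notcontains $RequiredEku)) {
        throw "Certificate $($cert.Thumbprint) lacks EKU $RequiredEku"
    }

    # 2. The private key must be present here, or EAP-TLS cannot sign the TLS handshake
    if (-not $cert.HasPrivateKey) {
        throw "No private key is associated with certificate $($cert.Thumbprint)"
    }

    # 3. The chain must build to a trusted root (the enterprise root CA AD pushes to members)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Chain validation failed: $reasons"
    }

    $cert | Select-Object Subject, NotAfter, Thumbprint
}

# On the NPS server, in an elevated session: computer certificate with
# Server Authentication (1.3.6.1.5.5.7.3.1), the EKU the client checks on the RADIUS server.
Request-EapTlsCertificate -Template 'NPS' -StoreLocation 'Cert:\LocalMachine\My' `
    -RequiredEku '1.3.6.1.5.5.7.3.1'

# On a supplicant, as the domain user: user certificate with
# Client Authentication (1.3.6.1.5.5.7.3.2), the EKU NPS checks on the supplicant.
Request-EapTlsCertificate -Template 'EAP-TLS' -StoreLocation 'Cert:\CurrentUser\My' `
    -RequiredEku '1.3.6.1.5.5.7.3.2'
```

Run only the call that matches the machine you are on. A failure at step 3 on a supplicant usually means the root CA certificate has not yet reached the client's Trusted Root store, in which case the client also cannot validate the NPS server's certificate during the EAP-TLS handshake; running `gpupdate` as above and retrying normally resolves it.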

The supplicants should now be able to connect to WPA Enterprise WiFi Access using EAP-TLS.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.