Implementing WPA Enterprise (802.1X and RADIUS) with EAP-TLS on UniFi WiFi Access Points

Last updated: Aug 7, 2023

I've demonstrated how to set up a WPA Enterprise architecture with PEAP-MSCHAPv2. You can find the tutorial here. However, as mentioned in the article, while it's relatively simple to configure, it may not be the most secure way to protect your WiFi. If security is a priority for you or your company, I highly recommend using EAP-TLS instead. And the good news is that's precisely what I'll be discussing here!

In this guide, we will learn how to implement WPA Enterprise access using the most secure protocol for WiFi connections: EAP-TLS.

We will focus on setting up an architecture oriented towards Microsoft and Ubiquiti. As EAP-TLS relies on a PKI, it requires a Certificate Authority (CA). Therefore, we will also configure Active Directory Certificate Services (AD CS) to distribute certificates to both Supplicants and the Authentication Server, which will be a NPS server (RADIUS server from Microsoft).

The improvments and advantages of WPA Enterprise are:
- Stronger user authentication compared to standard WPA: with the use of the Extensible Authentication Protocol (EAP) framework
- Individual User Credentials: each user has unique credentials, typically in the form of username and password or digital certificates.
- Centralized Authentication and Management: for example using the RADIUS protocol.
- Fine control of users access: we can easyly add or remove user access.

Network diagram showing EAP-TLS and RADIUS frames exchanged between a WiFi supplicant, an authenticator and a RADIUS server

Active Directory Certificate Services

The Active Directory Certificate Services (AD CS) enables the issuance and management of public key infrastructure (PKI) certificates. In this setup, it will facilitate the provision of certificates that will allow each user in an Active Directory to authenticate securely.

Installing the AD CS Role

We have two options for installing the AD CS role: using PowerShell or the Graphical User Interface.

PowerShell

For a quick installation using PowerShell, run the following command:

PS C:\Users\administrator.STD> Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

Graphical User Interface (GUI)

Using the Server Manager dashboard, navigate to Add Roles and Features:

Windows Server | Server Manager Dashboard - Add Roles and Features

Click Next:

Before you begin window from add roles and feature wizard

Select Role-based or feature-based installation On the Installation Type menu then click Next:

Screenshot of the Installation Type menu during the Role-based or feature-based

Select your AD CS server and click Next:

Fenêtre Windows d'installation de roles lors de l'étape de selection du serveur

Check the Active Directory Certificate Services box and click Next:

Windows role installation window when adding the Active Directory Certificate Services role

Click Next on the Features menu:

Windows installation window for roles in the add functionality stage

Read the Active Directory Certificate Services description if you want, then click Next:

Windows role installation window in the step describing the ADCS role

Check the Certificate Authority box and click Next:

Windows role installation window when adding the service role: certification authority

Check the Restart destination server box to allow it to restart if needed, then click Install:

Windows installation window for roles at the installation confirmation stage, with the reboot checkbox ticked.

Open the Server Manager dashboard and navigate to the Post-deployment Configuration:

Change Default credentials if you want, then click Next:

Windows window for ADCS role configuration when specifying the user account to configure this role

Select Certificate Authority role and click Next to continue:

Screenshot of selecting the Certificate Authority role during the installation in the Ubiquiti Wi-Fi EAP-TLS setup

Choose Enterprise CA and click Next:

Windows window of ADCS role configuration when choosing CA installation type (here Enterprise CA is checked).

Select Root CA:

Windows window of ADCS role configuration when choosing CA installation type (here Root CA is checked).

We create a brand new private key:

Windows window for ADCS role configuration when choosing the private key type

Choose proper cryptographic options:

Windows window of ADCS role configuration when setting key size and cryptographic algorithm

Specify the name of the CA:

Windows window of the ADCS role configuration when setting the CA name

Specify the valid period for the certificate, 10 years seems to be good, given that we'll probably all be dead by then:

Windows window of ADCS role configuration when setting certificate validity period

Specify the database locations:

Fenêtre Windows de la configuration du role ADCS lors de la configuration de l'emplacement des base de données

Check the global configuration and click Configure to run the configuration:

Fenêtre Windows de la configuration du role ADCS lors de l'étape de confirmation

Once the Configuration succeeded click Close:

Windows window of ADCS role configuration upon confirmation of successful role installation

Configuring the AD CS Role

From the ADCS server, we need to create two certificate templates: one for the Authentication Server (NPS), which will allow to generate a Computer certificate, and another for the Supplicants, which will allow the Domain Users to authenticate.

Open the Certification Authority management console:

windows program execution window with certsrv.msc filled in

Go to the Certification Templates menu and delete templates that you don't need (in my case, I deleted everything as I just need it for the EAP-TLS authentication):

ADCS configuration tool windows when deleting certificate creation templates

Create The Certificates Template

Open the Certificate Templates Console by right-clicking the Certificate Templates folder and selecting Manage:

windows window of the ADCS service configuration tool, right-clicking on the certificate templates folder

Authentication Users Certificates Template (For Supplicants)

Do a right-click on User template and select Duplicate Template:

windows for certificate template management when duplicating a user template

Optional, but if you have a recent architecture, set the most recent systems in the Compatibility Settings:

compatibility tab in the windows properties window of a new model

Give a name to the Template:

general tab in the windows properties window of a new model

Upgrade the key size:

cryptography tab in the windows properties window of a new model

To enable automatic deployment of the certificates via GPO, check the Autoenroll box for Domain Users:

security tab in the windows properties window of a new model

Please note that the E-mail name is required for AD users who will request certificates. This means an email address should be entered in the user field of the Active Directory:

correspondence between the window properties of a new template, Subject Name tab, and the window properties of an active directory user

Finally, click OK to create the template.

From the Certification Authority management console, right-click on Certificate Templates and select Certificate Template to Issue:

windows of the ADCS configuration tool when requesting the creation of a new certificate model to be issued

Select the previously created template EAP-TLS:

windows when selecting an ADCS certificate model

The EAP-TLS template should appear inside the Certificate Templates folder:

windows window of the ADCS service configuration tool with only the EAP-TLS model in the certificate model folder

Authentication Server Certificates Template (For NPS Server)

Open the Certificate Templates Console by right-clicking on the Certificate Templates folder and selecting Manage:

Screenshot of opening the Certificate Templates Console

Right-click on Computer template and select Duplicate Template:

Screenshot of duplicating the Computer template

Optional, but if you have a recent architecture, set the most recent systems in the Compatibility Settings:

Screenshot of setting Compatibility Settings

Provide a name for the Template:

Screenshot of providing a name for the Template

Optional, you can upgrade the key size to improve security:

To enable automatic deployment of the certificates via GPO, check the Autoenroll box for Domain Computers:

security tab in the windows properties window of a new certificate model

Finally, click OK to create the template.

From the Certification Authority management console, right-click on Certificate Templates and select Certificate Template to Issue:

windows of the ADCS service configuration tool when adding a new certificate model for distribution

Select the previously created template NPS:

fenêtre windows de sélection de modèle de certificat

The NPS template should appear inside the Certificate Templates folder:

ADCS service configuration tool window with only EAP-TLS and NPS templates in certificate template folder

Authentication Server (NPS)

Installing the NPS Role

We have two options for installing the NPS role: using PowerShell or the Graphical User Interface.

PowerShell

For a quick installation using PowerShell, run the following command:

PS C:\Users\administrator.STD> Install-WindowsFeature NPAS -Restart -IncludeManagementTools

Graphical User Interface (GUI)

Using the Server Manager dashboard, navigate to Add Roles and Features:

Select Role-based or feature-based installation:

Add Roles and Features | Select installation type

Select the server:

Add Roles and Features | Select destination server

Select the Network Policy Server role:

Add Roles and Features | Select server roles

Just click Next:

Add Roles and Features | Select features

Check Restart destination server and click on Install:

Add Roles and Features | Confirm installation selections

Certificate Distribution for the NPS Server

With the AD CS correctly configured we can request a computer certificate from the NPS server.

Manually through the Certificate Management Console

From the NPS server, open the Certificate Management Console for the current computer:

Screenshot of opening the Certificate Management Console

Right-click on the Personal folder and select Request New Certificate…:

Screenshot of the request for a new certificate

Click Next to start the certificate enrollment process:

Screenshot of the certificate enrolment process

Select the Active Directory Enrollment Policy and click Next to continue:

Screenshot of Active Directory enrollment strategy selection

Select the previously set NPS Policy and click Enroll:

Screenshot of NPS strategy selection for enrolment

Simply click Finish once the enrollment process is over:

Screenshot of the end of the certificate enrolment process

After clicking Refresh, you should see your Computer certificate appear:

Screenshot of computer certificate display after enrolment

Automatically through Group Policy (GPO)

In order to automate the process of certificate renewal, we can create a GPO.

Go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and edit the Certificate Services Client - Auto-Enrollment policy:

Screenshot of editing the Certificate Services Client - Auto-Enrollment policy

Enable the Configuration Model and check the boxes to enable the automation of certificate renewal:

Screenshot of enabling Configuration Model and automating certificate renewal

Do a gpupdate to get a certificate:

C:\> gpupdate

Configure NPS

Open the Network Policy Server Console:

Windows Run window with 'nps.msc' in the Open field

Declare Access Point as RADIUS Clients

Navigate to NPS > RADIUS Clients and Servers > RADIUS Client and click on New:

Screenshot of adding a new RADIUS Client in the NPS setup

For each Access Point, provide a Name, set the IP address, and create a strong password (use the same one for every Access Point):

Screenshot of configuring RADIUS Client settings with Name, IP address, and password

You should see all Access Point previously added in the RADIUS Clients folder:

Screenshot of viewing all previously added Access Points in the RADIUS Clients folder

Create a Network Policy

Now we need to create a Network Policy where we will define which group of users will be able to connect and the protocols used.

Click New in the Network Policies folder:

Screenshot of adding a new Network Policy in the Ubiquiti Wi-Fi RADIUS setup

Give a name to the Policy:

Screenshot of naming the Network Policy in the Ubiquiti Wi-Fi RADIUS setup

Click Add to specify the condition:

Screenshot of adding a condition to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup

Select User Groups, and click Add Groups…:

Screenshot of selecting User Groups and adding groups to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup

Add an Active Directory group of users, such as Domain Users:

Screenshot of adding an Active Directory group to the Network Policy in the Ubiquiti Wi-Fi RADIUS setup

Click Next:

Screenshot of proceeding to the next step in the Network Policy setup

Select Access granted:

Screenshot of selecting Access granted in the Network Policy setup

Choose Microsoft: Smart Card or other certificate as EAP type and edit the configuration:

Screenshot of selecting Microsoft: Smart Card or other certificate as EAP type in the Ubiquiti Wi-Fi EAP-TLS setup

Select the newly deployed certificate:

Screenshot of selecting the newly deployed certificate in the Ubiquiti Wi-Fi EAP-TLS setup

Click Next:

Click Next:

Finally, click Finish to create the Policy:

Screenshot of clicking Finish to create the Policy in the Ubiquiti Wi-Fi EAP-TLS setup

UniFi Network Server

We now need to configure our UniFi Network Server to integrate the RADIUS (NPS) server.

Go to the Profiles menu and create a new RADIUS profile:

Click on Create New:

Add a new RADIUS server from the Unifi Server Web interface

Give a Name to the RADIUS profile and add the NPS server IP address for the Authentication Server and the RADIUS Accounting Server. Don't forget to add the password previously set on the NPS server, set the ports, and then click the Add buttons to validate the configuration:

Now, go to the WiFi menu, and either add a new WiFi profile or modify an existing one:

WiFi settings page of the Unifi Server Web interface

Set the Security Protocol and the RADIUS Profile:

Advanced WiFi settings from the Unifi Server Web interface

Supplicant (Windows Stations)

Now we will see how the supplicants will obtain the certificate they will use for authentication.

Supplicant Certificate Distribution

Manually through the Certificate Management Console

Open the Certificate Management Console for the current user on the Supplicant machine:

Screenshot of opening the Certificate Management Console for the current user on the Supplicant machine

Do a right-click on Personal and select Request New Certificate…:

Screenshot of right-clicking on Personal and selecting Request New Certificate in the Certificate Management Console

Click Next to start the certificate enrollment process:

Screenshot of clicking Next to start the certificate enrollment process

Select the Active Directory Enrollment Policy and click Next to continue:

Screenshot of selecting the Active Directory Enrollment Policy and clicking Next to continue the certificate enrollment process

Select the EAP-TLS Policy that we previously set and click Enroll:

Screenshot of selecting the EAP-TLS Policy and clicking Enroll to continue the certificate enrollment process

Simply click Finish once the enrollment process is over:

Screenshot of clicking Finish to complete the certificate enrollment process

After refreshing, you should see your Client Authentication certificate:

Screenshot of the Client Authentication certificate after refreshing the Certificate Management Console

Automatically through Group Policy (GPO)

Go to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and edit the Certificate Services Client - Auto-Enrollment policy:

Screenshot of navigating to Certificate Services Client - Auto-Enrollment policy in Group Policy

Enable the Configuration Model and check the boxes to enable the automation of renewing certificates:

Screenshot of enabling Configuration Model and checking the boxes for automation in Group Policy

Do a gpupdate to get a certificate:

C:\> gpupdate

The supplicants can now connect to the WPA Enterprise WiFi Access using EAP-TLS.

Computing

Music

Misc

Implementing WPA Enterprise (802.1X and RADIUS) with EAP-TLS on UniFi WiFi Access Points

Active Directory Certificate Services

Installing the AD CS Role

PowerShell

Graphical User Interface (GUI)

Configuring the AD CS Role

Create The Certificates Template

Authentication Users Certificates Template (For Supplicants)

Authentication Server Certificates Template (For NPS Server)

Authentication Server (NPS)

Installing the NPS Role

PowerShell

Graphical User Interface (GUI)

Certificate Distribution for the NPS Server

Manually through the Certificate Management Console

Automatically through Group Policy (GPO)

Configure NPS

Declare Access Point as RADIUS Clients

Create a Network Policy

UniFi Network Server

Supplicant (Windows Stations)

Supplicant Certificate Distribution

Manually through the Certificate Management Console

Automatically through Group Policy (GPO)

References