Steps to setup NPS with EAP-TLS for Aruba WIFI
The same components in Setup NPS with PEAP for Aruba WIFI are reused in this lab
EAP-TLS (EAP-Transport Layer Security) provides certificate-based, mutual authentication of the client and the network: the client validates the NPS server certificate and NPS validates the client certificate, so no password is ever sent over the air. The keying material from the TLS handshake is then used to derive the per-session pairwise master key (PMK) that protects subsequent traffic between the WLAN client and the access point.
User or machine certificate-based authentication is supported with EAP-TLS.
Configuration of Aruba Instant AP
No changes are required from the previous lab.
Setup NPS with EAP-TLS for Aruba WIFI
The following changes are required to the NPS configuration used for PEAP-MSCHAPv2:
- Add Domain Computers (or a dedicated computer group) to the Network Policy conditions for machine certificate authentication
- Replace PEAP with Microsoft: Smart Card or other certificate as the EAP type, and uncheck all Less secure authentication methods, since only certificate authentication will be used
- Optional: download the trial version of NPS Log Monitor to check the NPS log file
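An alternative to a third-party log viewer, added here as an example and not taken from the lab: NPS records every authentication decision in the Security event log (event 6272 for access granted, 6273 for access denied), and the message body carries the account, EAP type and reason code. The script parses those fields and runs over the newest events on the NPS host. The sample message at the end is constructed to look like a 6273 entry and is not a real event from this lab; the policy name and NAS identifier in it are placeholders, not names from the page.

```powershell
# Added example, not part of the original lab. NPS audits every decision to the
# Security log: event 6272 = access granted, 6273 = access denied. The message
# body is free text, so the fields are pulled out with anchored regexes.
function ConvertFrom-NpsEventMessage {
    param([Parameter(Mandatory)] [string] $Message)

    # Returns the value after "<label>:" on its own line, or nothing if absent.
    # The label is escaped and anchored so "Reason:" does not match "Reason Code:".
    $get = {
        param([string] $Label)
        if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):[ \t]*(.*?)[ \t]*\r?$") { $Matches[1] }
    }
    [pscustomobject]@{
        AccountName        = & $get 'Account Name'
        ClientMac          = & $get 'Calling Station Identifier'   # client MAC as the AP reports it
        NasIdentifier      = & $get 'NAS Identifier'
        NetworkPolicy      = & $get 'Network Policy Name'
        AuthenticationType = & $get 'Authentication Type'
        EapType            = & $get 'EAP Type'
        ReasonCode         = & $get 'Reason Code'
        Reason             = & $get 'Reason'
    }
}

function Get-NpsAuthAttempt {
    # Newest NPS decisions on this server, one object per attempt. Run on the NPS
    # host as an administrator; the "Network Policy Server" audit subcategory is
    # enabled by default when the NPS role is installed.
    param([int] $Newest = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents $Newest |
        ForEach-Object {
            $fields = ConvertFrom-NpsEventMessage -Message $_.Message
            $fields | Add-Member -NotePropertyName Time   -NotePropertyValue $_.TimeCreated
            $fields | Add-Member -NotePropertyName Result -NotePropertyValue $(if ($_.Id -eq 6272) { 'GRANTED' } else { 'DENIED' })
            $fields
        }
}

# Constructed sample (not a real event from the lab); the policy name and NAS
# identifier are placeholders. Reason code 22 is the usual symptom when the EAP
# type in the network policy does not match what the client offers, or NPS has
# no usable server certificate for EAP-TLS.
$sample = @"
Network Policy Server denied access to a user.

User:
	Security ID:			LAB\AVENTIS-WIN10C$
	Account Name:			host/AVENTIS-WIN10C.LAB.AVENTISLAB.COM
	Account Domain:			LAB

Client Machine:
	Calling Station Identifier:		F8-63-3F-5C-34-A1

NAS:
	NAS Identifier:			IAP315

Authentication Details:
	Network Policy Name:		EAP-TLS Wireless
	Authentication Type:		EAP
	EAP Type:			Microsoft: Smart Card or other certificate
	Reason Code:			22
	Reason:				The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
"@
ConvertFrom-NpsEventMessage -Message $sample | Format-List
```

On the NPS host, `Get-NpsAuthAttempt | Format-Table Time, Result, AccountName, EapType, ReasonCode` gives a quick view of whether machine-certificate attempts from the Windows 10 client are hitting the EAP-TLS policy or being denied, without installing anything.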
Group Policy to Auto Enroll and Deploy Certificates
Refer to Auto Enroll Certificate with Group Policy for how to configure auto-enrollment of computer and user certificates with GPO.
Group Policy for Wireless Profile (Optional)
EAP-TLS Authentication on Domain Joined Windows 10
A Windows 10 VM with WIFI passthrough is used.
Open PowerShell with administrator rights to verify that the computer certificate has been issued:
Get-ChildItem cert:\LocalMachine\MY |fl
Subject : CN=AVENTIS-WIN10C.LAB.AVENTISLAB.COM
Issuer : CN=AventisLab Root CA, DC=LAB, DC=AVENTISLAB, DC=COM
Thumbprint : 4B7A9AC1E6B4683F3221074D66A3892EB0FBDD08
FriendlyName :
NotBefore : 23/3/2020 3:02:25 AM
NotAfter : 23/3/2021 3:02:25 AM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
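Seeing a certificate in the store is not the same as having one NPS will accept. Added example, not code from the original lab: the function below checks each certificate in the machine Personal store for the properties an EAP-TLS client certificate needs (issued by the lab CA, currently valid, private key present, Client Authentication EKU, chain to a trusted root) and reports the identity NPS will log. The issuer name is the lab CA from the page; everything else is generic.

```powershell
# Added example, not part of the original lab. Checks each certificate in the
# machine Personal store for the properties NPS needs from an EAP-TLS client
# certificate, and reports the identity NPS will see.
$ExpectedIssuerCN = 'AventisLab Root CA'   # lab CA from the page
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth

function Test-EapTlsClientCert {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [string] $IssuerCN = $ExpectedIssuerCN
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Issued by the CA the lab trusts. NPS validates the chain, not the name, but
    # a certificate from another CA shows up as a 6273 denial on the NPS side.
    if ($Cert.Issuer -notmatch "CN=$([regex]::Escape($IssuerCN))(,|$)") {
        $findings.Add("issuer is '$($Cert.Issuer)', expected CN=$IssuerCN")
    }
    # Inside its validity window right now.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $findings.Add("not valid now (NotBefore=$($Cert.NotBefore), NotAfter=$($Cert.NotAfter))")
    }
    # Private key present; auto-enrollment stores it, a cert-only import does not.
    if (-not $Cert.HasPrivateKey) { $findings.Add('no private key associated') }
    # Client Authentication EKU. "Smart Card or other certificate" skips certs without it.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    if (-not $hasClientAuth) { $findings.Add("EKU lacks Client Authentication ($ClientAuthOid)") }
    # Chain builds to a root in the machine Trusted Root store, as the supplicant requires.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline lab; NPS still checks revocation server-side
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $findings.Add("chain does not build: $status")
    }
    # Identity NPS logs: DNS name from the SAN for machine certs, UPN for user certs,
    # falling back to the Subject when there is no SAN extension (OID 2.5.29.17).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $identity = if ($san) { $san.Format($false) } else { $Cert.Subject }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Identity   = $identity
        Usable     = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Evaluate every certificate in the machine store, as the supplicant would.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-EapTlsClientCert -Cert $_ } | Format-List
```

A certificate that reports `Usable : True` here and still gets denied points at the NPS side (policy conditions, the server certificate, or revocation checking), which narrows troubleshooting considerably.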
Windows 10 connects to LAB (the SSID with EAP-TLS enforced) successfully with the machine certificate.
The computer name appears, in host/FQDN form, in the list of active clients connected to the Aruba IAP:
IAP315# show client
Client List
-----------
Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6 Address Signal Speed (mbps)
---- ---------- ----------- -- ----- ------------ ------- ---- ---- ------------ ------ ------------
host/AVENTIS-WIN10C.LAB.AVENTISLAB.COM 192.168.1.136 f8:63:3f:5c:34:a1 Win 10 LAB IAP315 100E AC LAB fe80::d452:e125:7d06:486e 56(good) 780(good)
Number of Clients :1
Info timestamp :1310869
EAP-TLS Authentication on macOS
Refer to EAP-TLS Authentication on macOS
EAP-TLS Authentication on Non Domain Joined Windows 10
Certificate auto-enrollment will NOT work on a non domain joined Windows 10 machine, so the CA root certificate and the user certificate need to be imported manually before connecting to the SSID with EAP-TLS enforced.
- Download CARoot.cer & EAPTLS.pfx
- Import CARoot.cer into Certificates (Local Computer) – Trusted Root Certification Authorities – Certificates
- Import EAPTLS.pfx into Certificates (Current User) – Personal – Certificates
- Setup a new connection or network in Control Panel – Network and Sharing Center
- Select Manually Connect to a Wireless Network
- Enter Network Name = SSID and Security Type = WPA2-Enterprise
- Click Change Connection Settings
- Go to Security, and Select Microsoft: Smart Card or other Certificate
- Click Advanced Settings and check Specify authentication mode: User authentication
- Windows 10 connects to the WIFI with the user certificate successfully
EAP-TLS Authentication on Ubuntu
Steps to configure EAP-TLS authentication on Ubuntu:
- Convert EAPTLS.pfx into a PEM certificate (EAPTLS.crt) and an encrypted PEM private key (EAPTLS.key) with openssl
# Export only the user certificate (no CA certificates, no key) from the PFX
openssl pkcs12 -in EAPTLS.pfx -clcerts -nokeys -out EAPTLS.crt
Enter Import Password:
# Export the private key; it stays encrypted under the new PEM pass phrase,
# which is the value entered later as Private Key Password in NetworkManager.
# With OpenSSL 3, add -legacy if reading the PFX fails with an unsupported algorithm error.
openssl pkcs12 -in EAPTLS.pfx -nocerts -out EAPTLS.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
- Download CARoot.cer, EAPTLS.crt & EAPTLS.key from http://192.168.1.232:8002
- Configure the security profile as below:
- Security = WPA & WPA2 Enterprise (the SSID is WPA2-Enterprise)
- Authentication = TLS
- Identity = eaptls (the username defined in AD; this is the EAP identity and is what the Aruba client list shows as the name)
- User Certificate = EAPTLS.crt
- CA Certificate = CARoot.cer
- Private Key = EAPTLS.key
- Private Key Password = the PEM pass phrase entered when exporting the key from the PFX
- Connected to the SSID with EAP-TLS enforced using the user certificate
- Log from Aruba for reference:
IAP315# show clients
Client List
-----------
Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6 Address Signal Speed (mbps)
---- ---------- ----------- -- ----- ------------ ------- ---- ---- ------------ ------ ------------
eaptls 192.168.1.132 f8:63:3f:5c:45:a9 NOFP LAB IAP315 6 GN LAB fe80::cd78:ddec:be51:ad7f 60(good) 6(poor)
Number of Clients :1
Info timestamp :1532839
EAP-TLS Authentication on iPhone
- Download CARoot.cer & EAPTLS.pfx via http://192.168.1.232:8002
- Install both certificates in Settings – General – Profiles (importing the PFX prompts for its password)
- Certificates installed successfully
- Connect to the SSID with EAP-TLS enforced (EAP type TLS, identity eaptls, with the imported user certificate selected)
- The iPhone connects successfully, as verified by the client list on the Aruba AP:
IAP315# sh client
Client List
-----------
Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6 Address Signal Speed (mbps)
---- ---------- ----------- -- ----- ------------ ------- ---- ---- ------------ ------ ------------
eaptls 192.168.1.145 84:a1:34:4a:06:45 Apple LAB IAP315 6 GN LAB fe80::cca:712e:3c2b:3805 21(good) 13(poor)
Number of Clients :2
Info timestamp :1550067