Setup NPS with EAP-TLS for Aruba WIFI


Steps to set up NPS with EAP-TLS for Aruba WIFI

The same components as in Setup NPS with PEAP for Aruba WIFI are reused in this lab.

EAP-TLS (Transport Layer Security) provides for certificate-based and mutual authentication of the client and the network. It relies on client-side and server-side certificates to perform authentication and can be used to dynamically generate user-based and session-based WEP keys to secure subsequent communications between the WLAN client and the access point.

Both User Certificate and Machine Certificate based authentication are supported with EAP-TLS.

Configuration of Aruba Instant AP

No changes are required from the previous lab.

Setup NPS with EAP-TLS for Aruba WIFI

The following changes are required, starting from the NPS configuration for PEAP-MSCHAPv2:

Add Domain Computers, or a dedicated computer group, to the Network Policy so that Machine Certificate authentication is allowed.


Replace PEAP authentication with Microsoft: Smart Card or other certificate, and uncheck all the less secure authentication methods, as certificate authentication will be used.

Optional step: download the trial version of NPS Log Monitor to check the NPS log file.
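As an alternative to a third-party log viewer, NPS also writes every authentication decision to the Security event log (Event ID 6272 for access granted, 6273 for access denied), which is the quickest place to confirm that the EAP type, the matched Network Policy and the reason for a rejection are what you expect after the changes above. The following PowerShell is an added example and not code from the original post; it assumes it is run on the NPS server itself and that the "Network Policy Server" audit subcategory is enabled (the `auditpol` command in the comment turns it on).

```powershell
# Added example (not from the original post): read NPS authentication results
# from the Security event log on the NPS server.
# Events appear only when auditing for the NPS subcategory is on:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
function Get-NpsAuthResult {
    param([int]$Last = 20)   # number of most recent authentication events to return

    # Pull one labelled value out of the event text; returns '' if the label is absent.
    # The first match wins, so 'Account Name' is the user/computer being authenticated.
    function Get-Field([string]$Text, [string]$Label) {
        if ($Text -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$") { $Matches[1] } else { '' }
    }

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } `
                 -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Result     = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
                Account    = Get-Field $_.Message 'Account Name'
                ClientMac  = Get-Field $_.Message 'Calling Station Identifier'   # supplicant MAC
                EapType    = Get-Field $_.Message 'EAP Type'                     # expect "Microsoft: Smart Card or other certificate"
                Policy     = Get-Field $_.Message 'Network Policy Name'          # which policy matched (or none)
                ReasonCode = Get-Field $_.Message 'Reason Code'
                Reason     = Get-Field $_.Message 'Reason'
            }
        }
}

# Usage: show the last 50 decisions; filter on Result -eq 'Denied' when troubleshooting a client
Get-NpsAuthResult -Last 50 | Format-Table -AutoSize
```

A machine-certificate logon shows up with an Account Name of the form host/COMPUTER.domain, matching what the Aruba client list displays later in this post; a denied event with an empty Network Policy Name means no policy matched the connection (for example the computer group from the step above is missing), while a non-empty policy with a non-zero Reason Code points at the authentication method or certificate itself.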

Group Policy to Auto Enroll and Deploy Certificates

Refer to Auto Enroll Certificate with Group Policy for how to configure auto enrollment of Computer & User certificates with a GPO.

Group Policy for Wireless Profile (Optional)

EAP-TLS Authentication on Domain Joined Windows 10

A Windows 10 VM with WIFI passthrough is used.

Open PowerShell with Administrator rights to verify that the Computer Certificate has been generated:

Get-ChildItem cert:\LocalMachine\MY |fl

Subject      : CN=AVENTIS-WIN10C.LAB.AVENTISLAB.COM
Issuer       : CN=AventisLab Root CA, DC=LAB, DC=AVENTISLAB, DC=COM
Thumbprint   : 4B7A9AC1E6B4683F3221074D66A3892EB0FBDD08
FriendlyName :
NotBefore    : 23/3/2020 3:02:25 AM
NotAfter     : 23/3/2021 3:02:25 AM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
               System.Security.Cryptography.Oid...}
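Seeing a certificate in the store is not quite the same as having one that EAP-TLS will accept: the supplicant and NPS also need the Client Authentication EKU, an associated private key, a current validity period and a chain to a root the machine trusts. The following PowerShell is an added example rather than code from the original post; it generalises the listing above into a per-certificate readiness check that works for both the machine store and, with `-StorePath Cert:\CurrentUser\My`, the user store used later for non-domain-joined clients. The store path and the issuer name are assumptions taken from this lab and should be adjusted for your CA.

```powershell
# Added example (not from the original post): check that certificates in a store
# meet the requirements an EAP-TLS client certificate must satisfy.
function Test-EapTlsClientCert {
    param(
        [string]$StorePath      = 'Cert:\LocalMachine\My',   # machine store; use Cert:\CurrentUser\My for user certs
        [string]$ExpectedIssuer = 'CN=AventisLab Root CA'    # issuer prefix of the lab CA (assumption)
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Enhanced Key Usage: Client Authentication
    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # EnhancedKeyUsageList is added by the Cert: provider; empty if the extension is missing
        $hasClientAuth = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
        $inValidity    = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        # Verify() builds and validates the chain against the local trusted roots,
        # which is what the supplicant does before offering the certificate
        $chainOk       = $cert.Verify()

        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            Thumbprint     = $cert.Thumbprint
            IssuerMatches  = $cert.Issuer.StartsWith($ExpectedIssuer)
            ClientAuthEKU  = $hasClientAuth
            HasPrivateKey  = $cert.HasPrivateKey
            InValidity     = $inValidity
            DaysRemaining  = [int]($cert.NotAfter - $now).TotalDays
            ChainOK        = $chainOk
            ReadyForEapTls = $hasClientAuth -and $cert.HasPrivateKey -and $inValidity -and $chainOk
        }
    }
}

# Usage: machine certificate on a domain-joined client (run elevated)
Test-EapTlsClientCert | Format-List
```

`DaysRemaining` is worth watching on the one-year certificates auto-enrolled in this lab: once it reaches zero the machine silently drops off the EAP-TLS SSID, so a scheduled check that alerts below a threshold of a few weeks catches the renewal problem before users do.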

Windows 10 connects to LAB (the EAP-TLS enforced SSID) successfully with the machine certificate.

The Computer Name is displayed in the list of active clients connected to the Aruba IAP:

IAP315# show client

Client List
-----------
Name                                    IP Address     MAC Address        OS      ESSID  Access Point  Channel  Type  Role  IPv6 Address               Signal    Speed (mbps)
----                                    ----------     -----------        --      -----  ------------  -------  ----  ----  ------------               ------    ------------
host/AVENTIS-WIN10C.LAB.AVENTISLAB.COM  192.168.1.136  f8:63:3f:5c:34:a1  Win 10  LAB    IAP315        100E     AC    LAB   fe80::d452:e125:7d06:486e  56(good)  780(good)
Number of Clients   :1
Info timestamp      :1310869

EAP-TLS Authentication on macOS

NPS with EAP-TLS Authentication on Windows 10

Certificate Auto Enrollment will NOT work on a Non Domain Joined Windows 10 machine, so the CA Root Certificate & User Certificate need to be manually imported prior to connecting to an SSID with EAP-TLS enforced.

  1. Download CARoot.cer & EAPTLS.pfx
  2. Import CARoot.cer to Certificates (Local Computer) – Trusted Root Certification Authorities – Certificates
  3. Import EAPTLS.pfx to Certificates (Current User) – Personal – Certificates
  4. Set up a new connection or network in Control Panel – Network and Sharing Center
  5. Select Manually connect to a wireless network
  6. Enter Network Name = SSID and Security Type = WPA2-Enterprise
  7. Click Change connection settings
  8. Go to Security, and select Microsoft: Smart Card or other certificate. Click Advanced settings and check Specify authentication mode: User authentication
  9. Windows 10 connected to WIFI with the User Certificate successfully
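The certificate import steps above can be scripted for machines that are not domain joined, which also makes it easy to confirm that the user certificate really did land with its private key and chains to the root that was just installed. The PowerShell below is an added example, not code from the original post; the file paths are assumptions, and it uses the `Import-Certificate` and `Import-PfxCertificate` cmdlets from the PKI module that ships with Windows 10. The root import requires an elevated prompt; the PFX import goes into the current user's store, as in step 3.

```powershell
# Added example (not from the original post): script steps 2 and 3 for a
# non-domain-joined Windows 10 client and sanity-check the result.
$caRootPath = 'C:\Temp\CARoot.cer'   # downloaded CA root certificate (assumed path)
$pfxPath    = 'C:\Temp\EAPTLS.pfx'   # downloaded user certificate + private key (assumed path)

# Step 2: the CA root goes into the Local Computer trusted root store (needs elevation)
$root = Import-Certificate -FilePath $caRootPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# Step 3: the user certificate and key go into the Current User personal store.
# The password is the one set when EAPTLS.pfx was exported; never hard-code it.
$pfxPassword = Read-Host -Prompt 'EAPTLS.pfx password' -AsSecureString
$user = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword

# Checks the supplicant will effectively perform before offering the certificate
$problems = @()
if (-not $user.HasPrivateKey)      { $problems += 'private key was not imported; re-export the PFX with the key' }
if ($user.Issuer -ne $root.Subject) { $problems += "issuer '$($user.Issuer)' is not the installed root '$($root.Subject)'" }
if (-not $user.Verify())           { $problems += 'chain validation failed; intermediate CA or root missing' }

if ($problems.Count -eq 0) {
    "User certificate $($user.Thumbprint) ($($user.Subject)) is ready for EAP-TLS user authentication"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The issuer/subject comparison is a plain string match and only works for a certificate issued directly by the root, as in this lab; `Verify()` remains the authoritative check when an intermediate CA sits in between.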

EAP-TLS Authentication on Ubuntu

Steps to configure EAP-TLS Authentication on Ubuntu:

  1. Convert EAPTLS.pfx to EAPTLS.crt & EAPTLS.key
#Export User Certificate from PFX (certificate only, no private key)
openssl pkcs12 -in EAPTLS.pfx -clcerts -nokeys -out EAPTLS.crt
Enter Import Password:

#Export Private Key from PFX (the PEM pass phrase becomes the Private Key Password in step 3)
openssl pkcs12 -in EAPTLS.pfx -nocerts -out EAPTLS.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

  2. Download CARoot.cer, EAPTLS.crt & EAPTLS.key from http://192.168.1.232:8002
  3. Configure the Security Profile as below
  • Security = WPA & WPA3 Enterprise
  • Authentication = TLS
  • Identity = eaptls (username defined in AD)
  • User Certificate = EAPTLS.crt
  • CA Certificate = CARoot.cer
  • Private Key = EAPTLS.key
  • Private Key Password = (password defined when exporting the key file from the PFX)

  4. Connected to the SSID with EAP-TLS enforced using the User Certificate

  5. Log from Aruba for reference
IAP315# show clients

Client List
-----------
Name    IP Address     MAC Address        OS    ESSID  Access Point  Channel  Type  Role  IPv6 Address               Signal    Speed (mbps)
----    ----------     -----------        --    -----  ------------  -------  ----  ----  ------------               ------    ------------
eaptls  192.168.1.132  f8:63:3f:5c:45:a9  NOFP  LAB    IAP315        6        GN    LAB   fe80::cd78:ddec:be51:ad7f  60(good)  6(poor)
Number of Clients   :1
Info timestamp      :1532839

EAP-TLS Authentication on iPhone

  1. Download CARoot.cer & EAPTLS.pfx via http://192.168.1.232:8002
  2. Select & Install both SSL Certificates in Settings – General – Profiles

  3. SSL Certificates installed successfully

  4. Connect to the SSID with EAP-TLS enforced following the settings below

  5. The iPhone is connected successfully, as verified by the log from the Aruba AP
IAP315# sh client

Client List
-----------
Name    IP Address     MAC Address        OS     ESSID  Access Point  Channel  Type  Role  IPv6 Address               Signal    Speed (mbps)
----    ----------     -----------        --     -----  ------------  -------  ----  ----  ------------               ------    ------------
eaptls  192.168.1.145  84:a1:34:4a:06:45  Apple  LAB    IAP315        6        GN    LAB   fe80::cca:712e:3c2b:3805   21(good)  13(poor)
Number of Clients   :2
Info timestamp      :1550067
IAP315# Connection to 192.168.1.240 closed.

EAP-TLS Authentication on Android