PEAP and EAP-TLS on Server 2008 and Cisco WLC

Thanks again
Will do cert server

Hi Rene,
I found that to solve the BYOD problem we can use an open source solution such as PacketFence …
I’m trying to implement this solution but I faced some difficulties. Have you already tested this solution or another open source solution?
I think that with your lessons it’s easier to implement because you explain very well!

Hi Sam, I haven’t tried PacketFence yet but I have to say it looks pretty cool. It uses FreeRADIUS as the RADIUS server instead of Microsoft NPS. If you want to give this a serious shot I would first try to get PEAP and/or EAP-TLS working through FreeRADIUS before diving into PacketFence.

Rene

I think it’s better to keep NPS for professional authentication and use FreeRADIUS for BYOD (guests + personal devices of employees)?

Corporate devices should be authenticated using 802.1X / RADIUS because it’s far more secure than a pre-shared key. I wouldn’t use 802.1X for personal devices because of the administrative overhead (configuring wireless profiles).

For guest users it’s best to create a captive portal and keep the Wi-Fi ‘open’ or use a pre-shared key. Make sure all ports are disabled with the exception of basic stuff like HTTP, HTTPS and such.

My final year project title is IMPLEMENTING SECURE WIRELESS NETWORK TRAFFIC USING EXTENSIBLE AUTHENTICATION PROTOCOL with TRANSPORT LAYER SECURITY (EAP-TLS). In your opinion, is it related to your post here???

I guess it’s your lucky day then as this post is 100% about configuring EAP-TLS. You might have to read up on the theory but this is how the implementation is done.

That means EAP-TLS configuration does not require routers and switches?

Sir, what are the advantages we can get by using EAP-TLS compared to other network security options?

When you want to use WPA/WPA2 you have two options:

  1. Personal (pre-shared key)
  2. Enterprise (802.1X)

The problem with the pre-shared key is that you have no control over the key…it can be shared with everyone so it’s not a scalable solution.

Enterprise is far more secure and supports multiple EAP types. The most advanced one is EAP-TLS which requires certificates for the client and the server for authentication. The client will check if it’s talking to the correct server and the server will check if the client is allowed to connect to the wireless network.

Hi Rene,

Thanks for your post. It was very easy to configure EAP-TLS without any network background.
I have one doubt. I have an IP camera which supports 802.1X using EAP-TLS, and there are options in its settings tab like “EAPOL version, ID, Password, CA certificates, Client certificates and Private key”. Where can I get all these from?

Also you explained about setting up the RADIUS server in the Cisco network controller. But here I have a Linksys EA4500 wireless router and it does not have these options.

So kindly help me to setup 802.1x environment for this scenario.

Thanks in advance
Karthik

Hi Karthik,

You should be able to select WPA(2)-Enterprise on your EA4500 router instead of WPA-Personal (Pre-shared key).

Devices like printers and cameras can be authenticated using EAP-TLS but it’s more troublesome. What I would do, is follow my guide in this tutorial about getting a personal certificate on the windows 7 computer. You can probably use the same certificate for your camera…if it doesn’t support a personal certificate you’d have to use a computer certificate but that goes beyond the content of this tutorial :slight_smile:

Rene
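An added example, not code from the tutorial or from anyone in this thread, for two points above: Rene’s explanation that EAP-TLS has the client and the server each check the other’s certificate, and Karthik’s camera, which wants a client certificate, its private key and the CA certificate as files. The script looks in the current user’s personal store (where the tutorial enrols the Windows 7 certificate) for a certificate that has what mutual authentication relies on (a private key, the Client Authentication EKU, a chain that builds to a trusted root), then exports that certificate with its key as a PFX and the CA certificate(s) above it as DER .cer files. The output folder, file names and password prompt are my assumptions.

```powershell
# Added example, not from the original tutorial or thread.
# Assumes: PowerShell on the Windows 7 client where the personal certificate
# was enrolled (CurrentUser\My); $OutDir is a placeholder folder of your choice.
$OutDir        = 'C:\eap-tls-export'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Read the Extended Key Usage extension (OID 2.5.29.37); empty list if absent.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-EapTlsClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Returns the reasons this certificate is NOT usable for EAP-TLS;
    # an empty list means it passed every check.
    $problems = @()
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key (the supplicant cannot prove it owns the certificate)'
    }
    if ((Get-EkuOids $Cert) -notcontains $ClientAuthOid) {
        $problems += 'missing Client Authentication EKU (required for 802.1X client authentication)'
    }
    if ($Cert.NotAfter -lt (Get-Date)) {
        $problems += ('expired on ' + $Cert.NotAfter)
    }
    # Build the chain the way the RADIUS server will: it must end at a root CA the
    # server trusts. Revocation is skipped here so the check also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += ('chain does not build to a trusted root: ' + $status)
    }
    return ,$problems
}

function Export-EapTlsBundle {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Folder,
        [System.Security.SecureString]$PfxPassword
    )
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    # Client certificate + private key in one PKCS#12 file. Export throws if the
    # key was marked non-exportable at enrolment.
    $pfx = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)
    [System.IO.File]::WriteAllBytes((Join-Path $Folder 'client.pfx'), $pfx)
    # Every certificate above the leaf (issuing CA first, root last) as DER .cer
    # files: the "CA certificates" entry a device like the camera asks for.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.Build($Cert) | Out-Null
    $n = 0
    foreach ($element in $chain.ChainElements) {
        if ($element.Certificate.Thumbprint -eq $Cert.Thumbprint) { continue }
        $n++
        $der = $element.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        [System.IO.File]::WriteAllBytes((Join-Path $Folder ('ca{0}.cer' -f $n)), $der)
    }
}

# Report every certificate in the personal store and collect the usable ones.
$usable = @()
foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $issues = Test-EapTlsClientCert $cert
    if ($issues.Count -eq 0) {
        Write-Host ('OK    {0}  issued by {1}' -f $cert.Subject, $cert.Issuer)
        $usable += $cert
    } else {
        Write-Host ('SKIP  {0}: {1}' -f $cert.Subject, ($issues -join '; '))
    }
}
if ($usable.Count -eq 0) {
    throw 'No usable EAP-TLS client certificate found; enrol one first (see the tutorial).'
}
$pfxPwd = Read-Host -AsSecureString 'Password to protect client.pfx'
Export-EapTlsBundle -Cert $usable[0] -Folder $OutDir -PfxPassword $pfxPwd
Write-Host "Exported client.pfx and CA certificate(s) to $OutDir"
```

The PFX bundles certificate and key together; a device that wants the key as a separate PEM file can split it with OpenSSL on any machine (`openssl pkcs12 -in client.pfx -out client.pem -nodes`). The chain check is the same one NPS performs on the server side, so a certificate the script reports as SKIP will also be rejected at authentication time.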

Hi Rene.
Can you list all the types of hardware and software that you use to do this tutorial?? :slight_smile:

You don’t need much:

- Windows Server 2008 R2 (just run it in vmware workstation or virtualbox)
- Windows 7 Client with wireless adapter.
- A wireless access point that supports WPA(2)-Enterprise.

Can I configure PEAP authentication without installing a certificate server??
:wink:

Hi Rene, I am trying to do this setup at my work and am having issues. We have a server for each… for instance a cert server (deals with certificates), a DHCP server (has NPS installed), a DNS server, a WLC, and a DC (AD).

I followed all of your instructions… and I am trying to connect a laptop that is not on the domain, so I followed your instructions on exporting the cert from the NPS server to my Windows 7 laptop, and I followed all the configuration the same as you…

But when I add my SSID to the Windows 7 laptop with all the same settings as you suggested for connecting with PEAP… I get to the point where it prompts me for a user name and password… and when I input them it seems like it never gets authenticated… even though I supplied it with the correct user name and password… that username and password box keeps popping up and asking me to input the information over and over again… any idea what I am doing wrong? Or where I should look to troubleshoot this?

Thanks.

Yes and clients can even choose to ignore a server certificate. If you do it this way then you still have username/password authentication and the advantage of per-session encryption keys but the downside is that it’s possible for attackers to spoof the RADIUS server.
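An added check, not part of the thread, for the point above: a PEAP client that does not validate the RADIUS server certificate has no way to tell the real NPS from a spoofed one. On a Windows 7 client the saved wireless profile records what the supplicant validates, so this script exports the profile with `netsh wlan export profile` and reads its server-validation settings (whether validation is performed, whether the user can click through an unknown certificate, which server names and trusted root are pinned). It also spots a profile that is still WPA-Personal, which is the pre-shared-key case from Rene’s list above. The profile name and temporary folder are my assumptions; the element names are the ones Windows uses in its PEAP profile XML and are matched by local name so the XML namespaces do not matter.

```powershell
# Added example, not from the original tutorial or thread.
# Assumes: run on the Windows 7 client; $ProfileName is the SSID profile set up
# in the tutorial and $TempDir is any writable folder.
$ProfileName = 'CORP-WIFI'   # placeholder: your profile name
$TempDir     = Join-Path $env:TEMP 'wlan-profile-check'

function Export-WlanProfileXml {
    param([string]$Name, [string]$Folder)
    # netsh names the file "<interface>-<profile>.xml"; the interface part varies,
    # so the export goes into an empty folder and is found by glob.
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    Remove-Item (Join-Path $Folder '*.xml') -ErrorAction SilentlyContinue
    $out  = & netsh.exe wlan export profile name="$Name" folder="$Folder" 2>&1
    $file = Get-ChildItem (Join-Path $Folder '*.xml') | Select-Object -First 1
    if (-not $file) { throw "netsh did not export profile '$Name': $out" }
    return [xml](Get-Content $file.FullName)
}

function Get-LocalNameValue {
    param([xml]$Xml, [string]$LocalName)
    # Namespace-agnostic lookup: the PEAP settings sit under several Microsoft namespaces.
    $node = $Xml.SelectSingleNode("//*[local-name()='$LocalName']")
    if ($node) { return $node.InnerText.Trim() } else { return $null }
}

function Test-PeapServerValidation {
    param([xml]$ProfileXml)
    $findings = @()
    # WPA2 = Enterprise (802.1X); WPA2PSK / WPAPSK = Personal (pre-shared key).
    $auth = Get-LocalNameValue $ProfileXml 'authentication'
    if ($auth -notmatch '^WPA2?$') {
        return ,@("WEAK: authentication is '$auth': a pre-shared-key profile, no 802.1X / RADIUS involved")
    }
    $eapType = Get-LocalNameValue $ProfileXml 'Type'   # 25 = PEAP, 13 = EAP-TLS
    $findings += "INFO: 802.1X profile, EAP method type $eapType"

    $perform = Get-LocalNameValue $ProfileXml 'PerformServerValidation'
    if ($perform -and $perform -ne 'true') {
        $findings += 'WEAK: PerformServerValidation=false: any RADIUS server certificate is accepted (spoofable)'
    }
    $prompt = Get-LocalNameValue $ProfileXml 'DisableUserPromptForServerValidation'
    if ($prompt -ne 'true') {
        $findings += 'WEAK: user is prompted to accept unknown server certificates (one click-through defeats validation)'
    }
    $names = Get-LocalNameValue $ProfileXml 'ServerNames'
    if (-not $names) {
        $findings += 'WEAK: ServerNames empty: the server certificate subject is not checked'
    } else {
        $findings += "OK: server name(s) pinned: $names"
    }
    $roots = @($ProfileXml.SelectNodes("//*[local-name()='TrustedRootCA']") |
               ForEach-Object { $_.InnerText.Trim() } | Where-Object { $_ })
    if ($roots.Count -eq 0) {
        $findings += 'WEAK: no TrustedRootCA pinned: any trusted root CA in the machine store is accepted'
    } else {
        $findings += ('OK: trusted root thumbprint(s) pinned: ' + ($roots -join ', '))
    }
    return ,$findings
}

$xml = Export-WlanProfileXml -Name $ProfileName -Folder $TempDir
foreach ($line in Test-PeapServerValidation $xml) { Write-Host $line }
```

A profile that reports only OK and INFO lines is one where the client will refuse a RADIUS server whose certificate was not issued by the pinned root for the pinned name; every WEAK line is a setting that lets a server other than your NPS complete the PEAP tunnel and collect the inner credentials.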


Hi Ken,

You should first look at the event viewer, especially the security section. I would start at the NPS server because it will tell you why clients have been permitted or denied, and if denied…it will show you the reason.

Rene

Hi Rene.
Thanks for the reply… I checked the event viewer under security and also under the NPS role in event viewer and it does not show anything denied or permitted… no errors either. It’s strange that it did not log my login attempts. Any idea why it does not log my login attempts?