Wednesday, October 9, 2013

How to configure EAP-TLS

Far too many times have I come across a wireless environment where it has been said that the authentication method in use is none other than EAP-TLS. This is good, as EAP-TLS is not only the most secure method but also the easiest one from a user perspective, a rare combination in this day and age. Still, when looking over the configuration, it appears that most environments are actually using PEAP-MSCHAP v2, which isn't EAP-TLS at all. How can this be? Perhaps because PEAP-MSCHAP v2 is the default. So, how does one configure EAP-TLS, then?


There are a number of requirements for this particular authentication method. The most apparent one is an existing PKI environment. With that in place, it's time to move on to the Network Policy Server, or RADIUS server if you will. The first step is to request a certificate from the enterprise CA based on the RAS and IAS Server certificate template. This certificate matters: the clients use it not only to protect the connection but also to verify that they are talking to the legitimate RADIUS server for this wireless environment. The next step is to fire up the NPS console and configure EAP-TLS.


Under Standard Configuration, choose to configure a RADIUS server for 802.1X Wireless or Wired Connections.


In the following window, select Secure Wireless Connections and give it an appropriate name. The next step is to add a RADIUS client. This will be your wireless controller or the access point itself, depending on the vendor. The only things you'll need here are the IP address of the device and the shared secret, and you'll be all set. The next step in the wizard is to select the authentication method.


EAP-TLS is listed as "Microsoft: Smart Card or other certificate" and nothing else. Don't be fooled by the name, as it may be confusing. Select it and pick the certificate requested earlier from the RAS and IAS Server certificate template. Next, you'll have the option to limit devices or users based on group membership, but this isn't required. Go ahead and finish the wizard using the default values and move on to configure the details of the newly created network policy.


In the properties of the network policy, head on over to Constraints and remove all other less secure authentication methods.


The next step is to remove, in the Settings pane, all encryption methods other than the strongest one.
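The same steps can be checked and partly automated from PowerShell on the NPS server. This is an added example, not part of the original post: it assumes the PKIClient and NPS modules (Windows Server 2012 or later), a domain-joined server that can enroll from the enterprise CA, and placeholder values for the RADIUS client name and address; the match on the template extension's formatted text is an assumption about how the extension renders.

```powershell
# 1. Find a certificate issued from the RAS and IAS Server template and confirm it is
#    usable for EAP-TLS: private key present, Server Authentication EKU, not expired.
#    'RASAndIASServer' is the template's common (internal) name.
function Test-NpsServerCertificate {
    $serverAuthOid  = '1.3.6.1.5.5.7.3.1'         # id-kp-serverAuth
    $templateExtOid = '1.3.6.1.4.1.311.21.7'      # Certificate Template Information
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
    }
    # Assumption: the extension's formatted text names the issuing template.
    $fromTemplate = $candidates | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateExtOid }
        $ext -and ($ext.Format($false) -match 'RAS and IAS Server')
    }
    if (-not $fromTemplate) {
        # Nothing suitable installed: request one from the enterprise CA.
        $result = Get-Certificate -Template 'RASAndIASServer' -CertStoreLocation Cert:\LocalMachine\My
        if ($result.Status -ne 'Issued') { throw "Enrollment status: $($result.Status)" }
        $fromTemplate = $result.Certificate
    }
    return ($fromTemplate | Select-Object -First 1)
}

# 2. Register the wireless controller or access point as a RADIUS client with a
#    generated shared secret instead of a short typed one. Controllers differ in
#    the maximum secret length they accept; 24 random bytes give 32 characters.
function Register-WirelessRadiusClient {
    param([string]$Name, [string]$Address)
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = [Convert]::ToBase64String($bytes)
    New-NpsRadiusClient -Name $Name -Address $Address -SharedSecret $secret | Out-Null
    return $secret   # hand this to the controller administrator out of band
}

$cert = Test-NpsServerCertificate
"EAP-TLS server certificate: $($cert.Subject) (expires $($cert.NotAfter))"
# Placeholder client name and address; replace with the real controller.
$secret = Register-WirelessRadiusClient -Name 'WLC01' -Address '192.0.2.10'

# 3. Review the resulting network policy: only EAP (Smart Card or other
#    certificate) should remain as an authentication method, and only the
#    strongest encryption setting should be enabled.
netsh nps show np
```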


There you have it. Devices and users now have the option of using a certificate for identification when connecting to the wireless network. There are many more options to configure but this will suffice for a basic, secure wireless network using EAP-TLS. Enjoy!
