Friday, October 7, 2011

802.1x, PEAP, NPS, Wildcard Certificates, and You.

I recently had an issue involving wireless clients authenticating against our RADIUS server, which is a Windows Server 2008 R2 box running the NPS role. The certificate that we were using to secure PEAP was expiring and we needed a new one. We have a DigiCert wildcard plus that allows unlimited duplicates and unlimited server installs. Sweet, right? I thought so too. So, I requested a duplicate for our NPS server and verified that it met all of the requirements here. Check, and check. Install the certificate, test on my MacBook: everything looks good. Test on my iPad: looks good. Test on my Android phone: yep. Test on a Windows 7 laptop: won't authenticate.


This is where it gets frustrating. I did a few traces and sorted through some logs and saw various EAP_TLS failures on both the client and the server. No idea why, so after a day I opened a ticket with Microsoft support. The first few support engineers were helpless, but I finally got someone from the PKI team at Microsoft who told me that the Subject field of the certificate must be the FQDN of the server. Since we are using a wildcard, the Subject field is *.ourdomain.edu. This should still be valid, and every other OS that we tested accepted it, but not Windows.

We ended up replacing the certificate with a single server SSL certificate that also met all of the requirements listed, and things work fine. I received an email from the support engineer on the PKI team the following day that said that in his testing, wildcards in the Subject field do work, and he has no idea why our certificate didn't work, but that they have had many problems with 3rd party wildcards in the past with PEAP. So, buyer beware! PEAP doesn't always play nice with wildcard certificates and Microsoft support doesn't know why.

3 comments:

  1. We've found some of the wildcard SSL providers have an intermediary cert that must also be added to the server certificate store before the chain is valid. RapidSSL is one that I have this experience with.

    ReplyDelete
  2. Thanks for the write up.

    ReplyDelete
  3. Thank You, have the exact same problem with a 2012r2 server!

    ReplyDelete