Creating a Certificate for the RADIUS Server to Present to the Client Machine

  1. If you plan on using SCEP to issue certificates, complete the following steps:

    1. In the Certificate Authority window, right-click Certificate Templates, and choose New > Certificate Template to Issue.

    2. Select your mobile device template, e.g., "AppleEnroll", and then click OK.
      The new template is now available and the SCEP service must be made aware of it by changing a registry setting.

    3. Click the Start menu, click Search, and type "Regedit" in the search field.
      The Registry Editor window will open.

      Important: Use caution when editing the settings in the Registry Editor.

    4. Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Cryptography.

    5. Click the MSCEP key.

    6. In the Data column, change the following three keys to the name of the template that you created: EncryptionTemplate, GeneralPurposeTemplate, and SignatureTemplate.

    7. Create a new key within the MSCEP key named "PasswordMax".

    8. Create a new DWORD (32-bit) Value within the PasswordMax key.

    9. Enter “PasswordMax” in the Name field for the new DWORD.

    10. Double-click the DWORD entry to open the Edit DWORD (32-bit) Value dialog.

    11. In the Value data field, enter a value that is high enough to accommodate the number of enrolled devices in your environment.

      Note: The default number of cached passwords is five. Passwords are cached for up to 60 minutes or until they are used.

    12. In the Base options area, select Decimal.

    13. Click OK.

    14. Close the Registry Editor window.

    15. Click Start, and select Server Manager.

    16. Click IIS, right-click IIS Admin Service in the Services list, and then choose Restart Services.

  2. Open Microsoft Management Console (MMC) on the server that will be hosting the RADIUS server.

  3. Select File > Add/Remove Snap-in.

  4. In the Available snap-ins list, click Certificates, and then click Add.

  5. In the Certificates snap-in window, select Computer Account, select Local Computer, and then click Finish.

  6. Expand the console sidebar to open the Certificates (Local Computer) > Personal > Certificates folder.

  7. Select the server certificate which has Client Authentication, Server Authentication in the Intended Purposes column.

    Important: Make note of the certificate's name. You will need it later when configuring the PEAP or TLS authentication method.

  8. Open Start > Windows Administrative Tools > Network Policy Server.

  9. In the console sidebar, expand RADIUS Clients and Servers, and then click RADIUS Clients.

  10. In the RADIUS Clients pane, right-click either the wireless or wired RADIUS client, select Properties, and then configure the following settings for the access points:

    • Friendly Name—This can be anything, but you should have one friendly name for the wireless and another friendly name for the wired.

    • IP Address—This will be the IP address of the access point or the wired switch.

    • Device Manufacturer—This should correspond to the wireless and wired devices you are using to support 802.1X.

    • Shared Secret—Select the Manual option at the bottom of the Shared Secret area, and then enter the password that you set on the access point or the wired switch.

  11. In the console sidebar, expand Policies under the “NPS (Local)” item, right-click on Network Policies, and choose New.

  12. When prompted, enter a name in the Policy name field.

  13. Ensure the Type of network access server is set to “Unspecified”.

  14. Click Next.

  15. In the Specify Condition window, click Add to add a condition.

  16. Select the conditions as needed for your environment. Consider the following commonly used values for each setting:

    • NAS Port Type—Set to Wireless – Other or Wireless – IEEE 802.11.

    • Authentication Type—Set to EAP.

  17. Click Next.

  18. In the Specify Access Permission window, select one of the following options as needed for your environment:

    • Access Granted

    • Access Denied

    • Access is determined by user dial-in properties

  19. Click Next.

  20. In the Configure Authentication Methods window, click Add.

  21. To configure the PEAP authentication method, do the following:

    1. Select Microsoft: Protected EAP (PEAP), and click OK.

    2. Select Microsoft: Protected EAP (PEAP), and click Edit to open the Properties window.

    3. Click the Certificate issued to pop-up menu, and choose the name of the certificate you noted earlier.

    4. Select the Enable Fast Reconnect checkbox.

    5. In the EAP Types field, select Secured password (EAP-MSCHAP v2).

      Note: It is possible to use a certificate as the EAP Type within PEAP, but this results in a hybrid form of 802.1X, a mix of PEAP and EAP-TLS.

    6. Click OK.

  22. To configure the TLS authentication method, do the following:

    1. Select Microsoft: Smart Card or other certificate, and click OK.

    2. Select Microsoft: Smart Card or other certificate, and click Edit to open the Properties window. This type is known as EAP-TLS.

    3. Click the Certificate issued to pop-up menu, and choose the name of the certificate you noted earlier.

    4. Click OK.

  23. Deselect all the checkboxes under Less secure authentication methods.

  24. Click Next.

  25. (Optional) In the Configure Constraints window, configure additional parameters.

  26. Click Next.

  27. (Optional) In the Configure Settings window, configure additional settings.

  28. Click Next.

  29. Review your settings in the summary window.

  30. Click Finish.
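As an added example that is not part of the Jamf guide, the following PowerShell applies the MSCEP registry values from steps 1.3 to 1.16 and then lists the candidate server certificates from steps 2 to 7 so the right one can be noted before the PEAP or EAP-TLS method is configured. It assumes the template is named "AppleEnroll", a PasswordMax of 100, an elevated session, and that the SCEP and NPS roles share one host (otherwise run each half on its own server).

```powershell
#Requires -RunAsAdministrator
# Assumptions (not from the guide): template "AppleEnroll" and a PasswordMax of 100.
$TemplateName   = 'AppleEnroll'
$PasswordMax    = 100
$MscepKey       = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$PwdMaxKey      = "$MscepKey\PasswordMax"
$TemplateValues = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'

# Steps 1.4-1.6: all three template values point at the mobile device template.
if (-not (Test-Path $MscepKey)) { throw 'MSCEP key not found; is the NDES role installed?' }
foreach ($name in $TemplateValues) {
    Set-ItemProperty -Path $MscepKey -Name $name -Value $TemplateName -Type String
}

# Steps 1.7-1.13: a PasswordMax subkey holding a DWORD that is also named PasswordMax.
if (-not (Test-Path $PwdMaxKey)) { New-Item -Path $PwdMaxKey | Out-Null }
Set-ItemProperty -Path $PwdMaxKey -Name 'PasswordMax' -Value $PasswordMax -Type DWord

# Read everything back before touching services, so a typo fails here rather
# than at the first device enrollment.
$mscep = Get-ItemProperty -Path $MscepKey
foreach ($name in $TemplateValues) {
    if ($mscep.$name -ne $TemplateName) { throw "$name is '$($mscep.$name)', expected '$TemplateName'" }
}
if ((Get-ItemProperty -Path $PwdMaxKey).PasswordMax -ne $PasswordMax) { throw 'PasswordMax was not applied' }

# Steps 1.15-1.16: the SCEP service picks up the new values only after IIS Admin restarts.
Restart-Service -DisplayName 'IIS Admin Service' -Force

# Steps 2-7: find the certificate NPS will present. It needs both the Server
# Authentication and Client Authentication EKUs and a usable private key.
$ServerAuth = '1.3.6.1.5.5.7.3.1'
$ClientAuth = '1.3.6.1.5.5.7.3.2'
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $oids = @($_.EnhancedKeyUsageList.ObjectId)
    $_.HasPrivateKey -and ($oids -contains $ServerAuth) -and ($oids -contains $ClientAuth)
}
if (-not $candidates) { Write-Warning 'No suitable server certificate in Cert:\LocalMachine\My'; return }

# "IssuedTo" is what the "Certificate issued to" pop-up menu shows in steps 21.3 and 22.3.
$candidates | Select-Object @{n = 'IssuedTo'; e = { $_.Subject }}, Thumbprint, NotAfter,
    @{n = 'DaysToExpiry'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays }} | Format-Table -AutoSize
```

A certificate with a low DaysToExpiry should be renewed before it is selected, since every 802.1X client will stop authenticating when it expires.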

The environment needed to run basic PEAP and EAP-TLS 802.1X authentication should now be complete. To continue setting up 802.1X authentication with Jamf Pro, see the following sections of this guide.

© copyright 2002-2021 Jamf. All rights reserved.