Introduction
802.1X and EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) together provide secure authentication. Client devices (802.1X supplicants) and a RADIUS authentication server validate each other's identities by validating the signatures on the device and server certificates they exchange.
This authentication method uses a RADIUS server that interfaces with an external LDAP database. It also requires a way to install certificates on the server and on every supplicant; on Windows this can be done with Network Policy Server (NPS) and a Group Policy Object (GPO) that issues computer certificates, together with an 802.1X SSID profile on the clients for wireless access authorization.
In this article, we explore the complexities of integrating EAP-TLS authentication with Microsoft Network Policy Server (NPS) and highlight their cooperation. Understanding and deploying EAP-TLS with NPS is critical for strengthening your network security and protecting data and access.
Integration Process Overview
- Configure the WPA2-Enterprise network to authenticate using 802.1X certificates.
- Connect the Microsoft NPS RADIUS server to the secure network:
  - The RADIUS server authenticates and authorizes users for network access by verifying their identities against the core provider.
- Connect the PKI, then download and install the Certificate Authorities (CAs):
  - Connect the Root and Intermediate CAs to the RADIUS server and the secure network. As users enroll for network access, they are issued certificates from the connected CA.
To complete this setup, you will need to have configured:
- A SecureW2 Network Profile.
- A Microsoft NPS RADIUS Server.
- A Core Provider.
What is EAP-TLS Authentication?
EAP-TLS stands for Extensible Authentication Protocol-Transport Layer Security. While the name is undoubtedly a mouthful, EAP-TLS is designed to improve network security through digital authentication. EAP-TLS secures your network by allowing only authorized users to access company data, resources, and applications.
EAP-TLS supports X.509 digital authentication certificates, which are more secure than passwords. These digital authentication certificates can be used by businesses to enable single sign-on (SSO) across VPNs or other network devices.
How Does EAP-TLS Work?
As previously stated, EAP-TLS is a certificate-based mutual authentication method, meaning both the client and the server must present certificates for authentication to succeed. Once each side has validated the other's certificate, EAP-TLS derives session keys on both sides to complete the login.
The steps are as follows:
- A user requests network access through a wireless access point (AP) or another authenticator.
- The AP requests the client's identity. When the AP receives the identity, it forwards it to the authentication server.
- The RADIUS authentication server asks the client, via the AP, to prove that identity.
- The AP relays the client's proof (its certificate) to the RADIUS authentication server for validation.
- Once validated, the user is connected to the network.
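Both sides of the exchange above depend on holding a usable certificate before the handshake starts: the NPS server needs one with the Server Authentication EKU in its machine store, and each supplicant needs one with the Client Authentication EKU. The following PowerShell check is an added example and is not code from the original article or from SecureW2; it assumes the standard `Cert:\LocalMachine\My` store and an issuer name of "Device Intermediate CA", both of which you would replace with your own values.

```powershell
# Added example (not from the original article): verify that a certificate store holds a
# certificate that can take part in EAP-TLS. Issuer substring and store path are assumptions.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-EapTlsCertificate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [Parameter(Mandatory)][string]$RequiredEkuOid,
        [string]$ExpectedIssuerSubstring = 'Device Intermediate CA'   # assumed CA name
    )
    $results = foreach ($cert in Get-ChildItem -Path $StorePath) {
        $problems = @()
        if (-not $cert.HasPrivateKey)       { $problems += 'no private key' }
        if ($cert.NotAfter  -le (Get-Date)) { $problems += 'expired' }
        if ($cert.NotBefore -gt (Get-Date)) { $problems += 'not yet valid' }
        if ($cert.Issuer -notlike "*$ExpectedIssuerSubstring*") { $problems += 'unexpected issuer' }

        # EnhancedKeyUsageList is the property the Cert: provider adds to each certificate
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        if ($ekus -notcontains $RequiredEkuOid) { $problems += "missing EKU $RequiredEkuOid" }

        # Build the same chain the peer will build: it must end in a trusted root with no errors
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check here; use Online in production
        if (-not $chain.Build($cert)) {
            $problems += (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
    return $results
}

# On the NPS server: at least one usable server-authentication certificate is required
$serverCerts = Test-EapTlsCertificate -RequiredEkuOid $ServerAuthOid
$serverCerts | Format-Table -AutoSize
if (-not ($serverCerts | Where-Object Usable)) {
    Write-Warning 'No usable EAP-TLS server certificate found; NPS cannot complete the TLS handshake.'
}

# On a supplicant, run the same function for a client-authentication certificate:
# Test-EapTlsCertificate -RequiredEkuOid $ClientAuthOid
```

The chain build is the part that catches most real-world EAP-TLS failures: a certificate with the right EKU and a private key still fails authentication if the peer cannot chain it to a root it trusts, which is exactly what the CA installation steps later in this article are for.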

How Secure is EAP-TLS?
Because of the mutual authentication requirement between clients and the RADIUS server, EAP-TLS is an especially effective means of safeguarding 802.1X networks.
Overall, EAP-TLS minimizes the probability of cybercriminal activity, particularly man-in-the-middle attacks. In those attacks, an attacker sets up a rogue access point that impersonates the legitimate network; clients that authenticate to it can have their credentials stolen in seconds. Such over-the-air attacks are almost impossible against EAP-TLS because mutual authentication requires the server to prove its identity to the client, not just the client to the server.
Configure the Secure Network for 802.1x Certificates
To configure a secure network for 802.1X certificates, a solid basis for user authentication, authorization, and accounting must be established. Certificate-based authentication, done properly, gives you a secure and efficient network environment.
In this section, we'll explain how to start configuring EAP-TLS on Microsoft Network Policy Server (NPS). We'll also walk through how to make sure NPS no longer accepts insecure authentication methods, for greater network access protection.
- Go to Windows > Run > MMC > OK.
- In the Console, navigate to File > Add/Remove Snap-in.
- In the Add/Remove Snap-ins window, select Network Policy Server from the Available snap-ins, and click Add.
- In the Select Computer window, select Local Computer, and click OK.

- In the Add/Remove Snap-ins window, click OK.
- In the Console, navigate to NPS (Local) > Policies > Network Policies.
- In the Actions pane on the right, click New under Network Policies, and the New Network Policy wizard will appear.
- In the Specify Network Policy Name and Connection Type page, enter the Policy Name and click Next.
- In the Specify Conditions page, click Add, and the Select condition page appears.
- Select NAS Port Type, and click Add, and the NAS Port Type window appears.
- From the Common 802.1X connection tunnel types section, select Wireless - IEEE 802.11, and click OK:
- The condition gets added to the Specify Conditions page.
- Click Next, and the Configure Authentication Methods window appears.
- Under EAP Types, click Add, and the Add EAP window appears.
- Select Microsoft: Smart Card or other certificate, and click OK.
- De-select all other check boxes under Less secure authentication methods, then click Next.
- In the Configure Constraints window, click Next.
- In the Configure Settings window, click Next.
- In the Completing New Network Policy window, click Finish.
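The wizard above gives you a policy whose only EAP type is Smart Card or other certificate and whose less-secure methods are all cleared, but a policy edited later in the console can silently regain MS-CHAP v2 or PAP. The following PowerShell audit is an added example, not code from the original article or from SecureW2: it exports the NPS configuration with the NPS module's `Export-NpsConfiguration` cmdlet and reports every policy/profile that still allows an authentication type other than EAP. The export path is an assumption, the placement of `msNPAuthenticationType` elements under a named node is the layout I have observed in NPS exports, and the numeric code-to-name mapping is reproduced from memory of the IAS/NPS values, so confirm it against Microsoft's documentation for your NPS version before relying on it.

```powershell
# Added example (not from the original article): audit an exported NPS configuration for
# authentication types other than EAP. Export path and the code mapping are assumptions.

$exportPath = 'C:\Temp\nps-audit.xml'   # assumed; the export contains RADIUS shared secrets in clear text
Export-NpsConfiguration -Path $exportPath
try {
    [xml]$nps = Get-Content -Path $exportPath -Raw

    # IAS/NPS msNPAuthenticationType codes (assumed mapping; verify for your version)
    $authTypeName = @{ '1' = 'PAP'; '2' = 'CHAP'; '3' = 'MS-CHAP'; '4' = 'MS-CHAP v2'; '5' = 'EAP'; '7' = 'Unauthenticated' }

    # Each allowed type is its own msNPAuthenticationType element; group them by the named
    # policy/profile node that contains them (the element's grandparent in the export tree).
    # local-name() sidesteps the dt: namespace prefix the export declares.
    $nodes   = $nps.SelectNodes("//*[local-name()='msNPAuthenticationType']")
    $byOwner = @{}
    foreach ($n in $nodes) {
        $owner = $n.ParentNode.ParentNode.LocalName
        $value = $n.InnerText.Trim()
        if (-not $byOwner.ContainsKey($owner)) {
            $byOwner[$owner] = New-Object System.Collections.Generic.List[string]
        }
        $byOwner[$owner].Add($value)
    }

    foreach ($owner in $byOwner.Keys) {
        $types = $byOwner[$owner]
        $names = $types | ForEach-Object {
            if ($authTypeName.ContainsKey($_)) { $authTypeName[$_] } else { "code $_" }
        }
        $insecure = $types | Where-Object { $_ -ne '5' }
        if ($insecure) {
            Write-Warning "$owner allows: $($names -join ', ') -- remove everything except EAP"
        } else {
            Write-Output "$owner allows only EAP"
        }
    }
}
finally {
    # Never leave the export on disk: it holds every RADIUS client's shared secret
    Remove-Item -Path $exportPath -Force -ErrorAction SilentlyContinue
}
```

Run this from an elevated PowerShell session on the NPS server after any policy change; the `finally` block deletes the export even if parsing fails, because the file is as sensitive as the shared secrets themselves.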

Connecting the Microsoft Network Policy Server RADIUS Client
The link between the Microsoft NPS (Network Policy Server) and its RADIUS clients (the access points or controllers that forward authentication requests) is crucial to maintaining strong authentication and network access control. In this section, we'll walk you through registering RADIUS clients on your Microsoft NPS server.
- Go to Windows > Run > MMC > OK.
- In the Console, navigate to NPS (Local) > RADIUS Clients and Servers > RADIUS Clients.
- In the Actions pane on the right, click New, and the New RADIUS Client window appears.
- Enter a Name and the IP address in the Friendly name and Address (IP or DNS) fields, respectively.
- Enter the shared secret in the Shared secret and Confirm shared secret fields, and click OK.
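The shared secret entered above is the only thing protecting the RADIUS conversation between the access point and NPS, so it should be long and random rather than a memorable word. The following PowerShell snippet is an added example, not code from the original article or from SecureW2: it generates a secret from the system CSPRNG and registers the client with the NPS module's `New-NpsRadiusClient` cmdlet. The client name and address are assumptions for illustration.

```powershell
# Added example (not from the original article): register a RADIUS client with a freshly
# generated shared secret. Client name and address are assumptions.

function New-RadiusSharedSecret {
    # 32 random bytes, base64-encoded: 44 printable characters, within the NPS limit of
    # 128 characters and well beyond what a dictionary or brute-force attack can recover
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return [Convert]::ToBase64String($bytes)
}

$clientName    = 'wlc-01'       # assumed friendly name for the controller/AP
$clientAddress = '192.0.2.10'   # assumed controller/AP IP (documentation range)

if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $clientName }) {
    Write-Warning "RADIUS client '$clientName' already exists; not overwriting its secret."
} else {
    $secret = New-RadiusSharedSecret
    New-NpsRadiusClient -Name $clientName -Address $clientAddress -SharedSecret $secret
    # The same secret must be configured on the AP/controller; hand it over through a
    # secrets manager or the vendor's management plane, not by e-mail or chat.
    Write-Output "Created RADIUS client '$clientName' ($clientAddress). Shared secret: $secret"
}
```

Use one secret per RADIUS client rather than sharing a single value across every access point, so that compromise of one device does not let an attacker impersonate all of them.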

Downloading the Root and Intermediate CA from SecureW2
- Log in to the JoinNow Management Portal.
- Navigate to Dynamic PKI > Certificate Authorities.
- Download both the Root and Intermediate CAs for the organization.


Installing the Root and Intermediate Certificates
- Go to your server where you want to install the certificates.
- Open Windows > Run > CMD > OK, then change to the folder where you saved your certificates.
- To install the certificates, run the following command once for each of the two certificates, substituting the path of the certificate file:
certutil -dspublish -f "C:\Training Videos\Device Intermediate CA.cer"
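The `certutil -dspublish` command above publishes a CA certificate into Active Directory so that domain members pick it up through Group Policy. The following PowerShell script is an added example, not code from the original article or from SecureW2: it runs the same command for both files but also passes certutil's store-type argument (`RootCA` for the root, `SubCA` for the intermediate, both documented certutil options) so each certificate lands in the correct container, then confirms that the certificates have arrived in this machine's local stores. The file paths are assumptions. Publishing to the Certification Authorities container requires Enterprise Admin rights.

```powershell
# Added example (not from the original article): publish the root and intermediate CA
# certificates to Active Directory and verify they reach the local stores. Paths are assumptions.

$rootCer = 'C:\Certs\Device Root CA.cer'           # assumed path to the downloaded root CA
$subCer  = 'C:\Certs\Device Intermediate CA.cer'   # assumed path to the downloaded intermediate CA

function Publish-CaToDirectory {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('RootCA', 'SubCA')][string]$StoreType
    )
    if (-not (Test-Path -Path $Path)) { throw "Certificate file not found: $Path" }
    # -f overwrites an existing entry. RootCA targets the trusted-root container and SubCA the
    # intermediate container, so domain members place each one in the matching local store.
    & certutil.exe -dspublish -f $Path $StoreType
    if ($LASTEXITCODE -ne 0) { throw "certutil failed for $Path (exit code $LASTEXITCODE)" }
}

Publish-CaToDirectory -Path $rootCer -StoreType RootCA
Publish-CaToDirectory -Path $subCer  -StoreType SubCA

# Trigger autoenrollment now instead of waiting for the next Group Policy cycle
& certutil.exe -pulse | Out-Null

# Compare by thumbprint so a stale certificate with the same subject name is not mistaken for the new one
$rootThumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $rootCer).Thumbprint
$subThumb  = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $subCer).Thumbprint

$rootOk = [bool](Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $rootThumb)
$subOk  = [bool](Get-ChildItem -Path Cert:\LocalMachine\CA   | Where-Object Thumbprint -eq $subThumb)
Write-Output "Root CA present in LocalMachine\Root: $rootOk"
Write-Output "Intermediate CA present in LocalMachine\CA: $subOk"
```

If either check reports False on a domain member, the usual causes are replication delay or a Group Policy that has not yet refreshed; rerun the verification after `gpupdate /force` before suspecting the publication itself.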

Move Past On-Premise NPS Windows Server Solutions to Cloud-Based & Passwordless RADIUS Servers
NPS can be used for passwordless authentication, but its on-premises architecture must be duplicated at each location, which adds to the cost of organization-wide adoption. Organizations striving for cost-effectiveness and scalability must break free of that tie to on-premises technology. This is where Cloud RADIUS from SecureW2 proves to be a strong solution.
In addition to enabling certificate-based RADIUS authentication, cloud RADIUS eliminates the need to duplicate on-premises network infrastructure. Organizations can achieve the required passwordless security by avoiding the high costs associated with extensive on-premises duplication.

Moreover, Cloud RADIUS ensures seamless integration with existing infrastructure, offering a simple transition for enterprises seeking improved authentication capabilities. However, we also provide an alternative with our vendor-neutral managed PKI for users not ready to go straight to Cloud RADIUS. It easily integrates with NPS, offering businesses an adaptable option to improve existing authentication procedures and prepare for a future move to a passwordless, cloud-based platform.
Contact us to learn how SecureW2 might help your organization’s security system improve the security of its network infrastructure with certificate-driven security.

Microsoft NPS is either a registered trademark or a trademark of Microsoft Corporation in the United States and/or other countries. Other trademarks, logos, and service marks used on this site are the property of SecureW2 or other third parties.