Radius certificate question


I have set up an NPS Radius server. I want to manually do an export of a certificate, and import it on a private laptop of an employee to get rid of the warning of an untrusted connection.

This is what I have done:

- On another server than my DC I installed AD CA, and gave it the name for example “Test CA”

- Made a copy of the RAS and IAS server template and named it 'Radius template'

- Then I published the template with ‘certificate template to issue’

- On my domain controller where NPS is installed, I see that in the ‘trusted root certification authorities’ the certificate “Test CA” is present.

- Still on my DC, in the ‘personal certificate folder’ I created a new certificate based on the template (Radius template) and I see a certificate on my DC with the name ‘dcname.domain.be’. This is issued by ‘Test CA’ and has server authentication and client authentication.

- On my NPS server, in ‘network policies’ I changed the PEAP authentication method to use the created certificate (dcname.domain.be).

- I exported the Root certificate “Test CA” and imported that on another, non-domain joined laptop (in the ‘trusted root certification authorities’ folder). If I try to connect to the WiFi network, I still get a warning that the connection is not trusted. On my smartphone the same problem. If I ignore the warning, everything works.

I know you can have a public CA certificate, but my local domain is .local. First I want to solve the above.

0 Replies