Certificates
5 Topics

Looking for assistance with NPS cert based Wifi for Macs and PCs
So we have a somewhat unique situation and I am trying to figure out any solution that works. We are currently using Meraki hardware for our wireless system, and we have a directive from management to work to integrate our various systems so that we can deploy company-wide wireless network(s) that use cert based authentication instead of the current username/password that times out every couple of weeks. For further context, we have Windows based servers with a local AD domain synced to Office 365. We are also using one of our DCs as a CA, but it is not being used for anything. We have several NPS servers set up, and we can get our Windows, domain joined machines to work fairly well on the Meraki system. The problem comes in with our Mac users. Our AD domain was set up moons ago using a .int TLD for the domain name, along with other best practice issues that would be too disruptive to properly fix. As of now, we can't get our Mac machines to properly authenticate or trust the Wi-Fi networks when we use the NPS profiles/certs. We did recently invest in a PKI system through DigiCert that we are currently using for our client VPN, and we have been trying to use auto-enrolled certs from that, but similarly to no avail. The final nail in the coffin is that we are under a budget crunch, so investing in something like JumpCloud or some other online hosted RADIUS service is not happening anytime soon. I have looked at the documentation for setting up 802.1X and we can do user authentication fairly well, but we have been instructed to get machine/certificate based authentication working. Long story short, what I am hoping to find is an article or video or something that discusses setting up Windows NPS to interact with Meraki SSIDs so that both domain joined PCs and non-domain joined Macs can use one or more SSIDs to do cert based authentication.

Strange root certificate on all websites
Hello, I have inherited administration of a Windows Server 2019 machine which serves as a terminal server. A few days ago I noticed a strange certificate, which is listed as the certificate issuer on almost all websites. You can see the certificate details and certificate hierarchy for the site amazon.sk. When I open the Amazon website on my computer, the certificate issuer is "DigiCert Global Root G2". However, there are some exceptions, such as google.com, which has the correct "GTS Root R1" certificate issuer. I have also found this strange certificate in Certificate Manager under Trusted Root Certification Authorities. When I disable this certificate, the warning "Your connection is not private" appears on all sites using this certificate. I have not encountered something like this before and I didn't find any relevant posts on the internet. I suppose that this certificate was created by the former admin of this server, but I am also concerned whether it isn't some security breach. Does anyone have a clue what can cause this weird problem? Thank you in advance.

Radius certificate question
I have set up an NPS RADIUS server. I want to manually export a certificate and import it on a private laptop of an employee to get rid of the warning about an untrusted connection. This is what I have done:

- On another server than my DC I installed AD CS, and gave it a name, for example "Test CA".
- Made a copy of the RAS and IAS Server template and named it "Radius template".
- Then I published the template with "Certificate Template to Issue".
- On my domain controller where NPS is installed, I see that in the "Trusted Root Certification Authorities" store the certificate "Test CA" is present.
- Still on my DC, in the "Personal" certificate folder I created a new certificate based on the template (Radius template), and I see a certificate on my DC with the name "dcname.domain.be". This is issued by "Test CA" and has Server Authentication and Client Authentication.
- On my NPS server, in "Network Policies" I changed the PEAP authentication method to use the created certificate (dcname.domain.be).
- I exported the root certificate "Test CA" and imported it on another, non-domain joined laptop (in the "Trusted Root Certification Authorities" folder).

If I try to connect to the WiFi network, I still get a warning that the connection is not trusted. On my smartphone I have the same problem. If I ignore the warning, everything works. I know you can have a public CA certificate, but my local domain is .local. First I want to solve the above.

My PKI AD infrastructure is in error state or borked, please help! Can't submit a certificate request
Hello. I have a problem. The root and subordinate certificate authorities had problems some years back. So we re-created a new root CA; however, it was named the same as the ORIGINAL root CA. Then we made up and commissioned a new subordinate CA. This sub did NOT share the same name as the old one. The *new* root CA is not on the domain and it's powered off all the time, according to best practice. Its only job is to authenticate the *new* subordinate CA, which does all the cert work. By the way, I can't seem to see any certificate authority or PKI information when I use ADSI to look at my schema. I can only see it using AD Sites and Services, Services node, Public Key Services. When I run pkiview.msc on my subordinate, I get a red X on both the root and sub. Looking at the root, there's an "Error" listing the subordinate CA. The AIA Location 1 and 2 and CDP Location all show as "Unable to Download", even after I power up the root CA computer. The listing it's trying to pull LOOKS ok to me, but I'm not sure why it won't react if the machine is up. Except perhaps the root CA is not joined to the domain? Anyway, I think I have to sort out my pkiview being unhappy before my REAL problems, which are these. The *old* root CA, which expired in 2018, is present on ALL my domain joined machines, because it was IN the PKI architecture back when it was made. The *new* root CA is nowhere to be found, and must be manually loaded into Trusted Root Certification Authorities on any machine that I want it to go on. To be honest, I'm not sure what certs are working where if everyone only knows about the *old* root CA and not the new one, same name. My problem that revealed all this: I'm trying to request a certificate on my subordinate CA, and it will not even let me try to paste in a CSR, as it gives me the error "No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory". Can you help me untangle this mess? Advice appreciated, thank you!

SSL certificate for email
My SSL certificate for email on my 2012 r2 exchange server expired. I went to GoDaddy and installed the new valid certificate but now I have both the old expired cert and the new valid cert. Now when I try to create a new email account and migrate it to 365 from my on-premise server (hybrid environment) it errors and says the certificate is invalid. Can I remove the expired certificate? Or is there a different way for the exchange console to recognize the new valid cert instead of the old expired one? I just don't want there to be issues if I remove the old certificate.