802.1x setup, what should I know?
Posted by ittthelp@reddit | sysadmin | 19 comments
I'm looking into setting up 802.1x authentication for our laptops. I'm planning on using AD CS for the certs, NPS for auth, and group policy to deploy the certs (all on prem, no Entra or anything yet).
I'm planning on following this video to set up AD CS and NPS. At this point in the video he adds his AP as a RADIUS client; do I really need to set all of our APs up with static IPs and add them here? They're Aruba AP-615s managed with the virtual controller on the APs, if it matters.
What do you all set your validity period to for your certs? Is a year too long? If a machine is off-site and its cert expires, I'm guessing they'll need to plug into an Ethernet port and their machine will grab a new cert that'll let them connect to Wi-Fi?
Any other things I should consider/know about? Any caveats to using 802.1x?
CyberWhizKid@reddit
2 years. Yes, enable auto enrollment. Use a CNAME for your CRL.
ittthelp@reddit (OP)
That's something I hadn't come across yet... Would you mind explaining this a bit? This MSFT doc says you need to set up CAPolicy.inf before installing AD CS, but the video doesn't do that; do you know if this is required?
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj125370(v=ws.11)#plan-configuration-of-capolicyinf
Ty for the help!
CyberWhizKid@reddit
When setting up a certificate authority (Windows or anything else), using a web server with a CNAME is recommended for flexibility and easier management. A CNAME allows you to change the actual web server hosting the CRL or certificate services without modifying client configurations, simplifying maintenance. It also enhances availability by allowing redirection to backup servers if needed, ensuring consistent access to the revocation list.
The CRL is the thing you will need if a certificate is compromised ;) This is why you can set your expiration date to 2 years: you just need to revoke it if it gets compromised!
ittthelp@reddit (OP)
Ty for all the info, I appreciate it! I've done some research but am still a bit confused. So you set up a CRL after installing AD CS? Does it need to be set up right away, or can it be set up after testing the RADIUS/NPS/AD CS setup to make sure it works? We don't have an internal web server, so could I use IIS Express on a separate VM from the one AD CS is on? And create a CNAME pointing to crl.domain.com or whatever? Does the CRL automatically update when you revoke a cert in AD CS or something?
AlligatorFarts@reddit
It's actually recommended to not use static IPs for access points. RADIUS is very robust and it will not matter if the IPs change, as long as you've whitelisted the subnet your DHCP server serves those APs from. Set the DHCP lease length to 1 month and you'll be fine.
In group policy, you can set the certificate autoenrollment settings to renew whenever you'd like. I might suggest changing the renewal time to give a large enough grace period where they may still be able to autorenew even if they were offsite for a few weeks.
ittthelp@reddit (OP)
Thanks, that's what I was thinking.
You mean enter something like 10.10.10.0/24 in the address section here? Screenshot of the section I'm talking about. We have some other PCs/servers in the AP subnet, but that shouldn't matter, because those devices would have to be configured to point at the NPS server to allow anything to authenticate (assuming any of the other non-AP devices can hand out addresses using RADIUS), right?
How long do you set your certs to be valid for? Would 6 months be too long? I'm not sure what's standard.
AlligatorFarts@reddit
Clients being on the same subnet as the APs would impose a security risk for your RADIUS authentication, since the whole subnet would be trusted to be a NAS. In the long term I'd recommend moving those clients off the subnet.
ittthelp@reddit (OP)
You mean any device in the subnet I whitelist for the APs could potentially be set up to do RADIUS authentication? Any device would need the shared secret created at around 10:10 in the video to allow clients to authenticate through it, right? I will move the APs to a separate subnet, just want to make sure I understand.
Ty for the info!
AlligatorFarts@reddit
RADIUS is unencrypted by default and uses MD5 encryption for user passwords, which is easily broken with today's hardware. Allowing other clients on the subnet is not a good idea, as a packet sniffer would easily identify your RADIUS authentication. With the recent BlastRADIUS exploit, RadSec (RADIUS over TLS) is recommended.
ittthelp@reddit (OP)
Did you word something wrong here, or am I misunderstanding something? Isn't EAP-TLS the authentication protocol, and RADIUS (NPS) the server that processes/allows the authentication?
I was planning on trying to get EAP-TLS working, I don't think we have any machines over 3ish years old so I'd think they'd work with it...
AlligatorFarts@reddit
You'd be correct, yes.
EAP-* is what authenticates the clients; RADIUS is what authenticates the APs and also relays the client authentication to the server. EAP-TLS relies on certificates, which are inherently secure, so there is not much worry about the security of your RADIUS setup.
KindlyGetMeGiftCards@reddit
Some caveats: not all devices support 802.1x correctly, so be prepared to do lots of reading. If you lock down the Wi-Fi and people still need to use other devices on there, have an alternative, i.e. a guest Wi-Fi. If you find you are doing more exceptions and whitelisting than locking down, you may consider rethinking implementing it or changing hardware vendors, because what is the point at that stage.
Lastly, printers and 802.1x: sigh. Get your reseller or vendor involved here, but don't take their word on it; they aren't very technical. It's a minefield and a headache, so allow time to be spent on this and dealing with all the things.
Good luck; if you get it going it's great, it's just the big hurdle initially.
ittthelp@reddit (OP)
For now I'm just going to try it out on some Windows laptops. Yeah, we'll have a guest Wi-Fi network.
jstuart-tech@reddit
I wouldn't follow that video, as it's only configuring PEAP; EAP-TLS is the preferred way these days IMO. EAP-TLS configuration: https://documentation.meraki.com/MR/Encryption_and_Authentication/Creating_a_Policy_in_NPS_to_support_EAP-TLS_authentication
You can set certificates to be renewable earlier; 1 year validity with an 80% renewal period will renew at 41 weeks, according to this article:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/approval-required-certificate-renewals-autoenrollment#recommended-values-of-validity-period-and-renewal-period
ittthelp@reddit (OP)
So the setup is mostly the same, just some different settings during the NPS setup?
Ty for the info!
streppelchen@reddit
If possible (and your environment supports it), use TPM-backed private keys in the template that are not exportable.
This way no one will be able to grab a certificate and use it on a different machine.
TPM subversion <1.16 tends to be flaky; you need to disable ciphers for this to work, which causes other "fun" stuff (= problems) (see https://directaccess.richardhicks.com/tag/reason-code-16/).
Do a test OU first to ensure not all users lose connectivity at once.
Ideally, have WPA-Enterprise and the devices joined there, so you already know they have certificates that are accepted (plus you have a fallback to push through group policy updates where necessary).
For non-Windows endpoints 802.1x support differs wildly. If you want to reduce your headaches, put those in a separate VLAN (e.g. printers, IoT and stuff like that); otherwise you'll start a never-ending battle.
2 years' certificate validity is fine; renew as early as 3 months before (doesn't cost anything, doesn't hurt anyone, so why not).
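An added PowerShell check (not from the thread or from any of the posters) that verifies, on a test laptop, the two things recommended above: that the EAP-TLS client certificate's private key really sits in the TPM and is not exportable, and when the 80% autoenrollment renewal point from the linked Microsoft article falls for it. It assumes the certificate is in the local machine "My" store and that you run it elevated; Get-Dot1xCertAudit and RenewalPercent are names chosen here, not anything from AD CS or NPS.

```powershell
# Added audit script, not from the thread. Assumes the laptop's EAP-TLS
# certificate is in the local machine "My" store; Get-Dot1xCertAudit and
# RenewalPercent are my own names, not anything from AD CS or NPS.
function Get-Dot1xCertAudit {
    param([int]$RenewalPercent = 80)   # 80% renewal window, as in the linked MS article

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU, what the NPS policy needs
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid) }

    foreach ($cert in $certs) {
        $provider = $null; $exportable = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the KSP name tells you where the key actually lives
                $provider   = $rsa.Key.Provider.Provider
                # ExportPolicy 'None' means the key cannot leave this machine
                $exportable = $rsa.Key.ExportPolicy -ne 'None'
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key: software only, never TPM-backed
                $provider   = $rsa.CspKeyContainerInfo.ProviderName
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch { $provider = "unreadable: $($_.Exception.Message)" }

        # Autoenrollment renews once RenewalPercent of the lifetime has elapsed
        $lifetimeDays = ($cert.NotAfter - $cert.NotBefore).TotalDays
        $renewAt      = $cert.NotBefore.AddDays($lifetimeDays * $RenewalPercent / 100)

        [pscustomobject]@{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            Provider        = $provider
            TpmBacked       = ($provider -eq 'Microsoft Platform Crypto Provider')
            Exportable      = $exportable
            NotAfter        = $cert.NotAfter
            RenewalDue      = $renewAt
            InRenewalWindow = (Get-Date) -ge $renewAt
        }
    }
}

# Flag anything a non-exportable, TPM-backed template should never have produced
Get-Dot1xCertAudit | Where-Object { -not $_.TpmBacked -or $_.Exportable } |
    Format-Table Subject, Provider, TpmBacked, Exportable, RenewalDue -AutoSize
```

Drop the `Where-Object` filter to list every client-auth certificate with its renewal date; for a 1-year certificate the RenewalDue column lands at roughly 41 weeks after NotBefore, matching the figure quoted earlier in the thread.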
ittthelp@reddit (OP)
It looks like the lowest TPM version any of our laptops has is 1.38, so that should be okay? Do you know of a guide on how to use TPM keys for .1x? I wasn't able to find anything in my quick search.
If I can't get TPM keys to work, is there a way to make certs created using the method in the video non-exportable?
Yeah, I'll definitely test with a single OU first. I'm just going to use this for Windows laptops for now, so I don't need to worry about any other devices.
G4rp@reddit
Sorry, cannot help you, but a huge kudos to you that you are implementing dot1x.
ittthelp@reddit (OP)
Trying anyway haha