How to Push Certificates to Devices Using GPO?

Asked By TechWhiz42 On

Hey everyone! I'm working on setting up RADIUS authentication for our Onnie staff WiFi and I want to use certificates to achieve this. We have started pushing the certificates via Group Policy Objects (GPOs). I have a couple of questions about the process, especially regarding the RADIUS handshake.

Right now, two of our computers are receiving the GPO settings and they're recognizing our new Certificate Authority (CA) server as trusted. However, they're not showing any personal certificates. I initially thought that the GPO would automatically push a device-specific certificate to each computer, but I'm starting to doubt this assumption.

Should I expect to see a certificate that is specific to each computer from the server? Also, if anyone has links to detailed write-ups or videos explaining how RADIUS authentication with certificates works, that would be super helpful!

3 Answers

Answered By HelpDeskHero On

I think the confusion often comes from not fully grasping the certificate enrollment process. Once you set up everything correctly, the certificates should populate on the devices as expected. Also, double-check your auto-enrollment GPO settings to ensure they're applying correctly!

Answered By CertGuru99 On

First off, yes, you should indeed see a device-specific certificate from the server. Make sure you’ve enabled the GPO for auto-enrollment and that you have your computer authentication certificate template set up correctly with permissions for authenticated users to enroll.

To check the certificates, you should use certlm.msc instead of certmgr.msc. This will show the machine's certificates. They should show up with the full machine domain hostname as the certificate name.

Also, you’d want to ensure that the client authentication is configured correctly in the certificate template. For additional usage down the road, it’s a good idea to include both 'client' and 'server' authentication in the template settings. That way, the certificates will be useful for remote access too.

If you're still looking for resources, I came across a handy link about setting this up. Also, instead of running 'gpupdate /force', a helpful tip is to run 'gpupdate' followed by 'certutil -pulse' to grab the certificates immediately!

OnnieTechie -

Thanks for the info! Just to clarify, we have set up a new CA server specifically for 802.1x, and we've enabled auto enrollment. The changes seem to be applying to the device on which the GPO was pushed. But do we need to connect it to user accounts at this stage if we only want to authenticate machines right now? We were thinking of handling user authentication with AD logins later. I think I may be misunderstanding some parts of this process.

TechWhiz42 -

Glad the link helped! And to answer your query, for machine authentication right now, it shouldn't be necessary to connect it to user accounts just yet. You can focus on getting the machines authenticated with their certificates first.
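The checks in the answer above (computer store rather than user store, a certificate named after the machine FQDN with the Client Authentication EKU, and `gpupdate` followed by `certutil -pulse` to enroll on demand) are put together below as an added PowerShell example. It is not code from the original thread. It assumes the auto-enrollment GPO has been applied to the computer, that the template issues the machine FQDN as the subject CN or as a SAN DNS name, and that the script is run elevated on the domain-joined client.

```powershell
# Added example (not from the thread): verify that this domain-joined machine
# has auto-enrolled a computer certificate usable for 802.1X/EAP-TLS, and
# trigger auto-enrollment on demand if it has not. Run in an elevated prompt.
# Assumptions: the template puts the machine FQDN in the subject CN or in a
# SAN DNS entry and includes the Client Authentication EKU.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-AutoEnrollmentPolicy {
    # The "Certificate Services Client - Auto-Enrollment" GPO writes AEPolicy here.
    # 7 = enabled + renew expired + update pending; 0 or missing = not enabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $val = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $val) {
        Write-Warning 'Auto-enrollment GPO has not applied to this computer (no AEPolicy value).'
        return $false
    }
    Write-Host "AEPolicy = $val"
    return (($val -band 1) -eq 1)
}

function Get-MachineAuthCertificate {
    # Look in the computer store (what certlm.msc shows), not the user store.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) -and
        ($_.Subject -like "CN=$Fqdn*" -or $_.DnsNameList.Unicode -contains $Fqdn)
    }
}

function Invoke-MachineAutoEnrollment {
    # Refresh computer policy only, then pulse auto-enrollment instead of
    # waiting for the scheduled task (the tip given in the answer above).
    gpupdate /target:computer | Out-Null
    certutil -pulse | Out-Null
    Start-Sleep -Seconds 15
}

function Show-RecentAutoEnrollmentEvents {
    # Auto-enrollment failures (template permissions, CA unreachable) are
    # logged by this provider in the Application log.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        StartTime    = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-List
}

if (-not (Test-AutoEnrollmentPolicy)) { exit 1 }

$certs = @(Get-MachineAuthCertificate)
if ($certs.Count -eq 0) {
    Write-Host "No computer authentication certificate for $Fqdn yet; triggering enrollment."
    Invoke-MachineAutoEnrollment
    $certs = @(Get-MachineAuthCertificate)
}

if ($certs.Count -eq 0) {
    Write-Warning 'Still no certificate. Check the template Enroll/Autoenroll permissions and the events below.'
    Show-RecentAutoEnrollmentEvents
    exit 1
}

foreach ($c in $certs) {
    # Verify() builds the chain against this machine's trusted roots; the
    # RADIUS server must be able to build the same chain from its copy of the CA.
    [pscustomobject]@{
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        Expires    = $c.NotAfter
        Thumbprint = $c.Thumbprint
        ChainValid = $c.Verify()
    } | Format-List
}
```

If `AEPolicy` is missing, the GPO is not reaching the computer at all (check `gpresult /scope:computer /r`), which is a different problem from a template that the computer account is not allowed to enroll from; the event log output separates the two cases.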

Answered By NetNinja88 On

Yeah, definitely ensure your certificate template is created and published correctly with permissions set for AD computer accounts. If everything is confirmed on the backend, you should see specific certificates on each device when they enroll properly.

And just a little note: I totally agree with you about videos! Reading the theory is usually quicker than watching a long video for the same info.
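To confirm the backend side of what this answer and the one above describe (template published to the CA, Client Authentication EKU present, and computer accounts granted Enroll and Autoenroll), here is an added PowerShell example that reads the template and CA objects from Active Directory. It is not code from the thread. It assumes the RSAT ActiveDirectory module is installed, that the template's display name is 'Workstation Authentication' (a placeholder; substitute yours), and that the principal expected to enroll is the domain's 'Domain Computers' group.

```powershell
# Added example (not from the thread): check that a certificate template in AD
# is ready for computer auto-enrollment. Requires the ActiveDirectory module.
# Assumptions: template display name and enrolling principal are placeholders.
Import-Module ActiveDirectory

$TemplateDisplayName = 'Workstation Authentication'   # placeholder: your 802.1X computer template
$Principal           = "$((Get-ADDomain).NetBIOSName)\Domain Computers"   # placeholder principal
$ClientAuthOid       = '1.3.6.1.5.5.7.3.2'
$EnrollRight         = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment extended right
$AutoEnrollRight     = [guid]'a05b8cc2-17bc-11d1-a9c7-0000f80367c1'   # Certificate-AutoEnrollment extended right
$GenericAll          = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$configNc = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function Get-TemplateReadiness {
    $tmpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -Filter "displayName -eq '$TemplateDisplayName'" `
        -Properties displayName, pKIExtendedKeyUsage
    if (-not $tmpl) { throw "Template '$TemplateDisplayName' not found in AD" }

    # 1. EKU: EAP-TLS needs Client Authentication on the computer certificate.
    $hasClientAuth = $tmpl.pKIExtendedKeyUsage -contains $ClientAuthOid

    # 2. Published: a CA lists the template's internal name (CN) in certificateTemplates.
    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates
    $publishedOn = $cas | Where-Object { $_.certificateTemplates -contains $tmpl.Name } |
        Select-Object -ExpandProperty Name

    # 3. ACL: the principal needs both Enroll and Autoenroll, or full control.
    $acl  = Get-Acl -Path "AD:\$($tmpl.DistinguishedName)"
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and $_.AccessControlType -eq 'Allow'
    }
    $full   = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll })
    $enroll = $full -or [bool]($aces | Where-Object { $_.ObjectType -eq $EnrollRight })
    $auto   = $full -or [bool]($aces | Where-Object { $_.ObjectType -eq $AutoEnrollRight })

    [pscustomobject]@{
        Template          = $tmpl.displayName
        InternalName      = $tmpl.Name
        ClientAuthEKU     = $hasClientAuth
        PublishedOn       = ($publishedOn -join ', ')
        EnrollAllowed     = $enroll
        AutoEnrollAllowed = $auto
    }
}

$r = Get-TemplateReadiness
$r | Format-List
if (-not ($r.ClientAuthEKU -and $r.PublishedOn -and $r.EnrollAllowed -and $r.AutoEnrollAllowed)) {
    Write-Warning "Template '$($r.Template)' is not ready for computer auto-enrollment; fix the item reported as False or empty."
}
```

Enroll alone is enough for manual requests from certlm.msc; the scheduled auto-enrollment task also needs the Autoenroll right, which is the permission most often missed when certificates are expected to appear on their own.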
