Hey folks! We're rolling out a RADIUS solution on Windows Server (NPS) with AD integration for secure Wi-Fi access. Our biggest hurdle is handling unmanaged devices, especially employee smartphones that aren't on our domain or enrolled in MDM. When they connect to our secure SSID with their AD credentials, they get a certificate warning because the NPS server's certificate is signed by our internal CA, which these personal devices don't trust.
I've got a couple of key questions:
1. Can we purchase a publicly trusted SSL certificate (like from DigiCert or Sectigo) to install on the NPS server to fix the trust issue? Would that prevent the certificate warning for unmanaged devices using PEAP?
2. Does our RADIUS server need to be publicly accessible for this public certificate to work? We're really against exposing NPS/RADIUS to the internet; it's strictly for internal WLAN authentication.
We're aiming to authenticate users with their AD credentials via 802.1X (PEAP/MSCHAPv2) without having to maintain shared Wi-Fi passwords, while ensuring every connection ties back to a specific AD user for auditing purposes. Also, avoiding certificate warnings would be great. Has anyone navigated something similar, especially in BYOD environments? Is using a public certificate on NPS the way to go? Thanks in advance for your help!
1 Answer
Yes, buying a publicly trusted SSL certificate for RADIUS is definitely a good move. You can assign the same certificate to multiple NPS servers. Just create a publicly recognized SSL for a subdomain like radius.yourdomain.com, install it on your NPS servers, and configure them to use that in the NPS policies. And don’t worry—the NPS server doesn’t need to be publicly accessible, so your internal security is intact! Just remember to schedule a reminder for renewing the certificate.

I wonder if you can set up something like the Let's Encrypt app to auto-manage and rotate the cert that NPS uses.
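The answer above recommends installing a public certificate for a name such as radius.yourdomain.com on each NPS server and keeping track of its renewal. Whether a PEAP client accepts that certificate depends on properties that are easy to get wrong when a web-style certificate is requested: it must carry the Server Authentication EKU, the RADIUS name must appear in the subject alternative names, the private key must be present in the machine store, and the intermediate CA certificate must be installed locally so NPS can send the full chain. The following PowerShell script is an added example, not code from the original post or from Microsoft; it audits the certificate in the local machine store on an NPS server. The name radius.yourdomain.com is taken from the answer and the 30-day renewal threshold is an assumed value.

```powershell
# Added example (not from the original post): audit the certificate that NPS
# would present to PEAP clients, read from the local machine store on the NPS host.
# Assumptions: the public certificate was issued for radius.yourdomain.com
# (the name proposed in the answer) and imported into Cert:\LocalMachine\My.
$RadiusName    = 'radius.yourdomain.com'   # assumed RADIUS server name
$RenewWithin   = 30                        # assumed: days before expiry to start renewal
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'       # Server Authentication EKU, required by EAP clients

# Pick the newest machine certificate whose SAN/DNS names include the RADIUS name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $RadiusName } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate for $RadiusName found in Cert:\LocalMachine\My."
    return
}

# Each check maps a human-readable requirement to a boolean result.
$checks = [ordered]@{
    'Private key present (NPS must be able to sign the TLS handshake)' = $cert.HasPrivateKey
    'Server Authentication EKU present'                               = ($cert.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid)
    'RADIUS name present in DNS SANs'                                 = ($cert.DnsNameList.Unicode -contains $RadiusName)
    'Chain builds to a trusted root on this host (intermediates installed)' = $cert.Verify()
    "More than $RenewWithin days of validity left"                    = (($cert.NotAfter - (Get-Date)).TotalDays -gt $RenewWithin)
}

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1}' -f $state, $name
}

"Thumbprint : $($cert.Thumbprint)"
"Issuer     : $($cert.Issuer)"
"Expires    : $($cert.NotAfter)"
```

Run it in an elevated PowerShell session on each NPS server after importing the certificate and again whenever the renewal reminder fires. A FAIL on the chain check usually means the issuing intermediate is missing from the Intermediate Certification Authorities store; NPS builds the chain it sends from the local stores, so phones that trust the public root will still reject the handshake if that intermediate is absent. The Verify() result only tells you the NPS host trusts the chain; what removes the warning on personal devices is that the root is a public one already shipped on those devices, which is the point of the answer's recommendation.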