Thursday, September 16, 2021

EAP-TLS 802.1x auth and NPS on Windows Server

Hopefully this is the right subreddit for this question. I'm trying to get my head around how EAP-TLS works, specifically in relation to its integration with Windows AD. I have a Windows enterprise CA issuing certs to domain-joined Windows machines which works great to authenticate them using 802.1x auth on my UniFi and Aruba APs, using NPS on Windows Server 2016 as the RADIUS server.

What I don't understand is how NPS ties the certificate to the AD machine account, or what else is going on in the 802.1x process which controls how NPS sees the machine identity.

Specifically, what I'm troubleshooting right now is a wacky race condition where we're provisioning new Win 10 machines with Azure Autopilot and Endpoint Manager (Intune). I'm issuing certs to the machines via SCEP/NDES, and the certs issued during the Autopilot provisioning process don't work.

What happens is the Win 10 machine enrols for a certificate (via SCEP) with its default device name ("DESKTOP-XXXXXXX"), but during the Autopilot hybrid domain join process it gets renamed. If it tries to auth to the WiFi with the cert issued by SCEP, it fails and NPS logs "The specified user account does not exist". If I delete the cert, the machine gets a new one via SCEP, which then works just the same as if the machine had enrolled directly against the CA with an internal connection.

I have the cert profile set up to use "CN=" as the subject name (i.e. a big long string with no relation to any on-prem AD field that I know of). In the SCEP profile I also have a subject alternative name with the DNS attribute set to ".[my on prem ad domain].local". This is the attribute that differs between the certs that don't work and those that do.

So what is NPS doing/seeing that makes it determine if the user (machine account) exists or not? Is it literally just looking at the SAN on the cert and matching the name to accounts in AD? Or is there an AD credential exchange in addition to the TLS cert-based mutual auth between the EAP supplicant and NPS?

Further to trying to solve this specific problem, I feel like if I can get a handle on how this process really works, I should be able to figure out how to configure cert-based auth for non-domain-joined devices, like Android phones (cert pushed out via SCEP), and Yealink desk phones. Is Kerberos delegation required for this to work?
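The check an admin would run against one of the failing certificates, as an added example that is not part of the original post. The mapping NPS relies on is done by name: NPS hands the client certificate to the local security authority, and the domain controller maps it to an account using the Subject Alternative Name (a UPN for a user certificate, a DNS name equal to the computer object's dNSHostName for a machine certificate). A certificate whose SAN still carries the pre-rename "DESKTOP-XXXXXXX" name therefore maps to nothing, which is exactly what "The specified user account does not exist" reports. The script below reproduces that lookup by hand so the two certificates can be compared: it reads an exported .cer, pulls the SAN entries, and asks AD whether a matching computer or user object exists. It assumes a domain-joined machine (it uses the built-in [adsisearcher], so no RSAT module is needed) and the English "DNS Name=" / "Principal Name=" wording that X509Extension.Format() produces on Windows; adjust the regexes for a localised OS.

```powershell
# Added example, not code from the original post.
# Usage: .\Test-EapTlsCertMapping.ps1 -CertPath C:\temp\desktop-abc123.cer
param(
    [Parameter(Mandatory)] [string] $CertPath   # exported client certificate (DER or Base64)
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.17 is the Subject Alternative Name extension. Format($true) renders
# it one entry per line, e.g. "DNS Name=host.corp.local" or
# "Other Name:Principal Name=user@corp.local" (English Windows wording assumed).
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
if (-not $sanExt) {
    Write-Warning 'No SAN extension: the DC cannot map this certificate to an account by name.'
}

$dnsNames = [regex]::Matches($sanText, 'DNS Name=([^\r\n]+)')       | ForEach-Object { $_.Groups[1].Value.Trim() }
$upns     = [regex]::Matches($sanText, 'Principal Name=([^\r\n]+)') | ForEach-Object { $_.Groups[1].Value.Trim() }

"Subject : $($cert.Subject)"
"SAN DNS : $($dnsNames -join ', ')"
"SAN UPN : $($upns -join ', ')"

# Values come straight from the certificate, so escape them before building an LDAP filter
# (RFC 4515); the backslash must be replaced first.
function Escape-LdapValue([string] $Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# [adsisearcher] is available on any domain-joined box without extra modules.
function Find-AdObject([string] $LdapFilter) {
    $searcher = [adsisearcher] $LdapFilter
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'dNSHostName', 'userPrincipalName'))
    $searcher.FindOne()
}

# A machine certificate maps to the computer object whose dNSHostName equals the SAN DNS name.
foreach ($dns in $dnsNames) {
    $hit = Find-AdObject "(&(objectCategory=computer)(dNSHostName=$(Escape-LdapValue $dns)))"
    if ($hit) { "OK    computer object for $dns : $($hit.Properties['distinguishedname'])" }
    else      { "FAIL  no computer object with dNSHostName=$dns (issued before the rename?)" }
}

# A user certificate maps to the user whose userPrincipalName equals the SAN UPN.
foreach ($upn in $upns) {
    $hit = Find-AdObject "(&(objectCategory=person)(userPrincipalName=$(Escape-LdapValue $upn)))"
    if ($hit) { "OK    user object for $upn : $($hit.Properties['distinguishedname'])" }
    else      { "FAIL  no user object with userPrincipalName=$upn" }
}
```

Run it once against the certificate issued during Autopilot provisioning and once against the replacement: the first should report FAIL for the old DESKTOP-name entry and the second OK for the post-join FQDN. The same name-based mapping is why a non-domain-joined device needs a matching AD object (a user with that UPN, or a computer object carrying that dNSHostName) for NPS to accept its certificate; no Kerberos delegation is involved. One caveat worth knowing: domain controllers updated with KB5014754 (May 2022 onward) additionally check for a strong mapping (the certificate's SID extension, or an explicit altSecurityIdentities entry), so a certificate that passes this name check can still be rejected once that enforcement is on.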


