Score:0

NPS Radius Configuration EAP-Ms-Chapv2

I'm trying to fix my Microsoft Server 2016 Network Policy Server configuration as a RADIUS server, with PEAP-MSCHAPv2.

As is well known, some modern devices are not able to "not validate" the server certificate, because this option is too weak and has been disabled (for example some Android 11 devices).

As far as I know, the solution should be to add the internal CA certificate to these (non-domain) devices so that they can authenticate the NPS server certificate (and avoid managing client certificates).

I've found that the NPS server certificate is issued by an internal CA, and the certificate of this internal CA is self-signed (issued by itself). I've tried to export the CA cert (without the private key) and import it on the devices, but so far without success: I've received error 22 (EAP type cannot be processed by the server) or error 265 (the certificate chain was issued by an authority that is not trusted).

It's not clear whether I got 265 only when I changed the domain field on the client to just the domain part of the FQDN in the CN of the NPS server certificate.

How can I implement this correctly (PEAP-MSCHAPv2 with server authentication on non-domain clients)?

Note: it currently works fine for "old" wireless clients: they correctly authenticate as AD users and gain network access, so I want to correct the settings only for these newer devices, without changing them radically.

Please don't add `solved` to the title of your question. To mark the question as solved, just accept your answer when you are allowed to do it.
Score:0
Well, I've solved the problem:

My particular Android 11 version appears to be bugged, so the configuration of WPA-Enterprise with NPS on Windows Server 2016 (PEAP-MSCHAPv2) authenticating the server needs particular attention:

1. You have to configure the connection before installing the CA certificate (in our case it's PEAP with MSCHAPv2), and the domain part is important (example: if the server certificate is radius.mycompany.com, you must fill that field as mycompany.com, or else it will never succeed). Leave the CA certificate option as "use system certificates". Also fill in username and password, and every other parameter except the CA, as per the sysadmin instructions. After saving, it will fail, but that is to be expected at this point.
2. Then you must turn off Wi-Fi, because vanilla Android 11 has a bug where it will erase the CA otherwise, and only then import the CA in the encryption settings as a Wi-Fi CA.
3. After that, still with Wi-Fi off, go to the saved connections, click on the connection, edit it (pencil icon on top right) and change the CA certificate option to match your company's CA that you just imported.
4. Only then turn on Wi-Fi, and it should work.

Mattia Lancieri: Worked for me, thanks
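The two things the answer gets right, chain trust to the exported CA and the domain field matching the certificate name, can be checked on a workstation before touching the phone. The script below is an added example, not part of the question or answer: it builds a throwaway internal CA and a server certificate shaped like the one in the answer (radius.mycompany.com issued by a self-signed CA), exports the CA cert without its key, and runs both checks. It assumes openssl 1.1.1 or newer on PATH with its default config; every name is a constructed placeholder.

```shell
# Added example (not from the original post). Builds a self-signed internal CA and a
# server certificate for the NPS host, exports the CA cert without its private key,
# then runs the two checks a PEAP client performs: chain trust and domain matching.
# Assumes openssl 1.1.1+ on PATH; names are constructed placeholders.
set -e
WORK=$(mktemp -d)

# Self-signed internal CA ("issued by itself", as in the question). The default
# openssl config marks a req -x509 certificate as CA:TRUE.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}
# Server certificate for the NPS host, signed by the CA, with a DNS SAN and serverAuth EKU.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -out "$WORK/srv.pem" >/dev/null 2>&1
}
# Export only the CA certificate (no private key) as DER, the form the Android
# certificate-install dialog accepts.
export_ca_der() {
  openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
}
# Check 1: does the server certificate chain to the CA the device trusts? A failure here
# is the trust error behind "certificate chain was issued by an authority not trusted".
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# First DNS name in the certificate's subjectAltName (what the domain field is matched against).
cert_dns_name() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*DNS:\([^,[:space:]]*\).*/\1/p' | head -n 1
}
# Check 2: the device's "domain" field must equal the certificate name or be a suffix of
# it on a label boundary: radius.mycompany.com matches mycompany.com but not company.com.
domain_matches() {
  [ "$1" = "$2" ] && return 0
  case "$1" in *".$2") return 0 ;; esac
  return 1
}

make_ca
make_server_cert radius.mycompany.com
export_ca_der
verify_chain "$WORK/ca.pem" "$WORK/srv.pem" && echo "chain OK: import $WORK/ca.der on the device"
domain_matches "$(cert_dns_name "$WORK/srv.pem")" mycompany.com && echo "domain field OK"
```

Point `verify_chain` and `cert_dns_name` at the real exported CA and the real NPS certificate to confirm the two values you will enter on the phone.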