I was unable to get a straight answer out of Microsoft, but all signs pointed to the certificate. I ended up purchasing a single domain SSL 2048-bit certificate that does Client and Server Authentication and installed it on the NPS server. Things returned to normal at this point.
Microsoft's implementation of PEAP/RADIUS/NPS apparently just doesn't play nice with Wildcard certificates, even though they don't list this constraint anywhere.
Edit:
After speaking with someone on the Microsoft PKI team, I was told that since our wildcard duplicates have a Subject Name of *.OurSchool.edu and not of the server, that the Windows clients will reject it when negotiating PEAP. The server is explicitly listed by FQDN in the Subject Alternative Name field of the certificate, but apparently that makes no difference.
The support engineer did confirm that there are issues with many wildcard certificates because of this. If you use a third party CA that will allow you to get duplicates of your wildcard with the Subject Name field of your NPS server and move the wildcard to the SAN, then it should work fine. We did not test this theory, so take it with a grain of salt.
When using 802.1x certificate-based authentication on Windows machines, should I use different certificate for each machine?
Yes, otherwise you may as well be using a shared passkey. Having a different certificate for each machine (or user) is how you prevent clients from being able to decrypt each others' traffic.
If I should, how do I distribute these certificates for hundreds of computers? Does this always require manual intervention?
Actually, the typical method is a GPO that assigns the machine a certificate signed by the internal certificate authority.
What you're looking for are the Computer Configuration
-> Windows Settings
-> Security Settings
-> Public Key Policies
section under Group Policy Management.
There is a fair bit of setup involved on your part, but once you get it running, it is relatively maintenance-free, and very automagical. I've attached a screenshot below of our certificate-related Group Policy settings to give you an idea of what's involved.
Notice the unexpanded Wireless Network (802.11) Policies
Group Policy settings; this is where I define the wireless network and set our wireless clients to auto-join it. I have a couple ADDS Certificate Authorities set up, and then made trusted by all machines in the Public Key Policies/Trusted Root Certification Authorities
. The certificate request is generated automatically, and clients are enrolled automatically, according the machine certificate template I've created (on our Certificate Authorities).
This setup does mean that computers have to connect to the domain and get their certificate before they can use the RADIUS-authenticated wireless network, but that's handled when the machine is initially imaged, and why there typically isn't a problem pushing certs out via Group Policy - to join the domain, you have to be able to connect to it, so a certificate can be created and assigned at that time.
Just as quick word of warning, be careful with those auto-enrollment settings (and test first), or you might end up like my dumb ass did, with hundreds of thousands of certificates you can't revoke, because you're issuing a new one on every logon and startup. (Oops!)
Best Answer
You can use
eapol_test
, which is part of thewpa_supplicant
package. You need to download the source code and compile it withmake eapol_test
(it's not built by default). It should work at least on Linux, Windows and Mac OS X (not advertised as much, but I could compile and use it on the latter).You create a configuration file (some examples here, but I could not find an overview of all options, I think
src/eap_peer/eap_config.h
contains some), and then run the tool:In all the output you should see the TLS certificate pass by, but you can also dump them to a file by passing the
-o
option:If you specify the
ca_cert
option in the configuration file, the program will also do a verification of the sent chain, and you see the verification result in the output of the program (not in the file with dumped certificates).Afterwards, you can also use the
rad_eap_test
wrapper, which returns a status output compatible with Nagios.