We’ll start by deploying our enterprise Certification Authority. In our example, we’ll install the service on our domain controller, but the process is identical if you’re installing on a stand-alone server that’s part of your domain. We’ll then configure certificate templates and choose the groups that are allowed to obtain and automatically enroll for the certificates. We’ll then obtain the CA certificate on the client computer and obtain the user’s certificate for authentication.

We’ll then move on to installing the RADIUS server and configuring it to accept authentication requests from our access points. We’ll then configure our access points to authenticate users against the RADIUS server and test authentication.

The welcome screen is a generic screen you’ll see whenever adding a role to the server. Simply choose Next at the welcome screen. On the next screen, check the box for Active Directory Certificate Services. You’ll notice that the column on the left side now indicates all the steps necessary to configure AD CS (see Figure 8-1). Click Next to continue.

The next screen is mostly informational, but it does include links to help topics for installing and managing Active Directory Certificate Services. Take the time to at least click the links and get an idea for the type of information that’s available to you from Windows Help. Click Next to continue.

In the next screen, you only need to check the box for Certification Authority. The other options are not necessary for our installation. If you highlight the other options, you’ll notice a description for each on the right side of the window.

In the next screen, you’ll see the two options for the different types of Certification Authorities we discussed in the previous chapter. You’ll also remember that we need to install an Enterprise Certification Authority to integrate with Active Directory and allow auto-enrollment. Select Enterprise and choose Next.

You’ll see the option to install a new root CA or a subordinate CA for an existing CA infrastructure. We’ll assume that you don’t have any Certification Authorities in your environment and install a root CA. Select the Root CA option and choose Next.

We’ll also assume you don’t have an existing private key. Therefore, in the next screen, select Create a New Private Key and choose Next.

In the next screen, shown in Figure 8-2, you’ll see the cryptographic options to generate the new private key, which will be used to sign all the generated certificates. The defaults here are acceptable, so you can choose Next to continue.

In the next screen, shown in Figure 8-3, you’ll see the options to name the Certification Authority, which will also show up in every certificate this CA generates. The defaults here should also be sufficient. Choose Next to continue.

In the next screen, you can configure the validity period of the certificate of the new Enterprise Certification Authority. Keep in mind that you won’t be able to issue any certificates past the time when the Certification Authority’s certificate expires. Therefore, I typically extend the period to ten years. Once you’ve entered the time period that’s sufficient for your network, choose Next.

The next screen, shown in Figure 8-4, gives you the option of changing the default certificate database and certificate database log locations. If you have a separate disk or partition you use for log files, you should select that location; otherwise, the defaults are sufficient. Click Next to continue.

The next screen, shown in Figure 8-5, gives you a summary of all the configuration options you chose during the installation. You should save this information whenever you add a role to your server, or you can even just take a Screenshot. You never know when it might be helpful, when you’re troubleshooting an issue, to quickly look back at the options you chose during installation. Save the information and then click Install to install the Certification Services.

Once the installation is complete, you’ll be presented with the results screen. All this should say is that the installation was successful. Click Close to exit out of the Add Roles Wizard.

Congratulations, you’ve now successfully installed Microsoft Certification Services and are ready to start deploying certificates. At this point, you can manually create and distribute certificates, but that is not our ultimate goal. Next, we’ll look at configuring certificate templates and configuring which users are allowed to automatically obtain certificates.

To configure the Group Policy Object, open Server Manager, expand Features, Group Policy Management, expand your forest (zion.loc, in our example), right-click the Wireless Organizational Unit, and choose “Create a GPO in this domain, and link it here.” Name the Group Policy Object something logical (in this example, we’ve named it WirelessCertAutoEnroll) and then click OK. Right-click the newly created Group Policy Object and choose Edit.

Double-click “Certificate Services Client – Auto-Enrollment” to configure the policy. You’ll want to use the settings shown in Figure 8-8. To enable auto-enrollment, change the Configuration Model setting to Enabled. Check all three boxes and then click OK to continue.

Next, double-click the “Certificate Services Client –Certificate Enrollment Policy” setting. Change the Configuration Model setting to Enabled and then click Apply. You’ll notice that the policy shows that auto-enrollment is enabled, as shown in Figure 8-9.

To configure the computer account to automatically obtain certificates, you configure the same policy under Computer Configuration. The only option that isn’t available is to notify about pending certificate expiration. This doesn’t matter because there’s no reason to notify a computer of a pending certificate’s expiration. Remember that to allow a computer to authenticate to the wireless network, before a user has logged on, we’ll need to enable the computer to automatically obtain certificates. The location of the group policy settings for a computer account is; Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies.

If you click the first Certificate Templates item, you’ll see all the preconfigured templates that will assist us in creating our certificate templates. You can actually manipulate these templates directly; however, for the sake of keeping everything organized, we’ll just copy a template and rename it to something logical. The two templates we’ll configure are

Right-click the User Signature Only template and choose Duplicate Template. If you have any Windows 2003 Certificate Servers in your environment, choose that option in the resultant dialog box (see Figure 8-11) and then click OK. Otherwise, select Windows Server 2008 Enterprise and click OK.

In the General tab of the Properties of New Template dialog box, name the template using something indicative of what it will be used for. In our example, we’ve named our template “Zion–Wireless User.” Next, click the Security tab and add the group that we want to have the ability to auto-enroll for certificates using this template. In our example, we’ve added the WirelessUsers group. Assign this group the Read, Enroll, and Auto-Enroll permissions and then click OK (see Figure 8-12).

After you’ve created the certificate template, you need to issue it on your CA. Right-click the Certificate Templates folder under your CA name and choose New | Certificate Template to Issue. Find the newly created template and click OK. At this point, we are completely set for the users to obtain their certificate.

Let’s continue by creating the certificate template for computers to obtain certificates and then we’ll discuss the details of obtaining the certificates through auto-enrollment. The process is exactly the same as the previous template; however, we’ll apply the permissions to the group WirelessComputers. Right-click the Computer certificate template and choose Duplicate. Select the CA type for your environment. Name the template appropriately. On the Security tab, add the WirelessComputers group and give it the Read, Enroll, and Auto-Enroll permissions. Then click OK.

The auto-enrollment process is triggered upon user logon, so if you’re already logged on, you need to log out and log back into the computer to trigger the auto-enrollment process. You should understand that for a client computer to download the certificate for the CA and the user’s certificate, the computer must have network access to Active Directory. This means that the computer can’t initially download the certificate necessary to authenticate to the wireless network over the same wireless network. The user must have previously obtained the certificate. Therefore, you must ensure that the computer is connected to the network either hardwire or a different wireless network before attempting to authenticate to the wireless network to allow the computer to download the CA certificate and obtain the certificate.

After logging into the computer, we can view the certificate store on the client computer using the Microsoft Management Console. Click Start | Run, type mmc.exe, and hit ENTER. Click File I Add/Remove Snapin and then double-click the Certificates item. Click OK to close the dialog box. Expand the path Certificates | Current User | Personal and you’ll see something similar to Figure 8-13.

You’ll notice the issuing CA is the name of the Certification Authority we configured. If you scroll to the right, you’ll also see the certificate template that was used to create this certificate. This can be very handy information when you’re troubleshooting auto-enrollment issues. Now expand the node for Trusted Root Certification Authorities and click Certificates. Scroll down to find the certificate for your Certification Authority. If you double-click the certificate, you’ll notice that it’s issued to and issued by the same entity.

Figure 8-14 shows an example of the certificate issued to Morpheus from the zion-server-CA Certification Authority.

You’ve already configured the majority of what you need from the client’s perspective. You only have one more task. You need to configure a wireless network that the computer will connect to without user intervention using Group Policy. You can choose to create a new Group Policy or add to the certificate auto-enrollment policy we created earlier. I typically recommend creating a new Group Policy Object, but you can decide for yourself. By creating a new Group Policy, you can avoid any confusion later as to what the Group Policy does. If you choose to add these settings to another Group Policy and later decide to remove that policy (forgetting that the wireless settings are there), you’ve just created an unnecessary headache for yourself.

Create a new Group Policy Object and navigate to Computer Configuration | Policies | Windows Settings | Security Settings I Wireless Network (IEEE 802.11) Policies. If you right-click the Wireless Network (IEEE 802.11) Policies node, you’ll see two options:

Next, click the Preferred Networks tab and click Add to add the settings specific to your wireless network. You’ll see the New Preferred Setting Properties window in Figure 8-16. Again, most of this is straightforward, and you’re really just configuring it to match the SSID, authentication, and encryption settings of your wireless network.

Next, click the IEEE 802.1x tab to configure the authentication settings. This is where we configure the computer to authenticate to the network using certificates. Your configuration should look similar to Figure 8-17.

The next screen is purely informational. Feel free to take the time to view the types of information available to you. Click Next to continue. Select the Network Policy Server check box and click Next to continue.

The next screen provides a summary of the options you’ve chosen to install. Click Install. The next screen should indicate that the installation has succeeded. Click Close to exit this screen.

Now we’ll configure our newly installed Network Policy Server. Open Server Manager and expand Roles, and you’ll see a new entry for “Network Policy and Access Services.” If you highlight the first node, labeled “NPS (Local),” you’ll see a screen similar to Figure 8-19. The easiest way to configure our NPS to perform RADIUS authentication for our wireless network is with the 802. 1x configuration wizard. To start the wizard, click the drop-down box and select “RADIUS server for 802.1x Wireless or Wired Connections,” and then click Configure 802.1x.

In the next screen, select the Secure Wireless Connections radio button and provide an appropriate name in the text box. In Figure 8-20, you can see we’ve named ours “Secure Wireless Connections.” Not too creative, but it gets the job done.

In the next screen, we’re going to add the 802.1x authenticators. For our wireless network, the authenticators are the access points. Click Add and fill in the information for each individual access point. You should create a shared secret that is unique to each access point. Your entry should look similar to Figure 8-21. Click OK to continue. Click Add and enter any additional access points you have.

When you’re finished adding your access points, click Next. The next window allows you to set the authentication method that clients will be using. In this case, we want our client systems to use certificates, so choose the drop-down menu and select “Microsoft: Smart Card or other certificate.” Click Next to continue.

In the next screen, shown in Figure 8-22, you can configure the groups that are allowed to successfully authenticate against this policy. Click Add and add the groups that are allowed to authenticate. Keep in mind that the users don’t have to be a member of all the groups in this list to authenticate; they only need to be a member of one of the groups. In our example, we’ve kept everything nice and organized and created a group called WirelessUsers. Click Next to continue.

In the next screen, you can configure traffic-control attributes if your access points support it. This is not a standard configuration, so click Next to continue. In the next screen, you can see a summary of the configuration options. This is actually a helpful screen. Take a minute to look at it. Not only does it show all the access points you configured, but also the name of the Connection Request Policy and the Network Policy.

The Network Policy Server states the following for each type of policy:

At this point, your NPS is configured, but you have one final task to allow it to start processing requests. Right-click the “NPS (Local)” node again and choose Register Server in Active Directory. You’ll then see the message in Figure 8-23.

We’re almost there. You have the most complex configuration behind you. Now it’s time to configure the access point and test authentication.

In Figure 8-24, you can see the configuration of a Linksys WRT54G running the dd-wrt firmware. Keep in mind that although the interface for your access point may be different, the configuration should be just as simple. You’ll notice that Security Mode is set to WPA2 Enterprise, which brings up the option to configure a RADIUS server. We’ve also configured the WPA algorithm as AES, as opposed to the less cryptographically secure TKIP protocol.

All you need to authenticate your clients is the IP address of the RADIUS server as well as the RADIUS shared secret you configured previously. That’s it! Keep in mind that the RADIUS authenticator (in this case, the access point) is completely unaware of how you authenticate to the destination RADIUS server. Whether you use certificates or simple passwords, the configuration is the same on your access point because the actual authentication is handled on the RADIUS server.

Once successfully connected, you should see the familiar “connected” message.