volts
(volts)
June 25, 2021, 4:01pm
1
We are starting to introduce WiFi into our cyber centre (yes, in 2021!!) due to the demand from our users to bring and use their own devices (and get help using them).
Now our existing setup has 10 domain-joined computers, and each user has an AD account to log into these.
The use of AD would in turn allow us to see who is using our Wi-Fi and keep everything centralized.
As our users are used to using their AD credentials to access our services, could this be extended to Wi-Fi access (just internet) on their own devices?
Objective
On selecting our Wi-Fi network the users are prompted for their username and password
Research so far
This link suggests this can be done without using certificates (Post 5): How to setup a wifi network with Active Directory authentication in Win2012? | Microsoft Learn
That said, it is the only article which says you can do without a certificate. This one from Microsoft says:
“Because PEAP-MS-CHAP v2 requires that users provide password-based credentials rather than a certificate during the authentication process, it is typically easier and less expensive to deploy than EAP-TLS or PEAP-TLS”
(Deploy Password-Based 802.1X Authenticated Wireless Access | Microsoft Learn)
Then it goes on to say, oh, you need certificates. That’s the bit I’m confused on. This post from SW in 2015 is asking the same/similar question: Possible to use NPS for RADIUS without certs for non-domain joined clients?
I’ll need:
An access point which allows the use of RADIUS to authenticate
A certificate set up on the server (using AD CA). (Self-signed??) Do you really need one? Any pitfalls with going self-signed?
NPS set up as a RADIUS server on our Windows 2019 server
I think that’s everything. Have I made any glaring errors, or is there room for improvement?
8 Spice ups
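The server side of the plan above, as an added example in PowerShell (this is not code from the thread or from any poster). It registers the access point as a RADIUS client on the NPS host and then checks whether the server already holds a certificate that PEAP can present. The point the thread circles around: PEAP-MS-CHAP v2 runs a TLS tunnel between the wireless client and NPS, so NPS needs a certificate with the Server Authentication EKU and a private key, while the client sends only a username and password inside that tunnel and needs no certificate of its own. The AP address, host name and file paths are placeholders, and the PEAP network policy itself is created in the NPS console rather than scripted here.

```powershell
# Added example (not from the original thread): NPS-side setup for PEAP-MS-CHAP v2 Wi-Fi.
# Run as an administrator on the Windows Server 2019 host with the NPS role installed.
# Placeholders (assumptions): AP address 192.0.2.10, NPS host name nps01.example.internal.
Import-Module NPS

# 1. Register the access point as a RADIUS client. The shared secret protects the
#    AP-to-NPS RADIUS traffic, so generate a long random one instead of typing a word.
$secretBytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($secretBytes)
$sharedSecret = [Convert]::ToBase64String($secretBytes)
New-NpsRadiusClient -Name 'CyberCentre-AP1' -Address '192.0.2.10' -SharedSecret $sharedSecret
Write-Host "Enter this shared secret on the AP, then clear it from your console history: $sharedSecret"

# 2. Look for a certificate NPS can present for PEAP: private key present, not expired,
#    and the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1). No client certificate is involved.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
}

# Flip to $true only in a lab. A self-signed certificate works for NPS, but no client trusts it,
# so every user is trained to click "Accept" on a warning, which is exactly what a rogue AP
# with its own RADIUS server needs in order to collect MS-CHAP v2 credential exchanges.
$allowSelfSigned = $false

if ($candidates) {
    $candidates | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize
} elseif ($allowSelfSigned) {
    # New-SelfSignedCertificate includes the Server Authentication EKU by default.
    $cert = New-SelfSignedCertificate -DnsName 'nps01.example.internal' `
        -CertStoreLocation 'Cert:\LocalMachine\My' -KeyLength 2048 -NotAfter (Get-Date).AddYears(2)
    Write-Host "Self-signed certificate created (lab only): $($cert.Thumbprint)"
} else {
    Write-Warning 'No PEAP-capable certificate in LocalMachine\My. Request one from the AD CS CA'
    Write-Warning '(a template with Server Authentication EKU) or from a public CA the BYOD devices already trust.'
}

# 3. Back up the NPS configuration once the PEAP policy exists. The export contains the
#    RADIUS shared secrets in plain text, so protect the file like a password store.
Export-NpsConfiguration -Path 'C:\Backup\nps-config.xml'
```

The certificate check mirrors what the NPS console enforces when you pick the server certificate in the PEAP settings; if the list comes back empty, the Microsoft article's "you need a certificate" step is the one to complete before testing with any client.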
I use NPS for WPA2 Enterprise authentication from all devices, including Android phones. Never messed with a cert in the Radius part.
On domain joined devices the user/pass of the logged in user is automatically used for Wireless authentication.
I think you should just follow the logic.
volts
(volts)
June 28, 2021, 7:25am
3
Bojan Zajc:
I use NPS for WPA2 Enterprise authentication from all devices, including Android phones. Never messed with a cert in the Radius part.
On domain joined devices the user/pass of the logged in user is automatically used for Wireless authentication.
I think you should just follow the logic.
Will give it a shot. Most guides mention certs though, particularly on the server.
FWIW, I have a non-domain joined Android device that I can log into my work network with using my AD credentials. Empirically this answers your question - yes it can be done. That said, I have no idea how that was setup (another department’s responsibility) so, little help from this end of things.
volts
(volts)
June 29, 2021, 6:23am
5
Certificate setup for WPA2-Enterprise/PEAP authentication
After some more searching, the last post by Rod-IT seems to suggest spinning up an internal CA is the way to go.
So you do need a certificate between RADIUS and your Wi-Fi APs for BYOD/non-domain devices?? For it to work with users just using Continue or Accept if they get a prompt.
Perhaps @rod-it would be kind enough to confirm.
Rod-IT
(Rod-IT)
June 29, 2021, 7:21am
6
I think you are misunderstanding BYOD or its intended use.
If you allowed people to use their own kit, what validation do you have that it’s safe to use on the corporate network? Simply passing over AD credentials would not be validation that their laptop is not riddled with viruses or malware.
NPS will cover some of this, but the device is still untrusted - and this is what certificates would do (on company-owned, domain-joined kit).
An internal CA by design will share the root CA certificate with all domain-joined devices; the devices will be issued with their own certificate from this CA, and the NPS/RADIUS combination would verify the certificate is from the domain CA and approve it for use on the Wi-Fi/LAN (depending on how you configure it). This would be a trusted Wi-Fi or LAN, not a BYOD network. It should be used only for devices that are company owned and domain joined.
A BYOD network would not need certificates (simply because you have no control over the devices connecting and might not have permissions to install a cert); it would therefore by design be untrusted. From here users would have access to a select few ways to access the corporate network, such as Citrix, VDI, TS/RDS or WebApps, and this is where they would put their AD credentials. In all cases, their own device does NOT touch the corporate trusted network; only their credentials are passed.
I hope this makes more sense.
Short version - Company owned devices, domain joined devices - Corporate Wi-Fi with Certificates/NPS/Radius
BYOD - untrusted user devices, no certificates, u/p for Wi-Fi, remote access to corporate network.
What is a cyber centre: a cyber cafe, or a security company? If the latter, you really want to be as secure as possible; the above short version is your friend.
Note that certificates are becoming more and more required to enhance security, including LDAPS, so even if you don’t use certificates for corporate Wi-Fi you should have an internal CA anyway.
Rod-IT
(Rod-IT)
June 29, 2021, 7:27am
7
You cannot issue a certificate to devices you don’t own or have passwords for. Certificates are used to secure your corporate network and company devices; BYOD is basically a guest network, so you don’t have a way to install certificates on devices you do not manage. Besides, if I came to your business, why would I let you install a certificate on my device when other companies offer Wi-Fi without it?
Trusted networks/devices = certificates
Untrusted networks/devices = username/password or password - typical guest type access.
1 Spice up
matt7863
(m@ttshaw)
June 29, 2021, 9:16am
8
Rod-IT summarizes this well, but I would add that certificates do have a role to play in BYOD.
Typically a cert is still required on the device providing the authentication, and this needs to be trusted by clients - this is simple to achieve by using a cert from a trusted public CA and not an internal one. So, for example, if you were using NPS and wanted to auth users with their AD creds but to the BYOD SSID, you need to install a cert on NPS. If you do not, then the u/p from the AP to NPS will be in the clear etc - and in reality over the air it is easily compromised.
Secondly, you can issue certs to non-corp devices if this is something you wish to do - you just may not be able to automate it. It is common in enterprise to have to register a device with the BYOD network and download and install a cert - usually done via a web portal. But I would not recommend it in a small setup. This is typically used when the corp wants to control which devices have access - a better approach is MDM for BYOD.
1 Spice up
volts
(volts)
June 29, 2021, 9:19am
9
Rod-IT:
You cannot issue a certificate to devices you don’t own or have passwords for, certificates are used to secure your corporate network and company devices, BYOD is basically a guest network, so you dont have a way to install certificates on devices you do not manage. Besides, if I came to your business why would I let you install a certificate on my device when other companies offer Wi-Fi without it?
Trusted networks/devices = certificates
Untrusted networks/devices = username/password or password - typical guest type access.
Thanks for your comprehensive answer (and the shorter summary one). Yes, the CyberCentre is indeed a cyber-cafe setting.
I guess the crux of the matter is that every guide/video I’ve come across mentions certificates. Even this article, Deploy Password-Based 802.1X Authenticated Wireless Access, sounds promising but then mentions certificates.
So, to be absolutely clear: to use your username/password credentials to access Wi-Fi in a BYOD setting does not require a certificate deployed to the client OR the NPS/RADIUS server?
Rod-IT
(Rod-IT)
June 29, 2021, 9:34am
10
Can you please provide a scenario?
You talk about company users and AD with their own devices - I’d ask why they would need or want to use their own devices if they have company-owned devices that could easily operate on a corporate Wi-Fi, even without certificates - just ensure the password is not leaked, otherwise you could end up with non-domain-joined/owned devices on the corporate side of the network.
For BYOD for non-staff devices, why not just have a guest network to provide internet access? Why the need to access the corporate side of the network at all?
volts
(volts)
June 29, 2021, 10:53am
11
Rod-IT:
Can you please provide a scenario?
You talk about company users and AD with their own devices - I’d ask why they would need or want to use their own devices if they have company-owned devices that could easily operate on a corporate Wi-Fi, even without certificates - just ensure the password is not leaked, otherwise you could end up with non-domain-joined/owned devices on the corporate side of the network.
For BYOD for non-staff devices, why not just have a guest network to provide internet access? Why the need to access the corporate side of the network at all?
Our Cyber-Centre is set up to provide computer and internet access to members of the public. When it was initially set up, those members of the public often didn’t have their own PC or indeed internet access. Additionally, many required help in using the technology, so we provided this.
It isn’t strictly drop-in, as to secure funding we need to sign them up. During this process they are given an AD username/password, which they use to log in to one of our domain-joined desktop PCs.
With the growth of laptops, tablets and phones, these same members are coming in and requesting help with their own devices, which need internet access over WiFi.
Our initial thought was to use the AD username/password combination (something already used and known by our members) to give them that internet access on their own devices.
Rod-IT
(Rod-IT)
June 29, 2021, 11:00am
12
Note that some devices won’t use AD credentials, so it depends on each case - personally, I’d not want them on or near the domain and would instead create a guest access SSID with a portal. They will log in using local accounts and can be given ‘limited’ time or duration on the internet based on the criteria you set up in the portal.
It sounds like a simpler approach would be better here, not a more complicated one like NPS/certificates and RADIUS. Keep this for your corporate side, not the public side.
1 Spice up