Windows 2012 R2 NPS with EAP-TLS Authentication for OS X & Mobile Devices

The following setup covers EAP-TLS authentication for OS X and mobile devices (iOS and Android), building on my previous lab.

The following steps are required 

  1. Generating a new certificate template for computer authentication
  2. Requesting the computer authentication certificate from a member server or workstation
  3. Exporting the computer certificate (one with the private key (*.pfx) and one without the private key (*.cer))
  4. Exporting the root certificate (only required for Android phones)
  5. Mapping the certificate to an AD user
  6. Testing on iPhone, Android and MacBook (OS X Yosemite)

1. Generating a New Certificate Template for Computer Authentication 

TLS-Mobile-01

Open “Certification Authority” on the CA server, then Certificate Templates > Manage

TLS-Mobile-02

Right-click “Computer” and select Duplicate Template

** Only the changes from the default settings are shown in the screenshots below

TLS-Mobile-03

Go to “General”, provide a name for the new template, and extend the Validity Period to 5 years (optional step)

TLS-Mobile-04

Go to “Request Handling” and select “Allow private key to be exported”

TLS-Mobile-05

Change the Subject Name setting to “Supply in the request”

TLS-Mobile-06

Check “CA certificate manager approval” so that each requested certificate must be manually approved on the CA server

TLS-Mobile-07

Right-click “Certificate Templates” > New > Certificate Template to Issue, and select the newly created template

2. Requesting the Computer Authentication Certificate from a Member Server or Workstation

TLS-Mobile-08

On the member server or workstation, open MMC > File > Add/Remove Snap-in > Certificates > Computer Account

Right-click Personal > Certificates > All Tasks > Request New Certificate

TLS-Mobile-09

Select the issued template and click “More information …”

TLS-Mobile-10

Add CN=ios (in my case). Important: the CN MUST be the same as the AD username provisioned later

TLS-Mobile-11

The computer certificate is enrolled successfully

TLS-Mobile-12

Go to the CA server > Pending Requests. The request appears here because we enabled “CA certificate manager approval” when configuring the certificate template. Right-click the request and issue it.

3. Export the Computer Certificate

TLS-Mobile-13

Since my member server is domain joined with auto-enrollment configured, I need to right-click Certificates > All Tasks > Automatically Enroll and Retrieve Certificates

TLS-Mobile-14

The certificate with its private key is installed successfully

Export the certificate to .pfx (with the private key) and .cer (without the private key), and copy both, together with the root certificate file, to C:\inetpub\wwwroot\Download on my IIS server

Copy and paste the following HTML code into C:\inetpub\wwwroot\iisstart.htm

I can then go to http://192.168.1.201 to download all the required certificates for iPhone, Android and OS X easily

TLS-Mobile-15

4. Map Certificate to AD User

Open Active Directory Users and Computers on the AD domain controller and create a new user called ios (the username must be the same as the CN in the certificate)

** You can use any password, as the password will NOT be used in EAP-TLS authentication

TLS-Mobile-16

Select View > Advanced Features, right-click the ios user account, select Name Mappings and add the .cer certificate
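Steps 2 to 4 above can also be done from PowerShell on the domain-joined member server. The script below is an added example, not part of the original post; it assumes the duplicated template is named TLS-Mobile and reuses the ios user, the IOS.PFX/.CER file names and the IIS download folder from the post. It handles the pending state caused by “CA certificate manager approval” and writes the same altSecurityIdentities mapping that the Name Mappings dialog creates.

```powershell
# Added example (not from the original post). Run elevated on the domain-joined
# member server; needs RSAT (ActiveDirectory module) and the built-in PKI module.
Import-Module PKI
Import-Module ActiveDirectory

$template = 'TLS-Mobile'                      # assumed template display name
$subject  = 'CN=ios'                          # must match the AD sAMAccountName
$user     = 'ios'
$outDir   = 'C:\inetpub\wwwroot\Download'     # download folder from the post

# Step 2: submit the request. Because the template requires CA certificate
# manager approval, the result stays 'Pending' until an admin issues it in certsrv.msc.
$enroll = Get-Certificate -Template $template -SubjectName $subject `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
while ($enroll.Status -eq 'Pending') {
    Read-Host 'Request pending on the CA. Issue it, then press Enter to retrieve' | Out-Null
    $enroll = Get-Certificate -Request $enroll.Request   # retrieve the issued certificate
}
if ($enroll.Status -ne 'Issued') { throw "Enrollment failed with status $($enroll.Status)" }
$cert = $enroll.Certificate

# Step 3: export with the private key (.pfx for the devices) and without (.cer for AD).
$pfxPass = Read-Host -AsSecureString 'Password to protect the private key in IOS.PFX'
Export-PfxCertificate -Cert $cert -FilePath "$outDir\IOS.PFX" -Password $pfxPass | Out-Null
Export-Certificate    -Cert $cert -FilePath "$outDir\IOS.CER" -Type CERT        | Out-Null

# Step 4: AD stores the mapping as X509:<I>issuer<S>subject with each DN in
# reverse (LDAP) RDN order, e.g. DC=local,DC=monsterbean,CN=MonsterBean-Root.
# Simple comma split: assumes no escaped commas inside an RDN value.
function ConvertTo-MappingDn([string]$dn) {
    $rdns = $dn -split ',\s*'
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}
$mapping = 'X509:<I>{0}<S>{1}' -f (ConvertTo-MappingDn $cert.Issuer),
                                  (ConvertTo-MappingDn $cert.Subject)
Set-ADUser -Identity $user -Add @{ altSecurityIdentities = $mapping }

# Verify the mapping landed on the account before testing from a device.
$stored = (Get-ADUser -Identity $user -Properties altSecurityIdentities).altSecurityIdentities
if ($stored -notcontains $mapping) { throw "Mapping not found on user $user" }
Write-Host "Certificate $($cert.Thumbprint) mapped to $user as $mapping"
```

Once the devices are enrolled, remove IOS.PFX from the web root; the PFX password is the only thing protecting that private key while the file is downloadable.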

#Login using iPhone 

Go to http://192.168.1.201 and download the IOS.PFX file

TLS-Mobile-17

Tap Install and provide the private key password when prompted

TLS-Mobile-18

Connect to the Wi-Fi network, change Mode to EAP-TLS, and tap Identity to select the imported ios certificate

TLS-Mobile-19

Select IOS and tap Join. You should now be connected to the Wi-Fi network using EAP-TLS.

#Login using Android 

Go to http://192.168.1.201 and download the IOS.PFX file

Open the downloaded IOS.PFX file and enter the private key password

TLS-Mobile-20

Give this certificate a friendly name and change Credential use to WIFI

Go to http://192.168.1.201 and download the MonsterBean-Root.cer file

TLS-Mobile-21

Give the root certificate a friendly name and change Credential use to WIFI

TLS-Mobile-22

Change the EAP method to TLS, and specify the root and user certificates with Identity IOS (the user account created in AD)

You should now be connected to the Wi-Fi network using EAP-TLS.

#Login using MacBook Air (OS X)

Copy the .pfx file to OS X and double-click the ios.pfx file

EAP-TLS-Mobile-01

The .pfx should import successfully as shown below (enter your OS X username and password if prompted)

EAP-TLS-Mobile-02

Select Mode: EAP-TLS, Identity: IOS, and Username: ios

EAP-TLS-Mobile-03

Connected successfully using EAP-TLS  

EAP-TLS-Mobile-04