Cannot configure EAP
When you are configuring a RADIUS server to use a certificate for Secure Wireless Connection or VPN connections, you might be presented with this dreadful error message:
This is due to that RADIUS server not having the correct certificate installed. In order to fix this problem, do as follows:
Stuff to do on the Certification Authority Server
You obviously must have a CA in your Domain, if not install the role on a server (I would recommend always to use the FRDC - Forest Root Domain Controller- as the CA too) and once you got it all done, run "mmc" and add the "Certificate Templates" snap-in, then edit the properties of the "Domain Controller Authentication" template
Ensure that you have the option "Publish certificate in Active Directory" ticked
Visit the "Security" tab and ensure that you allow for the Authenticated Users the permission to Read, Write, Enroll and Autoenroll
Once you have done all of this, close the mmc (without saving it) and open the Certification Authority application, then choose to stop the CA service.... and you guess it! After stopping it, start it again :)
That will publish to CA the certificate "Domain Controller Authentication" with the modifications that we have made
Stuff to do on the RADIUS server
Jumping now to your RADIUS server, run mmc and add the snap-in "Certificates" for Local Computer,then visit Personal > Certificates > Request New Certificate
Click "Next", and to the next window select Active Directory Enrollment Policy and click "Next" too
Because previously we select this certificate to be publish on AD, on the next window you should be able to see the "Domain Controller Authentication" certificate, select it and chool "Enroll", yah!
At this stage you should be able to get a "Succeeded" green light, and the certificate will appear under Personal > Certificates
Now you can open the RADIUS certificate server from your NPS console, and see that the certificate is there, well done!
London, 6 November 2019
The white elephant in the room: make a note on your calendar of the expiration date of the certificate! You'd need to do exactly the same process on the RADIUS sever once the current certificate has expired
Comments powered by CComment