rss logo

How to Deploy WPA Enterprise EAP-TLS on UniFi WiFi

WiFi Logo

I've shown how to set up a WPA Enterprise architecture with PEAP-MSCHAPv2. You can find the tutorial here. However, as mentioned in the article, although it's relatively simple to set up, it may not be the most secure way to protect your WiFi. If security is a priority for you or your company, I strongly recommend using EAP-TLS instead. And the good news is that's exactly what I'm going to talk about here!

In this guide, we'll learn how to implement WPA Enterprise access using the most secure protocol for WiFi connections: EAP-TLS.

This lab was conducted using Ubiquiti WiFi equipment, but it can be reproduced on any WPA Enterprise-compatible WiFi hardware. As EAP-TLS is a PKI based, it requires a Certificate Authority (CA). Consequently, we will also configure Active Directory Certificate Services (AD CS) to distribute certificates to Supplicants and to the Authentication Server, which will be an NPS server (Microsoft's RADIUS server).

Diagram illustrating the implementation of WPA Enterprise with EAP-TLS on UniFi WiFi access points. It includes an ADCS server, NPS server, and authentication process using 802.1X and RADIUS protocols.

Active Directory Certificate Services

Active Directory Certificate Services (AD CS) enables the issuance and management of Public Key Infrastructure (PKI) certificates. In this configuration, it will facilitate the provision of certificates that enable every Active Directory user wishing to connect to the company's WiFi to authenticate themselves in complete security.

Installing the AD CS Role

We have two options for installing the AD CS role: using PowerShell or the Graphical User Interface.

PowerShell

  • For a quick installation using PowerShell, run the following command:
PS C:\Users\administrator.STD> Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools

Graphical User Interface (GUI)

  • In the Server Manager dashboard, navigate to Add Roles and Features:
Screenshot of the Windows Server Manager with the 'Add Roles and Features' option highlighted under the Manage menu.
  • Click on Next:
Screenshot of the 'Before You Begin' page in the Add Roles and Features Wizard on Windows Server, highlighting the prerequisites and the Next button.
  • Select Role-based or feature-based installation in the Installation Type menu, then click Next:
Screenshot of the 'Select Installation Type' page in the Add Roles and Features Wizard on Windows Server, highlighting the option for Role-based or feature-based installation.
  • Select your AD CS server and click Next:
Screenshot of the 'Select Destination Server' page in the Add Roles and Features Wizard on Windows Server, showing a server pool with a selected server named ADCS.std.local.
  • Check the Active Directory Certificate Services box and click Next:
Screenshot of the 'Select Server Roles' page in the Add Roles and Features Wizard, highlighting the Active Directory Certificate Services role selection.
  • Click on Next in the Features menu:
Screenshot of the 'Select Features' page in the Add Roles and Features Wizard, showing a list of features with .NET Framework 3.5 highlighted.
  • Read the description of Active Directory Certificate Services if you wish, then click Next:
Screenshot of the 'Active Directory Certificate Services' page in the Add Roles and Features Wizard, explaining the role and considerations for setting up AD CS.
  • Check the Certificate Authority box and click Next:
Screenshot of the 'Select Role Services' page in the Add Roles and Features Wizard, highlighting the Certification Authority option for Active Directory Certificate Services.
  • Check the Restart destination server box to enable it to restart automatically, then click Install:
Screenshot of the 'Confirm Installation Selections' page in the Add Roles and Features Wizard, showing selected roles for AD CS installation and the option to restart the server automatically if required.
  • Open the Server Manager dashboard and navigate to Post-deployment Configuration:
Screenshot of the Post-deployment Configuration notification in Windows Server Manager, highlighting the option to configure Active Directory Certificate Services after installation.
  • Modify the Default credentials if you wish, then click Next:
Screenshot of the Credentials page in the AD CS Configuration wizard, showing the input for administrator credentials required to configure role services.
  • Select the Certificate Authority role and click Next to continue:
Screenshot of the Role Services page in the AD CS Configuration wizard, showing the selection of the Certification Authority role service.
  • Choose Enterprise CA and click Next:
Screenshot of the Setup Type page in the AD CS Configuration wizard, highlighting the selection of the Enterprise CA option.
  • Select Root CA:
Screenshot of the CA Type page in the AD CS Configuration wizard, highlighting the selection of Root CA as the type of certification authority.
  • Choose to create a new private key:
Screenshot of the Private Key page in the AD CS Configuration wizard, showing the option to create a new private key for the certification authority.
  • Choose robust cryptographic options:
Screenshot of the Cryptography for CA page in the AD CS Configuration wizard, showing the selection of RSA cryptographic provider, key length 4096, and hash algorithm SHA512
  • Specify the name of the CA:
Screenshot of the CA Name page in the AD CS Configuration wizard, showing the input for the common name of the certification authority as std-ADCS-CA.
  • Specify the validity period for the certificate, 10 years seems like a good length, given that we'll probably all be dead by then:
Screenshot of the Validity Period page in the AD CS Configuration wizard, showing the selection of a 10-year validity period for the certificate authority.
  • Specify the database locations:
Screenshot of the CA Database page in the AD CS Configuration wizard, showing the default locations for the certificate database and log files.
  • Check the global configuration and click on Configure to run the configuration:
Screenshot of the Confirmation page in the AD CS Configuration wizard, summarizing the settings for the certification authority before starting the configuration.
  • Once the Configuration succeeded, click on Close:
Screenshot of the Results page in the AD CS Configuration wizard, indicating that the configuration of the Certification Authority was successful.

Configuring the AD CS Role

From the ADCS server, we need to create two certificate templates: one for the Authentication Server (NPS), which will generate a Computer certificate, and another for Supplicants, which will allow Domain Users to authenticate themselves.

  • Open the Certification Authority management console:
Screenshot of the Windows Run dialog box with 'certsrv.msc' entered to open the Certification Authority management console.
  • (Optional) Go to the Certification Templates menu and delete the templates you don't need (in my case, I've deleted everything because I only need one for EAP-TLS authentication):
Screenshot of the Certification Authority console, showing the deletion of a certificate template from the 'Certificate Templates' section in AD CS.

Create Certificate Template

  • Open the Certificate Templates Console by right-clicking on the Certificate Templates folder and selecting Manage:
Screenshot of the Certification Authority console, showing the option to manage certificate templates in the AD CS 'Certificate Templates' section.
Authentication User Certificate Template (For Supplicants)

Note: the user certificate authentication method works well, but consider using computer certificate authentication instead if you're using GPO scripts or if you want the computer to be able to log in from the lock screen. See detailed procedure here: Implementing Computer Certificate Authentication with AD CS.

  • Right-click on the User template and select Duplicate Template:
Screenshot of the Certificate Templates Console, showing the option to duplicate a user certificate template in AD CS.
  • Optional, but if you have a recent architecture, set to the most recent systems in the Compatibility Settings:
Screenshot of the Properties of New Template window in AD CS, showing compatibility settings for certification authority and certificate recipient.
  • Give the Template a name:
Screenshot of the Properties of New Template window in AD CS, showing the template name and display name set to EAP-TLS with validity and renewal periods.
  • Increase key size for greater security:
Screenshot of the Properties of New Template window in AD CS, showing cryptographic settings with a minimum key size of 4096 and selected cryptographic providers.
  • To enable automatic deployment of certificates via GPO, check the Autoenroll box for Domain Users:
Screenshot of the Properties of New Template window in AD CS, showing security settings where Domain Users are granted Enroll and Autoenroll permissions.
  • Please note that the name of the e-mail address is required for AD users requesting certificates. This means an e-mail address must be entered in the Active Directory user properties:
Screenshot of the Properties of New Template window in AD CS, showing subject name settings to include e-mail name, alongside Active Directory user properties with the user's e-mail address.

Finally, click OK to create the template.

  • From the Certification Authority management console, right-click on Certificate Templates and select Certificate Template to Issue:
Screenshot of the Certification Authority console in AD CS, showing the option to issue a new certificate template under 'Certificate Templates'.
  • Select the EAP-TLS template created earlier:
Screenshot of the Enable Certificate Templates window in AD CS, showing the selection of the EAP-TLS certificate template for enabling.
  • The EAP-TLS template should appear in the Certificate Templates folder:
Screenshot of the Certification Authority console in AD CS, showing the EAP-TLS certificate template enabled under 'Certificate Templates'.
Authentication Server Certificate Template (For NPS Server)
  • Open the Certificate Templates Console by right-clicking on the Certificate Template folder and selecting Manage:
Screenshot of the Certification Authority console in AD CS, showing the option to manage the EAP-TLS certificate template under 'Certificate Templates'.
  • Right-click on Computer template and select Duplicate Template:
Screenshot of the Certificate Templates Console in AD CS, showing the option to duplicate the Computer certificate template.
  • Optional, but if you have a recent architecture, set the most recent systems in the Compatibility Settings:
Screenshot of the Properties of New Template window in AD CS, showing compatibility settings for the certification authority and certificate recipient.
  • Give the Template a name:
Screenshot of the Properties of New Template window in AD CS, showing the template display name and name set to NPS with validity and renewal periods configured.
  • Optional, but we can modify the key size to increase security:
Screenshot of the Properties of New Template window in AD CS, showing cryptographic settings with a minimum key size of 4096 and selected cryptographic providers for NPS.
  • To enable automatic deployment of certificates via GPO, check the Autoenroll box for Domain Computers (Optional: you can restrict enrolment to the NPS server only by replacing the Domain Computers group with our NPS server):
Screenshot of the Properties of New Template window in AD CS, showing security settings where Domain Computers are granted Enroll and Autoenroll permissions.

Finally, click OK to create the template.

  • In the Certification Authority management console, right-click on Certificate Templates and select Certificate Template to Issue:
Screenshot of the Certification Authority console in AD CS, showing the option to issue a new certificate template under 'Certificate Templates'.
  • Select the NPS template created earlier:
Screenshot of the Enable Certificate Templates window in AD CS, showing the selection of the NPS certificate template for enabling.
  • The NPS template should appear in the Certificate Templates folder:
Screenshot of the Certification Authority console in AD CS, showing the NPS and EAP-TLS certificate templates enabled under 'Certificate Templates'.

Authentication Server (NPS)

Installing the NPS Role

We have two options for installing the NPS role: using PowerShell or the Graphical User Interface.

PowerShell

  • For a quick installation using PowerShell, run the following command:
PS C:\Users\administrator.STD> Install-WindowsFeature NPAS -Restart -IncludeManagementTools

Graphical User Interface (GUI)

  • In the Server Manager dashboard, navigate to Add Roles and Features:
Screenshot of the Server Manager in Windows Server, showing the 'Add Roles and Features' option highlighted under the 'Manage' menu.
  • Select Role-based or feature-based installation:
Screenshot of the Add Roles and Features Wizard in Windows Server, showing the selection of 'Role-based or feature-based installation' as the installation type.
  • Select the server:
Screenshot of the Add Roles and Features Wizard in Windows Server, showing the selection of a destination server from the server pool for role installation.
  • Select the Network Policy Server role:
Screenshot of the Add Roles and Features Wizard in Windows Server, showing the selection of 'Network Policy and Access Services' as the server role to install.
  • Just click Next:
Screenshot of the Add Roles and Features Wizard in Windows Server, showing the features selection step with options like .NET Framework 3.5 Features highlighted
  • Check the Restart destination server box and click on Install:
Screenshot of the Add Roles and Features Wizard in Windows Server, showing the confirmation step to install Network Policy and Access Services with the option to restart the server automatically selected.

Certificate Distribution for the NPS Server

Once the AD CS has been correctly configured, we can request a computer certificate from the NPS server.

Manually via the Certificate Management Console

  • From the NPS server, open the Certificate Management Console for the current computer:
Screenshot of the Windows Run dialog with certlm.msc entered, ready to open the Local Machine Certificate Management Console.
  • Right-click on the Personal folder and select Request New Certificate…:
Screenshot of the Certificates snap-in in the Local Computer Personal store, highlighting the option to request a new certificate.
  • Click Next to start the certificate enrollment process:
Certificate Enrollment Wizard displaying the 'Before You Begin' screen with instructions for requesting certificates.
  • Select the Active Directory Enrollment Policy and click Next to continue:
Certificate Enrollment Wizard showing the 'Select Certificate Enrollment Policy' screen with 'Active Directory Enrollment Policy' selected.
  • Select the previously defined NPS Policy and click Enroll:
Certificate Enrollment Wizard showing the 'Request Certificates' screen with 'NPS' selected and the 'Enroll' button highlighted.
  • Simply click on Finish when the enrollment process is complete:
Certificate Enrollment Wizard showing 'Certificate Installation Results' screen with the status 'Succeeded' for the NPS certificate, and the 'Finish' button highlighted.
  • After clicking on Refresh, you should see your computer's certificate appear:
Certificate Manager showing a successfully installed certificate in the 'Personal > Certificates' section. The certificate 'NPS.std.local' issued by 'std-ADCS-CA' with expiration date '8/1/2024' is highlighted.

Automatically through Group Policy (GPO)

To automate the certificate renewal process, we can create a GPO.

  • Go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and edit the Certificate Services Client - Auto-Enrollment policy:
Group Policy Management Editor with the selected 'Certificate Services Client - Auto-Enrollment' option in the Public Key Policies section. The context menu highlights 'Properties'.
  • Enable the Configuration Model and check the boxes to enable automatic certificate renewal:
Certificate Services Client - Auto-Enrollment Properties window showing configuration for automatic certificate renewal and updates.
  • Run gpupdate to obtain a certificate:
C:\> gpupdate

Configure NPS

  • Open the Network Policy Server console:
Run dialog box with the command 'nps.msc' entered to open the Network Policy Server management console.

Declare Access Point as RADIUS Clients

  • Navigate to NPS > RADIUS Clients and Servers > RADIUS Client and click New:
Network Policy Server console showing the creation of a new RADIUS client under the RADIUS Clients section.
  • For each Access Point, give it a Name, set the IP address, and create a strong password (use the same one for every Access Point):
New RADIUS Client configuration in Windows Network Policy Server for UniFi WiFi access points, including fields for Friendly Name, Address, and Shared Secret.
  • You should see all previously added Access Point in the RADIUS Clients folder:
List of configured RADIUS clients in Windows Network Policy Server, showing UniFi access points with friendly names, IP addresses, and enabled status for WPA Enterprise EAP-TLS.

Creating a Network Policy

We now need to create a Network Policy in which we define the group of users who can connect and the protocols used.

  • Click New in the Network Policies folder:
Creating a new network policy in Windows Network Policy Server for configuring WPA Enterprise with EAP-TLS on UniFi access points.
  • Give Policy a name:
Specifying network policy name and connection type in NPS.
  • Click on Add to specify the condition:
Adding conditions to a network policy in NPS.
  • Select User Groups, then click on Add Groups…:
Specifying user groups for network policy configuration during Wi-Fi EAP-TLS setup.
  • Add an Active Directory user group, such as Domain Users:
Selecting the Domain Users group for Wi-Fi EAP-TLS policy configuration.
  • Click on Next:
Overview of user group conditions specified for Wi-Fi EAP-TLS network policy.
  • Select Access granted:
Granting access permission for Wi-Fi EAP-TLS network policy configuration.
  • Choose Microsoft: Smart Card or other certificate as the EAP type and edit the configuration:
Configuring authentication methods for Wi-Fi EAP-TLS using certificates.
  • Select the certificate previously issued:
Screenshot of selecting the newly deployed certificate in the Ubiquiti Wi-Fi EAP-TLS setup.
  • Click on Next:
Configuring network policy constraints, including idle timeout, for Wi-Fi EAP-TLS setup.
  • Click on Next again:
Configuring RADIUS attributes and network policy settings for Wi-Fi EAP-TLS setup.
  • Finally, click on Finish to create the Policy:
Completing the new network policy configuration for Wi-Fi EAP-TLS.

UniFi Network Server

We now need to configure our UniFi Network Server to integrate the RADIUS (NPS) server.

  • Go to the Profiles menu and create a new RADIUS profile:
Creating a new RADIUS profile for Wi-Fi EAP-TLS configuration.
  • Click on Create New:
Option to create a new RADIUS profile for Wi-Fi EAP-TLS in network settings.
  • Give the RADIUS profile a Name and add the IP address of the NPS server for the Authentication Server and the RADIUS Accounting Server. Don't forget to add the password previously set on the NPS server, set the ports, then click on the Add buttons to validate the configuration:
Configuring settings for a new RADIUS profile, including authentication and accounting servers for Wi-Fi EAP-TLS.
  • Now go to the WiFi menu and add a new WiFi profile or modify an existing one:
Managing Wi-Fi network settings and global AP configurations for EAP-TLS setup.
  • Configure the Security Protocol and RADIUS Profile:
Advanced Wi-Fi network configuration with WPA3 Enterprise and RADIUS profile settings for EAP-TLS.

Supplicant (Windows Stations)

We'll now look at how supplicants obtain the certificate they'll use for authentication. We'll look at two methods: a manual method and an automatic method via GPO.

Certificate Distribution to Supplicants

Manually via the Certificate Management Console

  • Open the Certificate Management Console for the current user on the Supplicant machine:
Opening Windows certificate manager using certmgr.msc in the Run dialog.
  • Right-click on Personal and select Request New Certificate…:
Requesting a new certificate from the Personal store in Windows certificate manager.
  • Click Next to start the certificate enrollment process:
Certificate enrollment wizard introduction screen in Windows.
  • Select the Active Directory Enrollment Policy and click Next to continue:
Selecting the certificate enrollment policy in Windows enrollment wizard
  • Select the EAP-TLS Policy we defined earlier and click on Enroll:
Requesting an EAP-TLS certificate in the Windows certificate enrollment wizard.
  • Simply click on Finish when the enrollment process is complete:
Certificate installation results showing successful enrollment of EAP-TLS certificate in Windows.
  • After refreshing, you should see your Client Authentication certificate in the user certificate store:
Viewing the installed EAP-TLS certificate in the Personal store of Windows certificate manager.

Automatically via a Group Policy (GPO)

  • Go to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and edit the Certificate Services Client - Auto-Enrollment policy:
Accessing auto-enrollment properties in Group Policy Management Editor for certificate configuration.
  • Enable the Configuration Model and check the boxes to enable automatic certificate renewal:
Configuring auto-enrollment settings for user and computer certificates in Group Policy.
  • Run gpupdate to get a certificate:
C:\> gpupdate

The supplicants should now be able to connect to WPA Enterprise WiFi Access using EAP-TLS.

References