Third Party Wildcard Certificates for use with Microsoft NPS / RADIUS / PEAP

Solution 1:

I was unable to get a straight answer out of Microsoft, but all signs pointed to the certificate. I ended up purchasing a single domain SSL 2048-bit certificate that does Client and Server Authentication and installed it on the NPS server. Things returned to normal at this point.

Microsoft's implementation of PEAP/RADIUS/NPS apparently just doesn't play nice with Wildcard certificates, even though they don't list this constraint anywhere.

Edit:

After speaking with someone on the Microsoft PKI team, I was told that since our wildcard duplicates have a Subject Name of *.OurSchool.edu and not of the server, the Windows clients will reject it when negotiating PEAP. The server is explicitly listed by FQDN in the Subject Alternative Name field of the certificate, but apparently that makes no difference.

The support engineer did confirm that there are issues with many wildcard certificates because of this. If you use a third party CA that will allow you to get duplicates of your wildcard with the Subject Name field of your NPS server and move the wildcard to the SAN, then it should work fine. We did not test this theory, so take it with a grain of salt.
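The conditions described in this answer (Subject CN equal to the NPS server's name rather than a wildcard, Server Authentication in the EKU, a 2048-bit key) as a PowerShell audit of the local machine store; this is an added example, not code from the original post. It assumes it runs on the NPS server itself, and `$Fqdn` is derived from the local hostname (override it to audit a certificate for another host).

```powershell
# Added example: audit certificates in LocalMachine\My for the Subject/EKU
# conditions the answer describes for Windows PEAP clients.
# Assumption: run on the NPS server; $Fqdn can be set by hand instead.
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$NameType = [System.Security.Cryptography.X509Certificates.X509NameType]
$EkuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert = $_
    # The PEAP client compares the Subject CN; the SAN is shown for reference only,
    # since the answer reports that a matching SAN does not rescue a wildcard CN.
    $cn  = $cert.GetNameInfo($NameType::SimpleName, $false)
    $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }) -join '; '
    $eku = $cert.Extensions | Where-Object { $_ -is $EkuType } |
           ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    $keyBits = $cert.PublicKey.Key.KeySize

    $problems = @()
    if ($cn.StartsWith('*.')) { $problems += "wildcard Subject CN '$cn'" }
    elseif ($cn -ne $Fqdn)    { $problems += "Subject CN '$cn' is not this server's FQDN '$Fqdn'" }
    if ($eku -notcontains $ServerAuthOid) { $problems += 'EKU lacks Server Authentication' }
    if ($keyBits -lt 2048)    { $problems += "key is only $keyBits bits" }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        SubjectCN  = $cn
        SAN        = $san
        KeyBits    = $keyBits
        OkForPEAP  = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
} | Format-Table -AutoSize
```

A certificate that reports `OkForPEAP` as `False` with a wildcard CN is the case the answer describes; replacing it with a single-name certificate whose CN is the server FQDN clears that entry.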