Hi,
I'm currently converting a wifi setup with PEAP (client auth using MSCHAPv2) to TLS-EAP and I'm wondering how exactly the server verifies the client certificate.
I have a private CA, which I selected in the wireless profile pushed to clients. So the client won't accept a server certificate issued by any other CA, even if it matches.
All domain computers autoenroll for a computer certificate and the wireless profile is setup so the computer certificate is used.
The NPS server has as condition in its policy that the client is in the "Domain Computers" group to be granted access.
Now, how does the server verify the certificate sent by the client? I don't see an option to "lock" the accepted certificate to an issuing CA like the one present in the client profile. So I came up with the following possibilities:
1. The server only accepts certificates from the same CA its own certificate was issued by, and then either uses the username sent by the client, the one in the certificate, or both (if so, which does it use/check?).
2. The server trusts any certificate that is issued by any locally trusted root CA (including the commercial ones). This seems unlikely, since in the past commercial CA's would issue certificates for *.local DNS names. So in that case anyone could just procure a certificate from a commercial CA that matches one of my domain computers.
3. The domain computer's certificate is published in AD, and the NPS server matches the certificate it gets from the client to the one in AD.
Option 3 makes the most sense to me, since that way the server will only accept the one certificate that was issued to the computer/client and nothing else. However, I can't seem to find any details in the documentation, only that "if the server trusts the client certificate the client is granted access" with no elaboration on what "trusts" means exactly.
Can someone tell me which of the options is correct, or whatever other option I didn't think about?
Lastly, I'd also like to know how I can debug the entire authentication process on a low level (eg. every step taken), so if someone knows how to do this please tell me :) Both for the server side (2012R2) and client side (Win8.1 & Win10).
Thank you in advance!
PS. I'm wondering something else, and since someone that can answer the above is likely to know this as well, I figured I'd ask it here: Currently in the NPS policy I have selected "Strongest Encryption" 128-bit MPPE on the Settings tab->Encryption. Is MPPE even used in a wireless setup such as mine? As far as I know MPPE is used for PPP connections as main encryption of data after authentication, and the wireless connection will be encrypted using AES/CCMP as setup on the access point (and not with MPPE).
However, I noticed in the latest RFC defining EAP-TLS that the Pairwise Master Key (PMK) was previously named a "MS-MPPE key", so perhaps this setting controls the entropy in the generated PMK sent to, and then used by, the access point to use for its AES/CCMP? Does this encryption setting have any bearing on a wireless authentication setting such as mine, and if so, how exactly?
If not, how does the NPS generate the PMK that the access point is to use for encryption? I know a random PMK should somehow be generated by the NPS, which is what makes WPA2-Ent so much more secure relative to WPA2-PSK (which always uses the same PMK generated from the PSK and the SSID as salt). I'd like to understand how this part works ;)