Hello Bandith,
Thank you for your question and for reaching out with your question today.
When implementing WPA2-Enterprise with 802.1X authentication using Microsoft PEAP and Cisco Meraki APs with Windows NPS as the RADIUS server, it is recommended to use a trusted Public Certificate Authority (CA) to issue the server certificate for the NPS server. This ensures that client devices trust the certificate and establish secure connections.
Here are the steps to obtain a trusted certificate from a Public CA and configure it for use with Windows NPS:
1. Choose a Public Certificate Authority (CA): There are several well-known Public CAs available that offer certificates suitable for use with WPA2-Enterprise. Some popular options include DigiCert, Sectigo (formerly Comodo), GlobalSign, GoDaddy, and Entrust. You can visit their websites to explore the different certificate types and pricing options.
2. Generate a Certificate Signing Request (CSR): The next step is to generate a CSR from your NPS server. You can generate the CSR using the Internet Information Services (IIS) Manager. Follow these steps:
- Open the IIS Manager on the NPS server.
- Select the server in the Connections pane.
- Double-click on the "Server Certificates" feature.
- Click on "Create Certificate Request" in the Actions pane.
- Fill in the required details, including the Common Name (CN) for the NPS server.
- Choose a strong cryptographic key size (e.g., 2048 bits or higher).
- Save the CSR file to a location on the server.
3. Submit the CSR to the Public CA: Go to the website of the chosen Public CA and navigate to their SSL certificate issuance page. Look for an option to submit a CSR. Upload the CSR file you generated in the previous step and follow the instructions provided by the CA to complete the certificate issuance process. The CA will typically validate your domain ownership and identity before issuing the certificate.
4. Obtain the issued certificate: Once the Public CA completes the validation process, they will issue a server certificate for your NPS server. You will receive the issued certificate in a format such as PEM or PFX. Follow the CA's instructions to download and obtain the certificate.
5. Import the certificate to the NPS server: Import the issued certificate into the NPS server using the IIS Manager. Here's how:
- Open the IIS Manager on the NPS server.
- Select the server in the Connections pane.
- Double-click on the "Server Certificates" feature.
- Click on "Complete Certificate Request" in the Actions pane.
- Browse and select the certificate file issued by the Public CA.
- Provide a friendly name for the certificate.
- Complete the import process.
6. Configure NPS to use the certificate: Open the NPS MMC snap-in and configure the server certificate in the NPS configuration. Here's how:
- Open the NPS MMC snap-in.
- Expand "Policies" and click on "Network Policies."
- Double-click on the network policy you want to configure.
- Go to the "Constraints" tab and click on "Authentication Methods."
- Select "Microsoft: Protected EAP (PEAP)" and click on "Edit."
- Under "Certificate issued or trusted by", select the certificate you imported in the previous step.
- Configure other settings as per your requirements and save the changes.
7. Update client devices: After configuring the NPS server with the trusted certificate, ensure that client devices trust the CA that issued the certificate. Some client devices may require additional configuration to trust the CA. This can include installing the CA's root certificate or intermediate certificate chain on the client devices. Consult the documentation for each device or platform to determine the specific steps for trusting the CA.
By following these steps, you can obtain a trusted certificate from a Public CA and configure it for use with Windows NPS in your WPA2-Enterprise deployment. This will ensure that client devices trust the certificate and establish secure connections.
I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.
If the reply was helpful, please don’t forget to upvote or accept as answer.
Best regards.
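A check that can follow steps 5 and 6 of the answer above: list the certificates in the NPS server's machine store and report whether each one has a private key, carries the Server Authentication EKU, meets the 2048-bit key size from step 2, and chains and name-matches for the server name. This is an added example, not part of the original answer; `nps01.example.com` and the function name `Test-NpsPeapCertificate` are placeholders, and the chain check reflects the server's own trust store, not that of the client devices in step 7.

```powershell
# Added example (not from the original answer). Run in an elevated session on the NPS server.
$NpsFqdn       = 'nps01.example.com'   # placeholder: the server name your clients validate
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-NpsPeapCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Fqdn
    )

    # EKU OIDs from the Enhanced Key Usage extension (empty if the extension is absent).
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # RSA key size; $null for non-RSA keys, which this sketch does not evaluate.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $rsaBits = if ($rsa) { $rsa.KeySize } else { $null }

    # Chain build plus server-name match under the SSL policy, as seen from this server.
    $chainOk = Test-Certificate -Cert $Cert -Policy SSL -DNSName $Fqdn `
        -WarningAction SilentlyContinue -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        DnsNames      = ($Cert.DnsNameList.Unicode -join ', ')
        HasPrivateKey = $Cert.HasPrivateKey                  # false: the request was not completed on this server
        ServerAuthEku = $ekuOids -contains $ServerAuthOid
        RsaKeyBits    = $rsaBits                             # compare against 2048 from step 2
        DaysLeft      = [int]($Cert.NotAfter - (Get-Date)).TotalDays
        ChainAndName  = [bool]$chainOk
    }
}

# Evaluate every certificate in the local machine's Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-NpsPeapCertificate -Cert $_ -Fqdn $NpsFqdn } |
    Format-Table -AutoSize
```

A row with `HasPrivateKey`, `ServerAuthEku` and `ChainAndName` all true and a comfortable `DaysLeft` is a candidate for selection in the PEAP properties; any false value is worth resolving before pointing clients at the server.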
Public CA for Microsoft NPS authentication - WPA2-Enterprise with 802.1X authentication (Microsoft: Protected EAP (PEAP))

Dear Community,
We are implementing WPA2-Enterprise with 802.1X authentication (Microsoft: Protected EAP (PEAP)) from CISCO Meraki AP and Windows NPS as a RADIUS server, with Active Directory acting as a userbase. However, we are not sure which certificate from a Certificate Authority (CA) can be used in our NPS so that it is trusted by clients on the network.
We are using a self-signed certificate, but it is not recommended for production deployment due to dramatically reduced security, especially on Android version 11 and up...
Please kindly give me some advice on what is the correct Public Certificate Authority (CA) that can be used. If possible, provide the steps to implement it.
Thank you, and looking forward to your advice.
Have a great day!
Limitless Technology 44,776 Reputation points
2023-06-14T08:24:36.05+00:00