Network policy configuration for NPS server (on Windows Server 2022) with WPA3 Suite B authentication

Anonymous
2024-05-22T01:34:04+00:00

Dear MS Team

Kindly share with me the steps for configuring a network policy for WPA3 Suite B authentication.

I have made a new policy for Suite B with PEAP & smart card added under condition.

I am using a Samsung S23 as the client. The SSID radiates, but after entering the details for ID and domain, the save option is not available; it looks like there is something wrong.

Kindly provide the steps

Regards

Avanindra Kumar Mishra

Windows for business | Windows Server | Networking | Other

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

Accepted answer
  1. Anonymous
    2024-05-29T23:44:18+00:00

    Dear Avanindra K Mishra,

    Thank you for reaching out and providing detailed information regarding the issue.

    It appears that the Samsung Galaxy S23 may have compatibility issues with WPA3 Suite B when configured as suggested. Given that it connects successfully with WPA3 Transition and WPA3 Enterprise, the issue likely lies in the specific configuration for Suite B.

    To create a new security template for Suite B, please follow these steps to configure a certificate template for WPA3 Suite B authentication in NPS on Windows Server 2022:

    1. Open Certification Authority (CA):
      • Open the Certification Authority management console on your Windows Server 2022.
    2. Duplicate an Existing Template:
      • Right-click on the “Certificate Templates” folder and select “Manage.”
      • In the Certificate Templates Console, find an existing template (e.g., “Computer” template), right-click on it, and choose “Duplicate Template.”
    3. Configure the New Template:
      • On the “General” tab, name the new template (e.g., “WPA3 Suite B Template”).
      • On the “Request Handling” tab, ensure “Signature and encryption” is selected.
      • On the “Cryptography” tab, set the minimum key size and algorithm according to your security policy (e.g., 2048-bit RSA).
      • On the “Subject Name” tab, choose how the subject name should be generated (e.g., “Supply in the request” or “Build from this Active Directory information”).
    4. Configure Extensions:
      • On the “Extensions” tab, configure the Application Policies and ensure that “Client Authentication” is included.
      • Also, configure Key Usage and Extended Key Usage as required for WPA3 Suite B.
    5. Publish the Template:
      • Once the new template is configured, right-click on “Certificate Templates” in the Certification Authority console and select “New” -> “Certificate Template to Issue.”
      • Select your newly created template (e.g., “WPA3 Suite B Template”) and click “OK.”
    6. Configure NPS to Use the New Template:
      • Open the Network Policy Server (NPS) management console.
      • Under “Policies,” select “Network Policies” and find the relevant policy for WPA3 Suite B.
      • In the properties of the policy, ensure that the new certificate template is selected under the “EAP Types” and configure the EAP settings as needed.

    Please follow these steps and let us know if you encounter any issues or need further assistance.

    Best regards,

    Rosy
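
An added example, not part of the answer above: a PowerShell check that the certificates in the NPS server's computer store carry a key type suitable for WPA3 192-bit (Suite B) mode and the EKUs the template steps mention. It assumes the Wi-Fi Alliance requirement for that mode is ECDSA P-384 or RSA of at least 3072 bits; the function name `Test-SuiteBCertificate` is hypothetical.

```powershell
# Added example, not from the original answer.
# Assumption: WPA3-Enterprise 192-bit mode needs ECDSA P-384 or RSA >= 3072-bit keys.
$RsaOid        = '1.2.840.113549.1.1.1'   # rsaEncryption
$EcOid         = '1.2.840.10045.2.1'      # id-ecPublicKey
$P384Params    = '06052B81040022'         # DER encoding of curve OID 1.3.132.0.34 (secp384r1)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU

function Test-SuiteBCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $keyOid  = $Certificate.PublicKey.Oid.Value
        $keyInfo = "unsupported key type ($keyOid)"
        $keyOk   = $false
        if ($keyOid -eq $RsaOid) {
            $rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
            $keyInfo = "RSA $($rsa.KeySize)"
            $keyOk   = $rsa.KeySize -ge 3072
        }
        elseif ($keyOid -eq $EcOid) {
            # Compare the named-curve parameters instead of trusting the key size alone.
            $params  = [BitConverter]::ToString($Certificate.PublicKey.EncodedParameters.RawData) -replace '-'
            $keyOk   = $params -eq $P384Params
            $keyInfo = if ($keyOk) { 'ECC P-384' } else { "ECC (curve parameters $params)" }
        }
        # Collect the EKU OIDs from the typed extension object.
        $ekus = @($Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            Key        = $keyInfo
            Signature  = $Certificate.SignatureAlgorithm.FriendlyName
            KeyOk      = $keyOk
            ClientAuth = $ekus -contains $ClientAuthOid
            ServerAuth = $ekus -contains $ServerAuthOid
            NotAfter   = $Certificate.NotAfter
        }
    }
}

# Run on the NPS server against the computer certificate store.
Get-ChildItem Cert:\LocalMachine\My | Test-SuiteBCertificate | Format-Table -AutoSize
```

A row with `KeyOk` false identifies a certificate whose key would not satisfy the assumed 192-bit mode requirement, whichever template issued it.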

Accepted answer
  1. Anonymous
    2024-05-22T06:18:07+00:00

    Dear Avanindra Kumar Mishra,

    To configure Network Policy Server (NPS) for WPA3 Suite B authentication on a Windows Server 2022, follow these steps:

    Prerequisites

    1. Windows Server 2022 with NPS Role Installed: Ensure that the Network Policy and Access Services (NPAS) role is installed on your Windows Server 2022.
    2. Client Device: Samsung S23 (or any WPA3 capable device).
    3. Digital Certificates: Ensure you have the necessary certificates for PEAP (Protected Extensible Authentication Protocol) and smart card authentication.

    Steps to Configure NPS for WPA3 Suite B Authentication

    Step 1: Install and Configure NPS Role

    1. Open Server Manager and select Add Roles and Features.
    2. Install the Network Policy and Access Services role.
    3. Configure NPS as a RADIUS server.

    Step 2: Configure Certificates for PEAP and Smart Card Authentication

    1. Obtain and Install Certificates:
      • Ensure you have a server certificate installed on the NPS server. This certificate must be trusted by client devices.
      • Smart card certificates should also be configured and trusted.
    2. Register NPS in Active Directory:
      • Open NPS console.
      • Right-click NPS (Local), select Register server in Active Directory.

    Step 3: Configure Network Policy for WPA3 Suite B Authentication

    1. Open NPS Console:
      • Go to Start > Administrative Tools > Network Policy Server.
    2. Create a New Network Policy:
      • Right-click Network Policies, select New.
      • Name the policy, e.g., WPA3 Suite B Policy.
    3. Specify Conditions:
      • Click Add under Conditions.
      • Add conditions such as User Groups, Client IPv4 Address, Windows Groups, etc.
      • For WPA3 Suite B, add PEAP and Smart Card or other certificate under conditions.
    4. Specify Constraints:
      • Under Constraints, configure Authentication Methods.
      • Ensure Microsoft: Protected EAP (PEAP) is selected.
      • Configure PEAP settings by clicking Edit:
        • Select the server certificate.
        • Enable Smart Card or other certificate.
        • Optionally, configure Fast Reconnect and PEAP-TLV.
    5. Configure EAP Types:
      • In the EAP Types section, ensure that Smart Card or other certificate is added and configured.
    6. Specify Settings:
      • Under Settings, configure Encryption and Vendor Specific settings if required.
      • For WPA3, ensure strong encryption methods are selected.
    7. Finalize and Apply Policy:
      • Review the settings and click Finish to create the policy.

    Step 4: Configure Wireless Access Points (WAPs)

    1. Access WAP Configuration:
      • Login to your Wireless Access Point management interface.
    2. Configure SSID for WPA3:
      • Set the SSID to broadcast using WPA3 encryption.
      • Configure the security settings to match the NPS policy (e.g., PEAP and Smart Card authentication).
    3. Apply Changes:
      • Save the configuration changes on the WAP.

    Step 5: Configure Client Device (Samsung S23)

    1. Connect to the SSID:
      • On your Samsung S23, navigate to Wi-Fi settings.
      • Select the SSID configured for WPA3.
    2. Enter Credentials:
      • Enter the required credentials (ID and domain).
      • If the save option is not available, ensure that all necessary fields are correctly filled and certificates are installed on the device.
    3. Save and Connect:
      • Save the settings and attempt to connect to the network.

    Troubleshooting Tips

    1. Check Certificates: Ensure all certificates are properly installed and trusted on both the server and client devices.
    2. Verify Network Policy: Double-check the NPS network policy settings for any misconfigurations.
    3. Consult Logs: Use the Event Viewer and NPS logs to identify any errors or issues during the authentication process.

    Additional Resources

    By following these steps, you should be able to configure your NPS server for WPA3 Suite B authentication. If you encounter any issues, please provide additional details for further assistance. If you find the answer helpful, please mark it as the accepted answer.

    Best regards

    Rosy
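
An added example for the "Consult Logs" tip, not part of the answer above: a PowerShell summary of recent NPS grant and deny events from the Security log. It assumes NPS auditing is enabled so that event IDs 6272 (access granted) and 6273 (access denied) are recorded; the four-hour window is an arbitrary choice.

```powershell
# Added example, not from the original answer.
# Assumption: Network Policy Server auditing is enabled, so NPS writes
# event 6272 (granted) and 6273 (denied) to the Security log.
$since  = (Get-Date).AddHours(-4)
$filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the named EventData fields into a lookup table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Result     = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
        User       = $data['SubjectUserName']
        ClientMac  = $data['CallingStationID']
        Policy     = $data['NetworkPolicyName']
        EapType    = $data['EAPType']
        ReasonCode = $data['ReasonCode']
        Reason     = $data['Reason']
    }
}

if (-not $rows) {
    # No events at all means no RADIUS request reached NPS in this window:
    # look at the access point's RADIUS client settings and the client device
    # profile before changing the network policy.
    Write-Output "No NPS grant/deny events since $since."
}
else {
    # Most recent attempts first, then a count of denials per policy and reason code.
    $rows | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
    $rows | Where-Object Result -eq 'Denied' |
        Group-Object Policy, ReasonCode |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
}
```

The `Policy` column shows which network policy actually matched a request, which is the quickest way to see whether the Suite B policy or an earlier one in the processing order handled it.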


1 additional answer

  1. Anonymous
    2024-05-28T03:45:01+00:00

    Dear Rosy

    I have configured it exactly in the way suggested by you.

    It does not work. On clicking the WPA3 Suite B based SSID and entering the ID and domain name, the save option is not available on my device, a Samsung Galaxy S23, though I am able to connect to the WPA3 Transition and WPA3 Enterprise based SSIDs on the same device.

    It seems I need to create a new security template for Suite B. Kindly share with me the steps for creating a certificate template for WPA3 Suite B authentication in NPS configured on Windows Server 2022.

    Regards

    Avanindra K Mishra
