Active Directory Certificate Services

Aaron 21 Reputation points
2021-09-08T15:12:23.377+00:00

I am researching how to implement Active Directory Certificate Services to our existing domain. The primary purpose is to use it for 802.1X Wireless authentication.

Since our environment has iPads and Windows 10 PCs I intend to use AD user credentials for Wireless authentication.

We have 20K users, so I would think 1 ADCS dedicated server would be ok and 2 separate RADIUS/NPS servers.

Can anyone help me understand the following:

  1. Does this sound reasonable for what I am trying to do?
  2. If I install and configure ADCS as an Enterprise Server will that have any effect on the current users or servers?

Accepted answer
  1. Charles Thivierge 4,171 Reputation points
    2021-09-10T13:49:12.963+00:00

    If "Register server in Active Directory" is greyed out it's because it has been already registered.

    For the clients, the user template already has Client Authentication. You can duplicate this template to create your own custom template with a name like wificlient or something else. Normally, each client should have its own certificate and you should have the UPN (******@mydomain.com) as principal name.

    For your client devices that are Domain joined (Windows), you can configure autoenrollment for users with the same template.

    The NPS Server needs a certificate with Server Authentication. You can use or duplicate the Web Server certificate template and create your custom certificate with a name like npstemplate or something else that describes the role of the template.

    For a certificate to be valid, the client and the server must trust the certificate chain (RootCA, SubCA...). In your case, you only have a RootCA.
    Normally, all your Domain joined computers should already trust your RootCA. For all other devices, you should be able to install the RootCA using MDM.

    ref:
    https://support.apple.com/en-ca/guide/deployment-reference-ios/apddb157952e/web
    https://support.apple.com/en-ca/guide/deployment-reference-ios/apd1145c7251/1/web/1.0

    hth

    1 person found this answer helpful.
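A quick way to verify the three conditions this answer lists (a server certificate with Server Authentication and a private key, a client certificate with Client Authentication and the UPN in the SAN, and a chain both sides trust), written as an added PowerShell example that is not from the thread. The function names, the store paths and the use of the standard EKU OIDs are my assumptions.

```powershell
# Added example (not from the thread). Run on the NPS server (server check) or on a
# domain-joined client (user check). Assumed: standard EKU OIDs, the usual personal stores.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-NpsServerCertificate {
    # Flags machine certificates NPS can use for PEAP: Server Authentication EKU,
    # private key present, chain builds to a root the clients trust (your RootCA).
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $hasServerAuth = $cert.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid
        # Test-Certificate returns $false (plus an error we suppress) when the chain fails
        $chainOk = [bool](Test-Certificate -Cert $cert -Policy Base -EKU $ServerAuthOid `
                          -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            ServerAuthEku = $hasServerAuth
            PrivateKey    = $cert.HasPrivateKey
            ChainTrusted  = $chainOk
            UsableForNps  = $hasServerAuth -and $cert.HasPrivateKey -and $chainOk
        }
    }
}

function Get-CertificateUpn {
    # Reads the UPN from the Subject Alternative Name extension (OID 2.5.29.17), where the
    # duplicated User template places it. The "Principal Name" label is localized on
    # non-English Windows, so adjust the pattern there.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and $san.Format($true) -match 'Principal Name=([^\s,]+@[^\s,]+)') {
        return $Matches[1]
    }
    return $null
}

function Test-WifiClientCertificate {
    # Same check for the user store: Client Authentication EKU, private key, UPN in SAN.
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $hasClientAuth = $cert.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid
        $upn = Get-CertificateUpn -Cert $cert
        [pscustomobject]@{
            Subject       = $cert.Subject
            ClientAuthEku = $hasClientAuth
            Upn           = $upn
            UsableForWifi = $hasClientAuth -and $cert.HasPrivateKey -and [bool]$upn
        }
    }
}
```

Pipe either function to `Format-Table -AutoSize`; a row whose UsableForNps or UsableForWifi column is false shows which of the conditions above is missing on that machine.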

9 additional answers

  1. Charles Thivierge 4,171 Reputation points
    2021-09-08T16:42:04.417+00:00

    I would recommend looking at those articles for the ADCS and NPS/Radius design:

    https://social.technet.microsoft.com/wiki/contents/articles/7421.active-directory-certificate-services-ad-cs-public-key-infrastructure-pki-design-guide.aspx
    https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top

    For the second question, adding an Enterprise CA in your organization should not cause any effect on your current environment.

    hth

    1 person found this answer helpful.

  2. Charles Thivierge 4,171 Reputation points
    2021-09-08T17:49:35.817+00:00

    Correct. Even if a user receives a certificate, it does not cause any issue because the certificate will not be used by any application.

    When the user connects to the Wi-Fi and the NPS policy is configured, at that time the certificate will be used to authenticate the client.

    1 person found this answer helpful.

  3. Charles Thivierge 4,171 Reputation points
    2021-09-08T18:42:24.6+00:00

    Here is a good document that will help you configure this:

    https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements

    For the other question, Apple has published a document on how to connect Apple devices to an 802.1x network:
    https://support.apple.com/en-ca/guide/deployment-reference-ios/apd7b6d34790/web

    hth

    1 person found this answer helpful.

  4. Limitless Technology 39,916 Reputation points
    2021-09-09T19:47:50.243+00:00

    Hello @Aaron

    Firstly, installing and configuring ADCS as an Enterprise Server will never affect your current users and servers, as it doesn't have the authority to do so.

    Do have a look at the Network Policy Server Management with Administration Tools using the below link for a better understanding:

    https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-admintools

    Hope this answers all your queries, if not please do repost back.
    If an Answer is helpful, please click "Accept Answer" and upvote it : )

    Regards,

    1 person found this answer helpful.