Hi Everyone, I need some assistance with the certificate required for the NPS server that allows both network clients and Meraki APs to validate the server's identity. We do not have a PKI so we will be obtaining a certificate from a trusted CA. I want to deploy two radius servers in our forest for resiliency and I want to use a single certificate for both of them.
Do I need to generate a CSR from one of the servers to purchase the certificate from a CA? It needs to be a certificate that all our domain joined machines trust as well and we've been given the option of purchasing a GeoTrust certificate from our certificate provider. Would this work? Would I just need to add the certificate to the radius servers and then would we need to deploy the same certificate to our domain joined machines which exist in child domains within the forest it would be purchased from?
My certificate knowledge is not the greatest hence the post, hope you can help.
Using a certificate from a trusted PKI is almost pointless. A certificate verifies that the DNS name you are accessing actually belongs to the server you end up talking to.
With PEAP (eap EAP-TTLS) the WiFi client does not know the DNS name of the RADIUS server it will be talking to.
The most you could do is to create a group policy to pre-mark it as a trusted certified.
It is often easiest to deploy a Microsoft CA server on one of your existing servers, so it is AD integrated, and then let the NPS servers request the certified. Having the CA server part of AD makes all the AD joined computers trusted it automatically.
For customers that don't have Microsoft CA deployed these days I frequently generate special self signed certificates using openssl, and then just create a group policy to tell all AD members to trust the certificate. But the process is quite complicated to explain. Using the Microsoft CA is much easier if you have not done it before.