Certificate Filtering for EAP TLS / PEAP TLS / TTLS TLS profiles for WiFi and VPN for Windows

Overview

Enterprises deploying certificate-based EAP authentication for VPN/Wi-Fi on Windows Phone and Windows Desktop devices can face a situation where multiple certificates meet the default criteria for authentication. This can lead to a number of issues, such as:

  • The user may be prompted to select the certificate.
  • The wrong certificate may get auto selected and cause the authentication to fail.

A production-ready deployment must include the appropriate certificate details as part of the profile being deployed. This article explains how to create an EAP configuration XML that filters out extraneous certificates and uses the appropriate certificate for authentication.

References/Terms:

Prerequisites

Before you use certificates for EAP authentication with Windows devices, you must meet the following requirements and prerequisites.

  • The certificate must have at least one of the following EKU (Extended Key Usage) properties:
    • Client Authentication
      • As defined by RFC 5280, this is a well-defined OID with value 1.3.6.1.5.5.7.3.2.
    • Any Purpose
      • An EKU defined and published by Microsoft; it is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical/custom EKUs can still be added to the certificate for effective filtering.
    • All Purpose
      • As defined by RFC 5280, if a CA includes extended key usages to satisfy some application needs but does not wish to restrict usages of the key, the CA can add an Extended Key Usage value of 0. A certificate with such an EKU can be used for all purposes.
  • The user or computer certificate on the client chains to a trusted root CA.
  • The user or computer certificate does not fail any of the checks performed by the CryptoAPI certificate store. The certificate must also pass the requirements in the remote access policy.
  • The user or computer certificate does not fail any of the certificate object identifier checks specified on the Internet Authentication Service (IAS)/RADIUS server.
  • The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.

Configure a Wi-Fi EAP profile

Configure the Wi-Fi EAP settings by manually editing the XML and updating the profile.

To configure the Wi-Fi profile:

  1. Configure your XML settings using the example XML below.
  2. Navigate to Devices > Profiles and find your Wi-Fi profile.
  3. Select the Edit radio button and select the XML button.
  4. Copy the XML and open it in an XML editor such as Notepad++.
  5. In the XML, look for the <EAPConfig> section. Within these tags you will find the complete EAP configuration.
  6. Replace the section under <EAPConfig> with your updated XML.
  7. Copy the updated XML.
  8. In the AirWatch Admin Console, navigate to Devices > Profiles > Add > Windows > Windows Desktop.
  9. Create a Custom Settings profile.
  10. Paste the XML into the Custom Settings field.
  11. Select Save & Publish.

VPN

Configure the VPN EAP settings by manually editing the XML and updating the profile.

To configure the VPN profile:

  1. Navigate to Devices > Profiles and find your VPN profile.
  2. Select the Edit radio button and select the XML button.
  3. Copy the XML and open it in an XML editor such as Notepad++.
  4. In the XML, look for the <EAPHostConfig> section. Within these tags you will find the complete EAP configuration.
  5. Replace the section under <EAPHostConfig> with your updated XML.
  6. Copy the updated XML.
  7. In the AirWatch Admin Console, navigate to Devices > Profiles > Add > Windows > Windows Desktop.
  8. Create a Custom Settings profile.
  9. Paste the XML into the Custom Settings field.
  10. Select Save & Publish.

EAP TLS XML:

Note that all of the different filtering methods are included in this example. See the <FilteringInfo> element and its comments for details.

<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod>
        <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
        <!-- Type defines the EAP method; 13 means EAP TLS -->
        <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
        <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
        <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
        <!-- The three properties above identify the method publisher; non-zero values are seen primarily in third-party vendor methods. -->
        <!-- For Microsoft EAP TLS these fields are always 0. -->
    </EapMethod>
    <!-- With the EAP method defined, the configuration follows. -->
    <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>13</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                <CredentialsSource>
                    <!-- The credential source can be either CertificateStore or SmartCard. -->
                    <CertificateStore>
                        <SimpleCertSelection>true</SimpleCertSelection>
                        <!-- SimpleCertSelection automatically selects a certificate when several identical (same UPN, issuer, etc.) certificates exist. -->
                        <!-- It uses a combination of rules to select the right certificate. -->
                    </CertificateStore>
                </CredentialsSource>
                <ServerValidation>
                    <!-- ServerValidation fields control whether the server being connected to and the server certificate it presents are checked for trust. -->
                    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                    <ServerNames/>
                </ServerValidation>
                <DifferentUsername>false</DifferentUsername>
                <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
                <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
                <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                    <!-- The information relevant to certificate filtering is below. -->
                    <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                        <CAHashList Enabled="true">
                            <!-- Enabled="true" means you want to filter by issuer hash. -->
                            <!-- The thumbprint of the issuing certificate goes in IssuerHash; the ff ff ... value is a placeholder. -->
                            <IssuerHash>ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff</IssuerHash>
                            <!-- You can add multiple IssuerHash entries; a certificate matches when at least one of these certificates is in its chain. -->
                        </CAHashList>
                        <EKUMapping>
                            <!-- This section defines any custom EKUs you are adding. -->
                            <!-- YOU DO NOT NEED THIS SECTION IF YOU DO NOT HAVE CUSTOM EKUs. -->
                            <!-- You can define many EKUs here and then reference them by name below. -->
                            <!-- Every EKU name referenced in ClientAuthEKUList below must first be defined here. -->
                            <EKUMap>
                                <!-- A friendly name for the EKU, for example: -->
                                <EKUName>ContosoITEKU</EKUName>
                                <!-- The OID value your CA adds to the certificate, for example: -->
                                <EKUOID>1.3.6.1.4.1.311.42.1.15</EKUOID>
                            </EKUMap>
                            <EKUMap>
                                <EKUName>Foo1</EKUName>
                                <EKUOID>2.23.133.8.3</EKUOID>
                            </EKUMap>
                            <EKUMap>
                                <EKUName>Foo2</EKUName>
                                <EKUOID>1.3.6.1.4.1.311.20.2.1</EKUOID>
                            </EKUMap>
                        </EKUMapping>
                        <ClientAuthEKUList Enabled="true">
                            <!-- Enabled="true" means certificates with the Client Authentication EKU may be used for authentication. -->
                            <!-- Each EKUMapInList entry requires the named custom EKU in addition to the Client Authentication EKU. -->
                            <EKUMapInList>
                                <!-- Use a name defined in the EKUMapping section above. -->
                                <EKUName>ContosoITEKU</EKUName>
                            </EKUMapInList>
                            <!-- You can map multiple custom EKUs here; each additional EKU is combined with an AND operand, -->
                            <!-- i.e. Client Auth EKU AND ContosoITEKU AND Foo1. -->
                            <EKUMapInList>
                                <EKUName>Foo1</EKUName>
                            </EKUMapInList>
                        </ClientAuthEKUList>
                        <AllPurposeEnabled>true</AllPurposeEnabled>
                        <!-- A certificate with the EKU field = 0 will be selected. -->
                        <AnyPurposeEKUList Enabled="true" />
                        <!-- A certificate with the EKU OID value 1.3.6.1.4.1.311.10.12.1 will be selected. -->
                        <!-- As with Client Auth, you can add custom EKU properties to AnyPurposeEKUList (but not to AllPurposeEnabled). -->
                        <!-- In summary, the policy above selects a certificate that has
                        Issuer Thumbprint = ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                        AND
                        ((Client Authentication EKU AND ContosoITEKU AND Foo1) OR (AnyPurposeEKU) OR AllPurpose Certificate)

                        Any certificate(s) that match these criteria will be used for authentication.
                        -->
                    </FilteringInfo>
                </TLSExtensions>
            </EapType>
        </Eap>
    </Config>
</EapHostConfig>

Note: For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements.

Note: The XSD for this XML ships with the Windows build; refer to the References section for its location.

Use the Native Windows EAP Configuration Method

Instead of manually creating the XML, you can use the native Windows EAP configuration method. This method requires PowerShell to retrieve the generated XML.

To use the native Windows EAP configuration method:

  1. On your Windows Desktop device, open Start and search for "rasphone.exe".
  2. If you do not currently have any VPN connections and an alert asks you to add one, click OK.
  3. Select Workplace Network.
  4. Enter dummy information for the Internet Address and Connection Name. This information can be fake because it does not affect the authentication parameters. Select Create.
  5. Select the fake VPN connection you just created and select Properties.
  6. In the Test Properties dialog, click the Settings tab and select the Use Extensible Authentication Protocol (EAP) radio button.
  7. Select Microsoft: Smart Card or other certificate from the drop-down menu. This selects EAP TLS.
     (Screenshot: WindowsEAP1.png)
  8. Click the Properties button under the drop-down menu, then select the Advanced button.
     (Screenshot: WindowsEAP2.png)
  9. Adjust the certificate filters as needed for your organization.
     (Screenshot: WindowsEAP3.png)
  10. Click OK on the three nested windows to get back to the main rasphone.exe dialog.
  11. Close the rasphone dialog.
  12. Switch to PowerShell and use the following cmdlets to retrieve the EAP configuration XML ("Test" is the Connection Name entered in step 4):
      Get-VpnConnection -Name Test
      $a = Get-VpnConnection -Name Test
      $a.EapConfigXmlStream.InnerXml

You can also set all the other applicable EAP properties through this UI. A guide to what these properties mean is available at https://technet.microsoft.com/en-us/library/hh945104.aspx.

For PEAP or TTLS, select the appropriate method in step 8 above, click Properties, and in the next screen select "Microsoft: Smart Card or other Certificate" as the inner method; configure it to get an experience similar to the one above.
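As an added example (not code from the original article or from AirWatch), the PowerShell function below applies the FilteringInfo rules explained in the EAP TLS XML section to the certificates in the current user's Personal store, so you can see on a test device which certificates the profile would accept before publishing it. The function name is assumed, the matching semantics follow the article's summary comment (issuer hash AND (Client Auth plus custom EKUs, OR Any Purpose, OR All Purpose)), and "all purpose" is interpreted as a certificate with no EKU extension or with the RFC 5280 anyExtendedKeyUsage OID.

```powershell
# Assumption: FilteringInfo semantics follow the article's summary comment, and
# "all purpose" means no EKU extension, or RFC 5280 anyExtendedKeyUsage (2.5.29.37.0).
function Get-EapTlsCandidateCert {
    param([Parameter(Mandatory)][string]$EapXml, [string]$StorePath = 'Cert:\CurrentUser\My')
    [xml]$doc = $EapXml
    $fi = $doc.SelectSingleNode("//*[local-name()='FilteringInfo']")   # local-name() ignores the default namespaces
    if (-not $fi) { throw 'No FilteringInfo element found in the EAP XML.' }
    # Issuer thumbprints, normalised (no spaces, upper case) to match X509Certificate2.Thumbprint
    $issuerHashes = @($fi.SelectNodes("*[local-name()='CAHashList' and @Enabled='true']/*[local-name()='IssuerHash']") |
        ForEach-Object { ($_.InnerText -replace '[^0-9A-Fa-f]', '').ToUpper() })
    # Friendly EKU names -> OIDs from EKUMapping
    $ekuMap = @{}
    foreach ($m in $fi.SelectNodes("*[local-name()='EKUMapping']/*[local-name()='EKUMap']")) {
        $ekuMap[$m.SelectSingleNode("*[local-name()='EKUName']").InnerText.Trim()] =
            $m.SelectSingleNode("*[local-name()='EKUOID']").InnerText.Trim()
    }
    $caList = $fi.SelectSingleNode("*[local-name()='ClientAuthEKUList']")
    $clientAuthOn = $caList -and $caList.GetAttribute('Enabled') -eq 'true'
    # Custom EKUs that must be present together with Client Authentication (AND-ed)
    $requiredOids = @()
    if ($clientAuthOn) {
        $requiredOids = @($caList.SelectNodes("*[local-name()='EKUMapInList']/*[local-name()='EKUName']") |
            ForEach-Object { $ekuMap[$_.InnerText.Trim()] })
    }
    $anyList = $fi.SelectSingleNode("*[local-name()='AnyPurposeEKUList']")
    $anyPurposeOn = $anyList -and $anyList.GetAttribute('Enabled') -eq 'true'
    $allPurposeOn = $fi.SelectSingleNode("*[local-name()='AllPurposeEnabled']").InnerText -eq 'true'
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the chain's thumbprints are needed here
        $null = $chain.Build($cert)
        $chainHashes = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate.Thumbprint })
        $issuerOk = ($issuerHashes.Count -eq 0) -or
            (@($chainHashes | Where-Object { $issuerHashes -contains $_ }).Count -gt 0)
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        $clientAuthOk = $clientAuthOn -and ($ekus -contains '1.3.6.1.5.5.7.3.2') -and
            (@($requiredOids | Where-Object { $ekus -notcontains $_ }).Count -eq 0)
        $anyPurposeOk = $anyPurposeOn -and ($ekus -contains '1.3.6.1.4.1.311.10.12.1')
        $allPurposeOk = $allPurposeOn -and (($ekus.Count -eq 0) -or ($ekus -contains '2.5.29.37.0'))
        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            IssuerMatch = $issuerOk
            Eligible    = $issuerOk -and ($clientAuthOk -or $anyPurposeOk -or $allPurposeOk)
        }
    }
}
```

On the test device from the procedure above, run `Get-EapTlsCandidateCert -EapXml (Get-VpnConnection -Name Test).EapConfigXmlStream.InnerXml | Format-Table`; more than one row with Eligible = True means the filter is still loose enough to trigger the prompt or wrong-certificate problems described in the overview.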
