There are three things to do…
1. Setup Group Policy to auto enroll workstations and servers with certificates
2. Install Enterprise Certificate Authority
3. Setup NPS to allows devices that have certificates issued by the CA to be allowed to connect.
I like to start with group policy first because when you install the CA, it starts handing out certs immediately.
Go to the Default Domain policy or I guess you could create one for this specifically (but I think that’s silly), and expand
Computer Configuration – Policies – Security Settings – Public Key Policies
Go to the properties of “Certificate Services Client – Auto-Enrollment” and change configuration model to “Enable”, then enable the two check boxes in the image below. The first check box allows certs to be auto renewed, since they are issued with a one year life span. The second check box allows certs to be updated if you should choose to modify the template (rare case).
Next, expand Computer Configuration – Policies – Windows Settings – Security Settings – Public Key Policies – Automatic Certificate Request Settings
From there, right click and create a new Policy, and choose the Computer template. Without this template, I find that certs will get issued automatically to member servers and domain controllers, but not workstations.
Regarding the type of template to use, Computer Template or Domain Controller Template, there is a nice chart listed on technet documentation here and a mention of templates on technet forums here.
It should look like the image below:
The next process is to install the Certificate Authority. Here is my advice, by default the name of the certificate authority is the first part of your active directory dns domain name followed by your server name. For example, if your domain is contoso.com, and the server is dc1, then the name of the root certificate and the certificate authority will be contoso-dc1. Because it’s possible to move this to another server later on, I don’t like to tie in the server name with the CA name, so I rename it during the installation process of the CA and call it, following my example, Contoso-EnterpriseRoot-CA. That will be the online name and also the name of the root certificate.
Start server manager, and install the Certificate Authority role. During the installation wizard you will want at a minimum “Certificate Authority” and “Certificate Authority Web Enrollment” services checked. If you plan on giving non-domain member devices (iPads) certificates, then install the “Network Device Enrollment Service” also. This last role service requires you to setup a “proxy” user account to request certificates on behalf of non domain member devices. I like to create a user called NetDeviceEnrollService or something similar to that and put more info into the description area.
During the installation, you will have an opportunity to rename your CA to what you want.
Once it’s installed, you don’t have to reboot the server or anything. In fact, if you open the local certificate store and look at the Trusted Certificate Authorities section, you should see the certificate listed there.
You should start seeing this on all servers and workstations…. why? Because the default setting in windows is to trust any root CA that is “registered in Active directory”. What you see below is a report from gpresult.exe utility on a member server.
That completes the certificate portion installation.
The next part is configuring the Network Policy Server (NPS) to issue certs.
Configure a wireless policy that uses MS-CHAPv2 in combination with certificates issued by the CA.