You can ask your VPN admin why your authentication attempt was rejected and she/he can look at the logs and tell you. Usually it’s one of…
- The client cert you used is not from a CA the VPN trusts.
- The subject or SAN is not in the expected format.
- The cert isn’t valid… it has the wrong usage settings, it or an intermediate it it’s trust chain is expired, etc.
- The authentication system is checking a directory to make sure it contains object that matches the certificate subject but there is none. (Some RADIUS systems just check that the cert is valid and was generated by a trusted CA. Others also check that the computer or use is actually in AD and not disabled. So, for example, AD-bound Windows PCs connect fine, but iPhones don’t. iPhones don’t bind to AD so a host-name cert won’t work but a user-name cert will.)
We setup NDES SCEP for Jamf Pro and our certificate payload worked. We got a certificate with the correct subject and SAN. But the device would not connect to the network. It just kept asking for a login username/password. We noticed that the usages on the cert did not include “client identification”.
We looked at the template we’d set up for NDES and the usages looked good there. An NDES registry entry had been updated to point to the template. But it turns out our request wasn’t getting handled by the right template.
In the SCEP payload, there are these two checkboxes just after keysize. What do they do?
These are there to set the cert purpose. If you want to use the cert for Signature and encryption, you need to check both, for just encryption (probably what you want for a wifi cert), just check the second box. These check boxes map to a template registry key in NDES.
Logon to NDES and go to
HKLM\Software\Microsoft\Cryptography\MSCEP in regedit. You’ll see 3 registry entries:
- SignatureTemplate (corresponds to Signature purpose)
- EncryptionTemplate (corresponds to Encryption purpose)
- GeneralPurposeTemplate (corresponds to Signature and encryption purpose)
I don’t know what template gets used if you don’t check either box — haven’t checked that yet. But I put the correct template name in as the general purpose template and checked both the boxes and re-deployed the profile to the test machine. Then it hopped right on the network.