Hello All,
I am trying to sort out some issues with certificate OIDs in our PKI environment. The background is that we are in production with our wifi using EAP-TLS. Everything is working great and has been for months. Some of our architects suggested that we could assign unique OIDs to the certificates that would represent different parts of the organization. For instance, Human Resources would have one OID, Claims would have its own OID, and so forth. It was then suggested that we could use NPS to check for these individual OIDs using the "Allowed-Certificate-OID" setting and then act upon them as we wanted, like putting them onto different VLANs. So my first question is: is this even possible?
Our CA is provided by our ISP. I spoke to the CA admin there and he created a new TEST template and published it. I can validate that the users are getting this new certificate, and I see the OID he assigned on the "Details" tab of the certificate's properties page. On the "General" tab it shows server authentication, client authentication, and then simply shows the OID number. Just the number... it doesn't state what it's for.
On the "Details" tab, the "EKU" field shows the same purposes listed on the General tab, and they appear once again in the "Application Policy" field.
So, armed with the new certificate, I opened the NPS console and edited the "Network Policy". In the "Settings" tab, under the "Radius Attributes" heading, I added a new "Vendor Specific" attribute, selected "Allowed-Certificate-OID" and entered the new OID.
This did not work. Clients cannot connect. Logs show:
"The Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. Rejected." Which brings my second question... Does anyone see where this went wrong? Thanks so much for any assistance! Mike
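An added example, not part of Mike's post: Microsoft's NPS documentation describes Allowed-Certificate-OID as the OID of a certificate purpose in the client certificate's Extended Key Usage (EKU) extension, so the first thing to verify offline is exactly which OIDs the issued certificate's EKU actually carries, byte for byte, rather than trusting the GUI's rendering. The EKU extension (RFC 5280 section 4.2.1.12) is just SEQUENCE OF OBJECT IDENTIFIER, so a stdlib-only DER decoder is enough. The department OIDs below (`2.999.1.1`, `2.999.1.2`) are placeholders under the arc reserved for examples, the function names are my own, and the EKU bytes are constructed in the script rather than taken from a real certificate.

```python
"""Decode an X.509 Extended Key Usage (EKU) extension and check it for an OID.

Added example (stdlib only), not code from the original post. EKU is
SEQUENCE OF OBJECT IDENTIFIER (RFC 5280 4.2.1.12), so this is enough to see
exactly which purpose OIDs a certificate carries.
"""

EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
# Hypothetical department OIDs under 2.999, the arc reserved for examples.
OID_HR = "2.999.1.1"
OID_CLAIMS = "2.999.1.2"


def _encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER OBJECT IDENTIFIER content octets (X.690 8.19)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] >= 40):
        raise ValueError(f"invalid OID {dotted!r}")
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]   # first two arcs are packed
    out = bytearray()
    for v in subids:
        chunk = [v & 0x7F]                          # base-128, last byte has bit 8 clear
        v >>= 7
        while v:
            chunk.append((v & 0x7F) | 0x80)
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(body: bytes) -> str:
    """DER OBJECT IDENTIFIER content octets -> dotted OID."""
    if not body:
        raise ValueError("empty OID")
    arcs, value, pending = [], 0, False
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        pending = bool(byte & 0x80)                 # continuation bit
        if not pending:
            if not arcs:
                first = 2 if value >= 80 else value // 40
                arcs += [first, value - 40 * first]
            else:
                arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(map(str, arcs))


def _der_len(n: int) -> bytes:
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def encode_eku(oids) -> bytes:
    """Build the DER value of an EKU extension from dotted OIDs."""
    body = b"".join(b"\x06" + _der_len(len(o)) + o for o in map(_encode_oid, oids))
    return b"\x30" + _der_len(len(body)) + body


def decode_eku(der: bytes) -> list:
    """Return the dotted OIDs in an EKU extension value, in order."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU members must be OBJECT IDENTIFIERs")
        oids.append(_decode_oid(value))
    return oids


def eku_permits(der: bytes, allowed_oid: str) -> bool:
    """True if the EKU carries allowed_oid exactly (no prefix/wildcard match)."""
    return allowed_oid in decode_eku(der)


# Constructed sample: the EKU a "Human Resources" template might produce.
SAMPLE_EKU = encode_eku([EKU_SERVER_AUTH, EKU_CLIENT_AUTH, OID_HR])

if __name__ == "__main__":
    print(SAMPLE_EKU.hex())
    print(decode_eku(SAMPLE_EKU))
    print("HR allowed:", eku_permits(SAMPLE_EKU, OID_HR))
    print("Claims allowed:", eku_permits(SAMPLE_EKU, OID_CLAIMS))
```

To feed it a real certificate, copy the EKU extension's value bytes out of `certutil -v -dump <cert.cer>` (or, in PowerShell, compare against `(Get-ChildItem Cert:\CurrentUser\My).EnhancedKeyUsageList`, which lists each entry's ObjectId) and pass them to `decode_eku`. If the OID configured in Allowed-Certificate-OID is only in the Application Policies extension and not in the EKU sequence, `eku_permits` returns False, which is the condition to rule out first; the match is an exact string comparison, so a stray arc or a transposed digit in the NPS setting also shows up here.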