Configure IGEL wifi SCEP with NDES Part 1

We want to connect our Laptops to our Corporative WIFI Network, but we want to do it, thinking about Security.

So first, this is what you need:

Internal RootCa
NDES Server
Configure Igel Profile.

SCEP (Simple Certificate Enrollment Protocol) is a way of automatically enrolling the certificates, in this case, we are going to use it for devices authentificating. We will use HTTP requests to get root certificates, also to send certificate requests, and to get client certificates from the server.

We need to add a new server with the NDES role:

The service is implemented as an ISAPI extension. It requires IIS to be installed on the same computer. It does not require the CA to be installed on the same computer.

The Internet Server API (ISAPI) extension runs in its own application pool: SCEP. This application pool is created during setup and is configured to run with the credentials that were provided during setup.

The SCEP specification does not require devices to support Secure Socket Layer (SSL). However, the process of retrieving a one-time password from the service should be protected using SSL. Therefore, setup will create two virtual applications – one for the device and one for the administrator. The cloud security is of much importance these days. The penetration testing for OT networks is very much necessary these days.

http://localhost/certsrv/mscep Devices use this location for all communication.
http://localhost/certsrv/mscep_admin Administrators use this location to retrieve enrollment passwords.

You have all the info about NDES here.

Unmark Certification Authority, click Network Device Enrollment Service, click Add Requiered Role Services

When the installation has finished, a warning message about NDES configuration is showed.

Here we must configure the Administrator account which you want to use.

Now, you must uncheck all and just select Network Device Enrollment Service.

We choose Use the built-in application pool identity.

On the Specify CA page, select either the CA name or Computer name check box, click Browse to locate the CA that will issue the Network Device Enrollment Service certificates, TEST_CA, and click Next.
On the Specify Registry Authority Information page, type the RA name. Provide optional information as required by your organization’s security policy.
On the Configure Cryptography page, specify the cryptographic service provider (CSP) and key length settings required by your security policy and supported by your network device, or accept the default values, and click Next.
Review the summary of configuration options, and click Install.

Now in your Root CA :

Open Certificate Templates Console.
Select Computer Template.
Duplicate Template and select the name you want to identify this “SCEPComputer“.

We have to complete the Validity Period we want, and if we want to publish it in Active Directory

Change this setting in the Subject Name

We must provide a Minimum key Size (default is 1024)

We have to remove Server Authentication, because we are going to use it for Client Authentication. For doing this just push in EDIT and Remove it from the list.

You must add the NDES Server Computer Account and give it Enroll Permissions

Change this registry keys to the new certificate template name you have created before in the CA “SCEPComputer”

We are Reusing a password for multiple devices, becasue of that we need to make some changes:

1. Configure service to function in a single-password mode by creating a REG_DWORD value UseSinglePassword and setting it to 0x1.

2. Give Full Control permission to the account used to run NDES for the HKEY_LOCAL_MACHINEMicrosoftCryptographyMSCEP registry key.

3. In the IIS Manager snap-in, navigate to the SCEP application pool and in Advanced Settings set Load User Profile to true.

If you’ve configured NDES to run under some user account, logon interactively with that user account onto the machine where NDES is installed to force the creation of a user profile for that account. This is a one-time operation, the user doesn’t need to stay interactively logged on while NDES is running. To prepare the NDES service account profile:

On the NDES server, open Internet Information Services (IIS) Manager.
In the Connections pane, expand the Web server running the NDES service.
In the Connections pane, click Application Pools.
In the Application Pools pane, click SCEP.
In the Actions pane, click Advanced Settings.
In the Advanced Settings dialog box, under Process Model, configure Load User Profile to True. Click OK.
In Application Pools, right-click SCEP and then click Stop.
Sign off the NDES server.
Sign on using the NDES user account. The NDES service account user profile is created.
Sign off the NDES server.
Sign on the NDES server using an account that is a member of local Administrators.
Open Internet Information Services (IIS) Manager, expand the Web server object, and then select Application Pools.
In the Application Pools pane, right-click SCEP and then click Start.

We change Password length. This configuration can be changed by modifying the PasswordLength registry key.

We will change it to its double value to add more security.

Finally we go to this url http://localhost/certsrv/mscep_admin and here we have the values that we will need later por the Igel profile configuration.