
My question is more from a conceptual point of view, rather than implementation (even though I'm asking about proprietary protocols and products).

Assuming I have users and credentials set up in my Active Directory. Users can log in to their desktops using those credentials.

As far as I understand it, I can use Microsoft NPS as a RADIUS server and configure PEAP mode so that users (from a wireless device) are prompted to enter their credentials, which are transferred encrypted (using a server digital certificate) from the wireless device to the RADIUS server.

1) How are the credentials transferred from the RADIUS server to the AD (assume different servers in different VLANs)? Or is the RADIUS just a pass-through and it is the AD that can decrypt the credentials?

2) If I want to use EAP-TLS instead (assuming a client certificate was issued for each wireless device), does the client certificate map to a user in AD? If so, where is the mapping done and how is the communication between RADIUS and AD?

AndreCruz

1 Answer


NPS as a RADIUS server uses Active Directory to perform authentication.

  1. When using PEAP (MSCHAPv2), the client sends the RADIUS server a hash of its password. This hash is eventually compared to the contents of the directory (no decryption here). You could consider NPS as some sort of passthrough here. I can't see why communication between both couldn't cross VLAN boundaries. My guess is that communications between NPS and AD are encrypted.

  2. When using EAP-TLS, NPS will examine the certificate presented by the client and verify it against a set of requirements (e.g. has it been revoked or not?). This verification may involve communication with AD Certificate Services (revocation check).

    If NPS finds that the certificate is valid, then it considers that the subject is authenticated. The subject is named in the certificate presented by the client, and is typically the Distinguished Name of the user in Active Directory (this is the mapping of the certificate to the user in Active Directory).

Vincent De Baere
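As an added illustration of point 2 in the answer above (example code, not from the question or the answer), this script reproduces on a domain-joined host the kind of checks NPS applies to an EAP-TLS client certificate and then resolves the certificate's subject to an AD account. It assumes the PKI and ActiveDirectory PowerShell modules are installed, that the client certificate carries the user's UPN in its Subject Alternative Name (a common layout; the Distinguished Name in the Subject is used as the fallback the answer describes), and the thumbprint is a placeholder.

```powershell
# Added example: validate a client certificate the way NPS would for EAP-TLS,
# then map it to an AD user. Thumbprint below is a placeholder, not a real value.
Import-Module PKI
Import-Module ActiveDirectory

$thumbprint = 'PLACEHOLDER_THUMBPRINT'
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "certificate $thumbprint not found in the user store" }

# Chain building, revocation check (CRL/OCSP), Client Authentication EKU,
# and a chain that ends at a CA published in the enterprise NTAuth store.
$clientAuthEku = '1.3.6.1.5.5.7.3.2'
$valid = Test-Certificate -Cert $cert -Policy NTAUTH -EKU $clientAuthEku `
    -ErrorAction SilentlyContinue
if (-not $valid) { throw "certificate fails chain, revocation or NTAuth checks" }

# Pull the UPN out of the Subject Alternative Name extension (OID 2.5.29.17).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$upn = $null
if ($san) {
    $sanText = $san.Format($false)   # e.g. "Other Name:Principal Name=user@example.com"
    if ($sanText -match 'Principal Name=([^,\s]+)') { $upn = $Matches[1] }
}

# Mapping step: UPN from the SAN first, otherwise the Subject DN as the account identity.
if ($upn) {
    $user = Get-ADUser -Filter { UserPrincipalName -eq $upn } -Properties UserPrincipalName
} else {
    $user = Get-ADUser -Identity $cert.Subject -ErrorAction SilentlyContinue
}
if (-not $user) { throw "no AD account matches UPN '$upn' or subject '$($cert.Subject)'" }

"Certificate maps to AD account $($user.SamAccountName) ($($user.DistinguishedName))"
```

Running this against a certificate that fails any of the checks stops at the first `throw`, which mirrors the point at which NPS would reject the authentication rather than consult the directory.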