Question
Tuesday, March 15, 2011 12:46 PM
Hi There,
I have configured a Cisco access point using RADIUS for authentication from a Win2k8 R2 DC. Connecting from a domain-joined machine with a user already logged in works fine, but the issue we have with non-domain machines (including iPhones and BlackBerrys) is that it won't prompt for domain credentials. Where/how can I configure this on NPS?
Thanks for your help in advance
Ben
All replies (20)
Wednesday, March 16, 2011 8:39 PM ✅ Answered
Hi there -
You can configure authentication in NPS network policies. The most secure authentication is EAP-TLS or PEAP-TLS, however those are somewhat difficult to deploy because you must deploy certificates either via smartcards or by enrolling/installing a certificate that is issued to the user (for non-domain joined machine use). The certification authority (CA) that issues the user certificate must also be the CA that issued the server certificate to your NPS server.
Another option is to use PEAP-MS-CHAPv2, which requires a server certificate on the NPS server, but allows users to type in domain credentials (user name and password) to log on to the network. Even with this authentication method though the CA certificate must be in the Trusted Root Certification Authorities store on the client so that the client trusts the NPS server.
If you're interested in either of these methods, there are some good deployment guides - see the server certificates guide and user and computer certificates guide at Core Network Guides for Windows Server 2008 R2. These guides describe using autoenrollment of certificates, which will work for you for server certificates; but you will need to review the AD Certificate Services documentation for information on enrolling certificates to non-domain member computers if you want to deploy user certificates.
Thanks -
James McIllece
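As an added example (not part of the thread or of Microsoft's deployment guides), a PowerShell check run on the NPS server that lists the machine certificates meeting the PEAP server-certificate requirements described above (private key, Server Authentication EKU, chain to a trusted root) and exports the issuing root CA certificate so it can be placed in the clients' Trusted Root Certification Authorities store; the export folder is an assumption.

```powershell
# Added example, not from the original thread. Run on the NPS server.
# Lists certificates NPS can present for PEAP / EAP-TLS and exports the
# root that signed them so it can be distributed to non-domain clients.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'     # Server Authentication EKU
$exportDir     = 'C:\temp\nps-rootca'    # assumed output folder
$null = New-Item -ItemType Directory -Path $exportDir -Force

$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Collect the EKU OIDs on the certificate (empty when no EKU extension)
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is $ekuType) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    if (-not $cert.HasPrivateKey -or $ekus -notcontains $serverAuthOid) { continue }

    # Build the chain the way a client would. Revocation is skipped here
    # because the point is trust to a root, not CRL reachability.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        ChainTrusted = $trusted
        IssuingRoot  = $root.Subject
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }

    # Export the root (public part only, DER) for import on clients under
    # Trusted Root Certification Authorities. A self-signed server
    # certificate is its own root and is skipped: clients should not be
    # asked to trust it.
    if ($trusted -and $root.Thumbprint -ne $cert.Thumbprint) {
        $path = Join-Path $exportDir "$($root.Thumbprint).cer"
        [System.IO.File]::WriteAllBytes($path, $root.Export('Cert'))
    }
}
```

A certificate that shows ChainTrusted = False, or whose IssuingRoot is not the CA you expect, will cause clients to reject the NPS server during PEAP even though NPS itself starts fine.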
Wednesday, March 16, 2011 9:22 AM
Hi Ben,
802.1X wireless authentication supports password-based and certificate-based authentication. You could use either of these two methods. I recommend using EAP-TLS or PEAP-TLS certificates for non-domain machines (including iPhones and BlackBerrys).
NPS Authentication Methods
http://technet.microsoft.com/en-us/library/cc731694(WS.10).aspx
Regards, Rick Tan
Thursday, March 17, 2011 4:17 PM
Thanks for your helpful answers, guys. I got it configured successfully.
Thursday, March 22, 2012 4:40 AM
Help!
I need to get this working also...
Wanting to authenticate guests via RADIUS, Win2K8, NPS using AD credentials for mobile devices.
Thursday, March 22, 2012 9:52 AM
Hey, it was fairly to get this working, but I needed a fresh NPS server, as the other one was doing VPN authentication, and I couldn't get the policies to play nicely together. Feel free to email me if you want some help!
Thursday, March 22, 2012 10:37 AM
Hey Benny,
Would love some help.
We are just interested in getting access for guests, using non-domain laptops and mobile devices.
Setup:
- 3 x DCs 2008 R2
- 1 of these has the NPS role installed
- We have a Wi-Fi unit which is set up and configured to talk to the NPS
Thursday, March 22, 2012 10:44 AM
For guest access, may I ask why you want them to authenticate to the domain? Would you not be better off allowing WPA auth on the access point, then VLANing that traffic and isolating it from your internal network?
Thursday, March 22, 2012 10:46 AM
Using WPA is a bit basic for our liking.
We would prefer them to authenticate with an AD account set up as a guest for internet access only.
Thursday, March 22, 2012 11:12 AM
Okay, so what access point are you using? Are your internal users able to authenticate successfully on domain machines?
Thursday, March 22, 2012 9:11 PM
Our access point is a wireless unit (no real name brand).
We haven't been able to get internal users working yet either.
Friday, March 23, 2012 4:27 PM
Please can you tell me, with as much detail as possible, how your NPS and AP are configured? Feel free to email if you don't want to post it here.
Sunday, March 25, 2012 9:52 PM
Hey Benny, what's your email address?
Monday, March 26, 2012 5:20 PM
BG @ <mycompanyname>.com
Friday, August 3, 2012 8:45 AM
This is precisely my situation as well, could you guys post your findings?
Regards
Sebastian Burrell
MCP, MCTS
Friday, August 3, 2012 10:39 AM
Best to start by checking out your AP configuration, Seb; that was the issue for both of us in the end.
Tuesday, June 11, 2013 6:41 AM
Hi,
I need your help.
In our organization I installed the Network Access Protection service on a DC.
We have a two-tier CA in our organization.
I added a Cisco router as a RADIUS client.
Domain computers can connect to the network without any problem.
I want to achieve that domain machines and non-domain machines can connect to the network only if they have a certificate.
I don't know how to set things up so that non-domain machines can connect to the network.
What type of certificate do we need to use, and how do we make the request on the CA for non-domain machines?
Please help.
Tuesday, June 11, 2013 9:51 PM
Hi there -
This excerpt from the article Network access authentication and certificates at http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx might be helpful:
Non-domain member certificate enrollment
Certificate enrollment for computers that are not domain members cannot be done with auto-enrollment. When a computer is joined to a domain, a trust is established that allows auto-enrollment to occur without administrator intervention. When a computer is not joined to a domain, trust is not established and a certificate is not issued. Trust must be established using one of the following methods:
- An administrator (who is, by definition, trusted) must request a computer or user certificate using the CA Web enrollment tool.
- An administrator must save a computer or user certificate to a floppy disk and install it on the non-domain member computer. Or, when the computer is not accessible to the administrator (for example, a home computer connecting to an organization network with an L2TP/IPSec VPN connection), a domain user whom the administrator trusts can install the certificate.
- An administrator can distribute a user certificate on a smart card (computer certificates are not distributed on smart cards).
Many network infrastructures contain VPN and IAS servers that are not domain members. For example, a VPN server in a perimeter network might not be a domain member for security purposes. In this case, a computer certificate with the Server Authentication purpose contained in the EKU extensions must be installed on the non-domain member VPN server before it can successfully negotiate L2TP/IPSec-based VPN connections with clients. Note that if the non-domain member VPN server is used as an end point for a VPN connection with another VPN server, EKU extensions must contain both the Server Authentication and Client Authentication purposes.
James McIllece
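As an added example (not from the thread or the TechNet article), the administrator-driven enrollment path from the excerpt's first bullet done with certreq instead of the CA web pages: the non-domain machine generates its own key pair and request, the administrator submits the request to the CA from a domain member, and the issued certificate is brought back and bound to the key. The subject, CA config string, template name and working folder are placeholders.

```powershell
# Added example, not from the original thread. The three steps run on
# different machines, as the comments note; only the .req and .cer files
# move between them, so the private key never leaves the client.
$subject  = 'CN=guest-laptop01.example.com'          # non-domain client, assumed
$caConfig = 'ca01.corp.example.com\Corp Issuing CA'  # "host\CA name", assumed
$template = 'Workstation'                            # template name, assumed
$work     = 'C:\temp\enroll'
$null = New-Item -ItemType Directory -Path $work -Force

# Step 1 (on the non-domain machine): key pair plus PKCS#10 request in the
# machine store, with the Client Authentication EKU NPS expects for EAP-TLS.
# The template referenced must allow the subject to be supplied in the
# request, since the CA cannot build it from AD for a non-domain computer.
$inf = @"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path "$work\client.inf" -Value $inf -Encoding Ascii
certreq -new "$work\client.inf" "$work\client.req"

# Step 2 (administrator, on a domain member that can reach the CA):
# submit the request; the issued certificate is written to client.cer.
certreq -submit -config $caConfig "$work\client.req" "$work\client.cer"

# Step 3 (back on the non-domain machine): bind the issued certificate to
# the private key from step 1. It then appears in Cert:\LocalMachine\My,
# and the issuing CA chain still has to be imported into Trusted Root
# Certification Authorities on that machine for PEAP/EAP-TLS to succeed.
certreq -accept "$work\client.cer"
```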
Tuesday, June 11, 2013 9:54 PM
Also, the Core Network Companion Guide: Deploying Computer and User Certificates demonstrates how to deploy certificates to domain joined computers. The version of this guide for Windows Server 2008 is at http://technet.microsoft.com/en-us/library/ee407543(WS.10).aspx
Thanks -
James McIllece
Tuesday, June 25, 2013 12:38 PM
Thank you for the links!
Is there any step-by-step guide on how to set this up (authentication only with certificates, and for non-domain computers)?
Tuesday, June 25, 2013 5:19 PM
Not that I'm aware of.
Thanks -
James McIllece