Windows 2008 NPS with Cisco wireless 4400

My setup is 1 Windows 2008 R2 DC, 1 Windows 2008 R2 NPS (RADIUS) server, 1 Cisco wireless controller 4400 and 2 access points.
My question is as follows:
1. I need 2 laptops to be authenticated through RADIUS but not joined to the domain.
2. I also have 2 laptops that I need to be authenticated through RADIUS and also joined to the domain.

What do I have to do for 1 and 2? What steps do I have to follow? I found many articles.
Cool Guy asked:

Before providing any advice, it would be helpful if you could clarify what you're looking for.
1) Are you looking for help setting everything up from scratch?
2) Is the NPS already configured and working?
3) Is the Cisco controller already configured and the access points are talking to it?
4) What type of authentication are you using (PEAP, EAP-TLS, etc.)?
5) What OS are your laptops running?

Let us know what you have done so far, what isn't working, etc.
Jakob Digranes (Senior Consultant) commented:
for starters:

#1: If you want laptops to authenticate but not be domain joined, you don't have many options:
- You can only authenticate using either EAP-MSCHAPv2 (username and password) or EAP-TLS using user-enrolled certificates.
#2: Here you can use either EAP-MSCHAPv2 or EAP-TLS with machine and/or user certificates. You should, however, deploy 2-factor authentication, authenticating both machines and logged-on users.
Cool Guy (Author) commented:
I need to run it from scratch. Can I run it without a CA, for domain and non-domain also?

Cool Guy (Author) commented:
1) Are you looking for help setting everything up from scratch?
2) Is the NPS already configured and working?
I have installed it, but I have some issues with non-domain clients.
3) Is the Cisco controller already configured and the access points are talking to it?
Yes, it is working fine with a pre-shared key.
4) What type of authentication are you using (PEAP, EAP-TLS, etc.)?
I need it to work, if possible, either with a CA or without a CA.
5) What OS are your laptops running?
Windows 7

Can't help you with configuration of the Cisco.  But I would say that you want to use PEAP (and not the Cisco version).  If you only authenticate by user, you can use PEAP with MSChapv2 which only requires a username and password.  Machines will automatically try to use the credentials of the logged on user, which is fine for domain computers.  For non-domain computers, you will want to edit the properties of the wireless connection
[shot1] Click on the Settings button.  For better security, you can enter the name of the NPS server in the "Connect to these servers" field, and also specify a root certificate from a CA that the NPS will be using.  I've never tried setting it up without the NPS having a machine certificate.  But whether the certificate comes from your own CA or is purchased from a publicly trusted third party shouldn't matter, and it's the only certificate you'll need.
[shot2] Then click on the Configure button, and make sure that the box is unchecked (this is for non-domain computers).
Cool Guy (Author) commented:
But how do I install the CA certificate on the Windows NPS server in the first place? How do I do it? I still have the problem on the server side.
Thanks for your support, footech.
You either set up your own CA and from the NPS request a certificate from it, or buy one from a third party that matches the name of your NPS and then install it in the machine certificate store.  Which way have you decided to go?  From your previous posts it sounds like you're leaning towards a 3rd party.  Do you not know how to buy one from them?  Choose one (like GoDaddy), and their site will have all the information you need to purchase one.
Cool Guy (Author) commented:
1. I mean, do I have to request it from the NPS server, via MMC -> Certificates -> Request, or through the web?

2. Or do I have to request it from the root CA server? Which way is correct?

3. For the client, what do I have to do for non-domain? Do I have to export it from a client joined to the domain, or from the root CA server?
Cool Guy (Author) commented:
1. I have the Windows NPS as a member server. How do I request the certificate? Which way: web, command line or console? And how do I do it?
2. Regarding the client, how do I export the certificate, and from which server do I have to export it, for non-domain clients?
You haven't answered my question about what CA you will be using (your own or 3rd party), or if you have I can't find your answer.  Once you do I may be able to help you further with generating the CSR.
Cool Guy (Author) commented:
A self-signed CA, a local one.
1. How do I get the CA certificate for the NPS server?
2. Then how do I prepare the CA certificate for non-domain and domain clients?
With your own CA, you can do the following:
 - on the NPS, open the MMC console and add the certificates snap-in for the local computer
 - go to Personal, right-click and select All Tasks > Request New Certificate.  Follow the prompts to automatically get your certificate.

You don't have to distribute or create a certificate for the clients.  The certificate is only for the NPS.
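The same request done from the command line, as an added example that is not part of footech's post. It uses certreq.exe, which is present on Windows Server 2008 R2 (the Get-Certificate cmdlet only arrived with PowerShell 4), and then checks that what landed in the machine store is actually what PEAP needs. The NPS name nps01.xyz.local, the CA config string dc01.xyz.local\xyz-CA and the use of the built-in "RAS and IAS Server" template are assumptions; substitute your own.

```powershell
# Added example (not from the thread): request a Server Authentication certificate
# for the NPS from the domain's own Active Directory Certificate Services CA with
# certreq.exe, then verify it. Run in an elevated PowerShell on the NPS.
# Assumptions (hypothetical, adjust to your environment):
#   - the NPS host is nps01.xyz.local (the thread only names the domain "xyz")
#   - the enterprise CA config string is "dc01.xyz.local\xyz-CA"
#   - the CA publishes the built-in "RAS and IAS Server" template, which carries
#     the Server Authentication EKU (1.3.6.1.5.5.7.3.1) that PEAP clients check.

$NpsFqdn  = 'nps01.xyz.local'
$CaConfig = 'dc01.xyz.local\xyz-CA'
$Template = 'RASAndIASServer'   # the template's object name, not its display name
$Work     = Join-Path $env:TEMP 'nps-cert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Request parameters. The subject must match the name clients will be told to
#    trust in "Connect to these servers"; the key is created in the machine store.
@"
[NewRequest]
Subject = "CN=$NpsFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\nps.inf" -Encoding ASCII

# 2. Generate the CSR, submit it to the CA, install the issued certificate.
#    If the template requires manager approval, -submit reports "pending" and
#    -accept must be run after the CA administrator issues the request.
certreq.exe -new    "$Work\nps.inf" "$Work\nps.req"
certreq.exe -submit -config $CaConfig "$Work\nps.req" "$Work\nps.cer"
certreq.exe -accept "$Work\nps.cer"

# 3. Verify: a certificate for the NPS name in LocalMachine\My, with a private key,
#    the Server Authentication EKU, and a chain to a root this server trusts.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$NpsFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $NpsFqdn with a private key in LocalMachine\My" }

$serverAuth = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }
if (-not $serverAuth) { throw 'Certificate lacks the Server Authentication EKU; PEAP clients will reject it' }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) { throw 'Certificate does not chain to a trusted root on this server' }
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"NPS certificate OK: {0}  thumbprint {1}" -f $cert.Subject, $cert.Thumbprint
"Root to distribute to clients: {0}  thumbprint {1}" -f $root.Subject, $root.Thumbprint

# 4. Export the CA's own certificate (the root, for the single-tier CA in this thread)
#    as DER so it can be imported on non-domain laptops; domain members get it from AD.
certutil.exe -config $CaConfig -ca.cert "$Work\xyz-root.cer" | Out-Null
```

The check at the end is the part the MMC wizard does not do for you: a PEAP client that validates the server looks for the Server Authentication EKU and a chain to a root it trusts, so a certificate issued from the wrong template, or enrolled into the user store instead of the machine store, passes the wizard but fails the 802.1X handshake. Once the certificate is in LocalMachine\My, select it under the PEAP settings of the network policy in the NPS console.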
Cool Guy (Author) commented:
It is still not clear about the CA; I am not able to get a CA.

Can you make it clear? As I told you, I have 1 NPS server, 1 DC and 1 wireless controller.

I only need the non-domain-joined wireless client to access the wireless with an AD user. For the configuration, do I need to install a certificate on the NPS server, and what type of certificate do I need for this?
Since you mentioned that you would be using your own CA, I assumed that you already had your own CA set up.

Maybe this will help you.  It provides a walk-through on installing AD Certificate Services to create your own CA (there's also a part 2 and 3 on the site).

Here's another guide I have used in the past.  Skip to the section "Installing Certificate Services" since you already have a DC installed.
Once it gets to the section "Installing Network Policy and Access Services", you don't have to install the Routing and Remote Access Services like is shown, but follow the rest.

Both of the above guides should also help you with how to configure the NPS to work with your Cisco controller as the concepts should be the same.
Cool Guy (Author) commented:
What kind of certificate do I have to create for the NPS server? For example, in my case I need a non-domain user to access the wireless.
Cool Guy (Author) commented:
In the second link, my question is how to issue the certificate. I still have this issue.
Cool Guy (Author) commented:
Can you contact me at
The certificate for the NPS is the same whether it's a domain or non-domain computer connecting to it.  After the CA is installed, and you follow the process of requesting a certificate through the MMC that I mentioned a couple posts ago you will have a certificate with the correct intended purposes (server authentication).  If I'm misunderstanding you, I'm sorry.  Maybe there's a language barrier.

The guides I posted are pretty comprehensive.  If you're unable to follow them then I think the assistance you need is beyond what can be provided in this forum, and you will have to hire someone to come help you.  Sorry but I limit my involvement to what I can contribute here, so no email communication.
Cool Guy (Author) commented:
Thanks footech for your great comment.
For the CA, is this a must or what?
It's not a must, but if you want to configure certificate autoenrollment for NPS servers it's a useful guide.  If you had a lot of certificates to request and issue, then autoenrollment could save you a lot of time and hassle.  In your case, since you only have one NPS, you can just request the certificate manually.
Cool Guy (Author) commented:
After my login from my wireless I got this error in the NPS event log:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

      Security ID:                  NULL SID
      Account Name:                  980c8249f585
      Account Domain:                  xyz
      Fully Qualified Account Name:      xyz\980c8249f585

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            00-1a-6c-5f-84-c0:cisco-WL
      Calling Station Identifier:            98-0c-82-49-f5-85

      NAS IPv4 Address:  
      NAS IPv6 Address:            -
      NAS Identifier:                  cisco-WLC
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  1

RADIUS Client:
      Client Friendly Name:            ciscowl
      Client IP Address:        

Authentication Details:
      Connection Request Policy Name:      Use Windows authentication for all users
      Network Policy Name:            -
      Authentication Provider:            Windows
      Authentication Server:  
      Authentication Type:            Unauthenticated
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  8
      Reason:                        The specified user account does not exist.

Also sometimes I get this error:
A RADIUS message was received from the invalid RADIUS client IP address

This is not my RADIUS client IP address.

Also, I have attached my current configuration; it is still not working.
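The event above already says what went wrong if the fields are read together. As an added example (not part of the thread), the PowerShell below parses the pasted event text and prints the conclusions a practitioner would draw from it; the input is the event quoted in the post, with the two values the post left blank still blank. The key observation is that the Account Name 980c8249f585 is the Calling Station Identifier 98-0c-82-49-f5-85 with the separators removed, and that Authentication Type is Unauthenticated with no EAP type: that is what a Cisco WLC sends when the WLAN is doing MAC filtering against RADIUS rather than 802.1X, and the later post in this thread, where the WLAN security type was switched to 802.1X, is consistent with that.

```powershell
# Added example (not from the thread): pull the fields that matter out of an NPS
# "denied access" event (ID 6273) and point at the likely cause. The sample text is
# the event quoted in the post above; values the post left blank stay blank here.

$EventText = @'
Network Policy Server denied access to a user.
      Security ID:                  NULL SID
      Account Name:                  980c8249f585
      Account Domain:                  xyz
      Fully Qualified Account Name:      xyz\980c8249f585
      Called Station Identifier:            00-1a-6c-5f-84-c0:cisco-WL
      Calling Station Identifier:            98-0c-82-49-f5-85
      NAS IPv4 Address:
      NAS Identifier:                  cisco-WLC
      NAS Port-Type:                  Wireless - IEEE 802.11
      Client Friendly Name:            ciscowl
      Client IP Address:
      Connection Request Policy Name:      Use Windows authentication for all users
      Network Policy Name:            -
      Authentication Type:            Unauthenticated
      EAP Type:                  -
      Reason Code:                  8
      Reason:                        The specified user account does not exist.
'@

function Get-NpsDenyFields {
    param([string]$Text)
    # Every field is "Label: value" on its own line; return a hashtable of label -> value.
    $fields = @{}
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*([^:]+?):\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    $fields
}

function Test-NpsDeny {
    param([hashtable]$f)
    $findings = @()
    $user = $f['Account Name']
    # Normalise the client MAC to the 12-hex-digit form a WLC uses as a MAC-auth username.
    $mac  = ($f['Calling Station Identifier'] -replace '[-:.]', '').ToLower()
    # A Cisco WLC sends Called-Station-Id as "<AP radio MAC>:<SSID>".
    $ssid = ($f['Called Station Identifier'] -split ':', 2)[1]

    if ($user -and $user.ToLower() -eq $mac) {
        $findings += "Account Name '$user' is the client MAC $($f['Calling Station Identifier']) with separators removed: " +
                     "the controller sent a MAC-authentication request for SSID '$ssid', not an 802.1X/EAP request. " +
                     "Set the WLAN's Layer 2 security to WPA2 + 802.1X and disable MAC filtering on it."
    }
    if ($f['Authentication Type'] -eq 'Unauthenticated' -and $f['EAP Type'] -eq '-') {
        $findings += "No EAP negotiation took place (Authentication Type = Unauthenticated, EAP Type = -); " +
                     "the NPS certificate and the PEAP settings were never consulted."
    }
    if ($f['Reason Code'] -eq '8') {
        $findings += "Reason 8 = account does not exist: NPS looked the supplied name up in AD and found nothing, " +
                     "so this is not a password or certificate failure."
    }
    if ($f['Network Policy Name'] -eq '-') {
        $findings += "No network policy was evaluated; the request was rejected before policy matching, " +
                     "so the conditions on the network policy are not the cause of this event."
    }
    if (-not $f['Client IP Address']) {
        $findings += "Client IP Address is empty in the pasted event; confirm the address the WLC sources RADIUS from " +
                     "(its management interface unless configured otherwise) is the one registered on NPS " +
                     "(netsh nps show client), since a mismatch logs 'invalid RADIUS client IP address'."
    }
    $findings
}

$fields = Get-NpsDenyFields -Text $EventText
Test-NpsDeny -f $fields | ForEach-Object { "- $_" }
```

Paste the event from Event Viewer (Custom Views > Server Roles > Network Policy and Access Services) into $EventText and run it on the NPS. The last check ties in the second error in the post: NPS discards RADIUS traffic whose source address is not one of its registered RADIUS clients, so the WLC entry on NPS must carry the address the controller actually sends from, not just any of its interface addresses.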
Cool Guy (Author) commented:
If you look at the account name, it displays some number, not my AD account.
You've got a lot of conditions for your network policy.  Why don't you try something simpler and get it to work before adding so many (see attached).
(attachment: NPS settings)
Cool Guy (Author) commented:
I have done the same, but I am still unable to connect to the WLAN and am getting the same error message every time. Sorry to ask you again, but I did this configuration with a self-signed certificate. What steps do I have to follow if I want it with username and password? I don't need certification, because I read in an article that I have to install a certificate on the NPS server, so what do you say about it?
Cool Guy (Author) commented:
Finally done. I changed the security type on the wireless controller to 802.1X and also on my laptop. But I have installed the certificate on the laptop, and I am able to connect to the wireless even though I didn't select "validate the certificate". How can I restrict it to use the CA with the username?
For PEAP authentication, you need a couple things:
 - To authenticate or confirm the validity of the server you need a certificate for the server (installed on the NPS)
 - To authenticate the client you need a username and password.

If you have your NPS configured correctly, you will only need to provide a username and password to authenticate the client.  However, the clients will also need to trust your root certificate (i.e. have it installed in the Trusted Root Certification Authorities store for the local computer).  Your domain computers should get this automatically.  If not, create a GPO to deploy the root certificate.  Your non-domain computers will need the certificate to be imported manually.

Here's a link to a guide that describes the various settings for your wireless connection.  It's a little bit dated, but the content is still good.

I am looking for a similar solution as leganti, but in my case I want to allow wireless access to certain groups in AD, and the computers should be members of the same domain.
I have configured NPS and the access point as well. It is working fine when the condition is a user group on NPS, but in this case any computer (Windows 8) which is not part of the domain can also connect by just entering domain user credentials. I want to restrict the access to certain groups in AD, and the computer should be a member of the domain.
Need some help from you guys....
@Kris_Zawisza - Please ask as a new question.