Solved

Windows NPS certificate issue

Posted on 2012-04-09
11
349 Views
Last Modified: 2012-06-21
I  have setup several Cisco's 2911 Wifi AccessPoints, they are setup to use domain server authentication against a Win08R2 DC with NPS roled installed.

I have it set to allow connection if any of the following requirements are met:

1-computer already belongs to the domain
2-valid domain user/pass (allow apple ios devices to connect)

it works great if you are already part of the Domain

but if a computer that doesnt belong tries to connect (a guest, for example), after entering VALID domain credentials, the connection fails, event viewer indicates it cant find a valid vertificate to allow the connection.
so... it wants a certificate to be installed on the computer before it allows the connection EVEN when the user/pass is correct for the domain user.

Ive been manually installing the certificates but i rather it just works by authenticating the username/pass the user enters when attempting the connection to the AP.

how can i get rid of the certificare requirement? (and not have to modify settings on currently connected computers)
0
Comment
Question by:Comptx
  • 6
  • 3
  • 2
11 Comments
 
LVL 20

Expert Comment

by:Jakob Digranes
Comment Utility
have you chosen EAP-TLS or PEAP-MsChap V2 as authentication method on NPS?

if you want to use username/password choose EAP-MsChap V2 - but you can have both policies activated as inner authentication - remember to put EAP-TLS on top
0
 

Author Comment

by:Comptx
Comment Utility
authentication methods are
Protected Eap [peap]
secured password [eap-mschap v2]
Less secure authentication methods : None checked
0
 
LVL 39

Expert Comment

by:footech
Comment Utility
I'm not sure if it's any less intrusive than copying the certificate over, but you if you modify the properties of the wireless connection > Security tab > Configure (next to dropdown with MS PEAP selected) > Uncheck the box for "validate server certificate", then non-domain machines can connect.
0
 

Author Comment

by:Comptx
Comment Utility
windows wont add the connection to the list until its successfully able to connect, to i cant access the properties of the connection
0
 

Author Comment

by:Comptx
Comment Utility
i havent tried jacobs response yet, i will try it today and see if that fixes the issue
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 39

Expert Comment

by:footech
Comment Utility
You can manually add the connection.  You will just have to enter the correct SSID, Security type, and Encryption type.  After clicking Next you will be able to change the connection settings.
0
 

Author Comment

by:Comptx
Comment Utility
footech, that task will be nearly impossible for your regular non computer savy user.
0
 

Author Comment

by:Comptx
Comment Utility
ok, tried only having  EAP-MsChap V2 by itself, but then no device, windows, mac, or ios would connect. just fails after entering user/password

also tried using :less secure methods"
such as ms-chap-v2 by itself with same results.
0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
Comment Utility
Perhaps you're right, but it works.

One of the premises behind PEAP is to authenticate the server with a certificate.  To get around it you have to manually modify the connection properties to ignore this.  Your only other options (at least as far as I'm aware) are to use a PSK or captive portal for guest access, or to use a publicly trusted certificate for the NPS.
0
 
LVL 20

Expert Comment

by:Jakob Digranes
Comment Utility
Log on to NPS ans look in security logs in event viewer why users aren't authenticated using PEAP-MsChap V2
0
 

Author Closing Comment

by:Comptx
Comment Utility
sorry for the delay. will try the public certificate. thanks
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Suggested Solutions

Trying to figure out group policy inheritance and which settings apply where can be a chore.  Here's a very simple summary I've written which might help.  Keep in mind, this is just a high-level conceptual overview where I try to avoid getting bogge…
I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now