Windows NPS certificate issue

I  have setup several Cisco's 2911 Wifi AccessPoints, they are setup to use domain server authentication against a Win08R2 DC with NPS roled installed.

I have it set to allow connection if any of the following requirements are met:

1-computer already belongs to the domain
2-valid domain user/pass (allow apple ios devices to connect)

it works great if you are already part of the Domain

but if a computer that doesnt belong tries to connect (a guest, for example), after entering VALID domain credentials, the connection fails, event viewer indicates it cant find a valid vertificate to allow the connection.
so... it wants a certificate to be installed on the computer before it allows the connection EVEN when the user/pass is correct for the domain user.

Ive been manually installing the certificates but i rather it just works by authenticating the username/pass the user enters when attempting the connection to the AP.

how can i get rid of the certificare requirement? (and not have to modify settings on currently connected computers)
ComptxAsked:
Who is Participating?
 
footechCommented:
Perhaps you're right, but it works.

One of the premises behind PEAP is to authenticate the server with a certificate.  To get around it you have to manually modify the connection properties to ignore this.  Your only other options (at least as far as I'm aware) are to use a PSK or captive portal for guest access, or to use a publicly trusted certificate for the NPS.
0
 
Jakob DigranesSenior ConsultantCommented:
have you chosen EAP-TLS or PEAP-MsChap V2 as authentication method on NPS?

if you want to use username/password choose EAP-MsChap V2 - but you can have both policies activated as inner authentication - remember to put EAP-TLS on top
0
 
ComptxAuthor Commented:
authentication methods are
Protected Eap [peap]
secured password [eap-mschap v2]
Less secure authentication methods : None checked
0
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

 
footechCommented:
I'm not sure if it's any less intrusive than copying the certificate over, but you if you modify the properties of the wireless connection > Security tab > Configure (next to dropdown with MS PEAP selected) > Uncheck the box for "validate server certificate", then non-domain machines can connect.
0
 
ComptxAuthor Commented:
windows wont add the connection to the list until its successfully able to connect, to i cant access the properties of the connection
0
 
ComptxAuthor Commented:
i havent tried jacobs response yet, i will try it today and see if that fixes the issue
0
 
footechCommented:
You can manually add the connection.  You will just have to enter the correct SSID, Security type, and Encryption type.  After clicking Next you will be able to change the connection settings.
0
 
ComptxAuthor Commented:
footech, that task will be nearly impossible for your regular non computer savy user.
0
 
ComptxAuthor Commented:
ok, tried only having  EAP-MsChap V2 by itself, but then no device, windows, mac, or ios would connect. just fails after entering user/password

also tried using :less secure methods"
such as ms-chap-v2 by itself with same results.
0
 
Jakob DigranesSenior ConsultantCommented:
Log on to NPS ans look in security logs in event viewer why users aren't authenticated using PEAP-MsChap V2
0
 
ComptxAuthor Commented:
sorry for the delay. will try the public certificate. thanks
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.