Guest computers joined to a different domain cannot connect to our RADIUS Wi-Fi.

Hi.

We have set up Wi-Fi in our office that uses RADIUS authentication via NPS. It works great and we have no problem connecting devices that are not even on our network (iPads, Androids, etc.).

The issue is that if a guest has a laptop that is joined to a different domain, they cannot connect to the Wi-Fi using our guest credentials. No error other than "unable to join 'ourSSIDname'".

Any ideas?

Attached is a stripped down version of our running config from the AP.
config-cleaned.txt
paradigm_IS asked:

rauenpc commented:
There is a good chance that the PCs do not trust the server certificate on your NPS server. This is normal. To get around this, you have one of two choices that I can think of quickly.

1] Install and configure a true trusted third-party certificate on your NPS server so that all computers trust the cert.
2] Edit the wireless network profile on the guest PC for your SSID. Go to Manage Wireless Networks, highlight your SSID and choose Properties. Go to the Security tab, and under Network authentication method make sure PEAP is selected and then click Settings. You will need to uncheck "Validate server certificate", and you may also need to click "Configure" under Select Authentication Method to uncheck the "Automatically use my Windows logon name and password" box.
Capture.JPG
0

Craig Beck commented:
Is this because you've configured a 'guest' user account in your Active Directory which you want guests to use? If so, this is because the guests are sending the wrong domain name in the authentication request.

If this is the case you won't be able to do what you want as you'll need to manipulate the inner-EAP request and that's something you can't do AFAIK.
0
paradigm_IS (author) commented:
My apologies for not getting back to this thread sooner.

I think rauenpc and craigbeck are on the right track. I think it has to do with trusting the NPS server.

Our domain joined computers automatically trust it due to the fact they are joined to the domain, which is itself a trust relationship.

Installing a 3rd party cert might be the way to go.

However, I am running into another problem on my test PC that is joined to a different domain. I have local administrator permissions, yet I cannot view the properties of wireless networks in range.

thanks
0

Craig Beck commented:
Even if you are a local admin, that doesn't automatically give you the right to view wireless networks if a GPO explicitly stops this.

Back to the original problem...
Installing a 3rd party cert might be the way to go.
This won't help. The client device will still be sending its own domain suffix in the authentication request. As I said previously, you can't manipulate or strip the domain in an EAP request, so you'll have to use a user/pass to authenticate instead of the computer credentials.
0
paradigm_IS (author) commented:
Actually, we want to have users provide authentication rather than rely on the computer to provide credentials. I thought that is how I had configured this, but I guess not. :-(

Can you point me in the direction of how I need to change our config to have users provide the credentials and not the computer?
0
Craig Beck commented:
OK, you'll have to manually configure the client's wireless profile.

You need to:

1] Untick the "Validate server certificate" box,
2] Untick the "Automatically use my Windows logon name" box.

See here (but don't validate the server certificate as this link suggests)...

https://supportforums.cisco.com/docs/DOC-17544
0
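The two checkboxes rauenpc and Craig Beck refer to ("Validate server certificate" and "Automatically use my Windows logon name"), plus the computer-versus-user credential choice Craig raises, all live in the WLAN profile XML that `netsh wlan export profile name="ourSSIDname" folder=C:\temp` writes out. The script below is an added example, not code from this thread, from Microsoft or from the asker's AP config: it renders constructed profiles (no real network's profile was captured; the root CA thumbprint is a placeholder) and audits the fields that decide whether a guest laptop from another domain can present the guest credentials, flagging the weakening that comes with turning server validation off. Element names follow the OneX/EapHostConfig/MsPeap profile schema; treat the exact layout of the sample as an assumption if your export differs.

```python
"""Audit an exported Windows WLAN profile for the PEAP settings the thread discusses."""
import xml.etree.ElementTree as ET

# Constructed template (not captured from a real network). Element names follow the
# profile XML that `netsh wlan export profile` writes for a PEAP/MS-CHAPv2 SSID.
PROFILE_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ourSSIDname</name>
  <SSIDConfig><SSID><name>ourSSIDname</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption>
      <useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>{auth_mode}</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
              <ServerNames>{server_names}</ServerNames>{trusted_roots}
            </ServerValidation>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>26</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                <UseWinLogonCredentials>{use_winlogon}</UseWinLogonCredentials>
              </EapType>
            </Eap>
            <PeapExtensions>
              <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
            </PeapExtensions>
          </EapType>
        </Eap></Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""


def build_profile(auth_mode="user", validate=True, use_winlogon=False,
                  server_names="", trusted_roots=()):
    """Render a constructed profile for one of the scenarios in the thread."""
    roots = "".join(f"\n              <TrustedRootCA>{t}</TrustedRootCA>" for t in trusted_roots)
    return PROFILE_TEMPLATE.format(auth_mode=auth_mode, validate=str(validate).lower(),
                                   use_winlogon=str(use_winlogon).lower(),
                                   server_names=server_names, trusted_roots=roots)


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def _first_text(root, name, default=""):
    """Text of the first element (document order) whose local name matches."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return default


def audit_profile(xml_text):
    """Extract the guest-relevant PEAP settings and list the problems they cause."""
    root = ET.fromstring(xml_text)
    f = {
        "ssid": _first_text(root, "name"),
        "auth_mode": _first_text(root, "authMode"),                      # user / machine / machineOrUser
        "validate_server": _first_text(root, "PerformServerValidation") == "true",
        "use_winlogon_credentials": _first_text(root, "UseWinLogonCredentials") == "true",
        "server_names": _first_text(root, "ServerNames"),
        "trusted_root_cas": [(e.text or "").strip() for e in root.iter() if _local(e.tag) == "TrustedRootCA"],
    }
    issues = []
    if f["auth_mode"] in ("machine", "machineOrUser"):
        issues.append("computer credentials may be sent: a laptop from another domain presents its own domain in the EAP identity")
    if f["use_winlogon_credentials"]:
        issues.append("MS-CHAPv2 reuses the Windows logon name (DOMAIN\\user); the guest account can never be typed in")
    if not f["validate_server"]:
        issues.append("server certificate validation is OFF: the client completes PEAP with any AP/RADIUS server advertising this SSID")
    f["issues"] = issues
    return f


if __name__ == "__main__":
    scenarios = [
        ("domain-joined default", build_profile("machineOrUser", True, True, trusted_roots=("PLACEHOLDER-ROOT-CA-THUMBPRINT",))),
        ("thread's fix (validation off)", build_profile("user", False, False)),
        ("validation kept, public CA cert on NPS", build_profile("user", True, False)),
    ]
    for label, xml_text in scenarios:
        result = audit_profile(xml_text)
        print(f"{label}: authMode={result['auth_mode']} validate={result['validate_server']} "
              f"winlogon={result['use_winlogon_credentials']} roots={result['trusted_root_cas']}")
        for issue in result["issues"]:
            print("  -", issue)
```

Run against a real export, the first scenario is what a GPO-provisioned domain member usually looks like, which is why it sends DOMAIN\computer or DOMAIN\user rather than the guest account. The second scenario is the thread's workaround: it removes the identity problem but, with `PerformServerValidation` false, the laptop will finish the PEAP handshake with whichever access point answers for the SSID, so the guest credentials are no longer protected by the server certificate. The third scenario (rauenpc's first option combined with unticking the Windows logon box) is the one the auditor reports clean: validation stays on, the NPS certificate chains to a CA the guest machine already trusts, and the user is prompted for the guest account.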
paradigm_IS (author) commented:
Well, that takes me back to the problem that some (or most) people who need guest access to our Wi-Fi don't have access to the properties of the wireless profiles of networks listed on their computer, which they would need in order to make the changes to the wireless profile.

I'm researching this too, but your help is appreciated.

thanks
0
paradigm_IS (author) commented:
I think this is as close as we are going to get to a solution, as long as the guest laptop allows access to edit the Wi-Fi profile.

Thanks.
0