paradigm_IS asked:
Guest computers joined to a different domain cannot connect to our RADIUS Wi-Fi.

Hi.

We have set up Wi-Fi in our office that uses RADIUS authentication using NPS.  It works great and we have no problem connecting devices that are not even on our network (iPads, Androids, etc.).

The issue is if a guest has a laptop that is joined to a different domain, they cannot connect to the Wi-Fi using our guest credentials.  No error other than "unable to join 'ourSSIDname'".

Any ideas?

Attached is a stripped down version of our running config from the AP.
config-cleaned.txt
Accepted solution, by rauenpc:
Is this because you've configured a 'guest' user account in your Active Directory which you want guests to use?  If so, this is because the guests are sending the wrong domain-name in the authentication request.

If this is the case you won't be able to do what you want as you'll need to manipulate the inner-EAP request and that's something you can't do AFAIK.
paradigm_IS (asker):
My apologies for not getting back to this thread sooner.

I think rauenpc and craigbeck are on the right track. I think it has to do with trusting the NPS server.

Our domain-joined computers automatically trust it due to the fact that they are joined to the domain, which is itself a trust relationship.

Installing a 3rd party cert might be the way to go.

However, I am running into another problem on my test PC that is joined to a different domain.  I have local administrator permissions, yet I cannot view the properties of wireless networks in range.

thanks
Even if you are a local admin, that doesn't automatically give you the right to view wireless networks if a GPO explicitly stops this.

Back to the original problem...
Installing a 3rd party cert might be the way to go.
This won't help.  The client device will still be sending its own domain suffix in the authentication request.  As I said previously, you can't manipulate or strip the domain in an EAP request so you'll have to use a user/pass to authenticate instead of the computer credentials.
Actually, we want to have users provide authentication rather than rely on the computer to provide credentials. I thought that was how I had configured this, but I guess not.   :-(

Can you point me in the direction of how I need to change our config to have users provide the credentials and not the computer?
OK, you'll have to manually configure the client's wireless profile.

You need to:

1] Untick the "Validate Server Certificate" box,
2] Untick "Automatically use my Windows Logon Name" box.

See here (but don't validate the server certificate as this link suggests)...

https://supportforums.cisco.com/docs/DOC-17544
Well, that takes me back to the problem that some (or most) people who need guest access to our Wi-Fi don't have access to the properties of the wireless profile of networks listed on their computer, which they would need in order to make the changes to the wireless profile.

I'm researching this too, but your help is appreciated.

thanks
I think this is as close as we are going to get to a solution, as long as the guest laptop allows access to edit the Wi-Fi profile.

Thanks.