Solved

Meraki & NPS server - cert is enough? Wireless GPO not needed?

Posted on 2013-12-11
Last Modified: 2013-12-13
This is more of a conceptual question.

We have set up Meraki with a Windows 2008-R2 NPS server, a Windows certificate server and a GPO. The setup is working.

There are two parts of the GPO: one is to enroll the certificate, and the other is to define "Wireless Network (IEEE 802.1X) Policies".
It so happens that default domain policy also allows automatic enrollment of certificates, so all machines get the certificate whether or not this "Meraki" GPO applies to them.

We find that any machine is able to connect to the wireless network as long as it is in the Windows group specified in NPS's Network Policy. In other words, the "Wireless Network (IEEE 802.1X) Policies" of the GPO seem not to be needed. Having a certificate seems enough.

How is that possible? The NPS Policy configuration is very similar to the "Wireless Network (IEEE 802.1X) Policies" GPO configuration, but shouldn't both of them be necessary for a user or computer to log on to the wireless network? Thanks.
Question by:Akulsh
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39712644
Are you applying the Wireless settings policy to the Default Domain Policy?  If so, all machines will receive the policy anyway.

You should create a security group for the machines you want to allow to connect via the policy, create a new GPO for the wireless policy, then specify the security group in the security tab of the GPO.
 
LVL 21

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 200 total points
ID: 39712752
@CraigBeck --- True That :-)

Also - you can edit the certificate template to auto-enroll only for the same security group. You should really not use Domain Computers/Domain Users for that.
 
LVL 3

Author Comment

by:Akulsh
ID: 39712930
CraigBeck,

No, the Wireless GPO is only applied to the OU where wireless laptops are. (My question stated that Wireless GPO does not seem to be required, implying that it is not part of any domain-wide policy.)

I already have a security group for the machines which need to connect via wireless. I don't see any point in creating a new GPO for the wireless policy since the current GPO is only applied to an OU and only available to members of the security group.
-

Jakob_di,
You are correct. I can edit the certificate template to auto-enroll only for the security group of permitted wireless laptops. However, it is a bit late unless I revoke all issued certs.
-

More to the point, why is the Wireless policy through GPO not needed? The Network Policy settings for wireless access on the NPS server seem to be enough. I hope someone can enlighten me on this. Thanks.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39716330
@Akulsh, the OP didn't state that the GPO is only applied to the OU where the laptops are... it's not obvious that if it's not part of the Default Domain Policy that it must be attached to the correct OU.

The fact that laptops don't need a GPO isn't really an issue, as long as the laptops correctly detected the requirements for the WLAN.  Usually a GPO is needed to specify settings which aren't default, and to make the laptop connect automatically without the user selecting the network manually.

If you remove the link to the GPO from the OU where the laptops are, then reboot the laptop, are you still able to connect?
 
LVL 3

Author Comment

by:Akulsh
ID: 39716652
Yes, when we remove the link to the GPO from the OU where the laptops are, then reboot the laptop, we are able to connect.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39716877
Ok.  What settings does your NPS policy require?
 
LVL 3

Author Comment

by:Akulsh
ID: 39717652
I followed this link step by step:

RADIUS: Creating a policy in NPS to support PEAP-MSCHAPv2 machine authentication
http://kb.meraki.com/knowledge_base/radius-creating-a-policy-in-nps-to-support-peap-mschapv2---machine-authentication
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39717680
So that's just telling me what I've already said.  The laptop was able to detect the type of network and its requirements, and used its computer certificate to authenticate.

The NPS policy conditions specify 'who or what' the policy applies to.  So, if the laptop is a domain member it will match the policy - that's what you'd expect.  The GPO is just a way of getting the correct settings to the client - they're not part of the security as such.
 
LVL 3

Author Comment

by:Akulsh
ID: 39717976
Coming back to my original question: is the "Wireless Network (IEEE 802.1X) Policies" GPO not needed?

You seem to say, yes, it is not needed. Then why bother with it?
Are there situations where it is needed to give the laptop the correct settings? Thanks.
 
LVL 45

Accepted Solution

by:Craig Beck
Craig Beck earned 200 total points
ID: 39717995
Yes, there are times where it is needed - such as when you want to actually dictate what wireless networks are available to the client.

If, for example, you want to allow the client to connect to only specific SSIDs on the corporate network, you would use a GPO.

You could also use a GPO if you wanted to completely lock down the wireless settings so the user couldn't take the laptop and use it at home.

There are many reasons why you would want to use a GPO - but the main point in a GPO is that it's a set of configuration parameters which give the administrator control, not the user.
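The distinction drawn in the last two expert comments (the computer certificate plus the NPS policy conditions do the authentication; the GPO only delivers configuration and decides whether the administrator or the user controls the wireless profile) can be verified on a client. The PowerShell script below is an added example, not code from this thread, from Meraki or from Microsoft. It checks the two things the thread hinges on: whether the laptop holds a computer certificate with the Client Authentication EKU from the internal CA, and whether the profile for the corporate SSID on the laptop is a read-only Group Policy profile or a locally created one. The SSID name, the CA name, and the English-language layout of `netsh wlan show profiles` output are assumptions; adjust them for your environment.

```powershell
# Added example (not from the thread): client-side check of certificate and
# wireless-profile state on a domain-joined Windows laptop. Run as a local
# administrator. $Ssid and $CaName are placeholders; the parsing of
# "netsh wlan show profiles" assumes the English output headings.
param(
    [string]$Ssid   = 'CORP-WIFI',           # placeholder SSID
    [string]$CaName = 'CN=Corp-Issuing-CA'   # placeholder fragment of the issuer DN
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU used by EAP

# --- 1. Is there a usable computer certificate from the internal CA? -------
$now = Get-Date
$machineCerts = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt $now -and
    $_.Issuer -like "*$CaName*" -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}

if ($machineCerts) {
    foreach ($c in $machineCerts) {
        'Computer cert OK: Subject={0} Expires={1:yyyy-MM-dd} Thumbprint={2}' -f $c.Subject, $c.NotAfter, $c.Thumbprint
    }
} else {
    "No valid computer certificate from '$CaName' with the Client Authentication EKU was found."
    'Check certificate auto-enrollment and the template permissions for this machine''s security group.'
}

# --- 2. Is the WLAN profile delivered by Group Policy or created locally? ---
# netsh lists GPO-delivered profiles under a separate "Group policy profiles"
# heading and everything else under "User profiles".
$lines   = netsh wlan show profiles 2>&1
$section = 'unknown'
$source  = $null
foreach ($line in $lines) {
    if ($line -match '^\s*Group policy profiles') { $section = 'GroupPolicy'; continue }
    if ($line -match '^\s*User profiles')         { $section = 'Local';       continue }
    if ($line -match (':\s*' + [regex]::Escape($Ssid) + '\s*$')) { $source = $section; break }
}

switch ($source) {
    'GroupPolicy' { "Profile '$Ssid' is delivered by Group Policy: read-only on the client, administrator-controlled." }
    'Local'       { "Profile '$Ssid' is a local profile: the client learned the network itself and no GPO enforces its settings." }
    default       { "No profile named '$Ssid' exists on this machine." }
}
```

If the first check passes and the second reports a local profile, the laptop is in exactly the state the original poster describes: it authenticates with its certificate against the NPS policy, and nothing on the client enforces which SSIDs it may join or whether the user can edit the profile. Re-linking the wireless GPO and re-running the script should move the profile into the Group Policy section.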