Solved

Meraki & NPS server - cert is enough? Wireless GPO not needed?

Posted on 2013-12-11
951 Views
Last Modified: 2013-12-13
This is more of a conceptual question.

We have set up Meraki with a Windows 2008 R2 NPS server, a Windows certificate server and a GPO. The setup is working.

There are two parts to the GPO: one is to enroll the certificate, and the other is to define "Wireless Network (IEEE 802.11) Policies".
It so happens that the default domain policy also allows automatic enrollment of certificates, so all machines get the certificate whether or not this "Meraki" GPO applies to them.

We find that any machine is able to connect to the wireless network as long as it is in the Windows group specified in NPS's Network Policy. In other words, the "Wireless Network (IEEE 802.11) Policies" part of the GPO seems not to be needed. Having a certificate seems enough.

How is that possible? The NPS Policy configuration is very similar to the "Wireless Network (IEEE 802.11) Policies" GPO configuration, but should not both of them be necessary for a user or computer to log on to the wireless network? Thanks.
Question by:Akulsh

10 Comments
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39712644
Are you applying the Wireless settings policy to the Default Domain Policy?  If so, all machines will receive the policy anyway.

You should create a security group for the machines you want to allow to connect via the policy, create a new GPO for the wireless policy, then specify the security group in the security tab of the GPO.
 
LVL 21

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 200 total points
ID: 39712752
@CraigBeck --- True That :-)

Also - you can edit the Certificate template to auto-enroll only to the same security group. You should really not use Domain Computers/Domain Users for that.
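The template-permission change Jakob describes above, as an added example (not code from the thread, from Microsoft or from Meraki): it audits which principals can Enroll and Autoenroll for a certificate template in AD, then optionally moves those rights from Domain Computers to one security group. The template name 'WorkstationAuthentication' and the group name 'Wireless-Laptops' are assumptions; the thread names neither. It needs the RSAT ActiveDirectory module and an account allowed to edit the template ACL. Note that changing the ACL does not touch certificates that were already issued, which is the point Akulsh raises below.

```powershell
# Added example, not code from the thread or from Microsoft/Meraki.
# Assumptions: template 'WorkstationAuthentication', group 'Wireless-Laptops'.
# Already-issued certificates stay valid until they expire or are revoked.
Import-Module ActiveDirectory

# Extended-right GUIDs Windows uses for the two enrollment permissions
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$AnyRight        = [guid]'00000000-0000-0000-0000-000000000000'   # "all extended rights"
$GenericAll      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-TemplateDN([string]$TemplateName) {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
}

# Lists every Allow ACE that grants Enroll or Autoenroll, whether directly,
# through "all extended rights", or through GenericAll.
function Get-TemplateEnrollmentAccess([string]$TemplateName) {
    $acl = Get-Acl -Path ("AD:\" + (Get-TemplateDN $TemplateName))
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $grant  = $null
        if (($rights -band $GenericAll) -eq $GenericAll) {
            $grant = 'Enroll+Autoenroll (GenericAll)'
        } elseif (($rights -band $ExtendedRight) -eq $ExtendedRight) {
            if     ($ace.ObjectType -eq $EnrollRight)     { $grant = 'Enroll' }
            elseif ($ace.ObjectType -eq $AutoEnrollRight) { $grant = 'Autoenroll' }
            elseif ($ace.ObjectType -eq $AnyRight)        { $grant = 'Enroll+Autoenroll (all extended rights)' }
        }
        if ($grant) {
            New-Object PSObject -Property @{ Principal = $ace.IdentityReference.Value; Grants = $grant }
        }
    }
}

# Removes Enroll/Autoenroll from Domain Computers and grants both to $GroupName.
function Set-TemplateEnrollmentGroup([string]$TemplateName, [string]$GroupName) {
    $path     = "AD:\" + (Get-TemplateDN $TemplateName)
    $acl      = Get-Acl -Path $path
    $groupSid = (Get-ADGroup -Identity $GroupName).SID

    foreach ($ace in @($acl.Access)) {
        if ($ace.IdentityReference.Value -like '*\Domain Computers' -and
            ($ace.ObjectType -eq $EnrollRight -or $ace.ObjectType -eq $AutoEnrollRight)) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    foreach ($right in @($EnrollRight, $AutoEnrollRight)) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $groupSid, $ExtendedRight, 'Allow', $right)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

# Usage: audit first, then tighten once the output looks right.
Get-TemplateEnrollmentAccess -TemplateName 'WorkstationAuthentication' | Format-Table -AutoSize
# Set-TemplateEnrollmentGroup -TemplateName 'WorkstationAuthentication' -GroupName 'Wireless-Laptops'
```

Run the audit on every template that carries the Client Authentication EKU, not just the one the wireless GPO enrolls: NPS only checks that the presented certificate chains to a trusted CA and has a usable EKU, so any template Domain Computers can auto-enroll from will satisfy it.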
 
LVL 3

Author Comment

by:Akulsh
ID: 39712930
CraigBeck,

No, the Wireless GPO is only applied to the OU where wireless laptops are. (My question stated that Wireless GPO does not seem to be required, implying that it is not part of any domain-wide policy.)

I already have a security group for the machines which need to connect via wireless. I don't see any point in creating a new GPO for the wireless policy since current GPO is only applied to an OU and only available to members of the security group.
-

Jakob_di,
You are correct. I can edit Certificate template to auto enroll only by the security group of permitted wireless laptops. However, it is a bit late unless I revoke all issued certs.
-

More to the point, why is the Wireless policy thru GPO not needed? The Network policy settings for wireless access in NPS server seem to be enough. I hope someone can enlighten me on this. Thanks.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39716330
@Akulsh, the OP didn't state that the GPO is only applied to the OU where the laptops are... it's not obvious that if it's not part of the Default Domain Policy that it must be attached to the correct OU.

The fact that laptops don't need a GPO isn't really an issue, as long as the laptops correctly detected the requirements for the WLAN.  Usually a GPO is needed to specify settings which aren't default, and to make the laptop connect automatically without the user selecting the network manually.

If you remove the link to the GPO from the OU where the laptops are, then reboot the laptop, are you still able to connect?
 
LVL 3

Author Comment

by:Akulsh
ID: 39716652
Yes, when we remove the link to the GPO from the OU where the laptops are, then reboot the laptop, we are able to connect.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39716877
Ok.  What settings does your NPS policy require?
 
LVL 3

Author Comment

by:Akulsh
ID: 39717652
I followed this link step by step:

RADIUS: Creating a policy in NPS to support PEAP-MSCHAPv2 machine authentication
http://kb.meraki.com/knowledge_base/radius-creating-a-policy-in-nps-to-support-peap-mschapv2---machine-authentication
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39717680
So that's just telling me what I've already said.  The laptop was able to detect the type of network and its requirements, and used its computer certificate to authenticate.

The NPS policy conditions specify 'who or what' the policy applies to.  So, if the laptop is a domain member it will match the policy - that's what you'd expect.  The GPO is just a way of getting the correct settings to the client - they're not part of the security as such.
 
LVL 3

Author Comment

by:Akulsh
ID: 39717976
Coming back to my original question: is the "Wireless Network (IEEE 802.11) Policies" GPO not needed?

You seem to say, yes, it is not needed. Then why bother with it?
Are there situations where it is needed to have the laptop correct settings? Thanks.
 
LVL 45

Accepted Solution

by:Craig Beck
Craig Beck earned 200 total points
ID: 39717995
Yes, there are times where it is needed - such as when you want to actually dictate what wireless networks are available to the client.

If, for example, you want to allow the client to connect to only specific SSIDs on the corporate network, you would use a GPO.

You could also use a GPO if you wanted to completely lock-down the wireless settings so the user couldn't take the laptop and use it at home.

There are many reasons why you would want to use a GPO - but the main point in a GPO is that it's a set of configuration parameters which give the administrator control, not the user.
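The "dictate which SSIDs are available" and "lock the settings down" cases from the accepted answer, as an added example that is not code from the thread, from Microsoft or from Meraki. It is the local netsh equivalent of the Network Permissions settings in a "Wireless Network (IEEE 802.11) Policies" GPO (deny every SSID except the corporate one, block ad-hoc networks). The SSID 'CorpWiFi' is an assumption; the thread never names it. A GPO is the right way to deploy this fleet-wide, since it reapplies on refresh and the user cannot change it; netsh is useful to test the effect on one laptop first.

```powershell
# Added example, not code from the thread, from Microsoft or from Meraki.
# Assumption: the corporate SSID is 'CorpWiFi'. Run from an elevated prompt
# on the laptop. Permission filters apply to every user on the machine.
$CorpSsid = 'CorpWiFi'   # assumption

function Enable-CorpOnlyWlan {
    # Deny-all filters for both network types ...
    netsh wlan add filter permission=denyall networktype=infrastructure
    netsh wlan add filter permission=denyall networktype=adhoc
    # ... then an explicit allow for the corporate SSID, which overrides the deny-all.
    netsh wlan add filter permission=allow ssid="$CorpSsid" networktype=infrastructure
    # Stop the user from standing up a hotspot on the laptop's own adapter.
    netsh wlan set hostednetwork mode=disallow
}

function Disable-CorpOnlyWlan {
    # Undo in reverse order so the corporate SSID is never the only blocked one.
    netsh wlan delete filter permission=allow ssid="$CorpSsid" networktype=infrastructure
    netsh wlan delete filter permission=denyall networktype=adhoc
    netsh wlan delete filter permission=denyall networktype=infrastructure
    netsh wlan set hostednetwork mode=allow
}

# Apply, then verify: the filter list should show the two deny-all entries plus
# the single allow, and the network list should no longer offer other SSIDs.
Enable-CorpOnlyWlan
netsh wlan show filters
netsh wlan show networks
```

The GPO versions of these switches are the "Prevent connections to ad-hoc networks" and "Prevent connections to infrastructure networks" checkboxes on the policy's Network Permissions tab, with the corporate SSID added as an allowed network; a local admin can delete the netsh filters, whereas the GPO puts them back at the next policy refresh, which is exactly the "control for the administrator, not the user" point above.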
