Solved

Meraki & NPS server - cert is enough? Wireless GPO not needed?

Posted on 2013-12-11
928 Views
Last Modified: 2013-12-13
This is more of a conceptual question.

We have set up Meraki with a Windows 2008-R2 NPS server, a Windows certificate server and a GPO. The setup is working.

There are two parts to the GPO: one is to enroll the certificate, and the other is to define "Wireless Network (IEEE 802.1X) Policies".
It so happens that the default domain policy also allows automatic enrollment of certificates, so all machines get the certificate whether or not this "Meraki" GPO applies to them.

We find that any machine is able to connect to the wireless network as long as it is in the Windows group specified in NPS's Network Policy. In other words, the "Wireless Network (IEEE 802.1X) Policies" of the GPO seem not to be needed. Having a certificate seems enough.

How is that possible? The NPS Policy configuration is very similar to the "Wireless Network (IEEE 802.1X) Policies" GPO configuration, but shouldn't both of them be necessary for a user or computer to log on to the wireless network? Thanks.
Question by:Akulsh
10 Comments
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39712644
Are you applying the Wireless settings policy to the Default Domain Policy?  If so, all machines will receive the policy anyway.

You should create a security group for the machines you want to allow to connect via the policy, create a new GPO for the wireless policy, then specify the security group in the security tab of the GPO.
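The procedure Craig describes (dedicated security group, a separate GPO for the wireless policy, security filtering on that GPO) can be scripted. The following is an added example for this thread, not something posted by Craig or taken from the Meraki article; the group name, GPO name and OU path are placeholders for your own domain, and the cmdlets come from the ActiveDirectory and GroupPolicy modules (RSAT).

```powershell
# Added example: create a wireless GPO that is security-filtered to one computer group.
# $GroupName, $GpoName and $TargetOu are placeholders; adjust for your domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'Wireless-Laptops'                    # placeholder security group
$GpoName   = 'Wireless 802.1X Client Settings'     # placeholder GPO name
$TargetOu  = 'OU=Laptops,DC=example,DC=com'        # placeholder OU holding the laptops

# 1. Security group for the machines that should receive the wireless settings.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}

# 2. A GPO carrying only the wireless policy, kept out of the Default Domain Policy.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# 3. Security filtering: the group gets Read + Apply. The default "Authenticated Users"
#    entry is downgraded to Read only (not removed): since MS16-072 the computer account
#    still needs Read on every GPO in scope, so removing it entirely breaks processing.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace

# 4. Link the GPO to the OU where the laptops live.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue

# Review the resulting security filtering: only the group should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The wireless settings themselves (SSID, EAP type, certificate validation) are still configured in the GPO editor under Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.1X) Policies; the script only takes care of scoping who receives them.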
 
LVL 20

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 200 total points
ID: 39712752
@CraigBeck --- True That :-)

Also - you can edit the Certificate template to auto-enroll only to the same security group. You should really not use Domain Computers/Domain Users for that.
 
LVL 3

Author Comment

by:Akulsh
ID: 39712930
CraigBeck,

No, the Wireless GPO is only applied to the OU where wireless laptops are. (My question stated that Wireless GPO does not seem to be required, implying that it is not part of any domain-wide policy.)

I already have a security group for the machines which need to connect via wireless. I don't see any point in creating a new GPO for the wireless policy since current GPO is only applied to an OU and only available to members of the security group.
-

Jakob_di,
You are correct. I can edit Certificate template to auto enroll only by the security group of permitted wireless laptops. However, it is a bit late unless I revoke all issued certs.
-

More to the point, why is the Wireless policy thru GPO not needed? The Network policy settings for wireless access in NPS server seem to be enough. I hope someone can enlighten me on this. Thanks.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39716330
@Akulsh, the OP didn't state that the GPO is only applied to the OU where the laptops are... it's not obvious that if it's not part of the Default Domain Policy that it must be attached to the correct OU.

The fact that laptops don't need a GPO isn't really an issue, as long as the laptops correctly detected the requirements for the WLAN.  Usually a GPO is needed to specify settings which aren't default, and to make the laptop connect automatically without the user selecting the network manually.

If you remove the link to the GPO from the OU where the laptops are, then reboot the laptop, are you still able to connect?
 
LVL 3

Author Comment

by:Akulsh
ID: 39716652
Yes, when we remove the link to the GPO from the OU where the laptops are, then reboot the laptop, we are able to connect.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39716877
Ok.  What settings does your NPS policy require?
 
LVL 3

Author Comment

by:Akulsh
ID: 39717652
I followed this link step by step:

RADIUS: Creating a policy in NPS to support PEAP-MSCHAPv2 machine authentication
http://kb.meraki.com/knowledge_base/radius-creating-a-policy-in-nps-to-support-peap-mschapv2---machine-authentication
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39717680
So that's just telling me what I've already said.  The laptop was able to detect the type of network and its requirements, and used its computer certificate to authenticate.

The NPS policy conditions specify 'who or what' the policy applies to.  So, if the laptop is a domain member it will match the policy - that's what you'd expect.  The GPO is just a way of getting the correct settings to the client - they're not part of the security as such.
 
LVL 3

Author Comment

by:Akulsh
ID: 39717976
Coming back to my original question: is the "Wireless Network (IEEE 802.1X) Policies" GPO not needed?

You seem to say yes, it is not needed. Then why bother with it?
Are there situations where it is needed to give the laptop the correct settings? Thanks.
 
LVL 45

Accepted Solution

by:
Craig Beck earned 200 total points
ID: 39717995
Yes, there are times where it is needed - such as when you want to actually dictate what wireless networks are available to the client.

If, for example, you want to allow the client to connect to only specific SSIDs on the corporate network, you would use a GPO.

You could also use a GPO if you wanted to completely lock down the wireless settings so the user couldn't take the laptop and use it at home.

There are many reasons why you would want to use a GPO - but the main point in a GPO is that it's a set of configuration parameters which give the administrator control, not the user.
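Two things in this thread can be checked directly on a laptop: Craig's test of whether the GPO is still being applied after the OU link is removed, and the difference between a WLAN profile pushed by Group Policy and one the user created. The script below is an added example for this thread, not from any of the participants or from Meraki; the SSID is a placeholder, and the regex that parses `netsh wlan show profiles` assumes the English-language output headings "Group policy profiles" and "User profiles". Run it from an elevated PowerShell prompt on the client.

```powershell
# Added example: show which GPOs the computer applied and where its WLAN profiles
# come from, then the local netsh equivalent of the GPO's "allow only these SSIDs" control.
# "CorpWiFi" is a placeholder SSID; output parsing assumes English Windows.

# Computer-scope RSoP. The wireless GPO should be listed under "Applied Group Policy
# Objects" while the OU link exists and be gone after unlinking and a reboot.
gpresult /r /scope computer

# netsh separates profiles delivered by Group Policy ("Group policy profiles", read only)
# from locally created ones ("User profiles"). This helper tags each profile with its source.
function Get-WlanProfileSource {
    $section = $null
    foreach ($line in (netsh wlan show profiles)) {
        if ($line -match '^\s*Group policy profiles') { $section = 'GroupPolicy'; continue }
        if ($line -match '^\s*User profiles')         { $section = 'User';        continue }
        if ($section -and $line -match 'All User Profile\s*:\s*(.+)$') {
            [pscustomobject]@{ Profile = $matches[1].Trim(); Source = $section }
        }
    }
}
Get-WlanProfileSource | Format-Table -AutoSize

# Craig's point that a laptop with a computer certificate can join without any GPO
# shows up here as a profile under "User": it was created by the user picking the
# network, not pushed by policy. A "GroupPolicy" profile means the GPO did reach the machine.

# Local equivalent of the accepted answer's "only specific SSIDs" restriction, which the
# GPO applies centrally via Network Permissions: allow the corporate SSID, deny all others.
netsh wlan add filter permission=allow ssid="CorpWiFi" networktype=infrastructure
netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan show filters
```

Filters set locally with netsh are overridden by the GPO's Network Permissions once the policy applies, which is the practical argument for doing it through the GPO: the administrator controls the list, not whoever has local admin on the laptop.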