Meraki & NPS server - cert is enough? Wireless GPO not needed?

This is more of a conceptual question.

We have set up Meraki with a Windows 2008 R2 NPS server, a Windows certificate server and a GPO. The setup is working.

There are two parts to the GPO: one enrolls the certificate, and the other defines "Wireless Network (IEEE 802.1X) Policies".
It so happens that the default domain policy also allows automatic enrollment of certificates, so all machines get the certificate whether or not this "Meraki" GPO applies to them.

We find that any machine is able to connect to the wireless network as long as it is in the Windows group specified in NPS's Network Policy. In other words, the "Wireless Network (IEEE 802.1X) Policies" part of the GPO seems not to be needed. Having a certificate seems enough.

How is that possible? The NPS Policy configuration is very similar to the "Wireless Network (IEEE 802.1X) Policies" GPO configuration, but shouldn't both of them be necessary for a user or computer to log on to the wireless network? Thanks.
Akulsh asked:

Craig Beck commented:
Yes, there are times where it is needed - such as when you want to actually dictate what wireless networks are available to the client.

If, for example, you want to allow the client to connect to only specific SSIDs on the corporate network, you would use a GPO.

You could also use a GPO if you wanted to completely lock down the wireless settings so the user couldn't take the laptop and use it at home.

There are many reasons why you would want to use a GPO - but the main point in a GPO is that it's a set of configuration parameters which give the administrator control, not the user.
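As an added example (not code from the thread), this is the "only these SSIDs" restriction that the wireless policy's Network Permissions tab enforces, applied locally with netsh so the effect can be tried on one laptop before the GPO is built. The SSID names are assumed; the script must run in an elevated PowerShell session on the client.

```powershell
# Added example, not from the thread. Assumed corporate SSIDs; run elevated on the client.
$AllowedSsids = @('CorpWiFi', 'CorpWiFi-Guest')

function Set-WlanAllowList {
    param([string[]]$Ssids)
    # Explicit allow entries for the corporate networks come first...
    foreach ($ssid in $Ssids) {
        netsh wlan add filter permission=allow ssid="$ssid" networktype=infrastructure | Out-Null
    }
    # ...then a deny-all for every other infrastructure and ad hoc network, so the
    # laptop cannot be joined to a home or hotspot SSID by the user.
    netsh wlan add filter permission=denyall networktype=infrastructure | Out-Null
    netsh wlan add filter permission=denyall networktype=adhoc | Out-Null
}

function Remove-WlanAllowList {
    param([string[]]$Ssids)
    # Undo in reverse order: lift the deny-all first, then the explicit allows.
    netsh wlan delete filter permission=denyall networktype=infrastructure | Out-Null
    netsh wlan delete filter permission=denyall networktype=adhoc | Out-Null
    foreach ($ssid in $Ssids) {
        netsh wlan delete filter permission=allow ssid="$ssid" networktype=infrastructure | Out-Null
    }
}

function Test-WlanAllowList {
    # Returns the SSIDs that are NOT present in the current allow list (empty = all good).
    param([string[]]$Ssids)
    $shown = netsh wlan show filters permission=allow
    $Ssids | Where-Object { -not ($shown | Select-String -SimpleMatch $_ -Quiet) }
}

Set-WlanAllowList -Ssids $AllowedSsids
$missing = Test-WlanAllowList -Ssids $AllowedSsids
if ($missing) { Write-Warning "Allow list incomplete: $($missing -join ', ')" }
else          { Write-Output 'Allow list in place; only the listed SSIDs can be joined.' }
netsh wlan show filters
```

The difference Craig describes is visible here: a local administrator can run Remove-WlanAllowList and the restriction is gone, whereas the same settings delivered by the wireless GPO are re-applied at every policy refresh and cannot be edited by the user.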
 
Craig Beck commented:
Are you applying the Wireless settings policy to the Default Domain Policy?  If so, all machines will receive the policy anyway.

You should create a security group for the machines you want to allow to connect via the policy, create a new GPO for the wireless policy, then specify the security group in the security tab of the GPO.
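The three steps above (security group, dedicated GPO, security filtering) as an added PowerShell example; this is not code from the thread. Group, GPO, OU and computer names are assumed. It needs RSAT (ActiveDirectory and GroupPolicy modules) and an account allowed to create and link GPOs; the wireless settings themselves (SSID, EAP method) still have to be entered in GPMC, since there is no cmdlet for that policy node.

```powershell
# Added example, not from the thread. All names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'Wireless-Laptops'
$GpoName   = 'Corp Wireless 802.1X'
$TargetOu  = 'OU=Laptops,DC=corp,DC=example'
$Laptops   = @('LAPTOP01', 'LAPTOP02')   # sample computer names

# 1. Security group holding the computer accounts allowed to use the policy.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Computers that receive the wireless 802.1X GPO'
}
foreach ($name in $Laptops) {
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $name)
}

# 2. A dedicated GPO for the wireless settings, linked only to the laptop OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Wireless Network (IEEE 802.1X) Policies'
}
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue

# 3. Security filtering: only the group gets "Apply group policy".
#    Authenticated Users keeps Read (not Apply): since the June 2016 group policy
#    update (MS16-072) the computer account must be able to read the GPO, otherwise
#    the policy is silently skipped.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply

# 4. Verify: the group should show GpoApply, Authenticated Users only GpoRead.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission
```

Group membership is part of the computer's Kerberos token, so a laptop added to the group needs a reboot (or at least a new logon) before the filtered GPO applies to it.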
 
Jakob Digranes (Senior Consultant) commented:
@CraigBeck --- True That :-)

Also - you can edit the certificate template to auto-enroll only for the same security group. You should really not use Domain Computers/Domain Users for that.
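An added example (not code from the thread) of the template change Jakob suggests: move the Enroll and Autoenroll rights on the template's AD object from Domain Computers to the wireless security group. The template CN and group name are assumed; the two extended-right GUIDs are the well-known AD CS ones for Enroll and Autoenroll. This only affects who can enroll from now on: certificates already issued under the old ACL remain valid until they expire or are revoked.

```powershell
# Added example, not from the thread. Template CN and group name are assumptions;
# run as an enterprise admin with the ActiveDirectory module loaded.
Import-Module ActiveDirectory

$TemplateCn = 'CorpWirelessComputer'   # the template's internal name, not its display name
$GroupName  = 'Wireless-Laptops'
$RemoveFrom = 'Domain Computers'

# Well-known extended-right GUIDs used by AD CS templates.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$configNc   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$acl        = Get-Acl -Path "AD:\$templateDn"

# Drop the Enroll/Autoenroll ACEs that the broad group currently holds.
$removeNt = (Get-ADGroup -Identity $RemoveFrom).SID.Translate([System.Security.Principal.NTAccount]).Value
$toRemove = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $removeNt -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
    ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq $AutoEnrollGuid)
}
foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }

# Grant Read (needed to see the template) plus Enroll and Autoenroll to the group.
$groupSid = (Get-ADGroup -Identity $GroupName).SID
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow)))
foreach ($right in @($EnrollGuid, $AutoEnrollGuid)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $right)))
}
Set-Acl -Path "AD:\$templateDn" -AclObject $acl

# Verify: list who holds Enroll / Autoenroll on the template now.
(Get-Acl -Path "AD:\$templateDn").Access |
    Where-Object { $_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq $AutoEnrollGuid } |
    Select-Object IdentityReference, AccessControlType,
        @{n='Right'; e={ if ($_.ObjectType -eq $EnrollGuid) { 'Enroll' } else { 'Autoenroll' } }}
```

The autoenrollment GPO only triggers enrollment; it is the template ACL that decides which templates a given computer is eligible for, so after this change machines outside the group simply get no certificate from this template at the next autoenrollment pass.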
Akulsh (author) commented:
CraigBeck,

No, the Wireless GPO is only applied to the OU where wireless laptops are. (My question stated that Wireless GPO does not seem to be required, implying that it is not part of any domain-wide policy.)

I already have a security group for the machines which need to connect via wireless. I don't see any point in creating a new GPO for the wireless policy since current GPO is only applied to an OU and only available to members of the security group.
-

Jakob_di,
You are correct. I can edit the certificate template to auto-enroll only for the security group of permitted wireless laptops. However, it is a bit late unless I revoke all issued certs.
-

More to the point, why is the wireless policy through GPO not needed? The Network Policy settings for wireless access in the NPS server seem to be enough. I hope someone can enlighten me on this. Thanks.
 
Craig Beck commented:
@Akulsh, the OP didn't state that the GPO is only applied to the OU where the laptops are... it's not obvious that if it's not part of the Default Domain Policy that it must be attached to the correct OU.

The fact that laptops don't need a GPO isn't really an issue, as long as the laptops correctly detected the requirements for the WLAN.  Usually a GPO is needed to specify settings which aren't default, and to make the laptop connect automatically without the user selecting the network manually.

If you remove the link to the GPO from the OU where the laptops are, then reboot the laptop, are you still able to connect?
 
Akulsh (author) commented:
Yes, when we remove the link to the GPO from the OU where the laptops are, then reboot the laptop, we are able to connect.
 
Craig Beck commented:
Ok.  What settings does your NPS policy require?
 
Akulsh (author) commented:
I followed this link step by step:

RADIUS: Creating a policy in NPS to support PEAP-MSCHAPv2 machine authentication
http://kb.meraki.com/knowledge_base/radius-creating-a-policy-in-nps-to-support-peap-mschapv2---machine-authentication
 
Craig Beck commented:
So that's just telling me what I've already said.  The laptop was able to detect the type of network and its requirements, and used its computer certificate to authenticate.

The NPS policy conditions specify 'who or what' the policy applies to.  So, if the laptop is a domain member it will match the policy - that's what you'd expect.  The GPO is just a way of getting the correct settings to the client - they're not part of the security as such.
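The check a practitioner wants at this point is to see, on the NPS server, which policy actually matched and how the client authenticated, rather than inferring it from the laptop connecting. This added example (not code from the thread) parses the NPS audit events 6272 (access granted) and 6273 (access denied) from the Security log. The parser is exercised first over a constructed sample message, laid out the way Windows writes these events but with made-up values, so it can be tried offline; the live query requires "Audit Network Policy Server" auditing on the NPS box. The EAP Type field tells you which method the client used: with the PEAP-MSCHAPv2 policy from the Meraki article the inner method is MS-CHAP v2 against the computer account, whereas a certificate-based profile would show EAP-TLS.

```powershell
# Added example, not from the thread. The sample message below is constructed.

function ConvertFrom-NpsEventMessage {
    # Pull the interesting "Label:  value" lines out of a 6272/6273 event message.
    param([string]$Message)
    $fields = @{}
    foreach ($label in 'Account Name', 'Fully Qualified Account Name', 'Network Policy Name',
                       'Authentication Provider', 'Authentication Type', 'EAP Type',
                       'Reason Code', 'Reason') {
        # First match wins, so "Account Name" comes from the User section, not Client Machine.
        if ($Message -match "(?m)^\s*$([regex]::Escape($label)):\s*(.*?)\s*$") {
            $fields[$label] = $Matches[1]
        }
    }
    New-Object psobject -Property $fields
}

function Get-NpsAuthEvents {
    # Live query on the NPS server. Needs success/failure auditing for the subcategory:
    #   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
    param([int]$Newest = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents $Newest |
        ForEach-Object {
            $evt    = $_
            $parsed = ConvertFrom-NpsEventMessage -Message $evt.Message
            $parsed | Select-Object @{n='Time';    e={ $evt.TimeCreated }},
                                    @{n='Outcome'; e={ if ($evt.Id -eq 6272) { 'granted' } else { 'denied' } }},
                                    'Account Name', 'Network Policy Name', 'Authentication Type',
                                    'EAP Type', 'Reason Code', 'Reason'
        }
}

# Constructed sample of a 6272 message (field layout as Windows writes it; values invented).
$sample = @'
Network Policy Server granted access to a user.

User:
    Security ID:            CORP\LAPTOP01$
    Account Name:           host/laptop01.corp.example
    Account Domain:         CORP
    Fully Qualified Account Name:   CORP\LAPTOP01$

Client Machine:
    Security ID:            NULL SID
    Account Name:           -
    Fully Qualified Account Name:   -
    Called Station Identifier:      AA-BB-CC-DD-EE-FF:CorpWiFi
    Calling Station Identifier:     11-22-33-44-55-66

Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name:    Wireless laptops
    Authentication Provider:        Windows
    Authentication Server:  nps01.corp.example
    Authentication Type:    PEAP
    EAP Type:               Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier:     -
'@

# Offline check: expect Account Name host/laptop01.corp.example, Network Policy Name
# "Wireless laptops", Authentication Type PEAP, EAP Type EAP-MSCHAP v2.
ConvertFrom-NpsEventMessage -Message $sample | Format-List

# On the NPS server, uncomment to see the real decisions:
# Get-NpsAuthEvents -Newest 50 | Format-Table Time, Outcome, 'Account Name', 'Network Policy Name', 'EAP Type', 'Reason Code' -AutoSize
```

Two things to read off the live output: the Network Policy Name shows which NPS policy the laptop matched (answering the "who or what" question above), and for 6273 events the Reason Code and Reason say why a machine outside the group was refused, which is the evidence that the NPS conditions, not the GPO, are doing the gatekeeping.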
 
Akulsh (author) commented:
Coming back to my original question: is the "Wireless Network (IEEE 802.1X) Policies" GPO not needed?

You seem to say, yes, it is not needed. Then why bother with it?
Are there situations where it is needed to give the laptop the correct settings? Thanks.
Question has a verified solution.