Wireless and Windows NPS for non-domain clients

I have a Windows 2008 R2 server set up as a RADIUS/NPS for wireless clients. It works fine for Windows 7 and Windows 8 machines that are members of the domain. When a non-domain client tries to associate with the wireless they are challenged for the username & password but are not able to connect. The system log has a Schannel entry with event ID 36887. The body of the message says "The TLS protocol defined fatal alert code is 48." EventID.net says code 48 is a "TLS1_Alert_Unknown_CA". This makes sense. I'm using a Windows certificate for the NPS server. A non-domain member would have an issue with the CA for a self-issued certificate.

My questions are: can I use a 3rd-party cert for the NPS server, and what are the steps for initiating the certificate request and installing this certificate?

Tx

Bill
labdunn asked:
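As an added example (not code from the thread), the following PowerShell snippet triages the Schannel 36887 events described in the question on the NPS host, names the TLS alert codes, flags the ones that mean the client rejected the server's certificate chain, and lists which CA issued the server-authentication certificate (the CA that every non-domain client would have to trust). It assumes PowerShell 3.0 or later in an elevated session on the NPS server and that the event text reads "...alert code is N" as quoted above.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell 3.0+ session
# on the NPS host. Alert names follow the TLS Alert Registry (RFC 5246 values).
$AlertNames = @{
    40 = 'handshake_failure'; 42 = 'bad_certificate'; 43 = 'unsupported_certificate'
    44 = 'certificate_revoked'; 45 = 'certificate_expired'; 46 = 'certificate_unknown'
    48 = 'unknown_ca'; 49 = 'access_denied'; 51 = 'decrypt_error'; 70 = 'protocol_version'
    71 = 'insufficient_security'; 80 = 'internal_error'; 112 = 'unrecognized_name'
}
# Alerts a client sends when it rejects the server's certificate chain
$ClientChainRejects = 42, 44, 45, 46, 48

function Get-SchannelAlertSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36887
                 StartTime = (Get-Date).AddHours(-$Hours) }
    $codes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Event text ends with "The TLS protocol defined fatal alert code is <n>."
            if ($_.Message -match 'alert code is (\d+)') { [int]$Matches[1] }
        }
    $codes | Group-Object | ForEach-Object {
        $code = [int]$_.Name
        $name = if ($AlertNames.ContainsKey($code)) { $AlertNames[$code] } else { 'unlisted' }
        [pscustomobject]@{
            AlertCode        = $code
            AlertName        = $name
            Count            = $_.Count
            # 48 (unknown_ca): the issuing CA is not in the client's trusted root store
            ClientRejectedCA = ($ClientChainRejects -contains $code)
        }
    } | Sort-Object Count -Descending
}

function Get-ServerAuthCertificates {
    # The CA shown under Issuer is the one every non-domain client must already trust
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
        Select-Object Subject, Issuer, NotAfter,
            @{ n = 'SelfSigned';    e = { $_.Subject -eq $_.Issuer } },
            @{ n = 'HasPrivateKey'; e = { $_.HasPrivateKey } }
}

Get-SchannelAlertSummary -Hours 168 | Format-Table -AutoSize
Get-ServerAuthCertificates | Format-Table -AutoSize
```

A high count of code 48 together with a SelfSigned or enterprise-CA Issuer confirms the diagnosis in the question: the clients cannot build a chain to a root they trust, so either the issuing CA must be installed on them or the server needs a certificate from a CA they already trust.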

JAN PAKULA, ICT Infrastructure Manager, commented:
Yes, your cert is not trusted by non-domain clients.

Get yourself a cert from a trusted CA (preferably a wildcard one)

and follow this:

http://www.youtube.com/watch?v=159sP_ExWDg

and this:

http://technet.microsoft.com/library/cc771696.aspx
Giladn commented:
Hi, if I understand your question right then janpakula is correct: non-domain members are unable to trust the certificate. This is why 3rd-party certificates are expensive; they can be trusted :)
Are those clients dynamic? Is installing the self-signed certificate on every device not an option?

I'm using an SSL wildcard certificate from GoDaddy
http://www.godaddy.com/ssl/ssl-certificates-new2.aspx
Works fine, expensive though.
JAN PAKULA, ICT Infrastructure Manager, commented:
Yup, I also use GoDaddy :)
Jakob Digranes, Senior Consultant, commented:
Well, you could also bypass this by unchecking "Validate server identity" on the non-domain clients.
What non-domain clients do you have?
And is your domain a .local domain, or a publicly routable one, like .com or similar?
From 2017, public CAs won't issue certificates for "local" domain names.
labdunn (Author) commented:
Got a GoDaddy cert, and non-domain clients are now able to connect.

Thanks