Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Wireless and Windows NPS for non-domain clients

Posted on 2014-03-05
5
Medium Priority
?
1,301 Views
Last Modified: 2014-04-04
I have a Windows 2008 R2 server setup as a RADIUS/NPS for wireless clients.  It works fine for Windows 7 and Windows 8 machines that are members of the domain.  When a non-domain client tries to associate with the wireless they are challenged for the username & password but are not able to connect.  The system lg has an Schannel entry with event ID 36887.  The body of the message says "The TLS protocol defined fatal alert code is 48."  EventID.net says code 48 is a "TLS1_Alert_Unknown_CA".  This makes sense.  I'm using a Windows certificate for the NPS server. A non-domain member would have an issue with the CA for a self issued certificate.

My questions are can I use a 3rd party cert for the NPS server and what are the steps for initiating the certificate request and installing this certificate?

Tx

Bill
0
Comment
Question by:labdunn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 14

Accepted Solution

by:
JAN PAKULA earned 2000 total points
ID: 39907159
yes your cert is not trusted by non domains client


get your self cert from trusted ca (preferably wildcard one)


and follow that

http://www.youtube.com/watch?v=159sP_ExWDg

and that

http://technet.microsoft.com/library/cc771696.aspx
0
 
LVL 11

Expert Comment

by:Giladn
ID: 39907211
Hi, If I understand your question right then janpakula is correct, non domain members are unable to trust the certificate, this is why 3rd party certificates are expensive, they can be trusted  :)
are those clients dynamic? is installing the self signed certificate on every device not an option?

I'm using SSL wildcard certificate from Godaddy
http://www.godaddy.com/ssl/ssl-certificates-new2.aspx
works fine, expensive though..
0
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 39907234
yup - i also use Godaddy :)
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39907962
Well - you could also bypass this by unchecking the "validate server identity" on non-domain clients.
What non-domain clients do you have?
and is your domain a .local domain, or a public routable, like .com or similar?
from 2017 Public CAs won't issue certificates to "local" domain names
0
 
LVL 1

Author Closing Comment

by:labdunn
ID: 39977987
Got a godaddy cert and non-domain clients are now able to connect.

Thanks
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
The core idea of this article is to make you acquainted with the best way in which you can export Exchange mailbox to PST format.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question