How do I set up redundant RADIUS servers without the end user having to accept another certificate?
Posted on 2014-09-19
I have set up a Server 2012 R2 NPS server as my RADIUS server for authentication on our wireless network. I am also using an internal MS Certificate Authority to deploy certificates to all of our domain computers.
Our domain computers connect great using their certificate, and end users don't see any prompts to accept the certificate. I could easily set up a redundant RADIUS server for this, because they don't need to accept the certificate.
The issue is that we also have several thousand non-domain devices that I have no control over, so these users must accept the certificate before connecting. These users get the prompt, depending on their device.
I could find no way to get a non-domain Windows 7 or 8 computer to connect to our 802.1X network without first setting up the network in Manage Wireless Networks and disabling the certificate checking. They will not even give me the option to approve the certificate unless I do this. Is this right? It seems strange that it won't even allow the end user the option to approve the certificate. Every other OS seems to give this option just fine. I got around this issue by getting a certificate from an external CA, and now these non-domain computers get the prompt to accept the certificate without setting up the network first. The issue I have now is that my domain users also get this same prompt on their domain computers (when authenticating as the user, not the computer) because they don't automatically trust this external CA like they do the internal one. I really don't want to add the external CA to NTAuth so that it trusts all certs from this CA. What do others do in this situation?
Well, that should be a good background on the setup. Now I am looking for a way to set up a redundant RADIUS server. How can I set up a redundant RADIUS server so that when it is used, the end user (non-domain, no control over their computer, and I don't want to make them set up their wireless network before connecting) doesn't have to accept another certificate for another server? It would also be great if I didn't have to buy an additional certificate from an external CA.
Thank you for your time.
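Added example, not part of the original post or any reply to it: the client-side prompt the post describes is tied to the server certificate the NPS presents during PEAP/EAP, not to the server host, so one way to get redundancy without a second prompt or a second purchased certificate is to install the very same certificate (with its private key) on the second NPS and replicate the NPS configuration. The PowerShell below assumes the primary is NPS1, the secondary is NPS2, the EAP server certificate's subject starts with `CN=radius.example.com`, and the certificate was enrolled with an exportable private key; all of those names and paths are assumptions, not values from the post.

```powershell
# Added example (not the original poster's code). Assumed names: NPS1 (primary),
# NPS2 (secondary), subject CN radius.example.com, paths under C:\Temp.
# Goal: both RADIUS servers present the SAME EAP server certificate, so a
# supplicant that has already accepted it is not prompted again on failover.

$PfxPath    = 'C:\Temp\nps-eap.pfx'          # assumed path
$ConfigPath = 'C:\Temp\nps-config.xml'       # assumed path
$ThumbPath  = 'C:\Temp\nps-eap.thumbprint'   # assumed path
$Password   = Read-Host -AsSecureString -Prompt 'PFX password'

# ---------- Run on NPS1 ----------
# Pick the newest certificate with a private key that matches the EAP cert's subject.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like 'CN=radius.example.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) { throw 'EAP server certificate not found in Cert:\LocalMachine\My' }

# Export cert + private key + chain. This fails if the key was enrolled as
# non-exportable; in that case the certificate must be re-enrolled with an
# exportable key before this approach can work.
Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $Password -ChainOption BuildChain | Out-Null
$Cert.Thumbprint | Set-Content -Path $ThumbPath

# Export policies, RADIUS clients and shared secrets so NPS2 behaves identically.
Export-NpsConfiguration -Path $ConfigPath

# Copy the three files to NPS2 over an authenticated SMB admin share (assumed reachable).
Copy-Item -Path $PfxPath, $ConfigPath, $ThumbPath -Destination '\\NPS2\C$\Temp\'

# ---------- Run on NPS2 ----------
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Password | Out-Null
Import-NpsConfiguration -Path $ConfigPath

# Verify NPS2 now holds the identical certificate (same thumbprint, with private key).
$Expected = (Get-Content -Path $ThumbPath).Trim()
$Imported = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Expected }
if (-not $Imported -or -not $Imported.HasPrivateKey) {
    throw "Certificate $Expected was not imported with its private key on NPS2"
}
Write-Host "NPS2 presents the same EAP certificate: $Expected"

# Do not leave the PFX (private key material) lying around on either server.
Remove-Item -Path $PfxPath -Force
```

After the import, open the network policy's PEAP (or EAP-TLS) settings on NPS2 and confirm the imported certificate is the one selected; then add NPS2 as a second RADIUS server on the wireless controller or access points so failover actually occurs. Because the thumbprint and subject are identical on both servers, a supplicant that validates the server certificate sees no change whichever server answers.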