WPA2 Certificate only Auth on Macs and PCs

I am new to WPA2 authentication. We are using Meraki APs on our network. We have RADIUS working as far as being able to authenticate with Domain User IDs and get on the SSID. However, this is not our goal. We are in a school environment and do not want things brought from home used on internal networks, so we need to identify our hardware (Macs and PC laptops) and allow it onto the network no matter who is on it. We are using Microsoft NPS as the RADIUS server. Our Network Policy grants NAS Port IEEE 802.11; I have added a Windows Group for Domain Admins as a test of User Authentication and a Machine Group of Domain Computers. The Admins can log on but machines cannot. In particular, the Macs ask for User ID and Password, and our student IDs do not pass the test. How do I get Computer-only logins?
GCISDEngineer Asked:

Craig Beck Commented:
You need to use computer certificates to allow devices rather than users to authenticate.  As well as that you need to only allow "smart card or other certificate" instead of EAP-MSCHAPV2 in the constraints in the NPS policy.

Daniel Patch, IT Manager, Commented:
Have you setup a PKI?  This will be needed to distribute certificates to your domain devices.
GCISDEngineer (Author) Commented:
PKI is set up. It is sounding like I need to have a separate policy for the certificate authentication and place it higher. My Meraki guy uses CHAPv2 for Meraki APs to authenticate. I will go down that road for a bit and post my results.
Craig Beck Commented:
It doesn't matter where you place the policy as long as you make the conditions strict.  Similarly, you could simply add "Smart Card or other Certificate" to the constraints in the existing policy to let you authenticate computers, then just remove MSCHAPV2 once you're happy that everyone is doing what you want.
GCISDEngineer (Author) Commented:
Thanks Craig.

OK, the PCs are working. I am having issues getting Macs to use WPA2 with Computer Authentication.

It seems that being bound to the domain does not let them pass computer credentials; it always wants User credentials, and we do not want Users to bring in their own Macs on our network. I attached the logs and can get more info if anyone is a Mac pro.
GCISDEngineer (Author) Commented:
The error I am fighting with the Macs is 6273 Reason 66.

The PCs put the following in the Information Event Log:

1 Message about NPS Opening LDAP
1 Message of NPS granting access
1 Message about NPS granting Full Access

The Macs give 2 Audit failures of Denied access 6273 Reason 66 that the method is not enabled.

I feel this is simply a matter of opening the proper policy method but I have no idea what the Mac is using and have not found where it is logged.
Craig Beck Commented:
Can you post the log that says the method is not enabled please?  This will tell me which authentication method was being used by the client.
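As an added example (not part of this thread or of NPS itself), here is a small Python parser for NPS audit events saved as text. It pulls out the EAP Type and Reason Code of each event so you can see which method a denied client actually presented, which is exactly what the 6273 / reason 66 log tells you. The two events below are constructed, with made-up host names, but use the real 6272/6273 field names and the real reason-66 wording.

```python
import re
from collections import Counter

# Constructed sample of exported NPS audit events (Security log, IDs 6272/6273),
# trimmed to the fields that matter here. Field names and the reason-66 text
# follow the Windows event format; host names and policy name are made up.
SAMPLE_LOG = """\
Event ID: 6273
Network Policy Server denied access to a user.
    Account Name:            host/mac-lab-01.example.internal
    Network Policy Name:     Secure Wireless Computers
    Authentication Type:     EAP
    EAP Type:                Microsoft: Secured password (EAP-MSCHAP v2)
    Reason Code:             66
    Reason:                  The user attempted to use an authentication method that is not enabled on the matching network policy.

Event ID: 6272
Network Policy Server granted access to a user.
    Account Name:            host/pc-lab-07.example.internal
    Network Policy Name:     Secure Wireless Computers
    Authentication Type:     EAP
    EAP Type:                Microsoft: Smart Card or other certificate
    Reason Code:             0
    Reason:                  The connection request was successfully authenticated.
"""

FIELDS = ("Account Name", "Network Policy Name", "Authentication Type",
          "EAP Type", "Reason Code", "Reason")


def parse_nps_events(text):
    """Split exported event text into one dict per event, keyed by field name."""
    events = []
    for chunk in re.split(r"(?m)^Event ID:[ \t]*", text):
        if not chunk.strip():
            continue  # text before the first "Event ID:" header
        event_id, _, body = chunk.partition("\n")
        rec = {"Event ID": int(event_id.strip())}
        for field in FIELDS:
            # Anchored on the field name, so "Reason:" does not match "Reason Code:".
            m = re.search(rf"^\s*{re.escape(field)}:\s*(.*?)\s*$", body, re.M)
            rec[field] = m.group(1) if m else None
        events.append(rec)
    return events


def denied_methods(events):
    """Count (EAP Type, Reason Code) for every denied request (event 6273)."""
    return Counter((e["EAP Type"], e["Reason Code"])
                   for e in events if e["Event ID"] == 6273)
```

With a real export, read the saved event text into SAMPLE_LOG's place; a denied client whose EAP Type is not in the policy's allowed methods shows up directly in the counter.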
GCISDEngineer (Author) Commented:
Craig, I have since discovered the Macs are having issues with the way the Network Profile is pushed. They are able to connect via WPA2 using the configuration from the screen. I am going to look for some Profile Manager assistance to recreate automatically what I am doing manually.