GCISDEngineer (United States of America)

asked on

WPA2 Certificate only Auth on Macs and PCs

I am new to WPA2 authentication.  We are using Meraki APs on our network.  We have Radius working as far as being able to authenticate with Domain User Ids and get on the SSID.  However this is not our goal.  We are in a school environment and do not want things brought from home used on internal networks, so we need to identify our hardware (Macs and PC Laptops) and allow it onto the network no matter who is on it.  We are using Microsoft NPS as the Radius server.  Our Network Policy grants NAS Port IEEE 802.11; I have added a Windows Group for Domain Admins as a test of User Authentication and a Machine Group of Domain Computers.  The Admins can log on but machines cannot.  In particular the Macs ask for User ID and Password and our student IDs do not pass the test.  How do I get Computer only logins?
ASKER CERTIFIED SOLUTION
Craig Beck (United Kingdom of Great Britain and Northern Ireland)
Daniel Patch

Have you set up a PKI?  This will be needed to distribute certificates to your domain devices.
GCISDEngineer (ASKER)

PKI is set up.  It is sounding like I need to have a separate policy for the certificate authentication and place it higher.  My Meraki guy uses ChapV2 for Meraki APs to authenticate.  I will go down that road for a bit and post my results.
SOLUTION
Thanks Craig

OK, the PCs are working.  I am having issues getting Macs to use WPA2 with Computer Authentication.

It seems that being bound to the domain does not let them pass computer credentials; it always wants User credentials, and we do not want Users to bring in their own Macs on our network.  I attached the logs and can get more info if anyone is a Mac Pro.
The error I am fighting with the Macs is 6273 Reason 66.

The PCs put the following in the Information Event Log:

1 Message about NPS Opening LDAP
1 Message of NPS granting access
1 Message about NPS granting Full Access

The Macs give 2 Audit failures of Denied access 6273 Reason 66 that the method is not enabled.

I feel this is simply a matter of opening the proper policy method but I have no idea what the Mac is using and have not found where it is logged.
Can you post the log that says the method is not enabled please?  This will tell me which authentication method was being used by the client.
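One way to pull exactly the fields Craig is asking for, as an added example that is not part of the thread: this PowerShell script, run as an administrator on the NPS server, reads the Security log for Event ID 6273 (access denied), extracts the Authentication Type, EAP Type, Reason Code and matching Network Policy from each event's message text, and groups them so you can see which method the Macs are offering and which policy is refusing it. The `Get-NpsField` helper, the `$Hours`/`$ReasonCode` parameters and the output layout are my own; the field labels are the ones NPS writes into the 6273 message.

```powershell
# Added example (not from the thread): summarise NPS Event ID 6273 (access
# denied) entries so the EAP method each client offered is visible.
# Assumes it runs as an administrator on the NPS server itself.
param(
    [int]$Hours = 24,
    [int]$ReasonCode = 66   # 66 = "auth method not enabled on the matching network policy"; 0 = show all
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Pull one labelled field ("Label:<tab>value") out of the 6273 message text.
# First match wins, so 'Account Name' returns the User section, not the Client Machine section.
function Get-NpsField {
    param([string]$Message, [string]$Label)
    $m = [regex]::Match($Message, "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$")
    if ($m.Success) { $m.Groups[1].Value } else { '' }
}

$rows = foreach ($e in $events) {
    $msg    = $e.Message
    $reason = Get-NpsField $msg 'Reason Code'
    if ($ReasonCode -and $reason -ne "$ReasonCode") { continue }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = Get-NpsField $msg 'Account Name'
        ClientMac  = Get-NpsField $msg 'Calling Station Identifier'
        Policy     = Get-NpsField $msg 'Network Policy Name'
        AuthType   = Get-NpsField $msg 'Authentication Type'
        # EAP-TLS (certificate) shows as "Microsoft: Smart Card or other certificate";
        # PEAP-MSCHAPv2 shows as "Microsoft: Protected EAP (PEAP)".
        EapType    = Get-NpsField $msg 'EAP Type'
        ReasonCode = $reason
    }
}

# Which policy / auth type / EAP type combinations are being refused, most frequent first
$rows | Group-Object Policy, AuthType, EapType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full detail of the most recent refusals, to paste into a reply
$rows | Sort-Object Time -Descending | Select-Object -First 10 | Format-List
```

If the Macs show up under a policy that only allows PEAP while their EAP Type is the certificate method (or the reverse), that mismatch is the Reason 66 the asker is seeing, and the fix is in the policy's allowed EAP types rather than on the client.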
Craig, I have since discovered the Macs are having issues with the way the Network Profile is pushed.  They are able to connect via WPA2 using the configuration from the screen.  I am going to look for some Profile Manager assistance to recreate automatically what I am doing manually.