Certificate selection when using 802.1x authentication
Hello I have a question on how a certificate is selected from a computers personal certificates when using 802.1x for wireless authentication using Windows NPS server as RADIUS. I have been having issues with users not being able to authenticate to the office WiFi, and after looking at the logs on the NPS server it shows that the computer is giving the NPS server a certificate other than the one belonging to the computer account. There is a list of certificates in the personal certificate store, and the one certificate for the computer account (given by the on prem PKI) is at the bottom of the list. So it looks like it is just choosing the first certificate in the list, and then failing authentication and not giving the correct cert. Shouldn't it go down the list of certs and eventually giving the correct cert instead of the first one in the list and causing authentication to fail? Hope this make sense any insight is appreciated! Thanks.
Use AD to restrict access for VPN users
I'm a network technician, working mostly with campus networks (Cisco mostly) and security appliances like firewalls. I'm not very good at Windows Server configuration, so I need a bit of help solving an issue with AD and NPS that google does not solve for me. :) I'm setting up Remote Access VPN (it's not Direct Access or any other Microsoft VPN solution). When user A connects via VPN, he should not be able to access everything though the VPN tunnel, it should be locked down to a few IP addresses and port numbers, like: 192.168.40.0/24, port 80 172.16.55.43, port 22 User A might be member of a group, and others in that group should have the same restriction. The general idea is that an organisation should be able to configure this access restriction in AD and not have to log on to the firewall to do this. My question is how you configure this. The only way I have found is to create a separate Network Profile for every Group, and in that profile set group membership as a condition and a Cisco-AV-Pair specifying the ACL in the settings (pictures below). That's not a very scalable solution for large organizations. Is there a better way? I've set up a lab environment for this, based on a DC and a NPS server. I'm not sure if NPS is needed but it seemed reasonable (maybe there is an LDAP solution?). I've configured RADIUS authentication via the NPS server and it works, it's just the ACL bit on AD that's missing.
Looking for assistance with NPS cert based Wifi for Macs and PCs
So we have a somewhat unique situation that I am trying to figure out any solution that works.. We are currently using Meraki hardware for our wireless system and we have a directive from management to work to integrate out various systems so that we can deploy a company-wide wireless network(s) that used cert based authentication instead of the current username/password that times out every couple weeks. For further context, we have windows based servers with a local AD domain synced to Office 365. We are also using one of our DCs as a CA, but it is not being used for anything. We have several NPS servers setup and we can get our windows, domain joined machines to work fairly well on the Meraki System. The problem comes in with our Mac users. Our AD domain was setup moons ago when using a .int TLD for the domain name along with other best practice issues that would be too disruptive to properly fix. As of now, we can't get our Mac machines to properly authenticate or trust the Wi-Fi networks when we use the NPS profiles/certs. We did recently get invested in a PKI system through digicert that we are currently using for our Client VPN and have been trying to use auto-enrolled certs from that, but similarly to no avail. The final nail in the coffin is that we are under a budget crunch, so investing in something like JumpCloud or some other online hosted RADIUS service is not happening anytime soon. I have looked at the documentation for Setting up 802.1x and we can do user authentication fairly well, but we have been instructed to get machine/certificate based authentication working. Long story short, what I am hoping to find is an article or video or something that discusses setting up windows NPS to interact with Meraki SSIDs so that both domain joined PCs and non-domain joined Macs can use one or more SSIDs to do cert based authentication.
User or computer certificate selection for 802.1x
I've set up an NPS, on windows 2019, to be used as Radius server for 802.1x certificate-based autentication. On NPS I made a connection profile with both Domain Users And Domain Computer so that belonging to one of them should enable to connect to wi-fi, provided that the computer OR the user has a valid Cert. I found, however, that it seems that the connection only works if "at least" there's the computer certificate. If a computer has not the certificate but the user does it does not connect. What is wrong ? thanksNetwork Policy Server 2016 RADIUS logs
Hello, I'm seeing something strange in Wireshark when user successfully authenticates through CISCO VPN. The connection policy specifies RAS VPN-Dial up as NAS, in the conditions - NAS Port Type - Virtual (VPN), the rest is at the default. Network Policy below: What could be causing the error?
NPS on reboot choses wrong certificate
Seems that recently (after May 2024 update?) certificate selected for Microsoft: Smart Care or other certificate does not "stick" I need it to use RAS template certificate, but on reboot it will select longest certificate ie Remote Desktop And ofcourse all my wireless clients (machine certificate based RADIUS authentication) are DENIED access and hell breaks lose. Same issue with primary-to-secondary NPS sync (where whole config gets exported from source, deleted on destination & re-imported on destination, as scheduled task) Anybody has any idea how to force specific certificate to STAY as selected by admin (me) Thanks SebNPS ODBC Logging on Server 2022 isn't working
I've setup new NPS servers. When I setup accounting with an SQL DB connection the tables are not generated correctly. I have an old install and the tables have much more info. I have tried to change to ODBC and IAS log formats, but I can't seem to get it to work. The tables are not generated unless I run the wizard. The wizard always sets things back to DTS compliant. I have searched for days now on a fix. What is the problem with NPS? Does anyone know how to fix this? HELPConnect a Workgroup device on 802.1x Network with NPS
We have an 802.1X-secured Wi-Fi network using EAP-TLS authentication with machine certificates. Domain-joined devices connect and authenticate successfully. However, we have a scenario where some non-domain (Workgroup) Windows 11 devices must connect to this network — and they fail to authenticate. What we've tested so far: User Certificate Approach: Created a duplicate of the User certificate template. Set Compatibility to Windows Server 2008 (to enable key storage provider support). Set Application Policies to include only Client Authentication. Set Subject Name to Supply in the request. During enrollment, we ensured the UPN in the certificate matches the AD user's UPN (e.g., mailto:user@domain). We verified the certificate appears under Published Certificates in the AD user's account. Machine Certificate Approach: Created a certificate with: CN=host/hostname.domain.local in the Subject DNS=hostname.domain.local in the SAN Client Authentication EKU Ensured the certificate is installed in the Local Machine store with private key. In AD: Created a Computer object matching the machine name. Added the ServicePrincipalName (SPN): host/hostname.domain.local Added altSecurityIdentities: "X509:<i>CN=CA Name,DC=domain,DC=local<s>CN=host/hostname.domain.local</s></i>" What we observe in NPS Event Viewer: Each connection attempt from a Workgroup machine — even with valid certificate, and proper mapping — results in: Reason Code: 16 Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect. We also ensured that: NPS has a valid certificate with Server Authentication EKU The authentication method used is Microsoft: Smart card or other certificate (EAP-TLS) The policies are configured for certificate-based authentication only The question How can we make NPS map a client certificate (from a non-domain device) to a user or computer account in Active Directory, so that authentication succeeds? Are there additional requirements for altSecurityIdentities, or limitations for Workgroup clients that we're missing?
