802.X Access control with NPS (and AD CA for certificates)

hinewwiner
Here to help

802.X Access control with NPS (and AD CA for certificates)

Hello

 

I currently have set up so that my company's both wired and wireless network gets 802.X authentication.

I have also set up so that both wired and wireless gets verified on the server's identify by validating the certificate and have Active Directory CA auto-enrollment setup to push out the server's certificate.

Everything works great but have a problem with new computers. (or newly OS installed computers)

 

The problem is that when I join a computer to a domain and reboot, it fails to connect to network saying Error 265 : "The certificate chain was issued by an authority that is not trusted."  I am suspecting that the 802.X policy kicks in before the computer gets a chance to receive certificate via GPO.   Only way to get around this is to connect to company's guest wireless network and run 'gpupdate /force' to force update GPO to receive the certificates then everything works fine.

 

Is there a better way to get around this?  My AP/SW is setup so that the computer gets on to Guest VLAN in case of 802.X authentication failure but it seems like Windows just blocks network when 802.X auth fails. (or maybe its Meraki doing this per diagram in here (https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X))  

 

Is there a way to fallback to guest Vlan when 802.X fails?  I am also thinking to disable certificate verification on Wired network as I am not sure there is much value to it assuming physical security of our company is decent.

 

Any help would be appreciated.

 

(My client computer runs on Windows 10 and AD/ADCA/NPS are running under Windows Server 2016.   

5 Replies 5
MFuchs
Here to help

Perhaps it would help you to use

switch -> configure -> access policies -> guest vlan.

This VLAN is used as a guest or remediation VLAN if auth fails.

franz11
Comes here often

how to assign ip to the guest vlan? im just a new in networks

MFuchs
Here to help

Look under routing & dhcp in the switch settings. 

Either set up a dhcp server in the VLAN or let the meraki switch do the job. This is for the clients. For the vlan to set up the up you have to look under The VLANs settings. 

franz11
Comes here often

noted on this. i will share to you my scenario. currently, we have a catalyst switch installed so I connect my new Meraki switch to through trunking. my additional question is do i need to create a guest vlan also on my existing catalyst switch?

thank you very much

MFuchs
Here to help

as long as the catalyst does not transport ALL VLans you should create one.

But i'm not the catalyst expert...

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels