802.X Access control with NPS (and AD CA for certificates)


Hello

I currently have it set up so that both my company's wired and wireless networks use 802.1X authentication.

I have also set it up so that both wired and wireless clients verify the server's identity by validating its certificate, and have Active Directory CA auto-enrollment set up to push out the server's certificate.

Everything works great, but I have a problem with new computers (or computers with a newly installed OS).

The problem is that when I join a computer to the domain and reboot, it fails to connect to the network with Error 265: "The certificate chain was issued by an authority that is not trusted." I suspect that the 802.1X policy kicks in before the computer gets a chance to receive the certificate via GPO. The only way to get around this is to connect to the company's guest wireless network and run 'gpupdate /force' to force a GPO update and receive the certificates; then everything works fine.

Is there a better way to get around this? My AP/switch is set up so that the computer gets onto the guest VLAN if 802.1X authentication fails, but it seems like Windows just blocks the network when 802.1X auth fails (or maybe it's Meraki doing this, per the diagram here: https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)).

Is there a way to fall back to the guest VLAN when 802.1X fails? I am also thinking of disabling certificate verification on the wired network, as I am not sure there is much value in it, assuming the physical security of our company is decent.

Any help would be appreciated.

(My client computers run Windows 10, and AD/ADCA/NPS run on Windows Server 2016.)
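An added diagnostic for the situation described above (example code, not from the thread or from Meraki): run on the freshly joined Windows 10 client to check whether the CA that issued the NPS server certificate is already in the machine's Trusted Root store, and if not, apply the poster's gpupdate workaround and re-check. The CA subject name is a placeholder assumption; replace it with your own AD CS CA's name.

```powershell
# Added example: check for the root CA behind Error 265 on a new domain-joined client.
# Placeholder assumption: substitute the subject of your AD CS root CA.
$CaSubjectPattern = 'CN=EXAMPLE-CORP-CA'

function Get-TrustedRootCa {
    # Look only in the machine (not user) root store; 802.1X machine auth uses this one.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$CaSubjectPattern*" }
}

$root = Get-TrustedRootCa
if ($root) {
    Write-Host "Root CA present in LocalMachine\Root, thumbprint:" $root.Thumbprint
    # The wired 802.1X profile's EAP settings must also list this CA as trusted.
    netsh lan show profiles
} else {
    Write-Warning "'$CaSubjectPattern' is not in LocalMachine\Root; server validation will fail with Error 265."
    # Pull Group Policy now so the GPO-published root certificate is applied, then re-check.
    gpupdate /force | Out-Null
    if (Get-TrustedRootCa) {
        Write-Host "Root CA now installed; reconnect the 802.1X interface."
    } else {
        Write-Warning "Still missing: the client likely has no domain connectivity to download the GPO."
    }
}
```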


Re: 802.X Access control with NPS (and AD CA for certificates)

Perhaps it would help you to use

switch -> configure -> access policies -> guest vlan.

This VLAN is used as a guest or remediation VLAN if auth fails.


Re: 802.X Access control with NPS (and AD CA for certificates)

How do I assign an IP to the guest VLAN? I'm just new to networks.


Re: 802.X Access control with NPS (and AD CA for certificates)

Look under Routing & DHCP in the switch settings.

Either set up a DHCP server in the VLAN or let the Meraki switch do the job. This is for the clients. To set up the VLAN itself, you have to look under the VLANs settings.


Re: 802.X Access control with NPS (and AD CA for certificates)

Noted on this. I will share my scenario with you. Currently, we have a Catalyst switch installed, so I connect my new Meraki switch to it through trunking. My additional question is: do I need to create a guest VLAN on my existing Catalyst switch as well?

Thank you very much.


Re: 802.X Access control with NPS (and AD CA for certificates)

As long as the Catalyst does not transport ALL VLANs, you should create one.

But I'm not the Catalyst expert...
