How does a non-domain computer use authentication with a Microsoft NPS server?

CBM
Here to help

I am using my DC as a Microsoft NPS RADIUS server for wireless authentication. I am having problems with computers that are not able to join a domain (Windows 7 Home Edition) joining using a valid AD account and password; I can't authenticate these devices unless they belong to the Windows domain. Any help would be greatly appreciated.

PhilipDAth
Kind of a big deal

Authenticate using PEAP and MSCHAPv2.


You'll need to install your CA certificate on the non-domain computers in their trusted root authorities certificate store before they'll trust your NPS server.

Thanks for the quick answer, Philip.

I'm authenticating using PEAP and MSCHAPv2 and it works on Windows computers that are in our Windows domain; they have our certificate generated with our Windows CA on our DC.

But my problem is with Windows computers belonging to providers, consultants, etc., where I can't install anything on their computers, or they don't have permission to install anything. I can't install our certificate.

Is it possible to make it work with something like a certificate warning that you accept and then go onto the Wi-Fi, as it works with iOS and Android devices? Maybe I have to use a public certificate, but my Windows domain is xxxx.org, which isn't public; I think I can't get a public certificate for my DC like server01.xxx.org. Sorry if I say something wrong, but the certificate world is a new subject for me 🙂

PhilipDAth
Kind of a big deal

Windows will only PEAP authenticate with a trusted RADIUS server. If you can't install a certificate or change anything on their machine then there is no way they will be able to attach.

Thank you Philip for the answer.


I think so; then I have a problem. I don't want to implement WPA2, but it seems to be the solution.

Hello, I have a similar issue.


Scenario: I am working on an Active Directory domain migration project. Both domains have a two-way trust between them. In the new domain I do not have the wireless infrastructure set up, so I am trying to connect to the wireless network which is in the old domain. In the old domain the wireless setup is based on RADIUS (Windows NPS). I am unable to connect to the network.

Problem: I think the problem is because of the certs, but I'm not sure how to resolve it. The event log on the laptop, which is in the domain, says "the certificate received from the remote server was issued by an untrusted certificate authority. because of this none of the data contained in the certificate can be validated. the TLS connection request has failed the attached data contains the server certificate"


How can we import that cert on the laptop in the new domain? (The cert on the RADIUS server has a cert chain trusted by a different agency.)


PhilipDAth
Kind of a big deal

To make this work you would need to go into NPS and configure it to allow machines from the remote domain. I'm not confident NPS has this capability but you can try.


Then you need to create a group policy in the new domain to add the root certificate used for signing the NPS server certificate into the trusted certificate authority store.

@PhilipDAth is right. This is why I like to purchase certs for NPS servers. That way they are already trusted.

PhilipDAth
Kind of a big deal

>@PhilipDAth is right. This is why I like to purchase certs for NPS servers. That way they are already trusted.


In this case that has some merit.

JohnT
Getting noticed

Yes, purchasing certs would work, or you can add the Certificate Authority certificate to the trusted root certificate store in both domains by deploying them with group policy. Then the certificates would be trusted by all computers in both domains.
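Whichever route is taken (a purchased certificate or a GPO-deployed root), the untrusted-CA event quoted earlier in this thread comes down to one question: does the NPS server certificate chain to something in the client's Trusted Root store, and does it carry the Server Authentication EKU that PEAP supplicants require? The check below is an added example, not code from the thread or from Microsoft; it assumes the NPS server certificate (public part only) has been exported to a file at a placeholder path, and it builds the chain against the local machine's own trust stores, so it can be run on a laptop in the new domain to confirm a GPO deployment actually landed.

```powershell
# Added example (not from the thread): on a client, verify that an exported
# NPS server certificate chains to a trusted root and has the EKU PEAP needs.
# Assumption: $ServerCertPath is a placeholder for the exported .cer file.

$ServerCertPath = 'C:\temp\nps-server.cer'   # placeholder path to the exported server cert

$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertPath

# Server Authentication (OID 1.3.6.1.5.5.7.3.1) must be present in the EKU extension (OID 2.5.29.37).
$ekuExt = $serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = $false
if ($ekuExt) {
    $hasServerAuth = ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1'
}

# Build the chain against this machine's trust stores, the way the supplicant would.
# Revocation is skipped so the check works offline; an untrusted root fails regardless.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainTrusted = $chain.Build($serverCert)

# The last element of a successfully built chain is the root that was trusted.
$rootThumbprint = $null
if ($chainTrusted) {
    $rootThumbprint = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
}

[pscustomobject]@{
    Subject          = $serverCert.Subject
    NotAfter         = $serverCert.NotAfter
    HasServerAuthEku = $hasServerAuth
    ChainTrusted     = $chainTrusted
    ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    RootThumbprint   = $rootThumbprint
}
```

A result of `ChainTrusted = False` with `ChainStatus` containing `UntrustedRoot` is the same condition the event log message in this thread describes, and it means the root has not reached this machine's store yet (for a GPO deployment, a `gpupdate /force` and a reboot are the usual first things to check). `HasServerAuthEku = False` means the certificate will be rejected by PEAP clients even once its root is trusted, so the NPS certificate itself needs reissuing from a template that includes Server Authentication.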

CptnCrnch
Kind of a big deal

As long as you're referring to devices that are able to handle cert based authentication. But in each and every network, there's more than that.


Unfortunately, many Windows admins don't see that, and that's one of the main reasons NPS sucks big time...
