I am using my DC as a NPS Microsoft RADIUS server for wireless authentication. I was having problems with computers that are not able to join a domain (Windows 7 Home Edition) to join using a valid AD account and password, I can't authenticate this devices unless these devices belong to the windows domain. Any help would be greatly appreciated.
Solved! Go to Solution.
Authenticate using PEAP and MSCHAPv2.
You'll need to install your CA certificate on the non-domain computers in their trusted root authorities certificate store before they'll trust your NPS server.
Thanks for the quickly answer Philip.
I'm authenticating using PEAP and MSCHAPv2 and works in windows computers thar are in our windows domain, they have our certificate generate with our windows CA in our DC.
But my problem is with windows providers's computers, consultants..., that I can't install anything in their computers, or they don't have permission to install anything. I can't install our certificate.
Is it possible that work with something like appear a warning error by certificate accept and go into the wifi?, as it is working with IOS and android devices. Maybe I have to use a public certificate, but my windows domain is xxxx.org, it isn't public, I think I can't have a public certificate for my DC like server01.xxx.org. Sorry if I tell something wrong, but the certificate world it is a new subject for me 🙂
Thank you Philip for the answer.
I think so, then I have a problem, I don't want to implement WPA2, but it seems the solution.
@PhilipDAth is right. This is why I like to purchase certs for NPS servers. That way they are already trusted.
Hello, I have a similar issue.
Scenario: i am working on a Active Directory domain migration project. both the domains have two way trust between them. In the new domain i do not have wireless infrastructure setup, so i am trying to connect to wireless network which is in old domain. In the old domain wireless setup is based on Radius (NPS windows). i am unable to connect to network.
Problem: I think the problem is because of the certs but not sure how to resolve it. on the event log on the laptop which is in domain says "the certificate received from the remote server was issued by an untrusted certificate authority. because of this none of the data contained in the certificate can be validated. the TLS connection request has failed the attached data contains the server certificate"
how can we import that cert on the laptop in new domain? (the cert on radius server has cert chain trusted with different agency)
To make this work you would need to go into NPS and configure it to allow machines from the remote domain. I'm not confident NPS has this capability but you can try.
Then you need to create a group policy in the new domain to add the root certificate used for signing the NPS server certificate into the trusted certificate authority store.
>@PhilipDAth is right. This is why I like to purchase certs for NPS servers. That way they are already trusted.
In this case that has some merit.
Yes, purchasing certs would work, or you can add the Certificate Authority certificate to the trusted root certificate store in both domains by deploying them with group policy. Then the certificates would be trusted by all computers in both domains.
As long as you're referring to devices that are able to handle cert based authentication. But in each and every network, there's more than that.
Unfortunately, many Windows admins don't see that and that's one of the main reasons NPS sucks bug time...