I have my SSID "Secured-Company" set up with Enterprise using my RADIUS server. I have NPS set up with the following:
I deployed a GPO to all my domain-joined computers with the settings needed to connect to "Secured-Company". When it is at the logon, the computer is able to connect to the SSID and I can still remote manage it. When the user logs in, they remain connected as long as it is a Domain account. A local account causes the access to the SSID to be denied.
The issue is with the Network Policy condition "Windows Groups = Domain Computers OR Domain Users". Someone can still bring in their home laptop and use their credentials to connect to my secured "Secured-Company" SSID. Is there a way to configure this so ONLY Domain Users with Domain Joined computers can connect?
I tried to set the Network Policy to just "Windows Groups = Domain Computers", which allowed the computer to connect at boot up, but when the user logs in, they lose connection.
How did you configure the Supplicant through the GPO? It should be mode "Computer Authentication" to only authenticate the machine and not the user.
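One way to verify that the GPO actually delivered the "Computer Authentication" mode described above is to audit the WLAN profile as exported with `netsh wlan export profile`. This is an added example, not part of the original thread; the function names are hypothetical and the sample XML is constructed, trimmed to the elements the check reads.

```python
import xml.etree.ElementTree as ET

NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}

def sample_profile(ssid, auth_mode):
    """Constructed sample: trimmed shape of an exported WLAN profile."""
    mode = f"<authMode>{auth_mode}</authMode>" if auth_mode else ""
    return f"""<WLANProfile xmlns="{NS['wlan']}">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication>
      <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="{NS['onex']}">{mode}</OneX>
  </security></MSM>
</WLANProfile>"""

def audit_profile(xml_text, expected_ssid="Secured-Company"):
    """Return (ssid, auth_mode, ok, reason) for one exported profile."""
    root = ET.fromstring(xml_text)
    ssid = root.findtext("wlan:SSIDConfig/wlan:SSID/wlan:name", namespaces=NS)
    if ssid != expected_ssid:
        return ssid, None, True, "not the audited SSID, skipped"
    sec = root.find("wlan:MSM/wlan:security", NS)
    onex_on = None if sec is None else sec.findtext(
        "wlan:authEncryption/wlan:useOneX", namespaces=NS)
    if onex_on != "true":
        return ssid, None, False, "802.1X is not enabled on this profile"
    mode = sec.findtext("onex:OneX/onex:authMode", namespaces=NS)
    if mode is None:
        # No explicit value: the profile is not pinned to machine credentials.
        return ssid, None, False, "authMode not set, supplicant default applies"
    if mode != "machine":
        # "user" and "machineOrUser" both let the supplicant present user
        # credentials, which an NPS policy of "Domain Computers" rejects.
        return ssid, mode, False, "user credentials may be sent after logon"
    return ssid, mode, True, "machine credentials only"

if __name__ == "__main__":
    for m in ("machine", "machineOrUser", "user", None):
        print(audit_profile(sample_profile("Secured-Company", m)))
```

A profile that reports `machine` pairs with the NPS condition "Windows Groups = Domain Computers"; any other result explains the disconnect at user logon described in the question.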
Excellent. That worked.
Hi, would you mind sharing your configuration? I'd like to set up the same thing to allow employees to authenticate and connect to the wireless with their AD account but only from domain-joined devices.
This is a completely different thing and not possible with NPS. To reliably enforce that users can authenticate only from domain machines you need TEAP and NPS is not capable of that.
Thank you for the clarification. That has been my finding as well with NPS and I thought OP found the solution.