radius settings MS NPS Server

zfrangi
Conversationalist


I'm looking to compare settings here with others who are using an MS NPS server to authenticate users for secure Wi-Fi. We have had a Meraki wireless system in place now for five years. From time to time we get staff who complain that they can no longer authenticate to the secure Wi-Fi on their Windows laptops. I have a suspicion that it happens whenever their A/D credentials expire or when they are logging onto the machine for the first time and need to change the temp password. What we typically do is hardwire their laptop and have them sign in, and then it clears up. I have a feeling that the configuration on our NPS server may not be set up right. Something tells me that we need to have machine authentication turned on as well?
 

Does the machine authentication need to be done in the connection request policy and/or the network policies on the NPS server? For example, do I need to modify the conditions and add a machine group? Does it also need to be specified on the GPO object that's being pushed out to the machine as well? Looking over the guide from Meraki:

 

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_...

 

It appears that they are using user authentication for the policy on the NPS server but machine authentication in the GPO.
NolanHerring
Kind of a big deal

I do machine authentication specifically for the issue of either a shared laptop having a new user login for the first time, or at least getting the machine on the network for it to allow users to update creds etc.

Assuming you're using GPO to configure your laptops, you can configure it so it only allows machine auth, or both machine/user. On the NPS server you'll have to decide there as well which method you want to use. I don't have access to ours, but I believe we have both enabled (just in case). However, when a laptop turns on or reboots, it will auto-join our corp SSID as soon as it is finished booting.
Nolan Herring | nolanwifi.com
PhilipDAth
Kind of a big deal

If you have users who are mostly using WiFi you need to permit both their computer (I typically allow Domain Computers) and their user account.

 

Otherwise you get this situation: when the machine boots up, it is not connected to the Wi-Fi. The user tries to log in, but it can only use cached credentials. If the credentials don't match a newer change, then they can actually log into the machine but not attach to the Wi-Fi, because the Wi-Fi only knows the new credentials (it is talking to AD).

 

If you allow machine authentication as well, the machine starts up and joins the Wi-Fi. It can now also do group policy processing. The user goes to log in, but because the machine can now talk to a domain controller it doesn't have to use cached credentials. It actually authenticates directly against the AD controller. If that passes, the user logs in and then re-authenticates to the Wi-Fi using the known good credentials.
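The machine-or-user behaviour described above is controlled on the client by the `authMode` element of the Windows WLAN profile (the same XML a "Wireless Network (IEEE 802.11) Policies" GPO pushes, or that `netsh wlan export profile` writes out). The following is an added example from the editor, not code from the thread or from Meraki's guide, that parses such a profile and reports whether 802.1X is set to `machine`, `user` or `machineOrUser`. The profile name `CorpWiFi` and the embedded profile XML are constructed for the example.

```powershell
# Added example (editor's, not from the thread or Meraki's guide).
# Reports the 802.1X authentication mode of a Windows WLAN profile.
# A profile set to "user" only cannot join the SSID before logon, which is
# exactly the cached-credentials problem described in the thread.

function Get-WlanOneXAuthMode {
    param([Parameter(Mandatory)][xml]$Profile)

    # The WLAN profile and its OneX child use different default namespaces,
    # so XPath needs explicit prefixes for both.
    $ns = New-Object System.Xml.XmlNamespaceManager($Profile.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $ns.AddNamespace('o', 'http://www.microsoft.com/networking/OneX/v1')

    $name    = $Profile.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText
    $useOneX = $Profile.SelectSingleNode('//w:authEncryption/w:useOneX', $ns)
    $mode    = $Profile.SelectSingleNode('//o:OneX/o:authMode', $ns)

    # Assumption: when authMode is absent Windows treats the profile as machineOrUser.
    $authMode = if ($mode) { $mode.InnerText } else { 'machineOrUser' }

    [pscustomobject]@{
        Profile            = $name
        UseOneX            = [bool]($useOneX -and [bool]::Parse($useOneX.InnerText))
        AuthMode           = $authMode
        # True when the laptop can authenticate with its computer account before logon.
        JoinsBeforeLogon   = $authMode -in @('machine', 'machineOrUser')
    }
}

# Constructed sample: a user-only profile. The EAPConfig (PEAP-MSCHAPv2 settings)
# is omitted, so this XML is for parsing only and is not importable as-is.
$constructedProfile = [xml]@'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>user</authMode>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

Get-WlanOneXAuthMode -Profile $constructedProfile

# On a real domain laptop, check the profile that GPO actually delivered:
#   netsh wlan export profile name="CorpWiFi" folder="$env:TEMP"
#   Get-ChildItem $env:TEMP -Filter '*CorpWiFi*.xml' |
#       ForEach-Object { Get-WlanOneXAuthMode -Profile ([xml](Get-Content $_.FullName -Raw)) }
# Fix: set <authMode>machineOrUser</authMode> in the GPO's wireless policy (or in the
# exported XML, then `netsh wlan add profile filename=<file> user=all`).
```

For the constructed profile the function reports `AuthMode = user` and `JoinsBeforeLogon = False`. Changing the client to `machineOrUser` is only half the fix: the NPS network policy must also accept the computer account (for example, a Windows Groups condition containing Domain Computers), otherwise the machine authentication attempt is rejected and you are back to cached credentials.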

So basically I need to modify the connection request policy and the network policies and put in Domain Users and Domain Computers?

[Screenshots: npsserver1.PNG, npsserver2.PNG]

 

 

zfrangi
Conversationalist

So never mind, apparently I misspoke. You can only set up user and machine auth in the network policy on the NPS server. The connection request policy doesn't have those options. I'm attaching screenshots of what my changes look like. What sort of errors should I be looking for in the event log if something isn't working right? Crossing my fingers!!

 

Thanks

 

 

 

[Screenshots: npsserver4.PNG, npsserver3.PNG]
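On the event-log question above: NPS records every RADIUS decision in the Security log, Event ID 6272 for access granted and 6273 for access denied, with the reason code and the matched network policy in the event data. The following is an added example from the editor, not something posted in the thread, that pulls the 6273 events apart and tags each failure as a machine or user authentication, so you can see which leg of machine+user auth is breaking. The sample event (`LAPTOP42$`, `CORP`, the MAC and IP addresses) is constructed; the EventData field names are the ones NPS uses for 6273.

```powershell
# Added example (editor's, not from the thread). Run on the NPS server.
# Requires the "Network Policy Server" audit subcategory to be enabled:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

function ConvertFrom-NpsEvent {
    # $Event is an EventLogRecord from Get-WinEvent (or the constructed stand-in below).
    param([Parameter(Mandatory)]$Event)

    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        $d[$node.GetAttribute('Name')] = $node.'#text'
    }

    $account = $d['FullyQualifiedSubjectUserName']
    if (-not $account) { $account = $d['SubjectUserName'] }
    # Computer accounts appear as DOMAIN\HOST$ (or host/fqdn in the RADIUS User-Name).
    $isMachine = ($account -match '\$$') -or ($account -like 'host/*')

    [pscustomobject]@{
        Time          = $Event.TimeCreated
        Account       = $account
        AuthType      = if ($isMachine) { 'Machine' } else { 'User' }
        ClientMac     = $d['CallingStationID']
        RadiusClient  = $d['ClientIPAddress']      # the Meraki AP that sent the request
        NetworkPolicy = $d['NetworkPolicyName']    # empty when no policy matched
        EapType       = $d['EAPType']
        ReasonCode    = [int]$d['ReasonCode']
        Reason        = $d['Reason']
    }
}

function Get-NpsAccessDenied {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-NpsEvent -Event $_ }
}

# Constructed 6273 event: the computer account was rejected because no network
# policy matched it, i.e. Domain Computers is not in any policy's Windows Groups condition.
$constructedEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">LAPTOP42$</Data>
    <Data Name="FullyQualifiedSubjectUserName">CORP\LAPTOP42$</Data>
    <Data Name="CallingStationID">AA-BB-CC-DD-EE-FF</Data>
    <Data Name="ClientIPAddress">10.0.10.5</Data>
    <Data Name="NetworkPolicyName"></Data>
    <Data Name="EAPType">Microsoft: Secured password (EAP-MSCHAP v2)</Data>
    <Data Name="ReasonCode">48</Data>
    <Data Name="Reason">The connection request did not match any configured network policy.</Data>
  </EventData>
</Event>
'@
$constructedEvent = [pscustomobject]@{ TimeCreated = Get-Date }
$constructedEvent | Add-Member -MemberType ScriptMethod -Name ToXml -Value { $constructedEventXml }.GetNewClosure()

ConvertFrom-NpsEvent -Event $constructedEvent

# On the live server, summarise what is failing and why:
#   Get-NpsAccessDenied | Group-Object AuthType, ReasonCode |
#       Sort-Object Count -Descending | Select-Object Count, Name
```

Two patterns are worth looking for. Rows with `AuthType = Machine` and reason code 48 (no network policy matched) mean the computer account is not allowed by any network policy, so the laptop never gets on the SSID before logon. Rows with `AuthType = User` and reason code 16 (credentials mismatch) are the expired or freshly changed password case from the original post: the supplicant is still offering the old cached credential, or the user typed the temporary one. If you see a 6272 for the machine account followed by a 6273 for the user, the machine leg is working and the remaining problem is the user credential itself.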

PhilipDAth
Kind of a big deal

"Connection Request Policies" just say which requests to process locally on "this" server rather than sending them to another server.

You should not need to change the Connection Request Policies. The default policy, which says to process everything locally, is fine.

Hi zfrangi,

 

Can you please tell me how to get to the screen in the screenshot you have listed. I may need to start a new conversation, but we're having an issue. In short, we have Meraki set up to use a RADIUS server; however, when a laptop connects, the user is not prompted to enter a username and password, which we want to happen, but when they connect with their mobile it does prompt. The screen you have posted I can't find anywhere to enable user authentication, which may be our issue. Any help appreciated; if I do need to start a new conversation please let me know.

 

Thank You.
