NPS woes with EAP-TLS & PEAP-MS-CHAPv2
Hi All,
Having some more woes with NPS and wondering if any of you have had this situation. We have a heap of old devices that are authenticating using PEAP-MSCHAPv2 and we are in the process of migrating them across to EAP-TLS. We need to keep both methods online for some time as some of the clients will not support EAP-TLS.
The problem I'm finding is differentiating these methods in our NPS policies. We have an existing NPS policy for PEAP-MSCHAPv2 and I have created a new policy above it for EAP-TLS. This hums away nicely if on the EAP-TLS policy I have a condition for specific domain computers using Windows groups (something we don't want to do).
If I remove the group restriction, all clients use the EAP-TLS policy. I have tried putting the old PEAP policy above the EAP-TLS policy with conditions on authentication method, and it simply overlooks these and moves to the next policy.
Any ideas what I could be missing?
> I have created a new policy above it for EAP-TLS.
Don't do this. Use PEAP-MSCHAPv2 and EAP-TLS in the same policy. Complete your migration. Then remove PEAP-MSCHAPv2.
Can you send through some screenshots of the conditions in your policies?
I'll admit, from my experience with NPS I've had some similar issues getting policies to differ on auth type.
Unfortunately, I have reverted the policies. I have been doing some reading and some people have mentioned the filtering only works well on the connection policy.
With WLC it is much easier as you can configure the NAS-ID in the SSIDs, which is not possible with Meraki. I can't think of any other attribute that you can use in the policy condition.
Please, if this post was useful, leave your kudos and mark it as solved.
Maybe you can use the Called-Station-ID
https://wifinigel.blogspot.com/2014/03/the-microsoft-network-policy-server-nps.html?m=1
Please, if this post was useful, leave your kudos and mark it as solved.
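The accepted answer (one policy that allows both EAP types) and the Called-Station-ID suggestion above both come down to how NPS picks a network policy: it walks policies in processing order, selects the first one whose conditions all match, and then applies that policy's constraints, including the allowed EAP types; the Authentication Type condition only sees "EAP" and cannot tell PEAP from EAP-TLS. The following is an added example, not code from the thread or from Microsoft: a small Python model of that selection logic, with constructed policies and requests, that lets you check a policy set offline before changing production. Policy names, SSIDs, MACs and usernames are made up.

```python
"""Toy model of NPS network-policy selection (constructed illustration, not NPS code).

NPS uses the first policy in processing order whose conditions all match.
Authentication methods are constraints of the selected policy, not a selector,
so a request that lands on the wrong policy is rejected rather than falling
through to the next one. This model reproduces that rule.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# EAP method type numbers from the IANA EAP registry: 13 = EAP-TLS, 25 = PEAP.
EAP_TLS = 13
PEAP = 25


@dataclass
class Request:
    user: str
    eap_type: int                 # outer EAP method offered by the supplicant
    called_station_id: str        # "AP-MAC:SSID" as most wireless NAS send it
    groups: FrozenSet[str] = frozenset()


@dataclass
class Policy:
    name: str
    allowed_eap: FrozenSet[int]                   # constraint: accepted EAP types
    called_station_re: Optional[str] = None       # condition: regex on Called-Station-Id
    required_group: Optional[str] = None          # condition: Windows group membership

    def matches(self, req: Request) -> bool:
        """Conditions only: every configured condition must hold."""
        if self.called_station_re and not re.search(self.called_station_re, req.called_station_id):
            return False
        if self.required_group and self.required_group not in req.groups:
            return False
        return True


def evaluate(policies, req: Request):
    """Return (selected policy name, 'accept' | 'reject') following NPS first-match rules."""
    for pol in policies:  # processing order matters
        if pol.matches(req):
            verdict = "accept" if req.eap_type in pol.allowed_eap else "reject"
            return pol.name, verdict
    return None, "reject"  # no policy matched: NPS denies the request


# Scenario 1: the original post's layout, EAP-TLS policy on top with no conditions.
SPLIT_BY_ORDER = [
    Policy("EAP-TLS", frozenset({EAP_TLS})),
    Policy("PEAP-MSCHAPv2", frozenset({PEAP})),
]

# Scenario 2: the accepted answer, both methods allowed in one policy.
COMBINED = [Policy("Wireless 802.1X", frozenset({EAP_TLS, PEAP}))]

# Scenario 3: the Called-Station-ID suggestion, one policy per SSID.
SPLIT_BY_SSID = [
    Policy("EAP-TLS on Corp-Certs", frozenset({EAP_TLS}), called_station_re=r":Corp-Certs$"),
    Policy("PEAP on Corp-Legacy", frozenset({PEAP}), called_station_re=r":Corp-Legacy$"),
]

# Constructed sample requests (MAC, SSID and names are placeholders).
tls_client = Request("laptop01$", EAP_TLS, "AA-BB-CC-DD-EE-FF:Corp-Certs")
legacy_client = Request("scanner07", PEAP, "AA-BB-CC-DD-EE-FF:Corp-Legacy")
legacy_on_certs = Request("scanner07", PEAP, "AA-BB-CC-DD-EE-FF:Corp-Certs")


if __name__ == "__main__":
    for label, policies in (("by order", SPLIT_BY_ORDER), ("combined", COMBINED), ("by SSID", SPLIT_BY_SSID)):
        for req in (tls_client, legacy_client, legacy_on_certs):
            print(label, req.user, req.called_station_id, "->", evaluate(policies, req))
```

Running it shows the PEAP client landing on the top EAP-TLS policy and being rejected in scenario 1, both clients accepted by the single combined policy in scenario 2, and, in scenario 3, the legacy device accepted only on the legacy SSID; in a real deployment the Called-Station-ID regex must match the exact format your access points send, so capture a few RADIUS requests from NPS accounting or event logs before relying on it.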
Amazing, I didn't think of that approach. Will give it a go outside our prod hours and report back.
Thanks Philip!
Worked like a charm!! Thanks so much.
