Hi All,
Having some more woes with NPS and wondering if any of you have had this situation. We have a heap of old devices that are authenticating using PEAP-MSCHAPv2 and we are in the process of migrating them across to EAP-TLS. We need to keep both methods online for some time as some of the clients will not support EAP-TLS.
The problem I'm finding is differentiating these methods in our NPS policies. We have an existing NPS policy for PEAP-MSCHAPv2 and I have created a new policy above it for EAP-TLS. This hums away nicely if on the EAP-TLS policy I have a condition for specific domain computers using Windows groups (something we don't want to do).
If I remove the group restriction, all clients use the EAP-TLS policy. I have tried putting the old PEAP policy above the EAP-TLS policy with conditions on authentication method and it simply overlooks these and moves to the next policy.
Any ideas what I could be missing?
Can you send through some screenshots of the conditions in your policies?
I'll admit, from my experience with NPS I've had some similar issues getting policies to differ on auth type.
Unfortunately, I have reverted the policies. I have been doing some reading and some people have mentioned the filtering only works well on the connection policy.
With WLC it is much easier as you can configure the NAS-ID in the SSIDs, which is not possible with Meraki. I can't think of any other attribute that you can use in the policy condition.
Maybe you can use the Called-Station-ID
https://wifinigel.blogspot.com/2014/03/the-microsoft-network-policy-server-nps.html?m=1
> I have created a new policy above it for EAP-TLS.
Don't do this. Use PEAP-MSCHAPv2 and EAP-TLS in the same policy. Complete your migration. Then remove PEAP-MSCHAPv2.
Amazing, I didn't think of that approach. Will give it a go outside our prod hours and report back.
Thanks Philip!
Worked like a charm!! Thanks so much.