NPS Configuration

  • Question

  • I have been trying to figure out a resolution to this problem and keep going around in circles.

    I currently have an NPS server working with AD. This works great. I used GPO to distribute the CA and once configured the clients connect using their Windows login.

    The issue I am having is that we have a number of clients that use our networks. They are set up on their own VLANs. Since they are not logging in to our DC I need a way to configure the NPS to use username/password or something similar for these users and assign them the correct VLAN to connect to. It seems since I have already configured the NPS to use AD it won't let me use anything else.

    Thursday, August 7, 2014 8:41 PM

Answers

  • Non-AD users are typically authenticated by NPS via "shadow accounts" in AD.

    So you would create user accounts for them - for the sole purpose of having them log in via RADIUS. If you don't use PEAP-MS-CHAPv2 already for your other AD accounts you would need to create a new Network Policy that uses a group containing just those shadow accounts.

    With PEAP-MS-CHAPv2 clients are authenticated by user name and password, and the authentication channel is encrypted by the server's certificate (clients don't need a certificate but they need to trust the NPS server's certificate).

    Elke

    • Marked as answer by Steven_Lee0510 Wednesday, September 10, 2014 7:14 AM
    Saturday, August 9, 2014 9:09 PM
  • It's actually just a normal AD user. "Shadow" refers to the fact that it will never do a full logon with a domain-joined machine - similar to a user that would be created, say, for just logging on to a website.

    So you would just create a user like Guest_01 and tell your client the user name and password.

    If you use PEAP already anyway you could even use the same Network Policy if your constraint is Domain Users.

    Elke

    • Marked as answer by Gordon Cook Monday, August 11, 2014 1:43 PM
    Monday, August 11, 2014 1:41 PM
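The shadow-account approach Elke describes, as an added PowerShell example (not from the thread or from Microsoft): a dedicated OU and group for the RADIUS-only users, accounts confined so they cannot be used for an interactive domain logon, and a check that flags accounts drifting out of that scope. The OU, group and NPS server names, and the domain DN, are placeholders; the VLAN attribute names in the comment are the standard RFC 3580 ones the Network Policy would return.

```powershell
# Added example, not the thread's own procedure. Requires the ActiveDirectory
# module (RSAT) and rights to create objects in the target OU.
Import-Module ActiveDirectory

$Domain    = 'DC=corp,DC=example'          # placeholder domain DN
$OuName    = 'RADIUS Shadow Accounts'      # hypothetical OU name
$GroupName = 'NPS-Guest-VLAN-Users'        # group used as the Network Policy condition
$OuPath    = "OU=$OuName,$Domain"
# Assumption: "Log On To" is evaluated when NPS performs the MS-CHAPv2 domain
# logon, so the NPS servers themselves must be listed or RADIUS fails as well.
# Verify with a test account before rolling out. Placeholder host names:
$NpsServers = 'NPS01,NPS02'

if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'")) {
    New-ADOrganizationalUnit -Name $OuName -Path $Domain -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    # The Network Policy for this group returns Tunnel-Type=VLAN,
    # Tunnel-Medium-Type=802 and Tunnel-Private-Group-ID=<vlan id> to place
    # these users on their own VLAN, as the question asks.
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuPath `
        -Description 'Shadow accounts: PEAP-MS-CHAPv2 via NPS only, no interactive logon'
}

function New-ShadowAccount {
    param([string]$SamAccountName, [securestring]$Password)
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName -Path $OuPath `
        -AccountPassword $Password -Enabled $true -CannotChangePassword $true `
        -Description 'RADIUS-only shadow account'
    # Restrict interactive logon to the NPS hosts so the account is useless at a
    # domain-joined workstation while NPS can still validate it.
    Set-ADUser -Identity $SamAccountName -LogonWorkstations $NpsServers
    Add-ADGroupMember -Identity $GroupName -Members $SamAccountName
}

# Guest_01 is the account name used in the thread.
New-ShadowAccount -SamAccountName 'Guest_01' -Password (Read-Host -AsSecureString 'Password for Guest_01')

# Drift check: every member must live in the shadow OU, keep the logon
# restriction and belong to no other group (MemberOf omits the primary group).
function Test-ShadowGroup {
    Get-ADGroupMember -Identity $GroupName | ForEach-Object {
        $u = Get-ADUser $_ -Properties LogonWorkstations, MemberOf
        [pscustomobject]@{
            User            = $u.SamAccountName
            InShadowOU      = $u.DistinguishedName -like "*,$OuPath"
            LogonRestricted = -not [string]::IsNullOrEmpty($u.LogonWorkstations)
            OnlyShadowGroup = @($u.MemberOf | Where-Object { $_ -notlike "CN=$GroupName,*" }).Count -eq 0
        }
    }
}
Test-ShadowGroup | Format-Table -AutoSize
```

Any row with a $false column is a shadow account that has gained permissions beyond the RADIUS-only purpose, which is the risk the original poster raises.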

All replies

  • Thanks for the help.

    We are currently using PEAP-MSCHAPv2 for our internal users and it works great.

    I guess what I need to know is what is a "shadow account". I have been going through a few different articles on Google and there seem to be a few different definitions or implementations.

    Gordon.

    Monday, August 11, 2014 1:30 PM
  • Great, thanks for the update.

    We will consider this. We are just concerned about security. I guess as long as we are careful about the permissions it should not be a problem.

    Thanks again.

    Monday, August 11, 2014 1:43 PM