Network Policy Server Problem - "Domain Computers" Fail To Authenticate

  • Question

  • I recently implemented a new wireless system with APs that use WPA2 Enterprise Authentication via our local RADIUS server and local Certificate Authority. Currently everything works well from the users' end. They log in to their computer, select the correct SSID, and authenticate automatically. My problem is I need to limit this authentication to only devices on the domain. With the current configuration, anyone with network credentials can authenticate with any device. This is a major problem.

    To me the obvious answer was to add the Windows group "Domain Computers" to the Network Policy. The moment I do this, users fail to authenticate with the below error

    My current connection request policy 

    Current Network Policy

    If I remove the OR statement and make this only Windows Group - Domain Computers, users will fail to authenticate.

    Does anyone have an idea how I can fix this?

    Thursday, June 2, 2016 4:10 PM

All replies

  • Hi WIU81,

    >> I recently implemented a new wireless system with APs that use WPA2 Enterprise Authentication via our local RADIUS server and local Certificate Authority.

    When you add the computer group Domain Computers, have you issued a certificate to the computer for authentication? If that is the case, there are two ways to do this:

    First method:

    1. Using a domain joined machine, request a certificate from a template that allows the private key to be exported.
    2. Export the cert with the private key.
    3. Import on all workstations that require it.

    Second method:

    1. Create an account in AD.
    2. Issue a certificate from a template that allows the private key to be exported.
    3. Using name mappings attach the certificate to the account.
    4. Create an SPN that matches the SAN on the certificate..i.e. if the SAN is computer.domain.com, you need to create a SPN on the account host/computer.domain.com.
    5. Install certificate on target workstation.

    The first method is relatively easy, but it uses a single certificate on multiple devices and the certificate doesn't correspond to the name of the computer. The second method is more secure, but more difficult to implement for multiple computers.

    I hope this would be helpful.

    ________________________________________
    Best Regards,
    Cartman
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, June 3, 2016 7:36 AM
  • >> When you add the computer group Domain Computers, have you issued a certificate to the computer for authentication? If that is the case, there are two ways to do this:
    >>
    >> First method:
    >>
    >> 1. Using a domain joined machine, request a certificate from a template that allows the private key to be exported.
    >> 2. Export the cert with the private key.
    >> 3. Import on all workstations that require it.

    I am not sure I completely understand what you mean by this. Are you saying the way I have it configured now, the certificate is being issued to the user and not the device? Thus when I try to add the Domain Computers group the device fails to authenticate?

    I would like to give the first method a shot, but I am not sure I completely understand what needs to be done.

    Thank you for your response.

    Friday, June 3, 2016 2:23 PM
  • I wanted to verify the local computers were getting the certificate. I loaded the Certificates snap-in using an admin account on one of the laptops and verified that the laptop is receiving the certificate.

    Also from a cellphone, when I try to authenticate to the SSID I receive a notification and information on the certificate.

    Friday, June 3, 2016 2:52 PM
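    The snap-in check above can be scripted so it also confirms the properties NPS actually needs for computer authentication (private key present, in date, Client Authentication EKU, and a DNS SAN matching the machine's own FQDN, which is the point of the second method in the first reply). This is an added example, not code from the thread or from Microsoft; it assumes a domain-joined Windows client, PowerShell 3.0 or later, and an elevated prompt to read the LocalMachine store.

```powershell
# Added example (not from the thread): report which LocalMachine certificates are
# usable for NPS computer authentication. Assumes a domain-joined client and an
# elevated session. Constructed OID/extension values are the standard X.509 ones.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$fqdn = ("{0}.{1}" -f $cs.Name, $cs.Domain).ToLower()

function Test-ComputerAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $now = Get-Date
    $result = [ordered]@{
        Subject        = $Cert.Subject
        Thumbprint     = $Cert.Thumbprint
        HasPrivateKey  = $Cert.HasPrivateKey
        NotExpired     = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
        ClientAuthEku  = $false
        SanMatchesHost = $false
    }

    # 2.5.29.37 = Extended Key Usage; .NET exposes it as X509EnhancedKeyUsageExtension
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        $result['ClientAuthEku'] = [bool]($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $clientAuthOid })
    }

    # 2.5.29.17 = Subject Alternative Name; Format($true) renders "DNS Name=host.domain"
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $sanText = $san.Format($true).ToLower()
        $result['SanMatchesHost'] = $sanText -match [regex]::Escape("dns name=$fqdn")
    }

    $result['Usable'] = $result['HasPrivateKey'] -and $result['NotExpired'] -and
                        $result['ClientAuthEku'] -and $result['SanMatchesHost']
    [pscustomobject]$result
}

$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My)
if ($certs.Count -eq 0) {
    Write-Warning 'No certificates in LocalMachine\My; autoenrollment may not have run (try gpupdate /force).'
}
$certs | ForEach-Object { Test-ComputerAuthCert -Cert $_ } |
    Format-Table Subject, HasPrivateKey, NotExpired, ClientAuthEku, SanMatchesHost, Usable -AutoSize
```

    With the first method (one exported certificate copied to every workstation), SanMatchesHost will be false on every machine except the one the certificate was requested from, which is exactly the "doesn't correspond to the name of the computer" drawback the first reply describes.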
  • Hi WIU81,

    If you have already issued the cert to the device and it still fails, please check this similar thread; it will give you some hints:

    NPS auth Fail

    https://social.technet.microsoft.com/Forums/en-US/991c3345-babb-45b5-b51d-c40f4008e5e1/nps-auth-fail?forum=winserverNAP

    ________________________________________
    Best Regards,
    Cartman

    Monday, June 6, 2016 7:05 AM