Hi All,
I would like to seek advice on whether an NPS server on Windows Server 2016 can restrict authentication ONLY to clients with a computer certificate issued by a specific CA, as well as verify that the wired computer's hostname matches the FQDN in the client's computer certificate. The target is that NPS grants access to domain computers with a certificate issued by the internal CA (denying certificates from other CAs, even if those CAs are in the Trusted Root CA store), and also denies domain computers that use a certificate issued by the internal CA but whose FQDN does NOT match the computer's name.
The following is my test setup and results:
Server: Windows server 2016 STD with NPS role
Switch: Cisco 3750G [Configured with dot1x, ports enabled dot1x for VLAN control]
Client: Windows 7 and Windows 10 laptop
Authentication mode: Computer authentication
Authentication method: PEAP, smartcard or other certificate
Both the NPS server and the client laptops have the same Trusted Root CAs, including the internal CAs as well as some third-party CAs, and have enrolled the required server certificates and computer certificates.
Added an NPS network policy to grant access under the conditions: Windows group = <my domain>\Domain Computers, NAS port type = Ethernet
Test results: NPS works for granting access to our domain laptops with computer certificates, but we also found that access is granted to domain computer A after it imported domain computer B's computer certificate. The NPS log shows that computer A can use computer B's computer account for the request. And I found there is no condition or constraint in the NPS policy for controlling the client certificate's CA.
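An added audit script (not part of the original post) that checks, on a client, for the two conditions the question asks about: whether each client-authentication certificate in the machine store chains to the expected internal root CA, and whether its subject CN or DNS SANs match the computer's own FQDN. It would flag the case described above, where computer A holds a certificate issued for computer B. The root thumbprint is a placeholder to replace with your internal CA's value.

```powershell
# Placeholder: thumbprint of the internal root CA that machine certs must chain to.
$ExpectedRootThumbprint = 'REPLACE_WITH_INTERNAL_ROOT_CA_THUMBPRINT'
$ClientAuthOid          = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Local FQDN as the switch/NPS would expect it (host + primary DNS suffix).
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$LocalFqdn = "$($ipProps.HostName).$($ipProps.DomainName)".ToLower()

function Test-MachineCertBinding {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Build the chain and read the root (last element) of the built chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootMatches = $chainOk -and ($root.Thumbprint -eq $ExpectedRootThumbprint)

    # Names the certificate claims: subject CN plus any DNS SAN entries.
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].ToLower() }
    $names += ($Cert.DnsNameList | ForEach-Object { $_.Unicode.ToLower() })
    $nameMatches = $names -contains $LocalFqdn

    [pscustomobject]@{
        Thumbprint     = $Cert.Thumbprint
        Subject        = $Cert.Subject
        ChainValid     = $chainOk
        RootIsInternal = $rootMatches
        NamesInCert    = ($names -join ';')
        NameMatchesHost = $nameMatches
        # A cert that passes both checks is the only one that should be used for dot1x.
        Acceptable     = ($rootMatches -and $nameMatches)
    }
}

# Only certificates with the Client Authentication EKU are candidates for 802.1X.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) } |
    ForEach-Object { Test-MachineCertBinding -Cert $_ } |
    Format-Table -AutoSize
```

Running this on computer A after the import shows the imported certificate with NameMatchesHost = False, which is the mismatch that the NPS group condition alone does not catch.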