NPS Certificate Authentication not Functioning

  • Question

  • Hello,

    I recently implemented an NPS deployment within an enterprise environment, with the ultimate goal of using certificates and an NPS server to authenticate an 802.11x wireless network. I added the NPS role to one of the domain controllers and created a GPO with the wifi and certificate configuration. Unfortunately, client computers with the GPO deployed cannot access the wireless network. I don't see rejections on the NPS server; it's almost like they are dropped. I tested domain username/password authentication by adding my user account to the AD group, and that bounced back as approved (I'm using Meraki APs). When a computer tries to connect to the wifi, it's almost like the attempt is dropped. I've run through TechNet articles for the last few weeks reviewing my configuration, but I can't find a reason why this would be happening. Could someone help provide some insight?

    Below is an outline of what I did.

    1. Added APs as RADIUS clients to the NPS server
    2. Connection request policy
         a. Processing order 1
         b. Conditions: NAS Port Type – Wireless – Other OR Wireless – IEEE 802.11
         c. Authentication Provider: Local Computer
    3. Network Policies
         a. Processing order 1, grant access
         b. Condition: Windows Groups (the group contains Domain Computers and Domain Users)
         c. EAP configured
         d. Ignore User Dial-In Properties: True
         e. Access Permissions: Grant Access
         f. EAP Method: Microsoft: Protected EAP
         g. Authentication Method: EAP or MS-CHAP
         h. NAP Enforcement: Allow full network access
         i. Update noncompliant clients: False
         j. Framed Protocol: PPP
         k. Service type: Framed

    I also added a GPO with an 802.11x wifi configuration, and a trusted root certification authority GPO for a certificate issued by the domain CA to the NPS server.


    Thanks!


    Tuesday, October 11, 2016 2:06 PM

Answers

  • Hi Csapt,

    >> I added my user account to the AD group

    Is the user in the Domain Users group?

    >>Condition: windows groups (the group contains Domain Computers and Domain Users)

    If the user is not in the Domain Users group, the NPS server will deny requests from a client that used a user account.

    You could change Windows Groups to User Groups.

    Best Regards

    John


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by John Lii Monday, October 31, 2016 6:03 AM
    • Marked as answer by Leo Han Wednesday, November 2, 2016 5:15 AM
    Thursday, October 13, 2016 7:00 AM

All replies

  • Hi Csapt,

    >>I tested domain username/password authentication by added my user account to the AD group, and that bounced back as approved

    Did you mean that the client could connect to the wireless network when you added the account to the AD group?

    You could change the authentication method to EAP in the connection request policy and try again.

    >>I don't see rejections on the NPS server, it's almost like they are dropped

    Please open Event Viewer; you could check the NPS server log to troubleshoot the issue.

    Best Regards

    John




    • Edited by John Lii Wednesday, October 12, 2016 5:05 AM
    Wednesday, October 12, 2016 5:04 AM
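Where the reply above suggests checking the NPS log in Event Viewer, this PowerShell triage is an added example (not code posted in the thread). It assumes it runs with administrator rights on the NPS server, reads the Windows Security log, and its reason-code table is a partial list of codes relevant to policy and group mismatches.

```powershell
# Added example: triage NPS authentication events on the NPS server itself.
# 6272 = access granted, 6273 = access denied, 6274 = request discarded (the "dropped" case).
# These events are only written when the "Network Policy Server" audit subcategory is enabled.
auditpol /get /subcategory:"Network Policy Server"
# To enable success and failure auditing, run:
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

# Partial list of 6273 reason codes that usually mean a policy or group problem rather than a bad certificate.
$reasons = @{
    16 = 'Credentials mismatch (bad password or unknown account)'
    48 = 'Request did not match any network policy'
    49 = 'Request did not match any connection request policy'
    65 = 'Account has no dial-in permission'
    66 = 'Authentication method not enabled in the matched network policy'
}

# Flatten one NPS event into the fields an administrator actually looks at.
# Field names are the <Data Name="..."> attributes in the event XML; check them against your own events.
function Get-NpsEventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $f = @{}
    foreach ($d in $xml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    $code = 0
    if ($f['ReasonCode']) { $code = [int]$f['ReasonCode'] }
    $reasonText = $f['Reason']
    if ($reasons.ContainsKey($code)) { $reasonText = $reasons[$code] }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        Id         = $Event.Id
        User       = $f['SubjectUserName']      # host/ for computer auth, domain\user for user auth
        Client     = $f['ClientName']           # the RADIUS client (access point) that forwarded it
        AuthType   = $f['AuthenticationType']
        EapType    = $f['EAPType']
        CrpPolicy  = $f['ProxyPolicyName']      # connection request policy that matched
        NetPolicy  = $f['NetworkPolicyName']    # network policy that matched (empty when none did)
        ReasonCode = $code
        Reason     = $reasonText
    }
}

# Last 24 hours of granted, denied and discarded requests, oldest first.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-NpsEventFields $_ } |
    Sort-Object Time |
    Format-Table Time, Id, User, Client, EapType, CrpPolicy, NetPolicy, ReasonCode, Reason -AutoSize
```

If no 6272/6273/6274 events appear for a computer-certificate attempt, either auditing is off or the request never reached NPS, so the next place to look is the RADIUS client (AP) logs and the shared secret.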
  • John,

    Yes, I added my user account to the AD group, and used that to successfully test authentication from the WAPs.

    I reviewed logs in Event Viewer, but don't see any related to an authentication request or rejection when authenticating via certificates.

    Wednesday, October 12, 2016 7:14 PM
  • Hi Csapt,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    John



    Friday, October 21, 2016 3:12 AM