Wireless network connectivity

  • Question

  • Hi,

    I have set up an NPS server on Windows Server 2008 R2. It has been integrated with our enterprise Aruba wireless network. I have set up 802.1X authentication for wireless clients. When a user tries to connect to the wireless network, he must be authenticated with his username/password against AD. This is all working fine. However, on all Windows platforms, that is Windows 7, 8.1 and XP, when a user tries to connect he is unable to authenticate unless he makes the following changes to the wireless network under Network and Sharing Center.

    (1) The user must create the wireless profile manually and then edit the profile.

    (2) The user must remove the check for checking the certificate.

    (3) The user must also go into the advanced settings of PEAP and remove the check to use the machine's default username and password.

    (4) Then, under advanced settings, the user must enable user authentication and provide his AD username and password.

    (5) He can then save the profile; the network will try to connect and then gets connected.

    My question is why there is a need to make the above settings. As we are in the process of implementing BYOD, it is not feasible that every user must do this manually. The case should be that a user can search for available wireless networks and then connect to the available 802.1X network by providing his credentials. But this is not happening.

    I have also acquired a third-party certificate to set under the network policy on the NPS server, but the issue still persists.

    Any help will be appreciated.

    Monday, June 30, 2014 8:54 PM

Answers

  • Hi,

    It is by design, because the Windows default setting doesn’t match your environment.

    You have two options:

    1. Add all of the devices to your domain. Use AD credentials to log in.
    2. Edit the wireless profile manually.

    You have two choices to deploy a certificate on your NPS server:

    1. Deploy your own certification authority
    2. Import a third-party certificate

    To deploy a CA and an NPS server certificate, you may refer to the link below:

    Deploying Certificates for PEAP and EAP

    http://technet.microsoft.com/en-us/library/cc754367(v=ws.10).aspx

    For detailed information, please view the article below:

    Checklist: Implementing 802.1X Authenticated Wireless Access

    http://technet.microsoft.com/en-us/library/dd283023(v=WS.10).aspx

    Hope this helps.



    Steven Lee

    TechNet Community Support

    Tuesday, July 1, 2014 9:58 AM
  • My take on this is that Windows NPS / PEAP / 802.1X settings have been developed with a domain environment in mind. The configuration options haven't changed much since a time when BYOD was not yet a hot topic. NAP was a solution that tried to tackle BYOD in a sense, but I learned on these forums recently that NAP has been deprecated (as it had been hard to provide NAP clients for all the different devices).

    On the contrary, I often have discussions about PEAP and NPS making it too easy to allow non-corporate machines to access the domain network: users only have to type in their credentials if clients are configured for user authentication, the user controls his machine's settings, and NPS in general does not do strict two-factor authentication in terms of machine + user authentication for one "session".

    So it seems that Windows / NPS / 802.1X "sort of" fulfils both requirements: logon for domain-joined machines (probably using the TPM chip for machine certificates to make it more secure) and "sort of" BYOD exactly in the way you describe it: providing the user with a checklist.

    Elke

    Tuesday, July 1, 2014 2:10 PM

All replies

  • Actually, what made me worried about this scenario is that I am also studying at a university, and they have also recently set up 802.1X access for students on the wireless network. My laptop is on my workplace domain and I tried connecting to the available SSID at my university. I had to change nothing and it got connected after asking for my user name and password. This made me think about the wireless network at my workplace, because I am responsible for all the wireless setup and support and foresee that with the BYOD policy in place it will be a hassle for staff and students (I am working at a college) to make the necessary manual changes before they can connect to the wireless network. I wonder what is different between the wireless network at my workplace and at the university where I am studying, given the information provided by you.

    From your post I understand that NPS and PEAP with 802.1X are designed to be implemented with domain services in mind and not for devices which are not on the domain. Obviously I can't put all sorts of devices on our domain network. 802.1X and PEAP with the NPS server are working very well; it is just that Windows systems will create issues when next term students bring their own laptops.

    So after this discussion I understand that users have to make manual changes to connect to the wireless network with NPS / PEAP and 802.1X authentication?

    I thank you both for taking time and for responding to my query.

    Tuesday, July 1, 2014 8:36 PM