NPS - policy for "only" password (as your home router often is)

  • Question

  • Hi

    We run an NPS together with HP Wifi and authenticate our users with certificate & AD group computer membership.

    Now I need to add a 2nd option to allow a few outside users access to our internal network. 

    Right now they're using LAN cable but it's not really a viable solution..

    I can't seem to find the right way to set this up..

    Can someone guide me :-)


    Kindest regards, Martin

    Thursday, February 9, 2017 5:37 AM

All replies

  • Hi,

    Create new accounts and a group for outside users, then create a new network policy with conditions about user group, NAS port type, authentication type.


    Best Regards
    Cartman
    Please remember to mark the replies as an answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, February 10, 2017 2:36 AM
  • Hi Cartman

    Thx... so they would have an AD account just for wifi? 


    Kindest regards, Martin

    Tuesday, February 14, 2017 7:06 AM
  • Hi,

    Use AD account is easier to perform permission control and local account.


    Best Regards
    Cartman

    Wednesday, February 15, 2017 2:36 AM
  • Hi Cart

    Thanks.. I tried creating the policy and testing on my phone worked.

    However testing on a laptop from external user I just get: cannot connect. It doesn't ask for username/password or anything..

    Here's the setup I did:




    Kindest regards, Martin

    Wednesday, February 15, 2017 2:19 PM
  • Any thoughts on what I am missing?


    Kindest regards, Martin

    Wednesday, February 15, 2017 2:20 PM
  • So the 1st policy is the company policy which authenticates the computer against a domain group and looks for a certificate.

    I haven't tested with the External policy as priority 1 since I wasn't sure if it would affect the company users/computers.


    Kindest regards, Martin

    Wednesday, February 15, 2017 2:21 PM
  • Hi,

    You should set the new policy as priority 1 and test again. It has a condition user group, everyone not in this group will go to policy 2.


    Best Regards
    Cartman

    Friday, February 17, 2017 8:09 AM
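
An added example, not part of the thread and not NPS's own code: a simplified Python model of the ordering rule in the reply above. A request that fails a policy's conditions moves on to the next policy, while one that matches the conditions but fails a constraint is rejected without trying further policies. The policy names, group names, request fields and the choice to model the authentication method as a constraint are assumptions made for the illustration.

```python
# Added illustration: simplified model of NPS network policy processing order.
# Policy names, group names and request fields are constructed for this example.
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    conditions: dict      # all must match, otherwise the next policy is tried
    constraints: dict     # all must match, otherwise the request is rejected
    grant: bool = True

def _matches(rules, request):
    for key, allowed in rules.items():
        value = request.get(key)
        if key == "groups":
            if not set(allowed) & set(value or ()):
                return False
        elif value not in allowed:
            return False
    return True

def evaluate(policies, request):
    """Return (decision, policy_name) using first-match ordering."""
    for policy in policies:
        if not _matches(policy.conditions, request):
            continue                        # unmatched condition: next policy
        if not _matches(policy.constraints, request):
            return ("reject", policy.name)  # unmatched constraint: no fall-through
        return ("accept" if policy.grant else "reject", policy.name)
    return ("reject", None)                 # no policy matched at all

EXTERNAL = Policy("External WiFi",
    conditions={"groups": ["WiFi-External"], "nas_port_type": ["Wireless-802.11"]},
    constraints={"auth": ["PEAP-MSCHAPv2"]})
COMPANY = Policy("Company WiFi",
    conditions={"groups": ["Company-Computers"], "nas_port_type": ["Wireless-802.11"]},
    constraints={"auth": ["EAP-TLS"]})

# Constructed sample requests
guest = {"groups": ["WiFi-External"], "nas_port_type": "Wireless-802.11", "auth": "PEAP-MSCHAPv2"}
laptop = {"groups": ["Company-Computers"], "nas_port_type": "Wireless-802.11", "auth": "EAP-TLS"}
guest_wrong_eap = dict(guest, auth="EAP-TLS")

if __name__ == "__main__":
    order = [EXTERNAL, COMPANY]             # external policy at priority 1
    for label, req in [("guest", guest), ("laptop", laptop), ("guest_wrong_eap", guest_wrong_eap)]:
        print(label, evaluate(order, req))
```

With the external policy first, the company laptop still reaches its own policy because it fails the external policy's group condition.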
  • Thx Cartman

    That got me further and I am now prompted for password

    But entering username/password for one of the users in the group doesn't work. I just get a "cannot connect to blablabla" from Windows..

    I tried all constellations of domain\username, username, domain.local\username etc etc

    I must be missing something :-|


    Kindest regards, Martin

    Friday, February 17, 2017 2:12 PM
  • hum... do I need to install the root certificate on the external users computers?

    I checked the eventlog for one of the computers and there was a schannel error. Certificate presented not trusted etc...


    Kindest regards, Martin


    • Edited by Martin Rask Monday, February 20, 2017 7:27 AM extra info
    Monday, February 20, 2017 7:26 AM
  • Hi,

    I was thinking you don't want to use certificate any more.

    So if you could, please check this similar thread, it gives 2 ways to deploy:

    non-domain computer certificate authentication in NPS

    https://social.technet.microsoft.com/Forums/office/en-US/d51b56b1-6d1d-4e4f-9888-9cb3a2ad27dc/nondomain-computer-certificate-authentication-in-nps?forum=winserverNAP


    Best Regards
    Cartman

    Thursday, February 23, 2017 3:46 AM