Windows 7 NPS Global Certificate installation help

  • Question

  • Hi,

    I have set up NPS Radius terminology in my test environment with a self-signed certificate using an ADCS MS Certificate Authority. I tested with Windows 10\7 domain-joined and non-domain-joined PCs; both are working fine with no issues.
    For a Windows 10 domain-joined PC, when I click on the WiFi SSID it prompts for authentication and warns about certificate auto-installation trust (since it is a self-signed certificate) and gets connected. But for Windows 7 PCs, both domain-joined and non-domain-joined, I have to import the NPS certificate and the Root CA certificate (for workgroup PCs), install the certificate, manually add the WiFi SSID and inter-link the SSL; by this it gets connected.

    Is there any option like Windows 10 for Windows 7 PCs so that, instead of adding the certificate and creating the WiFi SSID manually for both Win-7 domain and workgroup PCs, it prompts for the certificate and connects automatically?

    I read in an article that a workgroup PC connecting using a custom-signed certificate needs the Domain Root CA installed along with the NPS certificate, since it is local. When I go for a global certificate, e.g. a GoDaddy certificate, do I still need to install the Domain Controller Root CA?

    Though I have my global wildcard certificate like *.contoso.com, I have set up my DC with the subdomain name DC.contoso.com. Since I didn't create a global subdomain certificate for DC.contoso.com, in this case even if I create an NPS global certificate, do I still need to install the local Root CA of DC.contoso.com (since it is an internal DC, not publicly exposed)?

    Any help please!


    Mohammed...

    Thursday, April 25, 2019 7:59 AM

All replies

  • Hi,

    It is a new feature of Win10 to prompt for authentication and warn on certificate auto-installation, so you need to update Win7 to Win10 to get the new feature.

    If you use global certification, I think it is not necessary to install DC root CA.

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, April 26, 2019 5:43 AM
    Moderator
  • Hi Travis,

    Thanks for the info. Currently I have to demonstrate the project with all Windows 7, 8.1, 10, Mac, iOS and Android platforms, since a few of our guest users and customers are still using Windows 7. I have no issues with domain users, since I will push out the certificate and configure the WiFi SSID to my domain PCs through GPO. I am looking for a solution for guest and workgroup PCs: instead of manually installing and configuring the WiFi settings and SSL certificate on guest and Windows 7 PCs, is there any option to configure so that, once the WiFi prompts for authentication, it installs the certificate by itself in Windows 7, like Windows 10?

    Is there an option to configure NPS Radius to prompt for just the user name\password alone, without the certificate validation process, for guest and workgroup PCs?

     

    As there are 3 types of authentication methods: when I use PEAP I need to have an SSL SAN certificate; if I use EAP-MSCHAP v2, will there be only user name and password validation, like the normal WiFi process?

    I wonder how RADIUS is practiced at production level, since I am having difficulty with Windows workgroup\guest PCs.



    Mohammed...


    • Edited by Mohammed_Jaz Friday, April 26, 2019 4:20 PM Picture included
    Friday, April 26, 2019 4:19 PM
  • Hi,

    I would suggest you uncheck the option "Verify the server's identity by validating the certificate".

    However, the option is only valid for Windows.

    For other systems, you need to configure authentication methods without CA.

    Best regards,

    Travis



    Monday, April 29, 2019 8:59 AM
    Moderator
  • Hi Travis,

    I tried the above option but it throws the error "The user attempted to use an authentication method that is not enabled on the matching network policy".

    I also removed everything under RADIUS Attributes --> Standard.

    No luck.

    I am trying to configure my guest users and non-domain users to just validate their user name and password alone.



    Mohammed...

    Monday, April 29, 2019 9:21 AM
  • Hi,

    Yes, you can create a special NPS policy for guest users and non-domain users without using different authentication methods.

    Best regards,

    Travis



    Tuesday, April 30, 2019 8:39 AM
    Moderator
  • I tried setting the Authentication Method to MS-CHAP-v2; it prompts for authentication and ends with an error.


    Mohammed...

    Thursday, May 2, 2019 2:58 AM
  • Hi,

    How did you configure the policy?

    Did you add the authentication type (MS-CHAP v2) in the conditions?

    Best regards,

    Travis




    Thursday, May 2, 2019 6:47 AM
    Moderator
  • Below are the screenshots for your kind reference and help.


    Mohammed...

    Thursday, May 2, 2019 7:28 AM
  • Hi,

    What about the authentication method on clients?

    Is the policy a new one? Or did you just add a new condition to the old policy?

    I would suggest you delete the allowed EAP type condition in the policy.

    Best regards,

    Travis




    Thursday, May 2, 2019 7:50 AM
    Moderator
  • "What about the authentication method on clients?

    Does the policy a new one? Or you just add a new condition in the old policy?"

    I didn't understand what this means.

    For Windows 7 I used to create the Wireless Network Setting and add the policy type; I am currently testing first on a Windows 10 PC.

    I added that EAP Type just now; earlier it was not there.

    Please clarify: is there an option to configure NPS for just user name\password authentication alone, without certificate validation?

    If yes, can you please help with some link or article for configuration?


    Mohammed...

    Thursday, May 2, 2019 9:05 AM
  • Hi,

    Sorry, I made a mistake. 

    The NPS server needs a certificate to authenticate 802.1X.

    Please refer to the link below:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/d51b56b1-6d1d-4e4f-9888-9cb3a2ad27dc/nondomain-computer-certificate-authentication-in-nps?forum=winserverNAP 

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/0f1c0ece-034f-473c-9343-d3c6129b2102/nps-connecting-to-nps-radius-without-using-certificates?forum=winserverNIS 

    Best regards,

    Travis



    Thursday, May 2, 2019 9:31 AM
    Moderator
  • Thanks for the info. I was trying to configure NPS without a certificate for guest users.

    Your point above and the links affirm that it is impossible to configure it to my need.

    Anyway, please help me out with these points: if I purchase a public certificate for NPS.contoso.com, do I still have to import the certificate and manually configure the wireless network settings for Windows 7?

    Also please clarify: do I still have to import the Root CA of my NPS server, which is created using ADCS (self-signed), on all the non-domain PCs?


    Mohammed...

    Thursday, May 2, 2019 10:56 AM
  • Hi,

    Yes, you need to import the certificate to the NPS server and import the root CA of the public certificate authority on non-domain PCs.

    You also need to configure the wireless settings for Windows 7 manually because GPO can't be applied on non-domain PCs.

    Please refer to the link below:

    https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Wired_Authentication_on_a_Windows_7_Client

    Best regards,

    Travis



    Monday, May 6, 2019 8:46 AM
    Moderator
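
An added example, not part of the thread or of Microsoft's documentation: one way to script the manual steps from the reply above on a workgroup Windows 7 PC. It assumes a wireless profile exported from a reference PC as `corp-wifi.xml` and the issuing root certificate as `rootca.cer` (both hypothetical file names), and it refuses to deploy a profile whose PEAP settings do not validate the NPS server certificate.

```powershell
# Added example. Assumed inputs (hypothetical names, not from the thread):
#   corp-wifi.xml : profile exported on a reference PC with
#                   netsh wlan export profile name="<SSID>" folder=.
#   rootca.cer    : root CA certificate of the chain that issued the NPS certificate
# Run elevated. Written to work with PowerShell 2.0 as shipped with Windows 7.
param(
    [string]$ProfilePath = '.\corp-wifi.xml',
    [string]$RootCaPath  = '.\rootca.cer'
)
$ErrorActionPreference = 'Stop'

function Get-ProfileValue([System.Xml.XmlDocument]$Doc, [string]$Name) {
    # Profile elements live in several XML namespaces, so match on local name.
    $node = $Doc.SelectSingleNode("//*[local-name()='$Name']")
    if ($null -ne $node) { $node.InnerText.Trim() } else { $null }
}

$profileFull = (Resolve-Path $ProfilePath).Path
$rootFull    = (Resolve-Path $RootCaPath).Path

$doc = New-Object System.Xml.XmlDocument
$doc.Load($profileFull)

# PEAP settings that decide whether the client checks who it hands credentials to.
$problems = @()
if ((Get-ProfileValue $doc 'PerformServerValidation') -eq 'false') {
    $problems += 'server certificate validation is switched off'
}
if (-not (Get-ProfileValue $doc 'TrustedRootCA')) {
    $problems += 'no trusted root CA is selected'
}
if (-not (Get-ProfileValue $doc 'ServerNames')) {
    $problems += 'no RADIUS server name is pinned'
}
if ($problems.Count -gt 0) {
    throw ("Not deploying {0}: {1}" -f $profileFull, ($problems -join '; '))
}

# Trust the issuing root machine-wide, then add the profile for all users.
certutil.exe -addstore -f Root $rootFull
if ($LASTEXITCODE -ne 0) { throw 'certutil could not import the root certificate' }

netsh.exe wlan add profile "filename=$profileFull" user=all
if ($LASTEXITCODE -ne 0) { throw 'netsh could not add the wireless profile' }
```

The server-name check matters most when the NPS certificate comes from a public CA, because that CA also issues certificates to other parties.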
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Travis



    Wednesday, May 8, 2019 9:33 AM
    Moderator