EAP-TLS with NPS and a specific OID

Hello everyone -


I've got a 7240 cluster setup and am testing against NPS for a new MDM (Airwatch) deployment and some upcoming SSID consolidation.


I am currently able to authenticate machines based on their submitting an Active Directory computer certificate. After a couple Microsoft bumps this was relatively easy.


Now we're at the point where we want to use a particular generic certificate (yes, it's a bad idea, no, it is unlikely to change) to authenticate a group of MDM devices. Ideally we would pick out that cert, presumably via OID, and then use that to send back a VLAN and a role for the device.


I've come across two major issues here that I could use some help with.


First, no matter what I try to use in the Allowed-Certificate-OID, I'm failing. I've tried what I expected to work, the Enhanced Key Usage (, and that gives me a "The Enhanced Key Usage (EKU) Extensions, section of the user or computer certificate are not valid or are missing". I've tried the Certificate Template Information (, which throws the same error. I didn't expect it to work.


So...I'm at wit's end there. I don't know if my server guy has generated a certificate that won't work for this function, and I don't know where to tell him he may be going wrong. Or, of course, I could be doing something wrong with the NPS setup. I don't see how I could have done anything wrong on the controller, but I guess that's a possibility too.


Keep in mind here that, so far, I haven't even tried to send back roles of VLAN IDs. No point in that until I can manage to get things to connect correctly.


My second issue is more logic-related, I think.


Let's say I've got 4 different certs I want to use, and 4 different OIDs to look at for VLAN and role classification purposes. What trick can I use to make this work in NPS? When it comes to conditions it seems like we're fairly limited, and it sure seems to me that the Network Policies don't fall through until they get a working connection, they fall through until they get a matching condition. If that first condition fails (for example here, I'm trying to connect with cert OID #2 and Cert OID #1 is the one checked in the first Network Policy), nobody is ever going to hit that second policy.


Basically, if clients coming in are all 802.11, all coming from the same controller, all coming in on the same SSID, they're not in an Active Directory group, and the only thing that differentiates the clients from an authentication perspective is the OID in the cert they are providing...well, then what? Is this possible?


I know the preferred answer to all of this is "Use Clearpass". And that is actually in my future (hopefully) but, well, that's not happening soon enough to be of use here.


Any help here is quite appreciated.
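A diagnostic added here as an example (not from the original post, and not Aruba's or Microsoft's code): it lists the OIDs a device certificate actually carries, so the value entered in the NPS Allowed-Certificate-OID condition can be checked against the certificate instead of guessed. It assumes the certificate sits in the local machine's Personal store and that its thumbprint is known (the thumbprint below is a placeholder).

```powershell
# Added example, not from the original post.
# Enumerate the OID-bearing extensions of one certificate as NPS would see them.
$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'   # placeholder, not a value from the page

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

# 1. Enhanced Key Usage: each entry is a dotted OID such as
#    1.3.6.1.5.5.7.3.2 (Client Authentication). A cert with no EKU
#    extension is what NPS reports as the EKU section being missing.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku) {
    foreach ($oid in $eku.EnhancedKeyUsages) {
        [pscustomobject]@{ Source = 'EKU'; Oid = $oid.Value; Name = $oid.FriendlyName }
    }
} else {
    Write-Warning 'No Enhanced Key Usage extension present on this certificate.'
}

# 2. Certificate Template Information (v2 templates, extension OID 1.3.6.1.4.1.311.21.7).
#    Note: the OID of the *template* is inside the formatted value, not the
#    extension OID itself, which is why pasting 1.3.6.1.4.1.311.21.7 into the
#    condition does not identify a particular template.
$tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
if ($tmpl) {
    [pscustomobject]@{ Source = 'Template'; Oid = $tmpl.Oid.Value; Name = $tmpl.Format($true).Trim() }
}

# 3. Certificate Policies (2.5.29.32): the issuance-policy OIDs the CA stamped
#    on the cert; compare these too when deciding what the condition should hold.
$pol = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
if ($pol) {
    [pscustomobject]@{ Source = 'Policy'; Oid = $pol.Oid.Value; Name = $pol.Format($true).Trim() }
}
```

Run it once per candidate certificate (one per planned VLAN/role) to confirm that each really differs in an OID before building one NPS Network Policy per OID; since NPS stops at the first policy whose conditions match, the policies must be ordered so that no earlier policy's conditions also match the later certificates.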
