Some workaround tips:
One option is to perform manual certificate enrollment. If your Windows machine is not domain-joined, you can manually enroll a machine certificate: export the certificate template from the issuing CA (with private key), then use MMC > Certificates (Local Computer) to import it manually. Ensure the private key is present and the certificate is marked for Client Authentication.
Another option is to configure the wireless profile via GPO or script. Use a local or script-based method to create a wireless profile with EAP-TLS. Select the correct certificate for authentication and the trusted root CA of the NPS server.
The best way would be to establish a trust relationship between the domains so that the NPS domain can issue certificates to the client. This would allow GPO auto-enrollment to work.
You could also use SCEP / NDES for certificate enrollment. Consider using SCEP or NDES to issue certificates to non-domain clients via a secure web service. This allows clients to request certs over HTTP and use them for EAP-TLS.
The easiest way, and the recommended one, is to have a proper setup "as per the book" where you have the CA, AD and machine all in the domain.
But if domain joining is not possible, then you would need to manually install a valid certificate on Windows, manually configure the EAP-TLS profile on the Windows client, and then test the setup and check the event logs (Event Viewer > System / Security / NPS logs) for details on whether the process succeeded or failed (and why it failed).
------------------------------
Shpat | ACEP | ACMP | ACCP | ACDP
Just an Aruba enthusiast and contributor by cases
If you find my comment helpful, KUDOS are appreciated.
------------------------------
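As an added example (not code from Shpat's reply or from the thread), the following PowerShell script performs the pre-flight checks the manual route above depends on on a non-domain-joined Windows 11 client: it imports the PFX into the Local Computer store, verifies that the private key is present and the Client Authentication EKU is set, confirms the chain ends at the NPS-side root CA in LocalMachine\Root, and then pulls the client-side 802.1X result events. The PFX path and the root CA thumbprint are placeholders, and the event IDs used (8001/8002 for WLAN-AutoConfig, 6272/6273 in the NPS Security log) are the standard connect success/failure and access granted/denied events.

```powershell
# Added example, not from the thread. Pre-flight checks for a manually enrolled
# EAP-TLS machine certificate on a non-domain-joined Windows client.
# Placeholders: $PfxPath and $NpsRootThumbprint. Assumed event IDs: 8001/8002
# (WLAN-AutoConfig connect success/failure), 6272/6273 (NPS access granted/denied).
param(
    [string]$PfxPath           = 'C:\certs\client-machine.pfx',          # placeholder
    [string]$NpsRootThumbprint = 'REPLACE-WITH-NPS-ROOT-CA-THUMBPRINT'   # placeholder
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required by NPS for EAP-TLS

# 1. Import the machine certificate with its private key into Local Computer > Personal.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# 2. The private key must be present in the machine store (a user-only import will not work).
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# 3. The EKU extension (2.5.29.37) must include Client Authentication.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
if (-not $hasClientAuth) { throw "Certificate lacks Client Authentication EKU ($clientAuthOid)" }

# 4. The chain must build to the NPS-side root CA, and that root must be in LocalMachine\Root,
#    otherwise the client cannot validate the RADIUS server certificate during EAP-TLS.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; CRL reachability is a separate test
if (-not $chain.Build($cert)) {
    throw "Chain build failed: $($chain.ChainStatus.StatusInformation -join '; ')"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -ne $NpsRootThumbprint.ToUpper()) {
    throw "Chain ends at '$($root.Subject)', not at the expected NPS root CA"
}
if (-not (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)")) {
    throw "Root CA '$($root.Subject)' is not in Cert:\LocalMachine\Root"
}
Write-Host "OK: $($cert.Subject) ($($cert.Thumbprint)) expires $($cert.NotAfter); chains to $($root.Subject)"

# 5. After a connection attempt, show the client-side 802.1X outcome (8001 = connected, 8002 = failed).
Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-WLAN-AutoConfig/Operational'; Id = 8001, 8002} `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Format-Table TimeCreated, Id, Message -AutoSize -Wrap

# On the NPS server, the matching decision and reason code are in the Security log:
# Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 6272, 6273} -MaxEvents 5
```

Run it from an elevated PowerShell on the client; a failure in step 3 or 4 is the usual reason an Android client (which picks its own certificate and trust settings) works while the Windows machine is rejected.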
Original Message:
Sent: Mar 24, 2025 02:08 AM
From: avanindra
Subject: Is it necessary for Windows 11 Client device and Windows RADIUS server to be in same domain for 802.1X wireless EAP-TLS authentication
Dear Shpat
Thanks for the feedback
Can you guide me how to make the RADIUS server domain trust the domain of my Windows client?
Regards
Avanindra Kumar Mishra
Original Message:
Sent: Mar 24, 2025 01:44 AM
From: shpat
Subject: Is it necessary for Windows 11 Client device and Windows RADIUS server to be in same domain for 802.1X wireless EAP-TLS authentication
Certificate enrollment via GPO auto-enrollment typically requires the client to be in the same domain as, or a domain trusted by, the issuing CA. This is because GPOs and auto-enrollment rely on Active Directory integration, which works only for domain-joined machines.
Original Message:
Sent: Mar 24, 2025 01:41 AM
From: avanindra
Subject: Is it necessary for Windows 11 Client device and Windows RADIUS server to be in same domain for 802.1X wireless EAP-TLS authentication
Dear Team
I am trying 802.1X wireless EAP-TLS authentication with CPPM version 6.12.x and a Windows 2022 RADIUS server.
- The NPS root CA certificate is placed in the trust center of CPPM.
- The certificate signing request has been generated using the NPS server.
- Group Policy is configured on the NPS server for client auto-enrollment.
- This setup works with Android clients but not with the Windows machine.
- My Windows machine and NPS server are in different domains.
- The RADIUS server (NPS) and CPPM are reachable, but the domains are different. Is it mandatory that both be in the same domain?
Is there any work around?
Regards
Avanindra K Mishra