Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

NPS Server without Certificate configuration

  • 1.  NPS Server without Certificate configuration

    Posted May 02, 2019 12:03 AM

    Hi,
    I have set up a Windows 2012 R2 NPS RADIUS server with a self-signed certificate; it is working great with no issues.
    I have created two networks, Internal-Users and Guest-Users, and I verified that both networks work on Windows 7, Windows 10, macOS and Android devices by importing the Root CA and NPS certificate on the devices and configuring the wireless network manually; done this way it works fine.
    I have no issues for domain-joined PCs, as I push out the certificate and configure the wireless network settings through GPO for both Windows 7 and Windows 10 PCs.
    In the case of non-domain PCs, macOS, Android and iOS, most of the guest users try to connect to the WiFi, and at that point I have to install the certificate manually, and for Windows 7 set up the network settings as well; this makes the purpose of NPS meaningless, so my management advised me to configure the guest network without certificate validation, which means just username/password authentication like a normal WiFi connection.
    I searched Google for the possibility and found it can be configured as MS-CHAP-v2 for this authentication. I tried configuring a new network policy with the settings below; it prompts for authentication but ends with an error.

    [Attached screenshots: 1.jpg, 2.jpg, 3.jpg, 4 client err.jpg]


    I planned to purchase a publicly signed certificate from GoDaddy for NPS SSL for non-domain PCs and mobiles, but I doubt whether I still need to install the Root CA of my ADCS and again have to create the wireless network settings for Windows 7 PCs?

    I am curious how RADIUS is practised in real environments in the case of Windows 7 PCs, global certificates, etc.
    Any help would be highly appreciated, and thanks.

    Thanks in advance.



  • 2.  RE: NPS Server without Certificate configuration

    Posted May 02, 2019 12:21 AM

    Try this, it is working for me.

    [Attached screenshots: 2.jpg, 3.jpg]



  • 3.  RE: NPS Server without Certificate configuration

    Posted May 02, 2019 01:09 AM

    Thanks for the reply. Yes, PEAP with Secured Password (EAP-MSCHAP v2) works fine for me too; as mentioned, for domain PCs I have no issues, but for workgroup PCs I have to install the certificate manually on every PC and configure the network settings, which frustrates my guest users, so I am trying to configure guest users with just username/password authentication without the requirement of certificates.

    Any help!



  • 4.  RE: NPS Server without Certificate configuration

    EMPLOYEE
    Posted May 02, 2019 12:49 PM

    Configuring PEAP-MSCHAPv2 has been made hard by Microsoft for good reasons. As you found out, in a domain you can automate things via group policies, for unmanaged devices you could have a look at a solution like ClearPass Onboard.


    I would try to avoid PEAP-MSCHAPv2 for devices that you can't control, as unless you properly control the device configuration there are significant risks that your user credentials can leak due to the fact that MSCHAPv2 is 'known broken' for years.



  • 5.  RE: NPS Server without Certificate configuration

    Posted May 02, 2019 11:05 PM

    "for unmanaged devices you could have a look at a solution like ClearPass Onboard."

    Oops, I don't know what is meant by ClearPass Onboard here?

    I have a few doubts about the points below; can you please help me clarify them?

    1. For Windows 7 PCs, after purchasing the public SAN SSL certificate, do I still have to install the Root CA of my AD on non-domain PCs, phones and Macs?

    2. Also, do I still have to create the wireless network settings manually on Windows 7 after the public SAN SSL certificate?

    3. Regarding the comments about the MS-CHAP-v2 vulnerability, I found the same information as mentioned below; still, I wanted to try whether username/password authentication alone can be invoked in NPS with the certificate requirement?



  • 6.  RE: NPS Server without Certificate configuration

    MVP
    Posted May 03, 2019 06:44 PM

    https://www.arubanetworks.com/assets/ds/DS_ClearPass_Onboard.pdf

    ClearPass would replace your NPS, and Onboard is one of its modules.

    1) For EAP-PEAP your clients need to trust the server certificate.

    If you use a publicly signed certificate it really depends on their trust list. Not every device has every (or even any) trusted CA listed.

    2) For AD clients you would preferably use GPOs to distribute the network settings to your clients. Also, distributing your trusted CA to AD clients is something that can be done within AD.

    3) Not sure what your question is here.

    - Looking at the screenshots...

    @kts is almost correct. Yes, you want to click the Add button and add PEAP like in his second screenshot.

    However, for EAP-PEAP MSCHAPv2 you must not check ANY checkboxes under "Less secure authentication methods". So do NOT check MS-CHAP-v2 or MS-CHAP here!

    For guest users, I really have to agree with @Herman Robers: do not use 802.1X for them.

    I think you need to take a step back here and look at and explain what you are trying to achieve.

    I see you mentioning guest users. What kind of guests are they? Are they visitors that just need internet access? If not, what kind of access do they need?

    Why not simply use captive portal authentication for guests?

    For true guest users NPS is really limited. I wouldn't want to create AD accounts for guests. I would rather use a controller's internal DB to authenticate those if ClearPass was not an option.



  • 7.  RE: NPS Server without Certificate configuration

    Posted May 04, 2019 03:01 AM
    Thanks for your detailed reply @koen. Yes, the guests are visitors; they require just internet access, not access to other resources. We have some top users who use MacBooks; they come under internal users, and for them both the internet and internal resources need to be accessible.

    My one big concern is: even after purchasing the public SSL certificate for NPS, should I still import the Root CA of my AD server on these MacBooks and Android phones to trust this certificate, or will the public SSL certificate itself be accepted?

    For guest users it seems there is no such option in NPS to achieve what my management is predicting; upon your suggestion I will have to configure a captive portal for guest users at my perimeter firewall only. Is there any option in NPS for a captive portal facility? Thanks once again for all the valuable replies!


  • 8.  RE: NPS Server without Certificate configuration

    EMPLOYEE
    Posted May 04, 2019 10:59 AM

    Why not Captive Portal for guests?




  • 9.  RE: NPS Server without Certificate configuration

    MVP
    Posted May 04, 2019 11:42 AM

    Have to agree again with cjoseph...

    Don't bother guests with 802.1X authentication. You will run into issues like certificates and client config that you REALLY do not want to touch.

    If you use a public server cert, that is all your client needs to trust. So no need for any internal PKI certs.

    Captive portal is a feature of your controller/Instant AP/Central setup. It does not require an NPS server to work, although if you really wanted (typically, you do not) you could still use NPS to authenticate your clients.

    Usually people get a fully fledged solution (ClearPass) or, for basic stuff, use the internal database to authenticate guest users.

    Captive portal is an additional authentication layer above, usually, an open network. Open means no client configuration whatsoever.

    A captive portal served over HTTPS does also require a publicly signed server cert on the controller (and ClearPass, if used), but it is much less hassle than trying to use NPS for guest authentication.

    Your clients' browsers should typically already trust most publicly signed certs.
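    The replies above (posts 6 and 9) keep coming back to one point: for PEAP the client has to trust the certificate NPS presents, and whether that trust already exists depends on who issued it. The script below is an added example, not code from the thread or from HPE Aruba Networking; it runs on the NPS host and lists every certificate NPS could offer for PEAP (private key plus the Server Authentication EKU in the computer's personal store), reports whether it is self-signed, whether its chain builds on that machine, and what a non-domain device would still have to import. The name `nps.corp.example` is a placeholder for the server name you pin in the client wireless profile.

```powershell
# Added example (not from this thread): list the certificates an NPS server could present
# for PEAP and show what a wireless client would have to trust to accept each one.
# Assumptions: run on the NPS host in an elevated PowerShell (3.0 or later); $ExpectedName is a
# placeholder for the server name that will be pinned in the client wireless profile.
param([string]$ExpectedName = 'nps.corp.example')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth: NPS only offers certs with this EKU

# NPS picks from the computer's personal store; the cert must carry its private key.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
}
if (-not $candidates) {
    Write-Warning 'No certificate with a private key and the Server Authentication EKU in LocalMachine\My.'
    return
}

foreach ($cert in $candidates) {
    # Build the chain the way a Windows client would, minus revocation so it works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainBuilds = $chain.Build($cert)
    $root = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    } else { $cert }

    $dnsNames   = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $selfSigned = ($cert.Subject -eq $cert.Issuer)

    # What a non-domain device must be given before PEAP server validation can succeed.
    $clientMustImport = if ($selfSigned) {
        'the server certificate itself (no CA to trust)'
    } else {
        "the root CA '$($root.Subject)', unless the device already trusts it"
    }

    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        Subject          = $cert.Subject
        DnsNames         = ($dnsNames -join ', ')
        NameMatches      = ($dnsNames -contains $ExpectedName)   # does the SAN cover the pinned name?
        NotAfter         = $cert.NotAfter
        SelfSigned       = $selfSigned
        ChainBuilds      = $chainBuilds
        ChainStatus      = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        IssuedBy         = $cert.Issuer
        ClientMustImport = $clientMustImport
    }
}
```

    Reading the output: a `SelfSigned` certificate is exactly the case the original poster hit, where every device needs the certificate imported by hand. A certificate chained to a public CA that the devices already ship with removes that step, but the wireless profile should still pin the server name (`NameMatches`) and the issuing CA; with the name left blank, a client validating only "issued by a trusted CA" would accept any server certificate from that CA, and the MSCHAPv2 credentials inside the PEAP tunnel are only as safe as that server check.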



  • 10.  RE: NPS Server without Certificate configuration

    Posted May 05, 2019 10:40 AM

    "If you use a public server cert, that is all your client needs to trust. So no need for any internal PKI certs."

    Thanks for the information. I am using a UniFi access point, and I have a captive portal option available in it; can I handle my captive portal authentication as well through my NPS server?

    If there is an option for captive portal authentication using NPS, can anyone please share an article to try?

    I found NPS useful, but I am facing an issue with guest user authentication; if I can control both the internal and guest user WiFi connectivity through NPS, that would be more delightful, controlling all the WiFi through NPS.

    Any help please!

    Thanks for the detailed explanation!!!



  • 11.  RE: NPS Server without Certificate configuration

    Posted May 06, 2019 02:52 AM

    https://www.youtube.com/watch?v=CN80XVEsg0I

    Referring to the above link, I tried configuring PAP captive portal authentication, but I receive the error attached.

    Currently I have configured a D-Link DAP-2230 wireless modem and changed its mode to access point.

    Any help or link please for the configuration of an NPS-based captive portal setup.



  • 12.  RE: NPS Server without Certificate configuration

    MVP
    Posted May 06, 2019 05:47 PM

    Your error means that your connection did not match an NPS Connection Request Policy. So you need to make sure you have a policy there that matches your requests.



  • 13.  RE: NPS Server without Certificate configuration

    Posted May 06, 2019 10:57 PM

    When I use a certificate with PEAP-MS-CHAP-v2 authentication it connects fine with no issues; the only problem is that the Windows 7 network settings have to be done manually.

    I am trying captive portal authentication using NPS now; I configured it accordingly but receive the attached error.

    I would be pleased if someone could share an article on NPS captive portal authentication.



  • 14.  RE: NPS Server without Certificate configuration

    Posted May 07, 2019 02:53 AM

    Earlier I had configured the wireless authentication settings to WPA-Enterprise; now I have changed them to Open System.

    When I connect to my open WiFi it connects, and my DHCP server even distributes an IP address, but when I browse to any site, instead of showing the captive portal of my D-Link device it shows a "Server Not Available" error.

    Earlier I had not configured the captive portal URL path; now I have configured the URL path, entering my D-Link AP IP itself in its captive portal web page.

    My NPS server IP is 192.168.9.125

    and my D-Link AP IP is 192.168.9.181.

    Attached picture for reference.

    Though the client connects and an IP gets assigned on the open WiFi connection, the authentication captive portal does not appear, and again the same error code 48, "The connection request did not match any configured network policy", is received.

    Can anyone please share an NPS with captive portal authentication configuration article? I feel I am making some mistake, which is why it is not processing the captive portal display page!

    Thanks in advance.

    [Attached screenshots: WiFi Settings.jpg, Captive portal.jpg]
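    Post 12 explains that the error means the request matched no policy, and the post above quotes NPS reason code 48. The quickest way to see which policy stage is failing, and what the access point actually sent, is to read the Access-Reject audit events NPS writes to the Security log (Event ID 6273). The script below is an added example, not code from the thread or from any vendor; it summarises the last day of rejects by reason code and then prints the RADIUS client, connection request policy, authentication type and EAP type for every code 48 or 49 event, which is the information needed to adjust the policy conditions. The EventData field names and the short reason-code table are assumptions taken from Microsoft's documented NPS event format and reason-code list.

```powershell
# Added example (not from this thread): summarise NPS Access-Reject events (Event ID 6273 in
# the Security log) by reason code so a policy mismatch such as code 48 can be spotted quickly.
# Assumptions: run on the NPS host with rights to read the Security log; the EventData names
# below are the ones NPS uses in 6273 events; the reason-code text is a subset of Microsoft's list.
param([int]$Hours = 24)

# A few common NPS reason codes (assumed from Microsoft's NPS reason-code list).
$reasonText = @{
    16 = 'Credentials mismatch (bad username/password)'
    22 = 'EAP type cannot be processed by the server'
    48 = 'No network policy matched'
    49 = 'No connection request policy matched'
    65 = 'Dial-in permission on the AD account denies access'
    66 = 'Auth method not enabled on the matching network policy'
}

$filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML rather than relying on positional properties.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = $data['SubjectUserName']
        NasClient  = $data['ClientName']          # RADIUS client (AP/controller) as named in NPS
        NasIp      = $data['ClientIPAddress']
        CRP        = $data['ProxyPolicyName']     # connection request policy that matched, if any
        NetPolicy  = $data['NetworkPolicyName']   # network policy that matched, if any
        AuthType   = $data['AuthenticationType']  # e.g. PAP, MS-CHAPv2, EAP
        EapType    = $data['EAPType']
        ReasonCode = [int]$data['ReasonCode']
        Reason     = $data['Reason']
    }
}

# Summary: which reason codes dominate the rejects?
$rows | Group-Object ReasonCode | Sort-Object Count -Descending | ForEach-Object {
    $code = [int]$_.Name
    $hint = if ($reasonText.ContainsKey($code)) { $reasonText[$code] } else { 'see event text' }
    '{0,5} x code {1,-3} {2}' -f $_.Count, $code, $hint
}

# Detail for the policy-mismatch codes (48 = network policy, 49 = connection request policy):
# the client, auth type and EAP type show what the policy conditions must be written to match.
$rows | Where-Object { $_.ReasonCode -in 48, 49 } |
    Select-Object Time, User, NasClient, NasIp, CRP, NetPolicy, AuthType, EapType |
    Format-Table -AutoSize
```

    For a captive portal that hands the username and password to NPS, `AuthType` in these rows is typically PAP, so a network policy written for EAP-PEAP will never match it and code 48 is the result; the same table also exposes which access point address and NAS identifier the requests arrive with, which is what post 15 means by the policy depending on what the wireless equipment sends.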



  • 15.  RE: NPS Server without Certificate configuration

    MVP
    Posted May 07, 2019 03:40 AM

    What you need to configure on your NPS depends on what your wireless equipment sends. This can and does differ between products and brands.

    And.. you did notice this is an Aruba Networks community right?  

    I think you might have more luck finding people knowledgeable about D-Link at the... well, D-Link forums.



  • 16.  RE: NPS Server without Certificate configuration

    Posted May 07, 2019 05:20 AM

    Try this...

    [Attached screenshots: 1.jpg, 2.jpg, 3.jpg]