How to guide for Windows NPS certificate based authentication?

Steve_Ballantyn
Contributor
I am looking for a method of authentication for my Windows clients which does not require the use of a password. I would like to set it up so that if a device is a domain member, it's trusted to join the network. I think that I can do this with Computer certificates?

I have a Windows 2012 Server which is set up as a CA. And I have installed the NPS role. I think that I have come close to making this work - but I am completely lost in how to configure this. Starting with - what certificate am I supposed to use? Do I need to install that cert to the Extreme wireless controller?

Does anyone have a GTAC article or a how-to on how to set all of this up? If not - let's create one!  There are way too many steps involved. And Microsoft's documentation is terrible.
7 REPLIES

Steve_Ballantyn
Contributor
Not sure that I posed it in the right place, but I put a "how-to guide" together for anyone else brave enough to attempt this feat.

https://community.extremenetworks.com/extreme/topics/how-to-guide-extreme-wireless-authenticates-dom...

Steve_Ballantyn
Contributor
Everything worked fine until I tried to repeat these steps on a second Windows 7 laptop. This time, I ran into a brick wall. After a lot of digging I found that there is some sort of bug where Windows 7 will not accept an "invalid certificate". I am not sure what that is about, as the certificate is indeed *VALID* (and it worked fine on another laptop running Windows 7). Searching around in forums, I found a ton of other angry people with this same issue. I am thinking that it's "invalid" because my root cert is from my own trusted server, and not a money grubbing Verisign entity.

If anyone should run into that, here is the hotfix link.

Steve_Ballantyn
Contributor
Thanks for the advice gentlemen. I think I may have finally got it working. I ended up starting over and deleting my "Connection Request Policy" and "Network Policy" from MS NPS and started over following this guide which kept everything very brief.

It also seems strange that I had to tie the policy to a certificate for the server itself. Not the certificate that shows as the root cert for the computer certificate (which was generated by force of a group policy). Absolutely nuts.

I am going to go back over this tomorrow and ensure that this is working as intended, and maybe write up some instructions on how to set this up from end to end.

And thanks for those docs you sent me Ron, those were quite useful!
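
The post above hinges on which certificate goes where: NPS picks a certificate from the server's local machine Personal store that carries the Server Authentication EKU and has a private key, while a domain member presents a computer certificate carrying the Client Authentication EKU, and both must chain to a root the other side trusts. The script below is an added example written for this thread, not code from the original post or from Extreme or Microsoft; the store path and EKU OIDs are the standard Windows values, the function name and the Server/Client role labels are this example's own. Run it on the NPS server to see what the Network Policy can bind to, and on a client to see what the supplicant will offer.

```powershell
# Added example (not from the thread). Lists certificates in the local
# machine Personal store that NPS could select for PEAP/EAP-TLS (server
# side) and that a domain member could present for EAP-TLS (client side),
# and reports why a certificate would be rejected: missing EKU, no private
# key, expired, or a chain that does not build to a trusted root.
# Function name and role labels are this example's own naming.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-EapTlsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [ValidateSet('Server', 'Client')][string]$Role = 'Server'
    )
    $requiredOid = if ($Role -eq 'Server') { $ServerAuthOid } else { $ClientAuthOid }
    $problems = @()

    # EKU: NPS only offers certificates carrying Server Authentication; the
    # client must carry Client Authentication. A certificate with no EKU
    # extension at all is valid for any purpose, so it is not flagged.
    $ekus = @($Certificate.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus.Count -gt 0 -and $ekus -notcontains $requiredOid) {
        $problems += "missing EKU $requiredOid"
    }

    # Whoever presents the certificate must be able to sign the TLS handshake.
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key' }

    if ($Certificate.NotAfter -lt (Get-Date)) { $problems += 'expired' }

    # Chain validation against this machine's trusted roots. Revocation
    # checking is switched off so the check also works in an offline lab.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Certificate)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems += "chain does not build: $status"
    }

    [pscustomobject]@{
        Subject  = $Certificate.Subject
        Issuer   = $Certificate.Issuer
        Expires  = $Certificate.NotAfter
        Role     = $Role
        Usable   = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# On the NPS server: candidates for the EAP server certificate.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapTlsCertificate -Certificate $_ -Role Server } |
    Format-Table Subject, Issuer, Expires, Usable, Problems -AutoSize

# On a domain-joined client: the computer certificate it will present.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapTlsCertificate -Certificate $_ -Role Client } |
    Format-Table Subject, Issuer, Expires, Usable, Problems -AutoSize
```

A certificate that shows "chain does not build" on the client is the case to look at first: the root of the internal CA has to be in the client's Trusted Root Certification Authorities store (normally pushed by Group Policy), and the client-side EAP profile has to be set to trust that root, otherwise the server certificate NPS presents is rejected regardless of how the NPS policy is configured.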

Ronald_Dvorak
Honored Contributor
Hi Steve,

I've done it more than once but only for my lab setup via web enrolment of the client certificates.

In a production environment that wouldn't be a good solution because you'd need to create a cert for every client by hand - instead, as Ryan mentioned, an automatic cert enrolment via Windows group policy would be a far better solution.

I'll PM you two documents but I'd suggest getting some help from a Windows expert on the topic if you plan to do it in a production environment.

-Ron
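
Ron's point is that auto-enrolment through Group Policy replaces per-client web enrolment: once the "Certificate Services Client - Auto-Enrollment" policy is on and Domain Computers have Read, Enroll and Autoenroll on the template, every domain member requests its own computer certificate. The script below is an added example for this thread, not code from Ron's documents or from Microsoft; it triggers auto-enrolment on a client and confirms a certificate was issued from the expected template. "Workstation Authentication" is the built-in template name assumed here; the function name is this example's own. Run it elevated on a domain-joined client.

```powershell
# Added example (not from the thread). Triggers computer certificate
# auto-enrolment on a domain-joined client and confirms that a certificate
# from the expected template landed in the machine store.
# Assumed template name: 'Workstation Authentication' (the built-in one);
# replace it with your own template's display name.

param([string]$TemplateName = 'Workstation Authentication')

# Refresh Computer Configuration policy (which carries the auto-enrolment
# setting), then pulse auto-enrolment instead of waiting for the scheduled run.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# The template a certificate came from is recorded in the Certificate
# Template Information extension (version 2+ templates) or the older
# Certificate Template Name extension (version 1 templates).
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'

function Get-CertificateTemplate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -eq $TemplateInfoOid -or $ext.Oid.Value -eq $TemplateNameOid) {
            # Format() renders the decoded extension, e.g.
            # "Template=Workstation Authentication(1.3.6.1.4.1.311.21.8...), ..."
            return $ext.Format($false)
        }
    }
    return $null
}

$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $template = Get-CertificateTemplate -Certificate $_
    $template -and ($template -like "*$TemplateName*")
}

if ($issued) {
    $issued | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
} else {
    Write-Warning ("No certificate from template '{0}' found. Check that the " +
        "template grants Domain Computers Read, Enroll and Autoenroll, that the " +
        "template is published on the CA, and that the auto-enrolment GPO applies " +
        "to this computer.") -f $TemplateName
}
```

If the warning fires, the CA's Failed Requests view and the client's Application log (source CertificateServicesClient-AutoEnrollment) show which of the three conditions is missing; the permissions on the template are the usual culprit.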