This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Wireless
- ExtremeWireless (General)
- How to guide for Windows NPS certificate based aut...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
How to guide for Windows NPS certificate based authentication?
How to guide for Windows NPS certificate based authentication?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-26-2017 02:20 PM
I am looking for a method of authentication for my Windows clients which does not require the use of a password. I would like to set it up so that if a device is a domain member, it's trusted to join the network. I think that I can do this with Computer certificates?
I have a Windows 2012 Server which is set up as a CA. And I have installed the NPS role. I think that I have come close to making this work - but I am completely lost in how to configure this. Starting with - what certificate am I supposed to use? Do I need to install that cert to the Extreme wireless controller?
Does anyone have a GTAC article or a how-to on how to set all of this up? If not - let's create one! There are way too many steps involved. And Microsoft's documentation is terrible.
I have a Windows 2012 Server which is set up as a CA. And I have installed the NPS role. I think that I have come close to making this work - but I am completely lost in how to configure this. Starting with - what certificate am I supposed to use? Do I need to install that cert to the Extreme wireless controller?
Does anyone have a GTAC article or a how-to on how to set all of this up? If not - let's create one! There are way too many steps involved. And Microsoft's documentation is terrible.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-27-2017 05:23 PM
Not sure that I posed it in the right place, but I put a "how-to guide" together for anyone else brave enough to attempt this feat.
https://community.extremenetworks.com/extreme/topics/how-to-guide-extreme-wireless-authenticates-dom...
https://community.extremenetworks.com/extreme/topics/how-to-guide-extreme-wireless-authenticates-dom...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-27-2017 03:05 PM
Everything worked fine until I tried to repeat these steps on a second Windows 7 laptop. This time, I ran into a brick wall. After a lot of digging I found that there is some sort of bug where Windows 7 will not accept an "invalid certificate". I am not sure what that is about, as the certificate is indeed *VALID* (and it worked fine on another laptop running Windows 7). Searching around in forums, I found a ton of other angry people with this same issue. I am thinking that it's "invalid" because my root cert is from my own trusted server, and not a money grubbing Verisign entity.
If anyone should run into that, here is the hotfix link.
If anyone should run into that, here is the hotfix link.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-26-2017 06:48 PM
Thanks for the advice gentlemen. I think I may have finally got it working. I ended up starting over and deleting my "Connection Request Policy" and "Network Policy" from MS NPS and started over following this guide which kept everything very brief.
It also seems strange that I had to tie to policy to a certificate for the server itself. Not the certificate that shows as the root cert for the computer certificate (which was generated by force of a group policy). Absolutely nuts.
I am going to go back over this tomorrow and ensure that this is working as intended, and maybe write up some instructions on how to set this up from end to end.
And thanks for those docs you sent me Ron, those were quite useful!
It also seems strange that I had to tie to policy to a certificate for the server itself. Not the certificate that shows as the root cert for the computer certificate (which was generated by force of a group policy). Absolutely nuts.
I am going to go back over this tomorrow and ensure that this is working as intended, and maybe write up some instructions on how to set this up from end to end.
And thanks for those docs you sent me Ron, those were quite useful!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
07-26-2017 03:06 PM
Hi Steve,
I've done it more then once but only for my lab setup via web enrolment of the client certificates.
In an production environment that wouldn't be a good solution because you'd need to create a cert for every client by hand - instead as Ryan mentioned a automatic cert enrolment via Windows group policy would be a far better solution.
I'll PM you two documents but I'd suggest to get some help from a Windows expert on the topic if you plan to do it in an production enviroment.
-Ron
I've done it more then once but only for my lab setup via web enrolment of the client certificates.
In an production environment that wouldn't be a good solution because you'd need to create a cert for every client by hand - instead as Ryan mentioned a automatic cert enrolment via Windows group policy would be a far better solution.
I'll PM you two documents but I'd suggest to get some help from a Windows expert on the topic if you plan to do it in an production enviroment.
-Ron
