Even after reading many articles on similar situations, I am still a little confused...
Over the holidays I have configured Network Policy Server role on a Server 2012 R2 machine. Our wireless APs and controller are Ruckus.
I want to create 3 SSIDs:
1) is for staff only, authenticated by either Domain Computer or Staff user group in AD - (EAP Protected PEAP)
2) is for students own devices (Ruckus will transfer these devices onto a separate VLAN which will go through a transparent internet proxy) - I need this to be authenticated by a username only (from AD)
3) is for guests (I don't need to worry about this one for now)
What I am struggling with is the authentication for staff/students. On some devices, i.e. domain-joined machines or Apple iPhones/iPads, the devices join fine for either SSID and install a certificate. However, I have some non-domain-joined machines that just will not join at all: as soon as I choose either the staff or student SSID from the wireless network list and enter a valid username/password from AD, it just fails to connect.
I assume this is an authentication issue. Am I right in thinking that I can use NPS/RADIUS to connect a non-domain computer with just a valid AD Username?
Any ideas what might be wrong here?
On Windows 7 and XP machines, unless you use a trusted certificate, you will have to add the connection manually, then go into the advanced properties and untick the box that says 'Validate Certificate'; it will then let you connect.
There are two ways round this. Firstly, buy a trusted certificate - not actually that expensive. Secondly, as stated above, import your root certificate onto devices, which kinda defeats the object of BYOD. I recommend you buy a trusted certificate to secure your wireless with.
What I've done here to avoid these issues is to have the actual wireless connection unencrypted and free to join, but there's a web-based captive portal that users have to authenticate to before it will let them do anything. This is built into Meru, and works a treat for our BYOD network. I just wish it would hand the authentication details on to our web filter, but it doesn't, so users have to authenticate twice at the moment for BYOD. Yes, I know the risks with unencrypted wireless, but it's a BYOD network and not the main network, so the risks are relatively low and we are only a school; the whole lot is isolated in its own NAT'd VLAN and only ports 80 and 443 go through the firewall.
By the way, Untangle free edition is a fantastic firewall product for this sort of setup, easily installable and highly configurable.
@maniac - Thanks for this information. So to clarify, if I were to buy a trusted certificate, then all non-domain machines (including Windows XP and 7) would just be able to join the network using AD user authentication only? With no need for our IT team to manually get involved installing certificates or configuring manual networks?
If this is the case, could you explain the process a little more about obtaining a trusted certificate?
Essentially, certificates work on a trust basis, so in order for your clients to trust your RADIUS server, the certificate that it uses for its security and identity has to be issued from a trusted source. By default, Network Policy Server on Server 2008/2012 (I'm assuming you're using NPS as your RADIUS provider?) uses a self-generated certificate, which is issued to the server at the time of joining the domain, in order to validate itself to the client; but obviously clients that are not part of your network won't trust this certificate because they don't know who issued it.
All you need to do is obtain an SSL certificate from a provider (such as GoDaddy, for example) that is suitable for server identification. You need to make sure you request the certificate with the correct server name and then make sure NPS is using this certificate.
You can see the certificate that NPS is using by looking at the PEAP properties in the network policy (I also assume you are using PEAP, as it's the most common method of doing this). To use a different certificate after obtaining it from a trusted certificate authority, you import it into the Computer Personal certificate store along with any intermediate certificates and then instruct NPS to use it; you will then be able to join anything to the wireless network without any errors.
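An added example, not from this thread or any of its posters, to check the points above on the NPS server before touching the network policy: it lists the certificates in the Computer Personal store that carry the Server Authentication EKU, checks that the name clients will see is in the SAN, builds the chain the way a client would, and reports who the root issuer is and whether intermediates are missing. The FQDN is a placeholder you must replace.

```powershell
# Added example (not the thread's own code). Run on the NPS server in an elevated
# PowerShell session. Assumption: $ServerFqdn is the name your RADIUS server presents.
$ServerFqdn    = 'nps01.example.internal'   # placeholder, replace with your NPS FQDN
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'        # Server Authentication EKU OID

# Only certificates with a private key and the server-auth EKU can be chosen for PEAP.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku)
}

foreach ($cert in $candidates) {
    # Name match: PEAP clients compare the presented name against the SAN (or CN).
    $names  = @($cert.DnsNameList.Unicode)
    $nameOk = $names -contains $ServerFqdn

    # Build the chain as a client would. Revocation is skipped so this runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # PartialChain means an intermediate is not in the local store; NPS cannot send
    # the full chain to the client during the EAP exchange until it is imported.
    $partial = [bool]($chain.ChainStatus | Where-Object { $_.Status -eq 'PartialChain' })

    [pscustomobject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        NameMatches      = $nameOk
        ChainBuilds      = $chainOk
        RootIssuer       = $root.Subject
        RootIsSelfSigned = ($root.Subject -eq $root.Issuer)
        PartialChain     = $partial
        Problems         = ($chain.ChainStatus.StatusInformation -join '; ')
    }
}
```

A chain can build on the server because your domain CA's root sits in its Root store and still fail on a BYOD device that has never seen that root, so look at RootIssuer: if it is your own CA rather than a public one, non-domain clients will keep failing validation until you switch to the purchased certificate.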