Managed wireless problem - unable to find certificate to log on
We have purchased Ruckus to use as a managed wireless solution. We want to start by using it in a new build to the school. We have 10 APs. We are using 802.1X EAP with WPA2 and AES (this is all very new to us!).
Ruckus has helped us set up the Zone Director and configure NPS on our 2008 R2 server. We want users to be authenticated by their AD credentials.
When a user logs on, they can see the wireless network but when they try to connect it shows the message 'Windows was unable to find a certificate to log you on to the network'. I have done quite a bit of searching but can't find out how I can push the certificate generated from NPS to the clients. I can't even find out the location of where it is on the server!
I have been playing around with the wireless settings in GP and we can get clients to automatically connect to wireless networks with preferred settings but can't get past this certificate issue. If we change some settings on the client to not use a certificate it works, but we don't really want to do that on every client and presume using the certificate is the correct way?
Can anyone offer any help, advice or guidance to put us in the right direction?
I assume you are doing EAP-PEAP (username and password authentication). The error message you are seeing is due to the client trying to do EAP-TLS (certificate authentication). In the wireless settings on the client, on the security tab, set the authentication method to PEAP. Also, by default PEAP will try to authenticate the RADIUS server's certificate, so you will also have to either untick the "Validate server certificate" box or export the certificate from NPS and install it on the clients, either manually or use GP to push the certificate out to the clients.
If, on the other hand, you are trying to do EAP-TLS, you need to set up a CA server and use GP to auto-enroll your clients with a computer and user certificate.
Generally, on a small network PEAP is the way to go and avoids the hassle of setting up a CA.
The validate server certificate option ensures that your laptops will only pass their AD credentials to your RADIUS server. Without certificate checking, someone could set up a rogue AP advertising your SSID and your clients would happily and unknowingly pass their AD credentials to the rogue.
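To check which of the cases described above a client is actually in, the wireless profile can be exported with `netsh wlan export profile` and inspected. The following is an added example, not part of the original thread: it assumes the element names Windows uses in exported profiles (`Type`, `PerformServerValidation`, `TrustedRootCA`), and the sample profiles and their names are constructed and heavily trimmed.

```python
import xml.etree.ElementTree as ET

# IANA EAP method numbers: 13 = EAP-TLS (client certificate), 25 = PEAP.
EAP_TYPES = {"13": "EAP-TLS", "25": "PEAP"}

def audit_profile(xml_text):
    """Return (profile name, outer EAP method, list of findings)."""
    # Compare on local element names so the nested Microsoft namespaces don't matter.
    elems = [(e.tag.rsplit("}", 1)[-1], (e.text or "").strip())
             for e in ET.fromstring(xml_text).iter()]
    first = lambda tag: next((t for n, t in elems if n == tag), None)
    name, outer = first("name"), first("Type")  # first <Type> is the outer method
    findings = []
    if outer == "13":
        findings.append("EAP-TLS selected: client needs an enrolled certificate")
    elif outer == "25":
        if first("PerformServerValidation") != "true":
            findings.append("server certificate not validated: rogue AP can collect credentials")
        elif not any(t for n, t in elems if n == "TrustedRootCA"):
            findings.append("validation on but no trusted root CA selected")
    else:
        findings.append("unexpected EAP type %r" % outer)
    return name, EAP_TYPES.get(outer, "unknown"), findings

def sample(name, eap_type, validate="true", root_ca=""):
    """Constructed, trimmed-down profile; real exports carry many more elements."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
    <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{eap_type}</Type></EapMethod>
      <Config><Eap><Type>{eap_type}</Type><EapType>
        <ServerValidation><TrustedRootCA>{root_ca}</TrustedRootCA></ServerValidation>
        <PeapExtensions><PerformServerValidation>{validate}</PerformServerValidation></PeapExtensions>
      </EapType></Eap></Config>
    </EapHostConfig></EAPConfig>
  </OneX></security></MSM>
</WLANProfile>"""

if __name__ == "__main__":
    for xml in (sample("school-default", "13"),
                sample("school-peap-novalidate", "25", validate="false"),
                sample("school-peap-pinned", "25", root_ca="aa bb cc (placeholder)")):
        print(audit_profile(xml))
```

A profile that comes back as PEAP with no findings is the configuration the last reply recommends: password authentication with the RADIUS server's certificate checked against a chosen root.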