  1. #1

    Possible to bypass Network Policy Server for smartphones?

    We have NPS component installed on Server 2008 R2 with a policy to only allow certain Windows laptops (from an AD group) to connect to our wireless network. This works great. However, it also prevents smartphone/tablet devices from connecting as we can't add Android or Apple devices to the AD group. Yet we still require the devices to connect using 802.1x so users can be authenticated. If I remove the condition in NPS so that all devices can connect, smartphones connect fine, but then this allows any device to connect.

    Is there any way to allow non-Windows devices to not be restricted by the condition in NPS?

  2. #2

    You can add a Windows User group to the NPS policy. For example, set up a new AD container for Smartphone users and only add the users that should be allowed to connect their smartphone. You can then log in with the AD username/password.

  3. #3

    Originally posted by paulfinlay:
    > You can add a Windows User group to the NPS policy. For example, set up a new AD container for Smartphone users and only add the users that should be allowed to connect their smartphone. You can then log in with the AD username/password.

    Thanks. The only problem with this is that the NPS machine policy our laptops are in will still exist, still preventing phones. If I remove this machine policy and use users only, it will allow any user to connect with any device. If I use users only but with MAC filtering, we'll need to add the MAC of hundreds of laptops.

  4. #4


    Can't you set up a 2nd WiFi SSID etc. with its own certificate that's user-based alongside the existing one, or can the APs/management module only handle 1 SSID/cert?

  5. #5

    I can indeed set up a new SSID. I made a new one and had it set to 802.1x. When connecting on the phone with this new SSID, it prompts for my AD username and password, it tries to get an IP address from our DHCP server, and I think NPS kicks in and prevents the phone connecting. If I go into NPS and remove the condition to only allow laptops, it works. I don't mind having a new SSID, but why is NPS still kicking in?

  6. #6

    plexer
    I use NPS to secure my wireless and only allow domain laptops to log in to the wireless by having a group to which they are added. I also have a second group which contains users that are permitted to log on to the wireless.

    My domain laptops are configured to log on via their machine accounts, but I log my smartphone on via my user account, which is in the second group. This is what I believe you are trying to achieve.

    Ben

  7. #7

    Originally posted by plexer:
    > I use NPS to secure my wireless and only allow domain laptops to log in to the wireless by having a group to which they are added. I also have a second group which contains users that are permitted to log on to the wireless.
    >
    > My domain laptops are configured to log on via their machine accounts, but I log my smartphone on via my user account, which is in the second group. This is what I believe you are trying to achieve.
    >
    > Ben

    Thanks, that sounds like exactly what I need. I've tried making a new AD group, put my user in it, added it in NPS, made a new WLAN, and it still won't allow me until I specifically remove the machine condition.

  8. #8


    Set up two network policies. NPS (or RADIUS, as that's the sub-component you're using) will pick a match from top to bottom.

    We have two:

    Member of "AuthBYOD" user group.
    Domain Hardware.

    Meeting either policy lets you in.

    NPS > Policies > Network Policies

  9. #9

    You don't even need a second policy. Just add the AD user group you want to allow to the existing NPS policy. The smartphone will be allowed in if the username belongs to the group added to NPS.
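
The matching behaviour described in posts #8 and #9, as an added example that is not part of the original thread and is not NPS code. This small Python model assumes NPS tries network policies top to bottom, requires every condition in a policy to match, and treats a group condition as satisfied by membership of any listed group; the account names and the use of "Domain Hardware" as a group name are constructed.

```python
"""Toy model of NPS network-policy matching (added example, not NPS code)."""
from dataclasses import dataclass

@dataclass
class Request:                 # one 802.1X authentication attempt
    account: str               # user name, or machine account ending in "$"
    groups: frozenset          # AD groups of that account (constructed)

    @property
    def is_machine(self):
        return self.account.endswith("$")

@dataclass
class Policy:
    name: str
    machine_groups: frozenset = frozenset()  # "Machine Groups" condition
    user_groups: frozenset = frozenset()     # "User Groups" condition
    windows_groups: frozenset = frozenset()  # "Windows Groups": user or machine

    def matches(self, req):
        # Assumption: every configured condition must match (AND); inside one
        # condition, membership of any listed group is enough (OR).
        if self.machine_groups and not (req.is_machine and req.groups & self.machine_groups):
            return False
        if self.user_groups and not (not req.is_machine and req.groups & self.user_groups):
            return False
        if self.windows_groups and not (req.groups & self.windows_groups):
            return False
        return True

def evaluate(policies, req):
    """First matching policy wins; no match means the request is rejected."""
    for policy in policies:
        if policy.matches(req):
            return ("Access-Accept", policy.name)
    return ("Access-Reject", None)

# Constructed sample accounts; two layouts from the thread plus one hypothetical.
LAPTOP = Request("LAPTOP-01$", frozenset({"Domain Hardware"}))
PHONE_IN_GROUP = Request("alice", frozenset({"AuthBYOD"}))
PHONE_NOT_IN_GROUP = Request("bob", frozenset({"Domain Users"}))
TWO_POLICIES = [Policy("BYOD users", user_groups=frozenset({"AuthBYOD"})),
                Policy("Domain laptops", machine_groups=frozenset({"Domain Hardware"}))]
ONE_POLICY_ANY_GROUP = [Policy("Wireless", windows_groups=frozenset({"AuthBYOD", "Domain Hardware"}))]
# Hypothetical misconfiguration: two separate conditions in one policy are ANDed.
ONE_POLICY_BOTH = [Policy("Wireless", machine_groups=frozenset({"Domain Hardware"}),
                          user_groups=frozenset({"AuthBYOD"}))]

if __name__ == "__main__":
    for layout in (TWO_POLICIES, ONE_POLICY_ANY_GROUP, ONE_POLICY_BOTH):
        print([evaluate(layout, r)[0] for r in (LAPTOP, PHONE_IN_GROUP, PHONE_NOT_IN_GROUP)])
```

In this model the third layout rejects laptops and phones alike, because a single authentication presents either a machine account or a user account, never both.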
