cgadmin
(cgadmin)
August 27, 2015, 8:35am
1
Question is pretty much in the subject line.
I’d like to use AD & NPS & RADIUS to authenticate wifi users but I can’t reliably deploy certs or special config to the client machines.
Ideally I’d like the user to click on the SSID, enter their domain user name and password and get connected, whether they are domain joined or not.
Is this possible with NPS RADIUS?
I’ve had no success and have seen some articles suggesting this is possible, and some suggesting otherwise.
Thanks for any guidance!
3 Spice ups
brianlittlejohn
(brianlittlejohn)
August 27, 2015, 10:34am
2
I have non-domain-joined computers connecting to my network with user/password, but I have to manually create the wireless profile to tell it to ignore certs and to use user authentication, otherwise it just tries to use computer or Windows login by default.
2 Spice ups
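An added example, not part of the thread: one way to audit exported Windows WLAN profiles for the settings the post above describes changing by hand (802.1X `authMode`, PEAP server-certificate validation, and whether MSCHAPv2 reuses the Windows logon). The sample profile is constructed and abridged, elements are matched by local name only, and `audit_profile` is a hypothetical helper.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged profile in the shape of `netsh wlan export profile` output.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
    <authMode>user</authMode>
    <EAPConfig><Config><Eap><Type>25</Type><EapType>
      <ServerValidation>
        <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
      </ServerValidation>
      <Eap><Type>26</Type><EapType>
        <UseWinLogonCredentials>false</UseWinLogonCredentials>
      </EapType></Eap>
      <PerformServerValidation>false</PerformServerValidation>
    </EapType></Eap></Config></EAPConfig>
  </OneX></security></MSM>
</WLANProfile>"""

def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on tags.
    return tag.rsplit("}", 1)[-1]

def _first(root, name):
    # Text of the first element with this local name, or None if absent.
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None

def audit_profile(xml_text):
    """Return findings for one WLAN profile (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    findings = []
    mode = _first(root, "authMode")
    if mode != "user":
        findings.append(f"authMode is {mode!r}, not 'user'")
    if _first(root, "PerformServerValidation") == "false":
        findings.append("server certificate validation is disabled")
    elif _first(root, "TrustedRootCA") is None:
        findings.append("no TrustedRootCA pinned")
    if not _first(root, "ServerNames"):
        findings.append("no expected server name set")
    if _first(root, "UseWinLogonCredentials") == "true":
        findings.append("MSCHAPv2 reuses the Windows logon")
    return findings

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```
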
cgadmin
(cgadmin)
August 27, 2015, 10:48am
3
Yeah that was my experience too.
I’d just insist on domain joining every company computer and deploy certs and then push all non-domain computers off onto a guest network (I’d know that they were all personal machines if they didn’t have the cert anyway) but the problem then would be what to do with devices that are company owned but aren’t domain joinable, e.g. Android & iOS. I’m sure there are ways of setting them up but if it involves configuring one client at a time it’s not appealing to do (or ask users to do) for a zillion smartphones.
Are there ways of having APs (I’m using UniFi APs) authenticate through AD without jumping through cert hoops? Some other RADIUS server? Something other than RADIUS?
brianlittlejohn
(brianlittlejohn)
August 27, 2015, 10:50am
4
As far as iOS, it asks for credentials, then pops up the certificate that you can tell it to ignore… real easy. Android does essentially the same thing.
1 Spice up
cgadmin
(cgadmin)
August 27, 2015, 11:07am
5
Ah - that actually seems a bit more feasible for untrained users - they will click ignore to anything!
I’ll be honest I have no experience with NPS, just trying to configure RADIUS - what is the certificate that the client is being asked to consider? Is it a cert for the NPS server itself? Is it possible to obtain a cert that the client will “already” trust (without being explicitly told to), e.g. some sort of paid certificate?
brianlittlejohn
(brianlittlejohn)
August 27, 2015, 1:15pm
6
It’s a certificate that resides on the RADIUS (Microsoft NPS) server.
I haven’t tried to implement a 3rd party cert, but it seems possible… I don’t know if this will work, but I did come across this … - Airheads Community
1 Spice up