I’m slowly learning about RADIUS as it pertains to Microsoft’s NPS server role. I’m wanting to implement 802.1x authentication for our wireless network as well as for port-based authentication.

However, I think I have a few misconceptions about how some of these authentication methods work/function, and some general questions.

I’m trying to authenticate BYOD devices on the WLAN using domain credentials.

I’ve got the NPS server up and the policies configured. RADIUS clients are added with proper shared secrets, etc. etc. However, when trying to connect a device to the test SSID, I enter my domain credentials, to which it responds that I am unable to join the network. PEAP is selected as the authentication method.

So, now my questions:

  1. For WPA2-Enterprise, does the authentication protocol I use need to support usernames/passwords? Everywhere I look it is recommended to use PEAP; however, to my knowledge PEAP is purely a certificate-based method. Would I need to use EAP-MSCHAPv2 or something else to accomplish this?

  2. If PEAP is the way to go, is a self-signed X.509 certificate acceptable? Given the supplicant device has no idea what server it should be connecting to, there is no identity for the certificate to validate, right?

Still a bit of a newbie with NPS so I apologize if the above isn’t properly worded/phrased.

Here is my setup. I have two policies: one for computer-based certificate authentication, and then this one, which is for unmanaged devices and authenticates with AD credentials. I'm not game enough to remove one of the below EAP types during production hours, so I can't answer your question, sorry. EAP is an "extensible" protocol, so I imagine it can use many authentication methods. PEAP is just the encrypted version, which then requires a certificate as shown below. I set this up a while ago but, from memory, I required these settings to get it to work with a variety of devices. I'm no expert on this, though.

"…no idea what server it should be connecting to". It's not like the URL is known to the client, correct. But you do want a certificate that has the company name so that when users are prompted to trust it, they don't get scared off by a warning. If you teach them to ignore it, you may find yourself in a real-life version of 'the boy who cried wolf'. I don't believe devices check for revocation (how can they without an Internet connection), but it stops a rogue AP from impersonating and stealing credentials.