ultrak2
(UltraK2)
February 12, 2015, 8:27pm
1
Greetings!
I am in the process of setting up my DC as a RADIUS server for wireless authentication. I was wondering if it was possible for devices that are not able to join a domain (Windows 7 Home Edition) to join using a valid AD account and password. We have some stragglers whose computers aren’t upgraded but use an AD account for things like file shares.
And documentation links would be greatly appreciated.
Server: Windows Server 2008 R2 Standard
Meraki APs
1 Spice up
Totally. Auth queries the NPS/AD, no need for the computer to actually be part of the domain.
Here’s some good info. The wireless side is on a cisco controller, but the NPS side is what you’re looking for anyway.
For Meraki, each AP you have needs to be a RADIUS client in NPS. I’ve run into a problem where if the RADIUS shared key is too complex, Meraki APs don’t seem to like it. It may have been fixed, but just something to look out for.
2 Spice ups
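The registration step Steve describes (every AP as its own RADIUS client in NPS), as an added example that is not part of the thread. It targets Windows Server 2008 R2, which has no NPS PowerShell cmdlets, so it drives `netsh nps` (the `name`, `address`, `state` and `sharedsecret` arguments). The AP names and addresses are constructed placeholders, and limiting the shared secret to letters and digits is an assumed workaround for the "too complex secret" issue, not a documented Meraki requirement.

```powershell
# Added example (not from the thread): register Meraki APs as NPS RADIUS clients
# on Windows Server 2008 R2 via netsh. Run from an elevated shell on the NPS box.
# AP names/addresses are constructed placeholders.
$aps = @(
    @{ Name = 'AP-Office-1'; Address = '10.10.5.11' },
    @{ Name = 'AP-Office-2'; Address = '10.10.5.12' }
)

# Generate one shared secret for all APs. Sticking to [A-Za-z0-9] is an assumed
# workaround for APs that choke on symbols in the secret; 32 random characters
# from a 62-character alphabet (~190 bits) supply the strength instead.
function New-AlphanumericSecret {
    param([int]$Length = 32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb  = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # 248 = 4 * 62; rejecting bytes above it removes modulo bias.
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    $sb.ToString()
}

$secret = New-AlphanumericSecret
foreach ($ap in $aps) {
    netsh nps add client name="$($ap.Name)" address="$($ap.Address)" state="enable" sharedsecret="$secret"
}

# Confirm NPS now lists each AP (the secret itself is not displayed).
netsh nps show client

# Shown once so it can be pasted into the Meraki dashboard RADIUS server entry
# for the SSID; it must match exactly, with no trailing whitespace.
Write-Host "Shared secret for the Meraki dashboard: $secret"
```

NPS identifies the client by source IP, so the `address` must be the one the AP actually sends RADIUS from (its management IP), not a NAT address, or every Access-Request is silently dropped before any policy is evaluated.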
ultrak2
(UltraK2)
February 12, 2015, 11:50pm
4
Thanks a lot Steve! I was able to get the Meraki APs added as clients and domain PCs to join the network, but when I try to join from a non-domain PC I get a UAC-style prompt. After entering a user and password I’m prompted with an EAP-TTLS prompt that asks for Domain\user name and password (token). When I enter a valid account and password I get a “Windows is unable to Connect” error. It’s strange because when I connect via an iPhone I simply put in a username/password and accept a certificate.
steveb1352
(Steve612)
February 13, 2015, 12:11am
5
Are you actually using TLS as an EAP method, or PEAP? What do the NPS logs say?
https://communities.intel.com/servlet/JiveServlet/previewBody/4321-102-1-7037/SImple%20NPS%20Configuration%20as%20Radius%20Part%201.pdf
Check that link too to verify config with another NPS guide. That has NPS for wired, but just replace that with wireless.
Can you screenshot your network policy tabs and post them quickly?
ultrak2
(UltraK2)
February 13, 2015, 4:13pm
6
The logs show Event ID 6273 Denied access to a user. The user I am attempting to add is part of the allowed security group as well.
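Event ID 6273 carries more than the "Denied access to a user" summary: its event data includes the RADIUS client, the network policy that matched (if any), the EAP type offered, and a numeric Reason Code that says why NPS refused. The following is an added example, not code from the thread, that pulls those fields out of the Security log on the NPS server. It assumes an elevated shell and that NPS auditing is enabled (the default when the Network Policy Server audit subcategory is on); the user name passed in the worked call is an assumption for illustration.

```powershell
# Added example (not from the thread): list recent NPS denials (Event 6273) with
# the fields that explain the refusal. Written for PowerShell 2.0 on 2008 R2.
function Get-NpsDenial {
    param(
        [string]$User,       # optional substring filter, e.g. 'CORP\jdoe' or 'jdoe'
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Parse the event XML instead of scraping the message text.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($User -and ($d['FullyQualifiedSubjectUserName'] -notlike "*$User*")) { return }
        New-Object PSObject -Property @{
            Time           = $_.TimeCreated
            User           = $d['FullyQualifiedSubjectUserName']
            ClientName     = $d['ClientName']          # RADIUS client (AP) as named in NPS
            CallingStation = $d['CallingStationID']    # supplicant MAC address
            Policy         = $d['NetworkPolicyName']   # matched network policy, if any
            AuthType       = $d['AuthenticationType']
            EapType        = $d['EAPType']
            ReasonCode     = $d['ReasonCode']
            Reason         = $d['Reason']
        }
    }
}

# Worked check for the situation in the post: what does NPS say about the
# non-domain Windows 7 Home machine's attempts? ('ultrak2' is an assumed user name.)
Get-NpsDenial -User 'ultrak2' -Hours 48 | Format-List Time, User, ClientName, Policy, AuthType, EapType, ReasonCode, Reason
```

Reading the result: Reason Code 16 is a credentials mismatch, 48 means no network policy matched the request, 65 is the account's Network Access Permission (dial-in tab) denying it, and 66 means the client used an authentication method the matched policy does not allow. Being in the allowed security group only gets a request past the policy's condition; a 66 with a policy name filled in, for instance, points at the EAP method negotiated by the client rather than at the account.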
ultrak2
(UltraK2)
February 13, 2015, 6:13pm
7
So on the Windows Home machine, if I edit the wireless connection properties, untick “Validate server certificate”, remove the automatic login with local credentials, and then specify the AD account with permission to join, I can join!
This seems like more of a band-aid than a fix… Maybe this will help us push everyone to domain PCs.
Thank you very much for the help!
1 Spice up
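The two settings changed in the post above live in the exported WLAN profile XML: `PerformServerValidation` (the "Validate server certificate" checkbox) and `UseWinLogonCredentials` (the "automatically use my Windows logon" option). Turning validation off means the supplicant will run MSCHAPv2 against any AP that broadcasts the SSID, so it is worth finding on every machine that took the workaround. The following audit script is an added example, not code from the thread. It assumes the standard PEAP profile schema (the MsPeapConnectionPropertiesV1/V2 and MsChapV2ConnectionPropertiesV1 namespaces); the sample profile embedded below is constructed and trimmed to the relevant elements.

```powershell
# Added example (not from the thread): audit WLAN profile XML for disabled server
# certificate validation and related weak settings. PowerShell 2.0 compatible.
function Test-WlanProfileXml {
    param([Parameter(Mandatory = $true)][string]$Xml)
    $doc = [xml]$Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w',  'http://www.microsoft.com/networking/WLAN/profile/v1')
    $ns.AddNamespace('p1', 'http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1')
    $ns.AddNamespace('p2', 'http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2')
    $ns.AddNamespace('m',  'http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1')

    $name     = $doc.SelectSingleNode('//w:WLANProfile/w:name', $ns)
    $validate = $doc.SelectSingleNode('//p2:PerformServerValidation', $ns)
    $rootCa   = $doc.SelectSingleNode('//p1:ServerValidation/p1:TrustedRootCA', $ns)
    $names    = $doc.SelectSingleNode('//p1:ServerValidation/p1:ServerNames', $ns)
    $winLogon = $doc.SelectSingleNode('//m:UseWinLogonCredentials', $ns)

    $findings = @()
    $validationOn = ($validate -ne $null -and $validate.InnerText -eq 'true')
    if (-not $validationOn) {
        $findings += 'server certificate validation disabled: a rogue AP with this SSID can harvest MSCHAPv2 credentials'
    } else {
        if ($rootCa -eq $null -or $rootCa.InnerText.Trim() -eq '') {
            $findings += 'no trusted root CA pinned: any cert chaining to a root in the machine store is accepted'
        }
        if ($names -eq $null -or $names.InnerText.Trim() -eq '') {
            $findings += 'no expected server name set: any host under the trusted root is accepted'
        }
    }
    if ($winLogon -ne $null -and $winLogon.InnerText -eq 'true') {
        $findings += 'sends Windows logon credentials automatically: on a non-domain PC that is the local account'
    }
    New-Object PSObject -Property @{
        Profile  = $(if ($name) { $name.InnerText } else { '(unknown)' })
        Findings = $findings
    }
}

# Constructed sample: a PEAP profile after the workaround in the post
# (validation off, automatic logon credentials off).
$exampleProfile = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <Config>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>25</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
              <ServerValidation>
                <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                <ServerNames></ServerNames>
              </ServerValidation>
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>26</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                  <UseWinLogonCredentials>false</UseWinLogonCredentials>
                </EapType>
              </Eap>
              <PeapExtensions>
                <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
              </PeapExtensions>
            </EapType>
          </Eap>
        </Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
'@

Test-WlanProfileXml -Xml $exampleProfile | Format-List Profile, Findings

# On a real machine: export every profile and audit each file.
# netsh wlan export profile folder="$env:TEMP\wlan"
# Get-ChildItem "$env:TEMP\wlan\*.xml" | ForEach-Object {
#     Test-WlanProfileXml -Xml ([IO.File]::ReadAllText($_.FullName))
# }
```

On the sample, the output flags the disabled validation and nothing else. The durable fix the post is hinting at is the other direction: keep validation on, pin the CA that issued the NPS server certificate under `TrustedRootCA`, put the NPS host name in `ServerNames`, and install that CA's root certificate on the non-domain machines so the profile can be distributed with validation intact.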