1

Greetings - I’m following this procedure to enable RADIUS authentication for wireless clients:

http://community.spiceworks.com/topic/198931-non-domain-devices-on-my-domain-wifi-network

The OP follows up saying he can authenticate ANY device as long as the user has a domain username/password (here: http://community.spiceworks.com/topic/198931-non-domain-devices-on-my-domain-wifi-network ).

I am looking to allow ANY device to connect as long as the user/password is a valid domain user (in certain AD groups - I’m using “Domain Users” for testing). I have a lot of non-domain devices with valid users in this situation.

At this point, I can’t get any device to connect and authenticate - even domain-joined devices.

Questions:Can I allow devices to connect if a valid user/password is entered (being a member of groups I specify in the NPS Policy, of course)?

Is a certificate required for any device whether domain-joined or not?

(Also, it seems in Windows 8.1, we can no longer get to the wireless connection properties to manage some of the settings - such as the checkbox to “use Windows user”)

Thanks in advance!

3 Spice ups
2

I actually figured it out, by changing the cipher to TKIP (despite the warning on the link mentioned in OP). The goal is to allow users to authenticate to the wireless network with their domain user and password - whether the device is domain-joined or not (those are the requirements I have to work with on this project - not best practice, I understand, but best practice and decision-makers are often not on the same page).

First, in the Role for Network Policy and Access Services, make sure the RRAS and NPS role services are added.

I added a RADIUS Client for the Ubiquiti AP’s (not the UniFi management station).

In the NPS, I changed the Network Policy to:

Overview:Enabled, Grant Access, Type: unspecified

Conditions:User Groups (specific AD groups)

Constraints (here are the key settings)Authentication: EAP (PEAP), MS-CHAPv2, MS-CHAP, CHAP, PAPNAS Port: Wireless

Settings:No changes (in this network, the wifi clients get DHCP, VLAN on same subnet as wired clients)

3

Follow-up on this - using TKIP limits the wireless connection to 802.11g speeds only!

Another option is to use a 3-rd party signed certificate on the NPS server (import into the local cert store under Personal) and set the Constraints tab with:

PEAP -

  • choose the 3rd party cert
  • EAP Types: EAP-MSCHAPv2

Note that on your AP’s, you set the security to WPA2-Enterprise, and the cipher to AES/CCMP (or similar, depending on the platform).

I’ve successfully tested these settings with both Cisco and Ubiquiti AP’s.

Good luck!

1 Spice up