
Struggling with NPS and 802.1x


Struggling with NPS and 802.1x

Post by blin » Fri Dec 02, 2011 10:17 pm

I'm trying to set up a Windows Server 2008 R2 NPS to support 802.1x for both wired and wireless networks. The intention is that for both categories of network, the NPS will provide VLAN information back so that the user or computer is placed in the correct network. I am trying to use user & computer certificates, issued from our own PKI, to achieve this.

Although I have the NPS set up for both wired & wireless authentication, I'll focus on the wireless for now as the configuration should be roughly the same as far as authentication goes, just with some additional conditions/constraints for checking where the request has come from.

I have the following Connection Request Policy defined:

• Secure Wireless Connections

The "Secure Wireless Connections" CRP requires that the NAS Port Type is "Wireless - Other" or "Wireless - IEEE 802.11", and that the Called Station ID ends with the name of the SSID used by staff. The settings override the network policy authentication settings and allow "Microsoft: Smart Card or other certificate", and "Microsoft: Protected EAP" for Secured Password.

I have the following Network Policies defined, in this order:

• Wireless - technical staff
• Wireless - non-technical staff
• Wireless - technical computers
• Wireless - non-technical computers

"Wireless - technical staff" has these conditions:

• User group must match "WIN\GRP-TechnicalStaff"
• NAS Port Type must match "Wireless - IEEE 802.11 or Wireless - Other"
• Called Station ID must end with the staff SSID

The settings specify the VLAN information and specify Strongest encryption.

"Wireless - non-technical staff" differs in that instead of the user group matching "WIN\GRP-TechnicalStaff", the Windows Group must match "WIN\Domain Users". The reason for the change from "user group" to "Windows group" is because I'm trying to troubleshoot an access issue which I've explained below. The settings specify different VLAN information.

"Wireless - technical computers" specifies that the machine group must match "WIN\GRP-TechnicalComputers" and specifies the same settings as "Wireless - technical staff".

"Wireless - non-technical computers" specifies that the machine group must match "WIN\Domain Computers" and specifies the same settings as "Wireless - non-technical staff".

The problems I'm having are:

• User authentication is always by secured password and not by certificate. I have learnt that certificates created with a Version 3 template are not supported by NPS and I've reissued some test certificates with a Version 2 template but they aren't working either.
• It doesn't look like the "Wireless - non-technical staff" network policy is working properly. If I try to connect with a user that is not in the GRP-TechnicalStaff group, processing falls through to computer authentication! This is why I've been fiddling with how the membership is tested.

Any suggestions or advice gratefully received!
How to Configure and Troubleshoot Cisco
http://www.howtocisco.com

Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com
blin
Site Admin
 
Posts: 2367
Joined: Wed Dec 31, 1969 7:00 pm
Location: Chicago, USA

Re: Struggling with NPS and 802.1x

Post by blin » Fri Dec 02, 2011 10:18 pm

> User authentication is always by secured password and not by certificate.

Have you configured the client to perform certificate-based authentication (PEAP-TLS or EAP-TLS)?



Configure Wireless Computers Running Windows Vista for 802.1X Authenticated Access

http://technet.microsoft.com/en-us/libr ... 3021(WS.10).aspx



> If I try to connect with a user that is not in the GRP-TechnicalStaff group, processing falls through to computer authentication!

Have you enabled the use of "machineOrUser" credentials for authentication on the client? Try verifying the value of the authMode (OneX) element in the profile XML file:



authMode (OneX) Element

http://msdn.microsoft.com/en-us/library/ms706279.aspx



How to enable computer-only authentication for an 802.1X-based network in Windows Vista, in Windows Server 2008, and in Windows XP Service Pack 3

http://support.microsoft.com/kb/929847



For more information please refer to the procedures in the link below:



802.1X Authenticated Wireless Access

http://technet.microsoft.com/en-us/libr ... 1455(WS.10).aspx
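The check blin suggests above, reading the OneX authMode element and the EAP method out of an exported wireless profile, as an added example that is not part of the original thread. The profile XML below is constructed for the example in the shape that "netsh wlan export profile" writes (trimmed to the elements that matter, with an assumed SSID); it is not the poster's real export. The two scenarios mirror the thread: a profile set to computer-only authentication with PEAP/EAP-MSCHAPv2 inside, which explains both symptoms (password authentication, and user requests falling through to computer policies), and the corrected machineOrUser profile with a certificate inner method.

```python
import xml.etree.ElementTree as ET

# EAP method type numbers (IANA EAP registry) that a Windows supplicant commonly uses.
EAP_TYPE_NAMES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def build_profile(ssid, auth_mode, outer_type, inner_type=None):
    """Return a constructed WLAN profile in the shape 'netsh wlan export profile' writes.

    The SSID and the trimmed element layout are assumptions for this example, not
    the poster's real export; real profiles carry more elements than shown here.
    """
    inner = ""
    if inner_type is not None:
        inner = ('<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">'
                 f"<Type>{inner_type}</Type></Eap>")
    mode = f"<authMode>{auth_mode}</authMode>" if auth_mode else ""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption>
      <useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      {mode}
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{outer_type}</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>{outer_type}</Type><EapType>{inner}</EapType>
        </Eap></Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on every tag.
    return tag.rsplit("}", 1)[-1]


def _first(elem, name):
    return next((e for e in elem.iter() if _local(e.tag) == name), None)


def analyse_profile(xml_text):
    """Extract the 802.1X settings that decide which NPS policies a client can match."""
    root = ET.fromstring(xml_text)
    onex = _first(root, "OneX")
    if onex is None:
        return {"dot1x": False}
    mode_el = _first(onex, "authMode")
    # authMode is optional in the schema; machineOrUser is the documented default.
    auth_mode = (mode_el.text or "").strip() if mode_el is not None else "machineOrUser"
    chain = []
    config = _first(onex, "Config")
    if config is not None:
        # Eap elements appear in document order: outer method first, then the inner method.
        for eap in (e for e in config.iter() if _local(e.tag) == "Eap"):
            type_el = next((c for c in eap if _local(c.tag) == "Type"), None)
            if type_el is not None and type_el.text:
                chain.append(int(type_el.text.strip()))
    return {
        "dot1x": True,
        "auth_mode": auth_mode,
        "methods": [EAP_TYPE_NAMES.get(t, f"EAP type {t}") for t in chain],
        "certificate_auth": bool(chain) and chain[-1] == 13,
        "user_auth_possible": auth_mode in ("user", "machineOrUser"),
    }


def diagnose(xml_text):
    """Return the findings that explain the two symptoms from the thread (empty list = OK)."""
    r = analyse_profile(xml_text)
    if not r["dot1x"]:
        return ["no OneX element: the profile does not use 802.1X at all"]
    findings = []
    if not r["user_auth_possible"]:
        findings.append(f"authMode={r['auth_mode']}: only the computer account is sent, so "
                        "user-group network policies can never match")
    if not r["certificate_auth"]:
        findings.append("method chain %s ends in a password method, not EAP-TLS"
                        % " / ".join(r["methods"]))
    return findings


# The poster's state: computer-only authentication with PEAP/EAP-MSCHAPv2 inside.
BROKEN_PROFILE = build_profile("StaffWiFi", "machine", 25, 26)
# The fix from the thread: user and computer credentials with a certificate inner method (PEAP-TLS).
FIXED_PROFILE = build_profile("StaffWiFi", "machineOrUser", 25, 13)

if __name__ == "__main__":
    for label, profile in (("broken", BROKEN_PROFILE), ("fixed", FIXED_PROFILE)):
        print(label, analyse_profile(profile))
        for finding in diagnose(profile):
            print("  -", finding)
```

On a real client, export the profile first with `netsh wlan export profile name="<SSID>" folder=C:\temp` and pass the file contents to `diagnose()`. The parser matches elements by local name so it does not depend on the exact namespace URIs, and a profile whose OneX block ends in EAP-MSCHAPv2 is reported as password-based even when the outer method is PEAP, which is the combination that shows up in NPS as "secured password" rather than certificate authentication.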

Re: Struggling with NPS and 802.1x

Post by blin » Fri Dec 02, 2011 10:18 pm

The information was helpful, thank you, and I have marked it as the answer. I had not been using GPOs at this stage because I wanted to get the individual settings right to begin with before GPOs locked them down. It turns out that although I had deployed the correct revised certificates, my laptop was set to Computer Authentication only, hence the issues I was seeing. Changing it to user & computer fixed the problem.
