PEAP and EAP-TLS on Server 2008 and Cisco WLC

Awesome article, Rene
I have AD, DNS and DHCP configured on a single machine and will try to implement the same in a test lab.

How can I prevent mobile devices from connecting to the wireless network if NPS and EAP-TLS are configured? We occasionally require mobile access over the wireless network; how can it be done?

Hi Shrry,

A single machine is perfect for testing. What kind of mobile devices do you want to block? They are in your active directory but you still want to block them?

Rene

Mobile devices like Android, iOS, Nokia and others. They are not in my AD now.

I just wanted all domain computers to be able to join the wireless network; otherwise they won't be able to. Secondly, the AD user (wifi1) will be created only if the computer is in a workgroup; otherwise a domain user will be able to connect to wireless without any issue? Am I interpreting this right?

I will only implement EAP-TLS. Do I have to manually configure PEAP on the client machine if EAP-TLS is used?

How do I add an additional check in NPS that verifies whether the laptop has joined the domain or not? If not, the user won't be allowed to connect.

You can add an additional check in NPS so it checks whether the device is in the domain or not; there's an example on the Aerohive website for this:

https://community.aerohive.com/aerohive/topics/restrict_non_domain_devices_byod_from_authenticating_corporate_ssid

This allows you to prevent non-domain computers/devices from connecting.

I just wanted to know whether all domain computers will be able to join the wireless network or not. Secondly, the AD user (wifi1) will be created only if the computer is in a workgroup; otherwise a domain user will be able to connect to wireless without any issue? Am I interpreting this right?


Dear Rene,

While connecting my laptop with EAP-TLS, it shows that I don't have the required certificate, whereas it is currently displayed on the laptop at MMC > Certificates (Local) > Trusted > Certificates,

but I am still unable to connect to the wireless network. What might be the problem?

A certificate is required to connect to (network name)
contact your network administrator

Hi shrry8,

The trusted certificate is your CA but what about your client certificate? Did you install it on your laptop? When you try to connect with EAP-TLS, it'll prompt you what client certificate it should select for client authentication.

Rene

Yes, it's showing and I am selecting the CA certificate on the client.

I even tried PEAP; after logging in it's giving the same error and I don't know what is wrong with my test setup.
My email is shrry8@gmail.com; if you can drop your email I can send you the screenshots of my configuration.

Hi Rene,

I would like to play around with setting up this whole lab. My question is: what kind of Wireless LAN Controller can I buy without breaking the bank? Can I use my Netgear wireless AP to be controlled by the Cisco WLC, or do I have to buy a Cisco AP?
Please advise.

Hi Alfredo,

If you just want to practice this setup then you really don't need a fancy wireless controller and access points. Most wireless routers (even a cheap Netgear) will support WPA(2)-Enterprise, which is what we are doing here. Most of the work is configuring the Windows servers and the wireless clients.

I would only buy a Wireless controller and access point(s) if you want to learn more about Cisco wireless and/or how to implement wireless with multiple access points. If you want to learn more about wireless in general (802.11) then you can learn a lot even without buying hardware.

If you want to learn about Cisco Wireless then I would suggest the WLC 2504. Those aren't too expensive and you can get the latest updates for them. If you buy an older one like the WLC 2106 then you might run into issues because you can't get the latest updates for those anymore. I'd have to look into a good access point if you are interested…

Rene

Hi Rene

The tutorials helped me a lot with the Windows environment, thanks, but now I have the following issues that I hope you can help me with.

The topology is:

Two servers (2012R2) with NPS (they are in a two-tier CA hierarchy: rootCA -> subCA -> userCA)
Scalance access points W788 (pointing to the two NPS servers)
Linux embedded box (supplicants)

The problem is that when the Linux box connects to the NPS server, I get Event ID 6273 Reason Code 48 on the NPS server. I tried to modify the network policies but no luck. The Linux box is configured like this in wpa_supplicant.conf (I still haven't put the certificate on the Linux box because I want to try this way first):
network={
    ssid="SSID"
    # wpa_supplicant spells this keyword WPA-EAP (with a hyphen); WPA_EAP is rejected
    key_mgmt=WPA-EAP
    eap=PEAP
    # inner (phase 2) method: MSCHAPv2 with the AD username/password below
    phase2="auth=MSCHAPV2"
    identity="user"
    password="pass"
    # no ca_cert configured, so the NPS server certificate is not validated
}

Another question: do I have to import a certificate like you did on the Android device? In this case, will it be a user certificate and the subCA certificate?

Thanks
Regards

Hi Eugenio,

You are welcome. Event ID 6273 Code 48 normally means that there was no match with any of your NPS policies. I would start by checking those, see if you forgot anything… make sure the incoming request matches your policy.

Your wpa_supplicant.conf file looks fine; if you use PEAP then you won't need any client certificates. The client will validate the server certificate but you can choose to ignore this.

Rene
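One way to turn the Event ID 6273 troubleshooting above into a repeatable check (an added example, not code from this thread or from Rene): parse the event body as Event Viewer shows it, list the request fields that have to match a network policy's conditions, and map the Reason Code to the next thing to look at. The sample event is constructed for this example and the reason-code hints are paraphrased, not Microsoft's exact text.

```python
"""Triage Windows NPS 'denied access' events (Event ID 6273): parse the event
body, list the fields that matter when comparing a request against policy
conditions, and map the Reason Code to a next step. SAMPLE_6273 is constructed."""
import re

# Paraphrased hints for NPS reason codes commonly seen in 802.1X labs.
REASON_HINTS = {
    16: "credential mismatch: wrong password or wrong inner (phase 2) method",
    22: "EAP type not handled by NPS: check the EAP types on the policy",
    48: "no network policy matched: compare request attributes with conditions",
    65: "AD dial-in property denies access: set 'Control access through NPS'",
    66: "auth method not enabled on the matched policy: enable PEAP/EAP-TLS",
}
# Fields worth listing when a request fails to match a network policy.
FIELDS = ("Account Name", "NAS IPv4 Address", "Connection Request Policy Name",
          "Network Policy Name", "Authentication Type", "EAP Type",
          "Reason Code")
# One 'Key: value' line; [ \t] rather than \s so a bare "User:" section header
# does not swallow the indented line that follows it.
_KV = re.compile(r"^[ \t]*([A-Za-z0-9 ]+?):[ \t]*(.*?)[ \t]*$", re.M)

def parse_event(text):
    """Return the non-empty 'Key: value' pairs of one event body as a dict."""
    return {k.strip(): v for k, v in _KV.findall(text) if v}

def triage(text):
    """Return (reason_code, hint, selected_fields) for one 6273 event."""
    fields = parse_event(text)
    code = int(fields.get("Reason Code", "0"))
    hint = REASON_HINTS.get(code, "unlisted reason code: read the Reason text")
    return code, hint, {k: fields.get(k, "-") for k in FIELDS}

SAMPLE_6273 = """\
Network Policy Server denied access to a user.
User:
    Account Name: user
NAS:
    NAS IPv4 Address: 192.0.2.10
Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name: -
    Authentication Type: PEAP
    EAP Type: -
    Reason Code: 48
    Reason: The connection request did not match any configured network policy.
"""

if __name__ == "__main__":
    code, hint, fields = triage(SAMPLE_6273)
    print(f"Reason {code}: {hint}")
    for key, value in fields.items():
        print(f"  {key}: {value}")
```

A "Network Policy Name" of "-" together with code 48 is the tell-tale sign that no network policy's conditions (NAS port type, Windows group, authentication type, and so on) matched the request, which is the situation described in the post above.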


Hi Rene
Under 802.1X settings, why do we need to select the authentication mode?
What does it mean by user authentication or 'user or computer authentication'?
Thanks for the nice tutorial

User authentication is for users, someone that can type in a username or password. Computer (machine) authentication can be used for things like printers or access points. Also in Windows it's possible to authenticate based on the computer name.

Hi,
The only difference between PEAP and EAP-TLS is that the first one uses a user identity for authentication and the other one uses a certificate for authentication?
Thanks

Hi Sims,

That is the main difference yes. PEAP uses username/password for user authentication and EAP-TLS uses client certificates for user authentication.

Rene

Thanks for the post Rene. I'm using a Cisco AIR-AP1231G-A-K9 as my AP. Are you able to show the steps required to set up the AP from the CLI please? I don't use any of the GUI tools to do my configurations on my Cisco gear. I find them a PITA to set up as they require certain versions of Java and IE to run and the grief is not worth it. It is also more challenging to use the CLI and I believe I get a better understanding using it.