Certificate Question.

Andrew Cormier
Level 1

Hi,

We have a 5500 controller with one of the WLANS using 802.1X authentication.

We are going to revoke the certificate (retiring the CA) and want to use a different cert.

Do I specify the cert in the Controller Admin page or only in the Network Policy properties on the NPS server (2008r2)

Or am I just talking gibberish?

Thanks

Drew

1 Accepted Solution

Accepted Solutions

Scott Fella
Hall of Fame

The certificate needs to be on the RADIUS server since you're doing 802.1x.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***


10 Replies

Amjad Abdullah
VIP Alumni

Hi Andrew,

I agree with Scott. The certificate must be on the RADIUS server (NPS in your case).

During the authentication phase, the client communicates with the server and validates the certificate of the server. The controller only forwards the traffic back and forth between the client and the server. The clients need to verify the RADIUS certificate, and the issuer's root CA certificate of the server must be installed in the trusted list on the client's machine in order for it to be considered acceptable.

So, just like Scott said, the certificate must be on the server.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Client validation is optional for some clients. Not mandatory. I only note this because you can get yourself in trouble with this one ;)

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Love this forum. Thanks guys.

I will try it at lunch time and update/rate your responses

I would assume that since your NPS is part of the domain, when you bring up the new CA, it would push certificates to all existing servers.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Yeah Scott.

Not a best practice but we promoted a second enterprise CA in tandem with the first.

We only use certs for two things, OCS and wireless, so it isn't a big deal to revoke.

The second GC came up about a month ago. Anyone who hasn't gotten it as a trusted root will have issues, but that should be pretty small. We already did OCS and weeded out most of the problems then.

Do you think changing the cert on the RADIUS server will cause users to reauthenticate? If there is a problem and it doesn't work, would I see it right away with existing active connections or only when a user tries to connect? Know what I mean?

If you are validating the server certificate, then yes, that will be an issue. You would have to trust that new server certificate, push that out in GPO and then adjust the GPO wireless profile to trust the new server certificate. If you are validating the server certificate, it might be easier to push out a new wireless profile that doesn't validate the server certificate. This way devices will not be affected. Then put the new certificate on the NPS and allow devices to connect and monitor any issues. Then you can update the wireless GPO policy to trust the new server cert. This way, since most people never plug in, they will still be connected to the wireless and able to get a GPO push. Makes sense?

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Validating the certificate is a double-edged sword. It takes planning.

From personal experience I will leave you with this one statement: If you validate the certificate, you need to make sure you have a means to manage that change through a PUSH mechanism. There will come a day that you might need to change the name of the trusted site. If you don't have a means to push, then you will need to touch each and every device. 

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
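Added example, not from anyone in this thread: Amjad's point (the client checks the RADIUS server's certificate, so the issuing root must be in the client's trusted store) and the point above (if you validate, you need a push mechanism) both come down to two checks an admin can run before swapping the NPS certificate. The first function runs on the NPS server and reports whether a candidate certificate has a private key, the Server Authentication EKU, and a chain that builds to a root; the second runs on a domain-joined client and checks whether that root is in the machine Trusted Root store (which is what the GPO push has to deliver). The thumbprints are placeholders you supply from your own CA; the function names are mine.

```powershell
# Added example (not from the thread). Run Test-NpsServerCert on the NPS
# server with the thumbprint of the cert you intend to select in the
# PEAP/EAP-TLS settings, then Test-ClientTrustsRoot on a client with the
# RootThumbprint it reports.

function Test-NpsServerCert {
    param(
        # Placeholder: thumbprint of the new server cert in LocalMachine\My
        [Parameter(Mandatory)][string]$Thumbprint
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

    # Build the chain the way a validating client would, including revocation.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)

    # The last element of the chain is the root; its thumbprint is what every
    # client that validates the server certificate must already trust.
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }

    [pscustomobject]@{
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        HasPrivateKey  = $cert.HasPrivateKey
        ServerAuthEku  = ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
        ChainBuilds    = $chainOk
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        RootSubject    = if ($root) { $root.Subject } else { '' }
        RootThumbprint = if ($root) { $root.Thumbprint } else { '' }
    }
}

function Test-ClientTrustsRoot {
    param(
        # Placeholder: RootThumbprint reported by Test-NpsServerCert
        [Parameter(Mandatory)][string]$RootThumbprint
    )
    $trusted = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $RootThumbprint }
    if ($trusted) {
        "Root '$($trusted.Subject)' is in the machine Trusted Root store; clients that validate the server cert will accept it."
    } else {
        "Root $RootThumbprint is NOT in the machine Trusted Root store; a wireless profile that validates the server cert will fail here until the root is pushed."
    }
}

# Usage (placeholders):
# Test-NpsServerCert -Thumbprint 'NEW-SERVER-CERT-THUMBPRINT'
# Test-ClientTrustsRoot -RootThumbprint 'NEW-ROOT-CA-THUMBPRINT'
```

If `ChainBuilds` is false on the NPS server itself, the root of the new CA is not trusted even there, and no client will do better. If the client check fails on a machine that is wirelessly connected, that is the case the thread warns about: the client's profile has to be moved off validation (or the root delivered over the existing connection) before the NPS certificate changes.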

Went into NPS... changed the cert for the new one. My existing connection stayed up.

Disconnected and joined another WLAN.. reconnect to the 802.1x net no issues.

Rebooted and automatically connected the 802.1x net

Joy

Thanks to all !!

Glad you got it working!

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***