05-02-2023 11:40 AM
Working on a 9800 configuration and have it setup w/ a radius server for 1 of the SSIDs. That radius server is a Windows server w/ NPS and it's currently configured to only allow domain joined computers. Created a GPO and assigned it to the correct OU and have validated that all is working.
As the SSID is set to broadcast, a non-domain computer or smartphone can attempt to join, which fails. If they keep trying to connect, they get a login prompt asking for username and password. If they use valid credentials they're unable to login, which is expected; the question has been asked if it's possible to simply not display this prompt at all. So if they keep trying nothing happens, they just fail to connect.
05-02-2023 10:58 PM
- Perhaps it could be possible to add a policy on the NPS server to deny non-domain devices,
M.
05-03-2023 07:25 AM
I suspect this is a client behaviour rather than NPS. You might be able to solve it with an exclusion policy on the WLAN.
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#Clientexclusion
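As an added illustration of the client-exclusion settings referred to above (not configuration posted in this thread), this is what enabling exclusion for 802.1X failures looks like on a 9800 running IOS-XE. The policy profile name `corp-policy` and the 180-second timeout are assumptions; the default timeout is 60 seconds.

```cisco
! Global WPS setting: put a client on the exclusion list after repeated 802.1X failures
wireless wps client-exclusion dot1x-failure
!
! Policy profile (name 'corp-policy' is assumed) mapped to the 802.1X WLAN
wireless profile policy corp-policy
 ! how long (seconds) an excluded client stays blocked; 180 is an assumed value
 exclusionlist timeout 180
 no shutdown
```

Once a client has been excluded, its further association attempts are dropped at the WLAN for the timeout period; `show wireless exclusionlist` lists currently excluded MAC addresses. Note that this limits the retries, it does not change what the Windows supplicant shows the user on the attempts that do reach NPS.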
05-04-2023 12:30 AM
As @Rich R says, this is Windows behaviour and cannot be modified, as Windows tries to use the login credential first and then asks for a new credential. Are you using PEAP only for authentication? If so, try using EAP-TLS, as NPS should be able to reject all connections without the proper certificate before asking for credentials.