10-21-2024 02:34 AM
Hi everyone.
Recently, I’ve been running some tests on my NPS server for RADIUS authentication with my Meraki access points.
My goal is to authenticate via RADIUS only computers with a certificate issued by my CA and users who belong to a specific domain group.
Right now, the certificate authentication is working but I can't find a way to add a check on the domain groups.
Do you have any tips?
Thank you
10-21-2024 03:36 AM
Your NPS policy will need to match "Domain Computers", and whatever group the users are in.
You'll need to configure group policy to do Computer and User authentication.
You'll need to configure group policy to issue certificates both to the computers and the users.
10-21-2024 05:55 PM
I could be wrong but I think when you authenticate using PEAP/EAP-TLS with machine certificates, you can't perform user/group based checks as that information isn't passed onto the RADIUS server.
You can probably do it with user certificates though.
10-21-2024 06:15 PM
Windows machines that join AD have a machine account. When you use machine based certificate authentication, they present that certificate in the same way that a user does.
NPS then extracts the username from that certificate (whether it be user or machine), and checks that it is allowed access.
10-22-2024 12:48 AM
So, the suggestion is to create a template for a certificate for the user as well and perform the verification on both certificates? Correct?
10-22-2024 01:40 AM
Correct. You should have both a computer and a user certificate template.
10-22-2024 02:38 AM
Ok, but I have a doubt.
Where do I specify that my NPS server must verify both certificates and not just one? Within the configuration, I don't see a way to select more than one certificate.
10-22-2024 02:41 AM
NPS doesn't have a capability to say that a computer certificate must be authenticated first and then a user certificate. You need a product like Cisco ISE to do that.
But group policy lets you configure the WiFi settings on your devices, and in group policy you can say that devices must authenticate as a computer first (prior to user login), and then as a user when they log in.