Hi everyone, not sure if this is the right place to post this, but I've searched for similar questions on this sub and seen a couple of similar ones asked in the past, so hopefully this fits in the scope of this sub.
So I've been trying to implement Wifi using certificates at work.
Current setup: I've set up a SubCA with certificate templates that are autoenrolled for both Users and Computers (this works, and I get certificates in both the User/Personal store and the Local Computer/Personal store). I've set up NPS on one of the DCs with the required policies. I've configured a GPO that configures the wifi profile on the test workstation (Windows 10 Pro 1809).
In summary, this is the current setup:
- Windows Server 2016 DC (AD and NPS)
- Windows Server 2016 SubCA
- Unifi APs
- Windows 10 Pro 1809
What currently works:
- With Authentication mode set to "User authentication": I can correctly connect using the User certificate once I'm logged in to the test workstation.
- With Authentication mode set to "Computer authentication": I can correctly connect using the Computer certificate at the logon screen. If I then log in to the test workstation, I do not lose connection.
What this tells me is that both ways of authentication are correctly set up (correct me if I'm wrong in assuming so).
The goal: Have the PC boot up, connect to the Wifi using the Computer certificate to apply GPOs and be able to query AD for user logon. Upon user logon, re-authenticate using the User certificate.
The problem: If I set the authentication mode to "User or Computer authentication", I cannot connect using the Computer Certificate at the logon screen and get an error message that reads "Can't connect because you need a certificate to sign in. Contact your IT support person.".
If I then log on using (cached) user credentials, it will allow me to connect using the User certificate as expected.
Looking at the logs in Event Viewer (WLAN-AutoConfig), I can see the reason why it fails, but cannot understand why it fails: "EAP Root cause String: Network authentication failed. The user certificate required for the network can't be found on this computer."
Seeing as how I can successfully connect to the wifi network using my Computer certificate if I set the authentication mode to "Computer Authentication" instead of "User or Computer Authentication", why would it not find the required certificate? I feel as if it's trying to fetch a User Certificate even if there are no logged-on users. Is this possible?
What would be the difference between the single "User Authentication" and "Computer Authentication" modes as opposed to using "User or Computer Authentication" that could make it behave this way?
Any help would be greatly appreciated!
Edit: formatting
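A diagnostic to run when WLAN-AutoConfig reports that a required certificate can't be found, added here as an example and not part of the original post: it lists what each Personal store actually offers the EAP-TLS supplicant (Client Authentication EKU, private key, validity, trust chain) and dumps the authMode carried by the deployed wireless profiles. It assumes only the default Windows certificate store paths and the standard Client Authentication EKU OID; nothing in it refers to the poster's CA, templates or GPO.

```powershell
# Added diagnostic (not from the original post). Run elevated so the
# machine store is readable. Store paths and the EKU OID are Windows
# defaults; nothing else is specific to any environment.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-EapTlsCandidate {
    param([Parameter(Mandatory)][string]$StorePath)

    if (-not (Test-Path $StorePath)) {
        Write-Warning "Store $StorePath is not reachable in this context"
        return
    }
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $hasEku  = $cert.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)      # builds against this context's trusted roots
        $now     = Get-Date
        [pscustomobject]@{
            Store         = $StorePath
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            ClientAuthEKU = $hasEku
            HasPrivateKey = $cert.HasPrivateKey
            ValidNow      = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            ChainBuilds   = $chainOk
            ChainStatus   = ($chain.ChainStatus.Status -join ',')
            Usable        = ($hasEku -and $cert.HasPrivateKey -and $chainOk)
        }
    }
}

# Machine store: the only store the supplicant can use before anyone logs on.
Get-EapTlsCandidate -StorePath 'Cert:\LocalMachine\My' | Format-Table -AutoSize

# User store: exists only inside an interactive user's session, so run this
# part after logging on as the test user.
Get-EapTlsCandidate -StorePath 'Cert:\CurrentUser\My' | Format-Table -AutoSize

# Which authentication mode did the profile actually land with?
# Expect one of: machine, user, machineOrUser (OneX <authMode> element).
netsh wlan export profile folder="$env:TEMP" | Out-Null
Select-String -Path "$env:TEMP\Wi-Fi-*.xml" -Pattern '<authMode>' |
    Select-Object Filename, Line
```

A row with Usable = False in the machine store, or a missing machine row altogether, points at the certificate side; a profile showing machineOrUser while the machine store looks healthy narrows the question to the supplicant's mode selection.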