Don't bother, I found my answer elsewhere since nobody was trying to read what I wrote before answering...
NPS certificate authentication, which CA is allowed?
Hello,
I have set up an NPS server which allows client computers with a certificate signed by our private CA to connect to our wifi.
My question is simple: how does NPS filter "good" and "bad" certificates? For example, if I have a client certificate signed by a public CA, will NPS allow it to connect since the public root CA is in its trusted store?
And how may I configure it to only allow our CA, for example?
4 answers
Limitless Technology 43,961 Reputation points
2022-11-08T09:36:17.997+00:00
Hello there,
In simple words, NPS uses an Active Directory Domain Services (AD DS) domain or the local Security Accounts Manager (SAM) user accounts database to authenticate user credentials for connection attempts.
NPS allows you to centrally configure and manage network access authentication, authorization, and accounting with the following features, explained in this article: https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top
If the reply is helpful, please Upvote and Accept it as an answer.
-
CS 6 Reputation points
2022-11-03T11:02:35.113+00:00
It's already working.
At no point did I configure which CA certificates the NPS is supposed to accept.
-
JimmySalian-2011 41,921 Reputation points
2022-11-03T10:57:11.427+00:00
Hi,
If you have deployed your own CA infrastructure, you can deploy the certificates and policies via Group Policy. Also check out this article, which defines the process and steps to carry out the configuration for this kind of scenario: nps-manage-cert-requirements. If the certificate is not configured in the NPS server it will be rejected, so external certificates are not used.
How NPS integrates with the CA infrastructure: nps-manage-certificates
Process for deploying RADIUS/Wi-Fi clients: nps-radius-clients-configure
Hope this helps.
JS==
Please Accept the answer if the information helped you. This will help us and others in the community as well.