NPS certificate authentication, which CA is allowed ?

CS 6 Reputation points
2022-11-03T10:45:51.673+00:00

Hello,

I have set up a NPS server which allows client computers with a certificate signed by our private CA to connect to our wifi.

My question is simple : how does NPS filter "good" and "bad" certificates ? For example, if I have a client certificate signed by a public CA, will NPS allow it to connect since the public root CA is in it's trusted store ?

And how may I configure it to only allow our CA for example ?

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,454 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,766 questions
Windows Server Infrastructure
Windows Server Infrastructure
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Infrastructure: A Microsoft solution area focused on providing organizations with a cloud solution that supports their real-world needs and meets evolving regulatory requirements.
525 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. JimmySalian-2011 41,966 Reputation points
    2022-11-03T10:57:11.427+00:00

    Hi,

    If you have deployed your own CA Infrastructure you can deploy the certificates and policies via the Group Policy, also check out this article it defines the process and steps to carry out the configuration for this kind of scenario - nps-manage-cert-requirements. If the Certificate is not configured in the NPS server it will be rejected so external Certificates is not used.

    How NPS integrates with the CA Infra - nps-manage-certificates

    Process on deploying Radius/WIFI clients - nps-radius-clients-configure

    Hope this helps.
    JS

    ==
    Please Accept the answer if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. CS 6 Reputation points
    2022-11-03T11:02:35.113+00:00

    It's already working.

    At no point I configured which CA certificates the NPS is supposed to accept.

    0 comments No comments

  3. Limitless Technology 44,071 Reputation points
    2022-11-08T09:36:17.997+00:00

    Hello there,

    In simple words, NPS uses an Active Directory Domain Services (AD DS) domain or the local Security Accounts Manager (SAM) user accounts database to authenticate user credentials for connection attempts.

    NPS allows you to centrally configure and manage network access authentication, authorization, and accounting with the following features explained in this article https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top

    ----------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–

    0 comments No comments

  4. CS 6 Reputation points
    2022-11-09T14:53:40.877+00:00

    Don't bother, I found my answer elsewhere since nobody was trying to read what I wrote before answering...