NPS certificate authentication, which CA is allowed ?

Question

Hello,

I have set up a NPS server which allows client computers with a certificate signed by our private CA to connect to our wifi.

My question is simple : how does NPS filter "good" and "bad" certificates ? For example, if I have a client certificate signed by a public CA, will NPS allow it to connect since the public root CA is in it's trusted store ?

And how may I configure it to only allow our CA for example ?

Answer 1

Hi,

If you have deployed your own CA Infrastructure you can deploy the certificates and policies via the Group Policy, also check out this article it defines the process and steps to carry out the configuration for this kind of scenario - nps-manage-cert-requirements. If the Certificate is not configured in the NPS server it will be rejected so external Certificates is not used.

How NPS integrates with the CA Infra - nps-manage-certificates

Process on deploying Radius/WIFI clients - nps-radius-clients-configure

Hope this helps.
JS

==
Please Accept the answer if the information helped you. This will help us and others in the community as well.

Answer 2

It's already working.

At no point I configured which CA certificates the NPS is supposed to accept.

Answer 3

Hello there,

In simple words, NPS uses an Active Directory Domain Services (AD DS) domain or the local Security Accounts Manager (SAM) user accounts database to authenticate user credentials for connection attempts.

NPS allows you to centrally configure and manage network access authentication, authorization, and accounting with the following features explained in this article https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-top

----------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer–

Answer 4

Don't bother, I found my answer elsewhere since nobody was trying to read what I wrote before answering...