[Solved] NPS VLAN assignment only when BOTH certificate & computer group membership

Sebastian Cerazy 306 Reputation points
2020-10-04T06:44:12.57+00:00

I am doing something that is definitely not supported.
Allowing AAD ONLY joined devices (Intune managed) to connect to internal WiFi using local CA issued certificates

It is described here: https://social.technet.microsoft.com/Forums/lync/en-US/7c6dcb5c-7e24-4a10-89d0-3f8fcec55877/ndes-scep-certificate-to-connect-to-enterprise-wifi-nps-radius?forum=microsoftintuneprod

So machines that know nothing about local AD, do get 802.1x authenticated to WiFi by Windows Server NPS.

That works (almost) as much as I need it to.

But I want to assign machines/users to different VLANs, based on group membership

So the question I had: https://social.technet.microsoft.com/Forums/lync/en-US/b8383316-d3fa-4f87-833a-889d5387b775/nps-vlan-only-when-both-certificate-amp-computer-group-membership?forum=winserverNAP

Can I combine 2 conditions: certificate existence AND machine group membership?

Thanks

Seb


Accepted answer
  1. Sebastian Cerazy 306 Reputation points
    2020-11-05T21:21:30.443+00:00

    Works perfectly fine!

    "Computer ONLY authentication (no user involved)" & "machine has CA certificate" DOES work in Server 2012 R2 NPS

    And machines are not even AD joined (they are only AAD joined & managed by Intune with dummy AD Computer objects)


3 additional answers

  1. Gloria Gu 3,896 Reputation points
    2020-10-05T06:26:11.94+00:00

    Hi,

    Thank you for posting in Q&A!

    In regards to your issue, this is a similar case that also wants "NPS assigned machines/users to different VLANs, based on group membership".
    nps-assign-vlans-based-on-users-groups-8021x-wired
    He has opened a case with Microsoft support and found out the following conclusion:

    "with NPS it is not possible to do an automatic re-authentication based on the user if the computer is already authenticated. For the re-authentication the NIC needs to be brought down and up again and that is only possible if you make a task scheduled item for this or to script this at user logon."

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Sebastian Cerazy 306 Reputation points
    2020-10-09T06:59:37.593+00:00

    Above is not really what I want

    I need NPS to drop the machine to correct VLAN only if BOTH are fulfilled for Computer ONLY authentication (no user involved)

    • machine has CA certificate
      AND
    • machine is in a specific AD Computer group

    If machine has ONLY certificate but no group membership, it gets dropped to a different VLAN

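The two-policy logic described above (certificate AND group membership goes to one VLAN, certificate only goes to another, anything else is rejected), modelled as an added example that is not from the thread or from NPS itself. It mimics NPS's top-down, first-match policy order and encodes the VLAN assignment as the RFC 2868/3580 tunnel attributes an Access-Accept carries; the policy and group names and VLAN IDs are constructed placeholders.

```python
import struct
from dataclasses import dataclass

# RADIUS tunnel attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


@dataclass(frozen=True)
class ComputerAuth:
    """Result of a computer-only 802.1X attempt (constructed input, no user involved)."""
    cert_present: bool      # EAP-TLS completed with a CA-issued machine certificate
    groups: frozenset       # AD computer groups resolved from the (dummy) computer object


# Network policies in NPS processing order: the first matching policy wins.
# Names, group and VLAN IDs are placeholders, not values from the thread.
POLICIES = [
    ("WiFi-Trusted", lambda a: a.cert_present and "WiFi-Trusted-PCs" in a.groups, 10),
    ("WiFi-CertOnly", lambda a: a.cert_present, 20),
]


def select_vlan(auth):
    """Return (policy name, VLAN id); (None, None) means Access-Reject."""
    for name, matches, vlan in POLICIES:
        if matches(auth):
            return name, vlan
    return None, None


def encode_tunnel_attr(attr_type, value, tag=1):
    """Tagged attribute: type, length (type+len+tag+value), tag byte, value."""
    payload = bytes([tag]) + value
    return struct.pack("BB", attr_type, 2 + len(payload)) + payload


def vlan_attributes(vlan):
    """The three attributes a switch/AP needs to place the port in `vlan`."""
    return b"".join([
        encode_tunnel_attr(TUNNEL_TYPE, TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        encode_tunnel_attr(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        encode_tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()),
    ])


def decode_attributes(blob):
    """Parse the attribute bytes back into (type, tag, value) tuples for inspection."""
    out, i = [], 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        out.append((attr_type, blob[i + 2], blob[i + 3:i + length]))
        i += length
    return out
```

Note that a machine that is in the group but presents no certificate falls through both policies and is rejected, so group membership alone never grants access.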

  3. Gloria Gu 3,896 Reputation points
    2020-10-16T03:21:39.18+00:00

    @Sebastian Cerazy Hi,

    Sorry for the late reply!

    Based on my research and discussion with my colleagues, as stated in the Microsoft official document,
    nps-np-configure

    "you can configure network policy to instruct the access servers to place members of specific Active Directory groups on specific VLANs."

    (1) So the "machine is in a specific AD Computer group" can be achieved,
    (2) however, unfortunately "Computer ONLY authentication (no user involved)" & "machine has CA certificate" cannot be achieved in Microsoft NPS server.

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
