Resolved the issue
What permissions are required to allow domain user accounts to access WiFi via NPS 802.1x
Hello everyone,
I'm facing an issue with the configuration of a Network Policy Server (NPS) on our Active Directory server for Radius 802.1x login to our business Wi-Fi network. I could use some help in troubleshooting this problem.
Here's the situation: I've successfully set up the NPS, and it is synchronized with our users and computers. Additionally, we have a connection to the Lancom WLC, which serves as our Wi-Fi controller.
The problem is that while I can connect to the Wi-Fi using our Superuser admin accounts, regular domain accounts are unable to connect. We want to restrict Wi-Fi users from having admin privileges, so this is a crucial issue to resolve.
I've attempted to compare the parameters between the existing superuser security group and the new groups I created, but I haven't been able to identify any differences that could explain the connectivity problem.
If anyone has encountered a similar issue or has knowledge of the parameters that need to be configured to allow 802.1x Wi-Fi access for an Active Directory group, I would greatly appreciate your assistance.
Thank you in advance for your help.
Tom
2 answers
Limitless Technology 44,431 Reputation points
2023-06-07T12:00:42.3633333+00:00
Hello Tom,
Thank you for your question and for reaching out with your question today.
If regular domain accounts are unable to connect to the Wi-Fi network while Superuser admin accounts can, there are a few potential causes to consider:
- Ensure that the regular domain accounts are correctly added to the appropriate Active Directory groups that have been configured for Wi-Fi access. Double-check the group membership and confirm that the users are members of the correct group(s).
- Review the network policy conditions in NPS to ensure that the regular domain accounts meet the specified conditions for Wi-Fi access. Common conditions include group membership, connection request policies, and client vendor attributes.
- Check the authentication method being used for the regular domain accounts. If Superuser admin accounts are using a different authentication method (such as certificate-based authentication), ensure that regular domain accounts are configured to use the same method.
- Verify the RADIUS configuration on the Wi-Fi controller (Lancom WLC) and ensure that it is correctly pointing to the NPS server for authentication. Confirm that the shared secret matches between the Wi-Fi controller and NPS server.
- Monitor the NPS event logs on the server for any error messages or warnings related to the failed authentication attempts by regular domain accounts. The logs may provide insights into the specific issues causing the problem.
- Review the Wi-Fi client settings for regular domain accounts and ensure they are configured correctly. Check the security settings, authentication method, and any required certificates or credentials.
- Ensure that the Wi-Fi clients have proper network connectivity to the Wi-Fi controller and NPS server. Validate that any necessary firewall rules are in place to allow communication between the client, Wi-Fi controller, and NPS server.
- If you are using certificate-based authentication (EAP-TLS), verify that the regular domain accounts have the necessary certificates installed and that the NPS server is configured to accept and validate these certificates.
By thoroughly reviewing these aspects and troubleshooting steps, you should be able to identify the underlying issue preventing regular domain accounts from connecting to the Wi-Fi network and resolve it accordingly.
I’ve used Chat GPT to formulate part of this response. I’ve verified that the solution is accurate before sharing it here with you.
If the reply was helpful, please don’t forget to upvote or accept as answer.
Best regards.
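The event-log check suggested in the answer above, as an added PowerShell example that is not part of the original thread: it turns NPS "access denied" records (Security log, Event ID 6273) into rows showing which user was rejected, which network policy was evaluated, and the reason code. The function name `ConvertFrom-NpsDenyEvent` is hypothetical, and the sample event, including the `EXAMPLE\jdoe` account, is constructed for illustration.

```powershell
# Added example: parse NPS deny events (Event ID 6273) from their XML form.
function ConvertFrom-NpsDenyEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        # Collect the named <Data> fields of the event into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            User          = $data['FullyQualifiedSubjectUserName']
            RadiusClient  = $data['ClientName']
            NetworkPolicy = $data['NetworkPolicyName']
            AuthType      = $data['AuthenticationType']
            EapType       = $data['EAPType']
            ReasonCode    = $data['ReasonCode']
            Reason        = $data['Reason']
        }
    }
}

# Constructed sample event (not taken from the thread) so the parser runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID></System>
  <EventData>
    <Data Name="FullyQualifiedSubjectUserName">EXAMPLE\jdoe</Data>
    <Data Name="ClientName">wlc-constructed</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="AuthenticationType">EAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="ReasonCode">48</Data>
    <Data Name="Reason">The connection request did not match any configured network policy.</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-NpsDenyEvent | Format-List

# On the NPS server (elevated session), summarize recent real denials:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 200 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-NpsDenyEvent |
#     Group-Object User, NetworkPolicy, ReasonCode |
#     Sort-Object Count -Descending | Select-Object Count, Name
```

If no 6273 events appear after a failed attempt, confirm that auditing for the "Network Policy Server" subcategory is enabled (`auditpol /get /subcategory:"Network Policy Server"`). Comparing the `NetworkPolicy` and `ReasonCode` values for a regular account with the 6272 (access granted) event of an admin account shows which policy condition the regular account fails to meet.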