Can NPS authenticate non-Domain computers via EAP-TLS?

Alex Wu 0 Reputation points
2025-03-31T10:11:48.86+00:00

Hi Everyone!

I tried to implement NPS to authenticate non-Domain joined computers using a computer certificate to access Cisco Wi-Fi, but it failed.

My environment:

  1. Windows 2019 DC
  2. Windows 2019 CA + NPS
  3. Cisco WL3504 + AP1832I
  4. Windows 10 + Windows 11 non-Domain Clients

What I have tested:

  1. Manually request a computer certificate from CA
  2. NPS Request policy (no domain computers selected), realm name replaced ^host/(.*) with DomainName$1% -> non-Domain clients can match the request policy
  3. NPS Network policy -> no matter how I set the policy, NPS always goes to AD to match the computer account
  4. Then I created a dummy computer account, even using the same thumbprint as the certificate I requested for the computer.
  5. Using the same computer certificate (non-Domain joined), I can authenticate the certificate successfully with Cisco ISE.

My question:

  1. Does NPS really support EAP-TLS (computer certificate) for non-Domain joined computers? Is AD join a must? (I found many documents online saying that NPS supports certificate authentication for non-domain computers.)

1 answer

Daisy Zhou 32,416 Reputation points Microsoft External Staff
    2025-04-02T02:22:29.7533333+00:00

    Hello Alex Wu,

    Thank you for posting in Q&A forum.

    Yes, NPS can support EAP-TLS for non-domain joined computers using computer certificates. But there are a few things to consider and set up to get this working smoothly:

    1. The client devices must have a valid computer certificate issued by a trusted Certificate Authority (CA). The NPS server must trust the CA that issued the client certificates. This typically involves installing the CA's root certificate on the NPS server.
    2. You need to configure NPS to accept EAP-TLS authentication. This involves setting up the appropriate network policies and connection request policies. Ensure that the EAP type (EAP-TLS) is supported by both the client devices and the NPS policy.
    3. For non-domain joined devices, you can use certificate mapping to associate the certificate with a user or computer account in Active Directory. This is not mandatory but can help in managing access control. Alternatively, you can configure NPS to accept certificates based on specific attributes, such as the Subject Alternative Name (SAN) value.
    4. Create policies in NPS that match the conditions for non-domain joined devices. This might include specifying the SSID for Wi-Fi connections or other relevant parameters. Ensure that the policies are correctly set up to handle the authentication requests from non-domain joined devices.
    5. If you encounter issues, check the NPS logs for detailed error messages. Common issues include mismatched certificates, incorrect policy configurations, or missing CA certificates.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
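As an added example (not part of the question or the answer above), a PowerShell check to run on the NPS server against the client's exported certificate. It covers the answer's points: does the certificate chain to a CA the NPS server trusts, does it carry the Client Authentication EKU that EAP-TLS requires, and what identity does its Subject Alternative Name carry. The file path is a placeholder.

```powershell
function Test-EapTlsClientCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert
    )

    $ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required on EAP-TLS client certs
    $SanOid        = '2.5.29.17'           # subjectAltName

    # Point 1 of the answer: the chain must end in a root the NPS server trusts.
    # Build() uses the local machine's trust store, i.e. what NPS itself will see.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk     = $chain.Build($Cert)
    $chainErrors = $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }

    # Point 2: the EKU extension must list Client Authentication.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }

    # Point 3: the SAN is the attribute NPS can match on for a non-domain device.
    $san     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText = if ($san) { $san.Format($true).Trim() } else { '(no SAN extension)' }

    [pscustomobject]@{
        Subject        = $Cert.Subject
        Thumbprint     = $Cert.Thumbprint
        ValidNow       = ($Cert.NotBefore -le (Get-Date)) -and ($Cert.NotAfter -ge (Get-Date))
        ChainTrusted   = $chainOk
        ChainErrors    = ($chainErrors -join '; ')
        HasClientAuth  = $hasClientAuth
        SubjectAltName = $sanText
    }
}

# Usage on the NPS server with the public part of the client's certificate exported to a file
# (placeholder path; export it from the non-domain machine's Local Computer\Personal store).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\client.cer'
Test-EapTlsClientCert -Cert $cert | Format-List
```

If ChainTrusted is false or HasClientAuth is false, fix the certificate or the trust store before touching the NPS policies; the NPS event log will otherwise keep rejecting the client regardless of how the policies are set.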

