Radius + AD + Machine auth before user logon

Question

Radius + AD + Machine auth before user logon

Muhammad Umer 1

I have a windows server 2016 and I've configured Active Directory and DNS and Hyper-v on it.
In that physical server, I have created a VM which is another windows server and I made it my DHCP.

Need Solution:
I would like to allow machine joined the SSID without using users credentials, but the AD machine account.

Requirement
The objective is to build an automatic connection to a specific SSID before the user use his credentials.

The behavior I would like to have is :

First check if machine is in AD, if yes, then ok for connection
If Machine is not in AD (mobile users), ask for credentials

Kindly guide step wise procedure to achieve this task

Chian Yan(嚴騫_PSH) 1 Reputation point

2025-05-23T00:40:57.46+00:00

This is easy when you use Microsoft NPS as RADIUS server.
You can add both "Domain Computer" and "Domain Users" to conditions, add both "Microsoft: Smart Card or other certificate" and "Microsoft: Protect EAP (PEAP)" in EAP method, deploy certificates to all domain joined computers and domain users.
Domain joined computers will auth with computer account first by default.
Non domain joined computers can auth with account and password.

3 answers

Your answer

Chian Yan(嚴騫_PSH) 1 Reputation point

2025-05-23T00:40:57.46+00:00

This is easy when you use Microsoft NPS as RADIUS server.
You can add both "Domain Computer" and "Domain Users" to conditions, add both "Microsoft: Smart Card or other certificate" and "Microsoft: Protect EAP (PEAP)" in EAP method, deploy certificates to all domain joined computers and domain users.
Domain joined computers will auth with computer account first by default.
Non domain joined computers can auth with account and password.

Answer 1

Hi ,

As far as I know, there is no native way can achieve your goal. NPS cannot combine user and machine authentication to make a decision.

The similar thread has been discussed before, you could have a look:

Radius + AD + Machine auth before user logon

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,
Candy

--------------------------------------------------------------

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Muhammad Umer 1

No worries, if we can use only single authentication (machine) that is also fine.
Could you please share the solution for the Machine Authentication process.

Anonymous

2021-05-26T07:38:39.753+00:00

Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.

Answer 3

Hi ,

We need to use computer certificate to authenticate devices. The following article talking about how to create a computer template and deploy wireless profile with computer authentication to clients, you could have a look:

Wireless 802.1x Authentication Using Network Policy Server

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,
Candy

--------------------------------------------------------------

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Share via

Radius + AD + Machine auth before user logon

3 answers

Your answer