Using NPS under alternative domain

PeachTea 6 Reputation points
2021-08-25T23:27:00.347+00:00

Hi,

We have an Active Directory ending in .local, let's call it contoso.local. We have a self-signed/custom CA within our domain which we use for issuing certificates under contoso.local. Our NPS server currently performs RADIUS authentication for our Wi-Fi clients. For Wi-Fi clients that don't trust our contoso.local self-signed CA (most of them), the clients must ignore the untrusted certificate warning. This is obviously not ideal, and with Android 11 it's no longer possible to ignore/bypass untrusted Wi-Fi certificates.

Because we have a contoso.local domain, we're unable to get a publicly trusted certificate issued to us. We do however have a public domain, contoso.com, for which we have a publicly trusted certificate on our website among other things. Our AD users also have contoso.com as their primary UPN suffix. Is it possible to configure NPS to use contoso.com to prove its identity instead of contoso.local, or do I need to look at using something like FreeRADIUS?

At the moment, it seems the certificate that's used for RADIUS authentication is for dc01.contoso.local. I'm basically asking if I can specify a custom domain/hostname so when clients connect to our Wi-Fi they're getting a certificate for, say, dc01.contoso.com instead, which is publicly trusted.

Cheers


2 answers

  1. Limitless Technology 39,926 Reputation points
    2021-08-26T12:40:39.783+00:00

    Hello @PeachTea ,

    Have you tried manually assigning the certificate in the NPS settings?

    NPS Console > Policies > Network Policy. Choose your policy for wireless and then on the "Constraints" tab > Authentication Methods > EAP Types > Edit > Choose the new certificate

    Best regards,

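    Before picking a certificate in that EAP dialog it is worth confirming that the intended one actually qualifies: NPS only offers certificates from the computer's Personal store that have a private key and the Server Authentication EKU, and the Wi-Fi clients will only accept it if the name matches and it chains to a root they trust. The script below is an added example, not part of the answer above; it assumes it runs in an elevated PowerShell on the NPS server, uses the hostname dc01.contoso.com from the question, and relies on the PKI module's Test-Certificate cmdlet.

```powershell
# Added example: list certificates in the NPS server's machine store that could
# be offered for PEAP/EAP-TLS under the public name from the question.
# Assumed: elevated PowerShell on the NPS server, PKI module available
# (Windows Server 2012 and later).
$ExpectedName  = 'dc01.contoso.com'      # hostname the Wi-Fi clients will validate
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'     # Server Authentication EKU OID

# NPS only offers certificates that have a private key and the Server Auth EKU
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku)
}

foreach ($cert in $candidates) {
    # DnsNameList combines the subject CN and any DNS subject alternative names
    $nameOk = $cert.DnsNameList.Unicode -contains $ExpectedName

    # Test-Certificate builds the chain against this machine's trusted roots and
    # checks name and EKU, returning $true or $false
    $chainOk = Test-Certificate -Cert $cert -Policy SSL `
                   -DNSName $ExpectedName -EKU $ServerAuthEku `
                   -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        NameMatch  = $nameOk
        ChainTrust = [bool]$chainOk
    }
}
```

    Test-Certificate validates against the NPS server's own root store, so a certificate issued by the internal contoso.local CA can show ChainTrust as true here and still be rejected by clients that do not have that root; the Issuer column is what tells you whether the certificate really comes from the public CA.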

  2. Limitless Technology 39,926 Reputation points
    2021-08-26T15:59:35.367+00:00

    Hello @PeachTea

    You can manage the certificates used with NPS; the link below will help you out:

    https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-certificates

    If that is not helpful, you can also try creating an offline certificate request in Windows Server.

