NPS unable to Authenticate AAD Windows 10 Devices (no DJ++ / Hybrid) for Wireless Network (IEEE 802.1X) access

Harshal Charde 31 Reputation points
2020-08-03T22:33:11.463+00:00

Here's the technical situation and a fair ask:

  • A Wireless Access Point is configured to use Windows NPS as a RADIUS Server for supporting Wireless Network (IEEE 802.1X) authentication.
  • The AAD Joined / Intune MDM Enrolled devices are configured to receive Intune Configuration Profiles which configure the devices with Internal PKI User Certs and Device Certs (through the Intune NDES Connector). - There is no issue here.
  • The AAD Joined / Intune MDM Enrolled devices are also configured to receive the Wi-Fi Profile in the Device and User Context. - This is also fine, no issues here.
  • The RADIUS Auth works and connects to Wi-Fi when the User is logged into W10; this works because the NPS Server is aware of the User Identity and trusts the User Cert that is being used for PEAP TLS Auth. - No issues here as well.
  • Here's the issue: The Device fails to authenticate at the CTRL ALT DEL screen as it tries to use the Device Cert and Device identity to authenticate with the NPS. Now, because the Device is not present in the AD, NPS fails to authenticate that W10 Device.

If the same is tried on a DJ++ / Hybrid AAD PC, this works as expected.

A possible solution to this is to have an AAD DS instance, which has the Devices as an identity, and have the NPS Server AAD DS joined and then use that NPS Server as a RADIUS Server. This way, both the User Identity and the Device Identity will be present in the AAD DS. The downside of this is that we need to have a Site to Site VPN with Azure; if that goes down, the entire company won't be able to connect to the Wi-Fi.

What I need to know is:

  1. Is there any workaround?
  2. Does MS have any plan to make this work?

7 answers

  1. Steve Prentice 11 Reputation points
    2020-09-03T11:34:54.593+00:00

    Good write-up of a problem I've had for a long time... NPS is basically on-prem only, so totally useless for device authentication of AAD devices. :-(
    We have AAD to AD writeback for devices enabled via sync, and AAD objects are stored in AD, but NPS doesn't see them as they're not full computer objects, which sucks.
    The only workaround I've seen talked about (but not tried, yet) is to create a "dummy" AD device object to keep NPS happy, but that again sucks.

    2 people found this answer helpful.

  2. Steven van Beek 6 Reputation points
    2020-10-02T07:56:16.057+00:00

    @alfredo-revilla-msft Is there any update yet?

    1 person found this answer helpful.

  3. James Heathcote 1 Reputation point
    2021-03-04T15:30:24.027+00:00

    We have exactly the same issue. I had successfully installed and configured NDES in the past with Intune to work with NPS and CA (not sure we have enough acronyms here), but as you say, AAD devices don't have machine accounts and NPS doesn't see the AD Connect writebacks as computer accounts.

    I am struggling most to get this to work with AAD-registered Surface Hub 2S devices.

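The distinction raised in the two answers above (a writeback object in AD is not a computer object, so NPS cannot use it for machine authentication) can be checked per device. This is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module, read access to the domain, that device writeback placed its msDS-Device objects under CN=RegisteredDevices (the container Azure AD Connect creates), and that the device's AAD display name is stored in displayName.

```powershell
# Added example (not from the thread): for a given Windows 10 device name, report whether
# AD holds a real computer object (what NPS needs for device/machine authentication) or only
# the msDS-Device object that Azure AD device writeback creates under CN=RegisteredDevices.
Import-Module ActiveDirectory

function Get-NpsDeviceIdentityStatus {
    param(
        [Parameter(Mandatory)] [string] $DeviceName
    )
    $domainDn = (Get-ADDomain).DistinguishedName

    # A domain-joined or hybrid-joined (DJ++) machine has a computer object; NPS can authenticate it.
    $computer = Get-ADComputer -Filter "Name -eq '$DeviceName'" -ErrorAction SilentlyContinue

    # Device writeback from Azure AD lands here as msDS-Device. NPS does not treat it as a
    # machine account, which is why an AAD-joined device fails at the CTRL ALT DEL screen.
    # Assumption: displayName carries the device name; the container may not exist if writeback is off.
    $writeback = Get-ADObject -LDAPFilter "(&(objectClass=msDS-Device)(displayName=$DeviceName))" `
        -SearchBase "CN=RegisteredDevices,$domainDn" -Properties displayName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DeviceName        = $DeviceName
        HasComputerObject = [bool]$computer
        HasWritebackOnly  = (-not $computer) -and [bool]$writeback
        NpsCanAuthDevice  = [bool]$computer   # only a computer object satisfies NPS machine auth
    }
}

# Usage (constructed device name):
Get-NpsDeviceIdentityStatus -DeviceName 'LAPTOP-01'
```

A device that reports HasWritebackOnly = True is exactly the case described in this thread: present in AD via writeback, but invisible to NPS as a machine account.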

  4. Paul Mathanarajah 1 Reputation point
    2021-03-22T16:27:24.267+00:00

    I'm looking into this as an alternative to our Windows NPS servers.


  5. Andrew Blackburn 1 Reputation point
    2021-05-06T18:56:53.213+00:00

    If anyone is interested in instructions to work around this issue, I've written a blog post. Here is the link:

    https://sysmansquad.com/2021/04/27/working-around-nps-limitations-for-aadj-windows-devices/