NPS unable to Authenticate AAD Windows 10 Devices (no DJ++ / Hybrid) for Wireless Network (IEEE 802.1X) access

Harshal Charde 31 Reputation points

Here's the technical situation and a fair ask:

  • A wireless access point is configured to use Windows NPS as a RADIUS server for supporting wireless network (IEEE 802.1X) authentication.
  • The AAD-joined / Intune MDM-enrolled devices are configured to receive Intune configuration profiles, which configure the devices with internal PKI user certs and device certs (through the Intune NDES Connector). There is no issue here.
  • The AAD-joined / Intune MDM-enrolled devices are also configured to receive the Wi-Fi profile in the device and user context. This is also fine, no issues here.
  • The RADIUS auth works and connects to Wi-Fi when the user is logged into W10. This works because the NPS server is aware of the user identity and trusts the user cert that is being used for PEAP TLS auth. No issues here as well.
  • Here's the issue: the device fails to authenticate at the CTRL ALT DEL screen, as it tries to use the device cert and the device's identity to authenticate with the NPS. Because the device is not present in AD, NPS fails to authenticate that W10 device.

If the same is tried on a DJ++ / Hybrid AAD PC, this works as expected.

A possible solution to this is to have an AAD DS instance, which has the devices as identities, have the NPS server join AAD DS, and then use that NPS server as a RADIUS server. This way, both the user identity and the device identity will be present in AAD DS. The downside of this is that we need a site-to-site VPN with Azure; if that goes down, the entire company won't be able to connect to the Wi-Fi.

What I need to know is:

  1. Is there any workaround?
  2. Does MS have any plan to make this work?

7 answers

  1. Sebastian Cerazy 306 Reputation points

    Just create a dummy AD object, give it the correct host/device_name.domain.local in the Service Principal Name, and add it to the group that is used in the NPS access policy.

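One way to script the placeholder object the answer above describes, as an added example that is not from the thread; the domain name, device name and NPS group name are assumed placeholders, and the device name must match the name presented in the device certificate.

```powershell
# Added example (not from the question or the answer): create the placeholder
# computer object, register its host SPNs and put it in the NPS policy group.
# Assumed placeholders: corp.example.local, AADDEV01, NPS-WiFi-Devices.
Import-Module ActiveDirectory

$DeviceName = 'AADDEV01'            # name as it appears in the device certificate (assumed)
$DnsDomain  = 'corp.example.local'  # internal AD DNS domain (assumed)
$NpsGroup   = 'NPS-WiFi-Devices'    # group referenced by the NPS network policy condition (assumed)
$Fqdn       = "$DeviceName.$DnsDomain"

# Create the object only if it does not already exist; no password is set on it,
# it exists solely so NPS can resolve the identity the device certificate presents.
$computer = Get-ADComputer -Filter "Name -eq '$DeviceName'" -ErrorAction SilentlyContinue
if (-not $computer) {
    New-ADComputer -Name $DeviceName -DNSHostName $Fqdn `
        -Description 'Placeholder for AAD-joined device (NPS 802.1X)'
    $computer = Get-ADComputer -Identity $DeviceName
}

# Register host/<fqdn> and host/<name> SPNs so the certificate name maps to this object.
Set-ADComputer -Identity $computer -ServicePrincipalNames @{ Add = "host/$Fqdn", "host/$DeviceName" }

# Add it to the group the NPS access policy checks.
Add-ADGroupMember -Identity $NpsGroup -Members $computer

# Verify the result: SPNs and group membership should both be present.
Get-ADComputer -Identity $DeviceName -Properties ServicePrincipalName, MemberOf |
    Select-Object Name, DNSHostName, Enabled, ServicePrincipalName, MemberOf
```

Run it from a host with RSAT and rights to create computer objects; repeat per device, or loop over a list of device names exported from Intune.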