Most of the setup for 802.1X authentication of Wi-Fi clients for Meraki APs using Microsoft NPS RADIUS is pretty straightforward. There are numerous guides on the web, such as Meraki's own:
https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise
One thing that isn't well documented is how to make Windows 7 clients actually work. The problem is not Meraki related: it occurs because the RADIUS server has not enrolled a certificate for RAS/IAS use in the domain certificate store, and it is only seen when you have an AD CA configured. The RADIUS server delivers a certificate which Windows 7 will reject *even if it has been told to ignore server certificate validity* in the SSID config.
The solution is to open the Certificate Templates MMC snap-in on the AD CA server, make a copy of the RAS/IAS template and make sure enrolment and auto-enrolment are enabled in its permissions for 'RAS and IAS Servers'. This will result in the RADIUS server enrolling a new certificate, which will be used when RADIUS clients connect. This certificate is properly formed and will work for Windows 7. You can check that this has worked by looking in the Issued Certificates list in the CA MMC snap-in on the AD CA server: there should be a certificate for the RADIUS server using the template you created above.
Once you do this, Windows 7 should start to connect successfully.
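The same check can be made from the RADIUS side. The following is an added example, not part of the original post: run on the NPS server, it lists the certificates in the computer's Personal store with the template each was issued from and whether it is usable for server authentication, so you can confirm the newly enrolled certificate has arrived.

```powershell
# Run in an elevated PowerShell session on the NPS (RADIUS) server.
# Lists every certificate in the computer's Personal store and shows
# which ones could be presented to 802.1X clients.

$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'        # Server Authentication EKU
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information (v2+ templates)

function Get-TemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Certificates issued from a duplicated (v2 or later) template carry this extension.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    if ($ext) { $ext.Format($false) } else { '(no template information extension)' }
}

function Test-ServerAuth {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Returns $true only when an EKU extension explicitly lists Server Authentication.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
}

$now = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $inValidity = ($_.NotBefore -le $now) -and ($_.NotAfter -ge $now)
    $serverAuth = Test-ServerAuth $_
    [pscustomobject]@{
        Subject       = $_.Subject
        Issuer        = $_.Issuer
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey
        ServerAuth    = $serverAuth
        Template      = Get-TemplateText $_
        # Usable = has a private key, is within its validity period, and allows server auth.
        Usable        = $_.HasPrivateKey -and $inValidity -and $serverAuth
    }
} | Sort-Object NotAfter -Descending | Format-List
```

If the new certificate is not listed yet, `certutil -pulse` on the NPS server triggers an auto-enrolment pass without waiting for the next scheduled one.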