MSCHAPv2 with both user and machine credentials
Hello,
questions:
With MSCHAPv2 and NPS or IAS, can you allow both certain domain machines to authenticate with their machine credentials and non-domain devices (PCs, MacBooks, iPhones…) to authenticate with user credentials to connect to a wireless access point?
Is there a problem if a domain machine authenticates to the wireless network with its credentials and later a domain user that isn't in the user group that we're using with NPS or IAS logs on?
background:
We have some home-grade routers (D-Link DIR-655) that we let people connect their personal devices to for internet access. Right now we are using just a WPA2 key. We aren't currently running a RADIUS server, but we have servers with 2003 and with 2008 that we can use. We are buying some Windows 7 laptops this summer that will be members of the domain and would like them to connect to our domain over wifi. I believe that our firewall (FortiGate) supports dynamic firewall policies based on info sent from a RADIUS server. I would like to have a group of users in AD that are allowed to connect their personal devices to the wifi network using their user credentials to authenticate. I would also like to have these domain laptops connect to the same access point with their machine credentials.
I don't have any hands on experience with RADIUS, NPS, or MSCHAPv2 so if you have any words of wisdom, I'd appreciate it.
Does this sound doable, or am I looking at buying more enterprise-level APs?
Thanks in advance!
May 2nd, 2011 2:15pm
Hi Customer,
Windows 2008 NPS wireless supports three authentications: smart card, EAP-TLS, PEAP-MS-CHAP v2.
You could use PEAP-MS-CHAP v2 for domain user credential authentication and EAP-TLS for non-domain device certificate authentication.
Both authentications need to create a TLS encryption tunnel first via a certificate; it is not just authenticating credentials like MSCHAPv2.
For the AP, you just need to ask your vendor about your requirement.
For the server side, please refer to the articles below.
Wireless Networking
http://technet.microsoft.com/en-us/network/bb530679
Checklist: Configure NPS for Secure Wireless Access
http://technet.microsoft.com/en-us/library/cc771696.aspx
802.1X Authenticated Wireless Access
http://technet.microsoft.com/en-us/library/cc771455(WS.10).aspx
Regards, Rick Tan
May 5th, 2011 5:07am
Rick,
Thanks for the reply!
I'd rather not have to deploy certificates to the wireless clients if possible. Smart cards aren't a good answer because many of the wireless clients don't support them.
With PEAP-MS-CHAP v2 I know that I'll need a certificate on the NPS server signed by a CA. I don't need to deploy any certificates to the wireless clients, do I?
Can I use PEAP-MS-CHAP v2 for authenticating both the domain devices and the non-domain devices?
May 5th, 2011 12:07pm
Hi Customer,
With PEAP-MS-CHAP v2 I know that I'll need a certificate on the NPS server signed by a CA. I don't need to deploy any certificates to the wireless clients, do I?
Yes, the NPS server needs a certificate, and the client needs the trusted root CA for the NPS certificate.
If clients joined the domain before the enterprise CA was installed, the trusted root CA is already installed on the client automatically.
If you have just installed a new enterprise CA, clients need to import the trusted root CA or log on to the domain via cable once.
PEAP with EAP-MS-CHAP v2
http://technet.microsoft.com/en-us/library/cc754179.aspx
Can I use PEAP-MS-CHAP v2 for authenticating both the domain devices and the non domain devices?
Yes, you could use PEAP-MS-CHAP v2 for non-domain devices, but it's not recommended.
First, you need to import the trusted root CA.
Then, you need to create an AD account for each device. It needs to identify each device instead of using only one user account.
Next, you need to change the NPS settings: create a rule to change user to domain\user to authenticate with the AD account. Or set up 802.1X-supported clients not to "automatically use my Windows logon name and password". These clients will be prompted to enter domain credentials.
If you use EAP-TLS authentication, you just need to install a certificate via the web CA. The certificate name installed is the same as the device name.
Regards, Rick Tan
May 6th, 2011 2:19am
Hi Customer,
With PEAP-MS-CHAP v2 I know that I'll need a certificate on the NPS server signed by a CA. I don't need to deploy any certificates to the wireless clients, do I?
Yes, the NPS server needs a certificate, and the client needs the trusted root CA for the NPS certificate.
If clients joined the domain before the enterprise CA was installed, the trusted root CA is already installed on the client automatically.
If you have just installed a new enterprise CA, clients need to import the trusted root CA or log on to the domain via cable once.
PEAP with EAP-MS-CHAP v2
http://technet.microsoft.com/en-us/library/cc754179.aspx
Can I use PEAP-MS-CHAP v2 for authenticating both the domain devices and the non domain devices?
Yes, you could use PEAP-MS-CHAP v2 for non-domain devices, but it's not recommended.
First, you need to import the trusted root CA.
Then, you need to create an AD account for each device. It needs to identify each device instead of using only one user account.
Next, you need to change the NPS settings: create a rule to change user to domain\user to authenticate with the AD account. Due to this, these account passwords couldn't be reset by users. It is not safe, as a MacBook user can't change the logon password.
If you use EAP-TLS authentication, you just need to install a certificate via the web CA. The certificate name installed is the same as the device name. MacBook users could use their own logon credentials to protect their data.
Regards, Rick Tan
May 6th, 2011 2:20am
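The following is an added example, not code from the thread or from Microsoft's NPS, that models the arrangement Rick Tan describes in his two replies above: one network policy admits domain laptops by their machine account, a second admits members of a WiFi user group by user credentials, and an attribute-manipulation rule rewrites a bare user name to domain\user before the AD lookup. The domain name CORP, the accounts, the group names and the policy names are all constructed; the host/ identity format for PEAP machine authentication and first-match policy ordering follow NPS behaviour, everything else is a simplified model.

```python
import re
from dataclasses import dataclass

# Illustrative model of the NPS decision, not NPS code.
# Domain, account, group and policy names below are constructed for the example.

DOMAIN = "CORP"  # hypothetical NetBIOS domain name

# Constructed sample directory: account -> Windows groups it belongs to.
ACCOUNTS = {
    "CORP\\alice": {"Domain Users", "WiFi-Users"},
    "CORP\\bob": {"Domain Users"},            # domain user, not in the WiFi group
    "CORP\\LAPTOP01$": {"Domain Computers"},  # machine account of a domain laptop
}

# Attribute-manipulation rule on User-Name: a name with no domain part is
# rewritten to DOMAIN\name so it can be looked up in AD. Names that already
# carry a domain (CORP\alice, alice@corp.example) are left untouched.
USER_NAME_RULES = [(re.compile(r"^([^\\/@]+)$"), DOMAIN + r"\\\1")]


def normalize_user_name(user_name):
    """Return (account, identity_kind) for an incoming User-Name attribute.

    PEAP machine authentication presents host/<computer>.<dns suffix>, which maps
    to the machine account <COMPUTER>$. Anything else is treated as a user identity
    and passed through the rewrite rules.
    """
    m = re.match(r"^host/([^./]+)", user_name, re.IGNORECASE)
    if m:
        return DOMAIN + "\\" + m.group(1).upper() + "$", "machine"
    for pattern, replacement in USER_NAME_RULES:
        user_name = pattern.sub(replacement, user_name)
    return user_name, "user"


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    windows_group: str   # the "Windows Groups" condition of the policy
    identity_kind: str   # which identity the policy is meant for: "machine" or "user"


# NPS evaluates network policies in order; the first whose conditions match decides.
POLICIES = [
    NetworkPolicy("Domain laptops (machine auth)", "Domain Computers", "machine"),
    NetworkPolicy("Personal devices (user auth)", "WiFi-Users", "user"),
]


def evaluate(user_name):
    """Decide a single access request. Returns (decision, reason)."""
    account, kind = normalize_user_name(user_name)
    groups = ACCOUNTS.get(account)
    if groups is None:
        return "reject", "unknown account " + account
    for policy in POLICIES:
        if policy.identity_kind == kind and policy.windows_group in groups:
            return "accept", policy.name
    return "reject", "no matching network policy"


def logon_sequence(machine_name, user_name):
    """What a domain laptop in 'user or computer authentication' mode produces:
    a machine authentication before logon, then a fresh user authentication at
    logon. Each request is judged on its own; returns both decisions in order."""
    return [evaluate("host/" + machine_name), evaluate(user_name)]


if __name__ == "__main__":
    for request in ["host/laptop01.corp.example", "alice", "CORP\\alice", "bob", "mallory"]:
        print(request, "->", evaluate(request))
    # bob logging on to LAPTOP01: the machine passes, the user re-authentication does not.
    print(logon_sequence("laptop01.corp.example", "bob"))
```

Under these assumptions the model answers the second question of the original post: the machine authentication of LAPTOP01 is accepted, and when a user outside the WiFi group logs on the supplicant sends a new request under the user's identity, which no policy matches and which is therefore rejected; the earlier machine success carries nothing over, because NPS only judges the request in front of it.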