# Server 2008 R2 RADIUS auth for non domain members



## stokedone (Jul 16, 2010)

I have a Server 2008 R2 and Cisco WAP4410n environment. I have configured NPS with the appropriate RADIUS client setup for the WAP4410n. I have configured a Network Access Policy that allows a specific Security Group access via PEAP as the EAP type and EAP-MSCHAP v2 in the properties. We are using a self-signed cert from the server. Domain member computers and laptops connect just fine.
I also want to be able to allow users (specifically their laptops) that are not on the domain to join the wireless network if they provide relevant domain credentials. The problem with this is the default wireless network profile settings on a client for a first-time connection:

- The authentication method default settings for PEAP on the client have the check box "Validate server certificate" ticked, which it won't be able to do since it is not a trusted certificate and Windows doesn't prompt to install the cert.
- The default setting for EAP-MSCHAP v2 is to automatically use my Windows logon name and password, which on a non-domain computer is not going to be correct.

Is there a way to not use the certificate for this authentication?
This isn't a problem for iPhone or OS X clients as they both prompt to install the certificate. I am aware that I can manually add the network or walk the user through the creation of this network, but this means having an end user search for the specific check boxes before connecting. I would like to just have them be prompted for their username and password.


----------



## peterh40 (Apr 15, 2007)

Yes, replace the self-signed certificate with a certificate from a recognised and trusted certificate authority.


----------



## stokedone (Jul 16, 2010)

I guess I should mention that we are trying to avoid having to pay for a certificate. The suggested Verisign/Symantec RADIUS server certs are $349, which is somewhat cost prohibitive.


----------



## peterh40 (Apr 15, 2007)

You could build your own Certificate Authority; then all domain users will automatically trust that certificate, and it should get round the issues with the self-signed cert, as the systems will have a CA to go to in order to check that the certificate isn't untrustworthy.
It is not hard to set up a CA (see http://technet.microsoft.com/en-us/library/cc772393(v=WS.10).aspx ).


----------



## stokedone (Jul 16, 2010)

Peter,

Thanks again for the responses. We currently have our CA already set up. The domain members do not have any issues connecting to the wireless network. The issue we have is that non-domain members are not able to connect without our intervention. There is no prompt to download the self-signed cert, and there is no prompt to log in with domain credentials. Is there a way that anyone knows about to overcome this situation?


----------



## peterh40 (Apr 15, 2007)

You could setup a web page for non-domain users to browse to and offer a link to download the certificate and provide instructions and links to useful pages.


----------



## peonowns (Apr 16, 2012)

You should have got this ability when you purchased your server.
This is how I do it.

To install the server's security certificate on your remote computer, do the following:

1. From a computer that is in the Windows SBS network, open a Web browser and type the following address into the address bar: \\SERVER\public\downloads.
2. Copy the file *Install Certificate Package.zip* to portable storage media, such as a floppy disk or a USB drive.
3. Insert the floppy disk or USB drive into the computer that is not joined to the Windows SBS domain and from which you want to access the network, and then navigate to the location where you copied *Install Certificate Package.zip*.
4. Right-click *Install Certificate Package.zip*, and then click *Extract All*.
5. In the *Extract Compressed (Zipped) Folders* dialog box, type a folder location to which you want to extract the files, and then click *Extract*.
6. Open the folder where the extracted files are located, and then double-click *InstallCertificate*.
7. Select *Install the certificate on my computer*, and then click *Install*.

Note: You should only download the certificate installer package from a computer that is directly connected to your organization's network. Do not download this package over the Internet.

And obviously you don't want to give any Joe Bloggs this ability, but I am unclear who it is for.

pEoN.


----------

