This is a very useful video - http://blogs.aerohive.com/blog/wifihowtoblog/how-to-configure-microsoft-nps-to-pass-user-profile-attributes-to-an-aerohive-ap
If you are still having issues, please send me an email (email@example.com) and I can send you step by step instructions on how to achieve this.
In addition to that, the two approaches that you can use with the RADIUS attributes returned in the Access-Accept are discussed here: https://community.aerohive.com/aerohive/topics/radius-nps-server-configurations
I watched it and it has some good info and it seems pretty straightforward to authenticate users or groups.
What would be the steps if I just wanted the "Domain Joined" devices to be able to access the SSID with no regard to what user it is?
My thought is that this would have to be done pre-login of the user, kind of like 802.1X on a switch port and wired network.
It looks like I'm going to need step by step :(
- Windows device is powered on.
- The Windows device completes machine (computer) authentication. This is required for various domain processes including the ability for users to change their password upon expiry.
- The Windows device displays the CTRL+ALT+DEL screen.
- The user enters their domain credentials.
- The Windows device completes user authentication.
- The user now has access to the domain.
I'm really confused now. I set it up as Crowley mentioned above. I have one condition in my NPS policy that says "Domain Computers". This seems to work when I power up the machine - I look into the event log of the NPS server and it says I was granted access to the server.
What happens next is the problem. As soon as I log in with my domain credentials it disconnects me from the wireless. If I look in the NPS event log it says I was denied access because my user isn't in a group.
Why is it trying to authenticate my user after it already authenticated my machine and gave me access to the network? Is this an Aerohive thing or a Windows thing?
If I try to add "Domain Users" into the policy along with the "Domain Computers" then it denies me with a message saying that I don't have the allow on in the "Dial up Properties" even if it is on.
I had to change the Wireless Properties>Security>Advanced properties>802.1X settings>Specify Authentication Mode to "Computer Only" and then it works.
The problem is that you have to be connected to the SSID before you can adjust and save the properties. Am I missing something here?
The key thing in our school environment is that the user login experience should be the same as when they plug in to the wired network, that is, they boot up, login and go. The additional requirement is to stop the university students in nearby accommodation using our internet bandwidth via wireless.
We grant bona fide guests access with a code-of-the-day when they check-in at reception. This gives them internet-only access.
We currently serve domain users with a hidden SSID, and a password I enter when issuing the laptops. This is a miserable failure because if this connection fails, they reconnect using the guest SSID as the only one visible, and then complain they can't get at our server facilities. It also fails on security grounds. I have detected a few BYODs on the hidden SSID, so the password secret is (unsurprisingly) out!
I am hoping to distribute whatever is necessary to the laptops to connect as domain computers with a GPO, and then deny access to the guest SSID and the current hidden one a bit later on. Does this seem a reasonable approach? There are about 80 wireless laptops, 40 wired desktops and 350 users. There are 18 wireless APs. It's a 2012 R2 domain. The chicken-and-egg problem with a GPO can be addressed by using a wired connection for startup configuration.
I have got as far as adding a new SSID to the site policy, with a RADIUS server set as a Windows NPS on one of the domain servers. I have uploaded to one AP330, and got a result from the TEST RADIUS feature of the online manager. I am now playing with the configurations of the NPS and AP, and am groping in the dark!