Single NPS server with separate user and computer policies for separate wireless networks?
The subject line probably doesn't make sense so thanks for reading.
Much has been written and discussed about how you cannot combine user and computer authentication in a single NPS authentication policy, but that's not what I'm trying to solve.
Has anyone successfully configured a single Windows NPS server to perform authentication for both AD Computers and AD Users (separately, not combined) for wireless?
To go into detail on the two separate wireless networks in our Wi-Fi design: domain-joined computers have a specific wireless network which can talk to most of the LAN, i.e., domain controllers, etc. The computer object must be in the AD group named in the policy. When a computer matching the policy requests a connection, it is automatically joined to the wireless network.
The other wireless network is for BYOD and has very limited access to the LAN but can reach our high-speed Internet. When attempting to join the network the user is asked for username and password.
Within NPS it does appear we can have multiple policies configured, one for each type, but I've not been able to make it work in practice.
Currently I have one NPS server set up for computers and an entirely separate NPS server for users. Of course I'd like to have redundancy for both, so that would be four NPS servers.
Unfortunately, our SonicWALL, which acts as a Wireless Access Point controller, only allows two RADIUS servers, so it would be ideal if each of them can do both types of authentication.
If anyone has a link to an example I'd like to see it.
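One way to confirm that the two-policy design is actually behaving as intended on a single NPS server is to read the NPS audit events and check which network policy each wireless request matched. The script below is an added example written for this reply; it is not from the original post, SonicWALL, or Microsoft. It assumes NPS auditing is enabled so that events 6272 (granted) and 6273 (denied) land in the Security log, and the two policy names are placeholders you would replace with your own.

```powershell
# Added example (not from the original post): audit which NPS network policy each
# recent wireless request matched, so you can confirm that computer (host/...) requests
# hit the computer policy and everything else hits the BYOD user policy.
# ASSUMPTIONS: the policy names below are placeholders; NPS audit events 6272/6273 are
# being written to the Security log; run in an elevated session on the NPS server.

$ComputerPolicy = 'Wireless - Domain Computers'   # assumed name, replace with yours
$UserPolicy     = 'Wireless - BYOD Users'          # assumed name, replace with yours
$Since          = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML into a hashtable
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Only wireless requests matter here; NPS renders NAS-Port-Type as text ("Wireless - IEEE 802.11")
    if ($d['NASPortType'] -notlike 'Wireless*') { continue }

    # Machine authentication presents its identity as host/<computer FQDN>
    $identity  = $d['SubjectUserName']
    $isMachine = $identity -like 'host/*'
    $expected  = if ($isMachine) { $ComputerPolicy } else { $UserPolicy }
    $result    = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
    $kind      = if ($isMachine) { 'Computer' } else { 'User' }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Result   = $result
        Kind     = $kind
        Identity = $identity
        Policy   = $d['NetworkPolicyName']
        Expected = $expected
        Mismatch = ($d['NetworkPolicyName'] -ne $expected)
        AuthType = $d['AuthenticationType']
        EAP      = $d['EAPType']
        Reason   = $d['Reason']        # populated only on 6273 (denied)
        Client   = $d['ClientName']    # the RADIUS client entry, i.e. the SonicWALL
    }
}

# Overview of recent wireless requests and the policy each one matched
$rows | Sort-Object Time -Descending |
    Format-Table Time, Result, Kind, Identity, Policy, Mismatch, Reason -AutoSize

# Anything that hit the wrong policy, or was denied, deserves a look at the
# policy processing order and conditions (Machine Groups vs. User/Windows Groups).
$rows | Where-Object { $_.Mismatch -or $_.Result -eq 'Denied' } |
    Format-List Time, Result, Kind, Identity, Policy, Expected, AuthType, EAP, Reason, Client
```

The useful signal is the Mismatch column: a `host/...` identity that landed on the user policy, or a user that landed on the computer policy, means the first matching policy in processing order is too broad (typically a Windows Groups condition that both kinds of account satisfy). A steady stream of 6273 events with the same Reason points at the RADIUS client or EAP settings rather than the policies.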
OK, I got it working after writing it all out and checking my work. Can't say exactly where. Note: the RADIUS settings in SonicWALL don't always work as I expected. In the RADIUS server settings under Users, Settings, Authentication, Configure RADIUS (make sure you get the format right under Advanced), "test" the RADIUS server using the connectivity test at least one time. This is bloody confusing because it may not pass other tests, i.e., authentication, but may still function. And I really hate that the APs have to be rebooted when you make a VAP object change, as I only have one very short window while onsite to test and, if it fails, revert the change.
Dang, I miss AeroHive/Extreme...