This was posted in the 2012 R2 GPO forum, but I was advised to move it here as more relevant.
[all the below is running on WS2012 R2 & Windows 10 clients]
Hi,
I have an internal PKI with clients autoenrolled - all working fine.
I have a RADIUS/NPS Server setup for authenticating users on a wireless network - all working fine.
The NPS server has two Network Policies; one for 'Domain Computers' using EAP type "Microsoft: Smart card or other certificate". The other policy is for 'Domain Users' using EAP type "PEAP".
This works well. From a Windows 10 client, which is domain-joined, I can search for wireless networks, find the SSID I have configured (Unifi APs, WPA2, with RADIUS pointing to the above NPS server), click connect and get authenticated without being prompted for anything.
On a non-domain joined client, I can search for the same wireless network, connect, get prompted for username/password and authenticate with any domain user credentials (I also have to accept to trust the certificate presented by the NPS/RADIUS server).
My NPS policy for domain computers uses "Microsoft: Smart card or other certificate" but my NPS policy for domain users uses "PEAP" so I'm not sure what to put in this box to cover both situations?
Or should I simply create two profiles on the previous screen?
I have tried putting in the RADIUS FQDN under "connect to these servers", tried toggling "verify the server's identity", tried toggling the ticked CAs under "Trusted root CA". Basically everything.
When trying to connect from the domain-joined client, I am getting either "Can't connect because you need a certificate to sign in" or "can't connect because the sign-in requirements for your device and the network aren't compatible".
If I change the overall network authentication to PEAP, then on the Advanced page, I see options which look like they cover both user and computer connections, but I just get the same errors as mentioned above.
Help greatly appreciated.
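Whatever the GPO dialog is set to, what the client actually uses is the wireless profile XML the policy writes to the machine, and that profile records three things the errors above hinge on: the 802.1X authentication mode (machine, user, or either), the outer EAP method (13 = EAP-TLS, 25 = PEAP) with any inner method, and whether server validation is pinned to named NPS servers and a trusted root CA. The following is an added example, not the poster's configuration or a Microsoft tool: it parses an exported profile (or an inline sample built with hypothetical SSID, server name and CA thumbprint, following the WLAN profile schema element names) and reports those settings, flagging a profile that would prompt users to trust the RADIUS certificate or that accepts any server from a trusted CA.

```powershell
# Added example: report the 802.1X / EAP settings carried by a WLAN profile.
# Export the profile the GPO deployed, then run:
#   netsh wlan export profile name="CorpWiFi" folder=C:\Temp
#   .\Inspect-WlanProfile.ps1 -Path 'C:\Temp\Wi-Fi-CorpWiFi.xml'
# With no -Path, the constructed sample below is parsed instead.
param([string]$Path)

# Constructed sample (hypothetical SSID, server name and CA thumbprint), trimmed
# to the elements this script reads. It is NOT the poster's profile.
$sample = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <ServerValidation>
                  <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                  <ServerNames></ServerNames>
                  <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
                </ServerValidation>
                <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
'@

$raw = if ($Path) { Get-Content -Raw -Path $Path } else { $sample }
$xml = [xml]$raw

# Namespace-agnostic lookups: the profile mixes several xmlns values.
function Get-Text([xml]$Doc, [string]$XPath) {
    $node = $Doc.SelectSingleNode($XPath)
    if ($null -eq $node) { return $null }
    return $node.InnerText.Trim()
}

# IANA EAP method numbers as used in the <Type> elements.
$eapNames = @{ '13' = 'EAP-TLS (smart card or other certificate)'; '25' = 'PEAP'; '26' = 'EAP-MSCHAPv2' }

$authMode  = Get-Text $xml "//*[local-name()='authMode']"
$outerType = Get-Text $xml "//*[local-name()='EapMethod']/*[local-name()='Type']"
$innerType = Get-Text $xml "//*[local-name()='EapType']/*[local-name()='Eap']/*[local-name()='Type']"
$noPrompt  = Get-Text $xml "//*[local-name()='DisableUserPromptForServerValidation']"
$servers   = Get-Text $xml "//*[local-name()='ServerNames']"
$rootCAs   = @($xml.SelectNodes("//*[local-name()='TrustedRootCA']") | ForEach-Object { $_.InnerText.Trim() })

$findings = New-Object System.Collections.Generic.List[string]
if ($noPrompt -ne 'true') {
    $findings.Add('Server validation prompt is enabled: users will be asked to trust the NPS certificate.')
}
if ([string]::IsNullOrWhiteSpace($servers)) {
    $findings.Add('ServerNames is empty: any server certificate chaining to a trusted root CA is accepted.')
}
if ($rootCAs.Count -eq 0) {
    $findings.Add('No TrustedRootCA pinned: validation falls back to the whole machine root store.')
}
if ($authMode -eq 'machineOrUser' -and $outerType -eq '13') {
    $findings.Add('EAP-TLS with machineOrUser: user sessions need a user certificate, or the client reports it needs a certificate to sign in.')
}

[pscustomobject]@{
    Profile        = Get-Text $xml "/*[local-name()='WLANProfile']/*[local-name()='name']"
    AuthMode       = $authMode
    OuterEap       = if ($eapNames[$outerType]) { $eapNames[$outerType] } else { "type $outerType" }
    InnerEap       = if ($innerType) { $eapNames[$innerType] } else { '(none)' }
    ServerNames    = $servers
    TrustedRootCAs = $rootCAs.Count
    Findings       = $findings -join "`n"
} | Format-List
```

Run it against the constructed sample and it reports PEAP with inner EAP-MSCHAPv2 in machineOrUser mode and two findings (prompt enabled, no server names pinned), which is the situation the non-domain client in the post shows when it asks to trust the NPS certificate. Run it against a real export from a domain-joined client after `gpupdate` to confirm the profile the GPO produced matches the NPS policy's EAP type before adjusting the policy further.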