We have separate wireless SSIDs pointing to NPS servers in separate domains. They presently handle both user auth (BYOD) and machine auth (official Windows laptops) requests. We would like to bring this into one SSID for wireless efficiency.
In a test environment, I have added an NPS proxy, and I'm successful in forwarding the user authentication without issue.
Connection Request Policy #1: Condition = User Name, value = ^domain1\\ (matches "domain1\samaccountname")
Connection Request Policy #2: Condition = User Name, value = ^domain2\\ (matches "domain2\samaccountname")
- or value = ^domain1\\|@domain1\.org$ (matches "domain1\samaccountname" or "samaccountname@domain1.org")
I need Policies #3 and #4 to detect any machine auth request and forward it to the appropriate domain NPS.
Question: Can you proxy machine auth?
- Microsoft Docs - Connection Request Policies states: "The Machine Identity attribute group contains the Machine Identity attribute. With this attribute, you can specify the method with which clients are identified in the policy." This might suggest you can?
- However, there isn't a CRP condition for machine name, just user name, which might suggest you can't.
It looks like the request passes the identity of "host/hostname.domain1.org"; I see this in the log entries. I've tried to make a pattern match for the user name condition for this string without success. Microsoft Docs "Using Pattern-Matching Syntax in NPS" is confusing, in ways contradictory, and the examples I'm using have some syntax that doesn't appear in the document (like |).
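As an added illustration (not part of the original post), the three identity formats mentioned above can be checked offline against candidate User Name patterns before they are typed into a Connection Request Policy. It assumes the NPS User Name condition is evaluated as a .NET-style regular expression, for which these simple anchors and alternations behave the same in Python's re; all hostnames and account names are constructed samples.

```python
import re

# Candidate CRP "User Name" patterns, one per forwarding target.
# Order matters: the first policy whose pattern matches wins.
# Each pattern covers the down-level form (domain\user), the UPN form
# (user@domain) and the machine form seen in the logs (host/fqdn).
POLICIES = [
    ("forward-to-domain1-nps",
     re.compile(r"^domain1\\|@domain1\.org$|^host/.+\.domain1\.org$")),
    ("forward-to-domain2-nps",
     re.compile(r"^domain2\\|@domain2\.org$|^host/.+\.domain2\.org$")),
]


def route(identity):
    """Return the first policy name whose pattern matches the identity,
    or None when no proxy rule applies (the request would not be forwarded)."""
    for name, pattern in POLICIES:
        if pattern.search(identity):
            return name
    return None


# Constructed sample identities mapped to the expected routing decision.
SAMPLES = {
    r"domain1\jsmith": "forward-to-domain1-nps",
    "jsmith@domain1.org": "forward-to-domain1-nps",
    "host/laptop01.domain1.org": "forward-to-domain1-nps",
    r"domain2\ajones": "forward-to-domain2-nps",
    "host/laptop02.domain2.org": "forward-to-domain2-nps",
    "host/laptop03.otherdomain.org": None,  # unknown realm: no rule matches
    r"other\domain1\x": None,               # ^ anchor blocks mid-string match
}


def check_all():
    """Evaluate every sample and return the actual routing decisions."""
    return {identity: route(identity) for identity in SAMPLES}


if __name__ == "__main__":
    for identity, result in check_all().items():
        print(f"{identity:32} -> {result}")
```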