I need to distinguish my WiFi users by using custom Extended Key Usage OIDs to put them in different wireless networks. For that, I have configured my NPS as described in http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/a0bfc02e-4176-4add-9691-e4d118275511, but it's not working as expected. Authentication succeeds or fails depending on the order of the certificates in the user certificate store on the client.
For example:
Policy 1: allowed-certificate-OID --> corporate
Policy 2: allowed-certificate-OID --> private
Client authenticates with EKU corporate --> success
Client authenticates with EKU private --> reject
My expectation was that if Policy 1 does not match, the NPS goes on to Policy 2 and tries to authenticate the client with that one.
Any ideas on this?
regards
fkessler
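As an added diagnostic example (not part of the original post), the following PowerShell lists the client's user certificates in store order together with their EKU OIDs, so you can see which certificate the EAP-TLS supplicant is likely to offer first and whether it carries the "corporate" or the "private" EKU. The two OID values are placeholders; substitute the custom EKU OIDs configured in your allowed-certificate-OID conditions.

```powershell
# Added example, not from the original post.
# Placeholder OIDs: replace with the custom EKU OIDs used in the NPS policies.
$corporateOid = '1.2.3.4.5.1'   # placeholder for the "corporate" EKU
$privateOid   = '1.2.3.4.5.2'   # placeholder for the "private" EKU

# Enumerate certificates in the current user's personal store, in store order.
Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    # Pull the Enhanced Key Usage extension, if the certificate has one.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        HasPrivKey = $cert.HasPrivateKey
        EKU        = ($oids -join ', ')
        Corporate  = ($oids -contains $corporateOid)
        Private    = ($oids -contains $privateOid)
    }
} | Format-Table -AutoSize
```

Comparing this listing against the NPS event log entry for a rejected connection shows which certificate was actually presented and which policy NPS evaluated it against.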