We have set up a working 802.1x/Radius wired environment with MS NPS/NAP. We added a third party certificate for the NPS server to get rid of certificate warnings for non-domain clients.
We had a certificate for our mailserver since earlier (mailserver.domain.com). I do not know much about PKI but we bought something like a “subcertificate” that still is issued to mailserver.domain.com but has the FQDNs of our NPS servers as SANs.
We have imported and configured the use of the certificate. The first thing that happened was that clients got a warning when connecting:
The server “<Authentication server>” presented a valid certificate issued by “<CA name>”, but “<CA name>” is not configured as a valid trust anchor for this profile. Further, the server “<Authentication server>” is not configured as a valid NPS server to connect to this profile.
We corrected this error following the KB: http://support.microsoft.com/kb/2518158 and also checking the CA in the NPS authentication configuration.
Now the “valid trust anchor” part of the error message has disappeared and it now looks like this:
http://www.chicagotech.net/images/ssl34.gif (with radius server: mailhost.domain.com).
Viewing our mailserver/NPS certificate, the certificate chain appears to be perfectly in order (we have imported intermediate certificates etc.).
The last part of the error message:
The server “mailhost.domain.com” is not configured as a valid NPS server to connect to for this profile.
And that is correct, since that is our mailserver.
We have tried to register our mailserver as an NPS server (which it isn't) (netsh ras add registeredserver) and also issuing an NPS certificate to the mailserver, without luck.
Any suggestions?
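A diagnostic check that helps with this kind of problem, added here as an example and not part of the original post: run on the NPS server, it lists which DNS names each Server Authentication certificate in the machine store actually carries in its Subject CN and in its SAN extension, and flags any expected NPS FQDN that appears in neither. The `$ExpectedNps` names are placeholders; the NPS FQDNs the NAP clients are actually told to trust would go there.

```powershell
# Added example, not from the original post. Run on the NPS server.
# Placeholder FQDNs: replace with the real NPS server names.
$ExpectedNps = @('nps1.domain.com', 'nps2.domain.com')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    } |
    ForEach-Object {
        $cert = $_

        # Subject CN as the client sees it (mailserver.domain.com in the post above)
        $cn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
            $false)

        # SAN DNS entries: CryptoAPI formats them as "DNS Name=host, DNS Name=host"
        $sans = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        if ($sanExt) {
            $sans = ($sanExt.Format($false) -split ',\s*') |
                Where-Object { $_ -match '^DNS Name=' } |
                ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
        }

        # Names that are neither the Subject CN nor any SAN DNS entry
        $missing = $ExpectedNps | Where-Object { ($_ -ne $cn) -and ($sans -notcontains $_) }

        [PSCustomObject]@{
            Thumbprint = $cert.Thumbprint
            SubjectCN  = $cn
            SanDns     = ($sans -join ', ')
            MissingNps = ($missing -join ', ')
            Expires    = $cert.NotAfter
        }
    } | Format-List
```

Compare the SubjectCN and SanDns columns with the server names configured in the clients' wired profile: the name the client reports in the error ("mailhost.domain.com") tells you which name from the certificate it is matching against.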