Hi and thank you for this tutorial. May I ask if its possible to make a "Timed Connection" for each clients who are connected to the network? I would be nice if it limits them to connect like 1-2 hour(s) a day.
Thank you so much, brother, great content!! . Note: If someone is having issues make sure to also open the inbound firewall port UDP 1812 on your server, and if you have a network firewall also make sure it allows that same traffic from the wireless AP to the Radius Server.
TheAmazeer Yes they can. I haven’t tried with the in-built file explorer. You might have to use a third party app which will allow you to enter the share name, credentials and other settings required to access share.
I have a problem. We would like to allow only domain computers and when the NPS authenticates the computer it need toi asks for username and password, but when we add the group( Domain computers/Users in the same policy the NPS does not allow access. If we create 2 separate policies this one does not ask for password since the domain computer is already authenticated with cert. Any help
Very detailed and excellent video. Dear we have some quires will you please help us out. We have Multiple VLAN's for Multiple SSID's all VLAN's are in different IP pools. So kindly guide us if we define multiple IP scope for multiple SSID's how user can authenticate to their particular specific SSID ? Waiting for your response.
Great video, I can get communication when I’m on the normal net but it doesn’t work on the enterprise net any tips? Also I had to put the router in bridge mode for communication to occur
How would guest connect their macOS when policy is computer based with certificate authentication? How would guest get/request certificate and where to place in macOS.
it was in detailed video, thanks for sharing. what if i just want the laptops that are in domain only be able to connect in that case i think we will set the local computers group instead of users. but if we dont add user groups how the username and password will work to connect???
Excellent Video!!! Thank you so much for making this, I’ve been trying to do this for years and all the videos I follow something doesn’t work. Follows the instructions In this video and now my wifi is using a fully functional radius server. Thanks so much
thank you for sharing this video, how can we create the policy when mobile device user authenticates with ID and password, after admin approval they can get the access. Because when i was created SSID with AD authentication our all employee uses same on mobile devices also and it is not good our security perspective. pls help in this
Create a security group and give that group access to Wi-Fi. End users can log a service request and admins can add them to the security group on the requests basis to give Wi-Fi access.
Azure now have a RADIUS Windows 2016 image available in the marketplace that you can use to authenticate Wireless traffic from your APs azuremarketplace.microsoft.com/en-us/marketplace/apps/cloud-infrastructure-services.radius-2016 There is a pretty good tutorial on setting up RADIUS authentication using Azures new RADIUS server on cloudinfrastructureservices.co.uk/how-to-setup-radius-server-2016-in-azure-for-wireless-authentication/
Hello! I have a problem here. I have windows server 2012 and AD DNS DHCP install than I turn off dhcp on my wireless router, my pc get IP address from my dhcp server but my device can’t get IP address from WiFi! So any help pls thx.
hi it was a nice video. but i would like to know. if user is already part of domain then how to skip putting user/pass while connecting to wifi. it should be automated. any suggestion on it.
Care For You Hi there, just letting you know you can check this video deploying Wi-Fi profile through GPO. You can only deploy this profile to Windows devices. Here is the link th-cam.com/video/QSni2IP0QJM/w-d-xo.html
Hello, I have configured the radius server and it works. On the session I have the button to connect but I also have the possibility of entering another login / mdp how to prevent this? THANKS
Excellent guide! However, I - for whatever reason - cannot get mine to work. It is stuck on "Checking Network Requirements". Event viewer reveals repeated 802.1x authentication restarts. Our DHCP is currently running on our Meraki firewall, with the DNS running on DCs. Any idea what might be the cause?
Hello Jay, Thank you for your video. I'm having issues connecting to the wifi network. Everytime i fill in my credentials it loads and sends me back to where i need to put in the credentials, without giving me an error message. When i test this with the built in authentication tester in my AP it does work... I'm using a Ruckus zoneflex r510.
Brian Boere Hi Brian, Have you triend another client, may be a phone could be a good test? Does the same problem occur on other devices as well? Tester checks the radius server only, which means there is no issue with the radius authentication. Once you hit connect from a client, server should offer a certificate. Let me know if the issue is same accross different devices.
How can we specify which SSID The users from the Network group will be connecting? If I have multiple SSIDs but I do not want users from the Security group1(SSID1) to SSID2
What if my AD CS role wasn’t install in the domain controller but other server? Do I need to request the certificate in the DC but not my server, which got AD CS role? Thank you.
I see mostly tutorials on how to do authentication with a domain user. Is there a tutorial or an easy way to do this with a certificate by itself? I was reading about TLS authentication, which i think would work. We've got several thousand chromebooks, and a new wifi network we're deploying. I don't really want to have to explain to everyone how to log in. I just want it to be seamless.
Thank you. You have to do that if your NPS server is different than the DC. In this case, I did not have to register because of TEST-CERT01 is a DC itself and it has the permission to read the dial-in properties of user accounts during the authorization process.
BROTHER!! You are so awesome!! Your video is great! keep up the work! Perfectly edited, you made sure we dont waste time. I am a person who never comments on any video or likes or subscribes. But I have done all this because your work impressed me. The explanation is clear and precise.
Thanks for this! Quick querry, i have my mx84 act as dhcp server, i am able to authenticate from nps but not getting an IP, appreciate if you can give light on this, thanks!
It would be beneficial to provide concise explanations for the addition of certain roles and features. This way, the audience can better understand the purpose of these steps. Additionally, some users may find it unclear how to establish connections or create another virtual machine linked to the server for testing its functionality. Anyways, thank you for creating this video.
I have configured the radius and NPS services by following the same steps but when try to connect Wi-Fi a error showing "unable to connected" kindly guide how to resolve this problem
@@TekNexSolutions I checked all the steps from the video and reconfigure radius and NPS but the problem not resolve showing same error message when try to login
Hi, We have configured the Radius Server (NPS) for Wi-Fi authentication. However, we are currently experiencing an issue: when an Active Directory user's password expires, the Wi-Fi connection is disconnected. Upon attempting to re-authenticate, the system indicates incorrect credentials. We have enabled the setting to reset the AD user password in the Radius Server Policy, but our attempts to reset the password have been unsuccessful. Could you please assist us in resolving this issue?
man I really appreciate it, I spent hours trying to do it without on my own. I was missing the certificate part, I didn't know it was required. Even though that I have enabled all authentication methods. Thank you very much.
Hey Jay, I'm getting the following message when connecting to the Wi-Fi: If you expect to find [wireless SSID name] in this location, go ahead and connect. Otherwise, it may be a different network with the same name. Do you know how I can remove this warning for my clients? Thank You.
brian b Hi Brian, Disregard my earlier message if you received. I checked this and even in production we get the same message, unless you use group policy to deploy the Wi-Fi profile for users/computers. However, I will look into this further and update you once I found if there is anything we can do without GPO. Of course GPO will only work with domain joined devices only. Jay
Thanks for this demonstration. A research a possibility to have mutiple SSID depending of groups in AD. I think i need multiple radius server on my server (if it's possible) but i'v not yet find a way. If anyone have a idea... thank for it
Thank you for the great tutorials! I am pretty green when it comes to certificates. So it looks like the GPO will automatically renew the certificate. But what about on the domain controller/CA? I assume when those certificates are close to expiring i'll have to manually go in and create/renew the certificate?
Normally you would create a Root CA on a laptop (OR cheap Raspberry PI) and Create a life Intermediate CA instead. The laptop (Raspberry Pi) should be shutdown put into a safe and only be used when renewing that intermediate CA.
Hello thanks for your clear video.. I have a pb. I have installed every thing clean, but I want users to log via WiFi before they open a session on Windows... Clients are not logged with wire, they need to connect to WiFi first to have network, and then authenticate with Windows prompt login screen, which is 2 authentications... So bad idea.. Do you know how to connect to the Windows session through WiFi authentication? Thanks a lot if you have an answer dude 👍👍👍
i follow step by step but does'nt work. i user radius server as server but not dc. In my enviornment, i have dc and member server radius server and unify network.
Great video. Can you please offer advice on how to install a certificate from a trusted CA so that mobile clients are not asked to Trust the CA when connecting?
I am sorry, it seems like I missed this comment. Yes, there is a way. However, you can create Wi-Fi profile and can be managed with any MDM solution. This is a bit complex and a lot is involved in it.
Hello Jay, We are currently moving from on premis to Azure only Cloud but there are still some resources where users need to access locally. Is there are any way I can integrate my Sonicwall TZ400 VPN to Azure AD so that users can use their Azure AD user credentials for logging into VPN? also we want to integrate Sonicwall Wireless Access Point with this VPN so that laptop users can get connected to Wireless Access Points.
pavan kistampally Hi Pavan, I haven’t worked on TZ400 but just check if it has Azure VPN authentication. If not then you can spin up a VM and configure onsite AD to sync with Azure. Then onsite AD can be added to TZ400. It would be interesting to know what is solution you deploy. Update here if you can.
Hi. Good video, I have a problem specifying the type of installation of the CA, the CA enterprise mode appears disabled and I would like to know why ?. Thanks for the video best explained
@@TekNexSolutions Hello, at minute 17:56 you are shown two options: Enterprise CA and Standalone CA, both active, but in my case only Standalone CA shows active and Enterprise CA is disabled, that shows me when configuring in Windows Server 2012 R2 and in Windows Server 2016 and I do not know what the problem is, maybe the problem is that the operating system is virtualized ???, use VMWare 14.
I just figured out what is your issue here. Type of virtualization is not a problem. When I created fresh Windows Server 2016 > added role Active Directory Certificate Services > Tried to configure Certificate Authority as an Enterprise CA. It is greyed out same as yours. Reason: My server is not domain joined or it is not a Domain Controller itself. Solution 1: You need a domain in your network > domain join your server > Enterprise CA option will be available Solution 2: Follow exactly same steps in the above video (Create a DC and test the setup), you will not have any issues at all
I've a question. How can I create username and password for every distinct user? I mean I created a User following your video, but I can connect to internet using this username and password from every device. I want to create distinct username and password for one user only.
Amazing Video with Smooth Process. Why td-w8980.test.local device level setup is missing in this video ? this device is windows server or a windows client machine ?
On which minute did you found that? The accesspoint is named “TD-W8980”. The Windows Server is named “TEST-CERT1” and the windows 10 client is named “Win10”. test.local is the local domain, so for example “TD-W8980.test.local” is the accesspoint inside the domain and “Win10.test.local” is the Windows 10 Client inside the domain. Have a nice weekend and greetings KeineChancee
If my radius server is not a domain controller, how do I need to create the certificate? Do I create it on the domain controller, export it, and import it on the radius server? Or do I create a certificate locally on the radius server (the only cert option is 'Computer)'?
Here is a workaround they put in place techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125.
Hello! I have configured it as in your video, but it fails to connect to Enterprise WiFi. I entered the credentials and press connect and then it switches back to enter the credentials again? I tried to connect on my PC/laptop/Android device, but it fails on every device. How to fix this issue? Thanks.
Hi Luba, I would suggest you to go over the video again and check if everything is done according to the video. It seems like you might have missed one or two things. Double check the things like network policy, permissions for AD groups etc.
Hey, Thanks for tutorial. Can I authenticate W-Fi(with certificate integrated) on a win 10 client present in Workgroup? Or is it a pre-requisite for the client to join a Domain?
Configuration requires either a user or machine authentication. User auth does not require the computer to be domain joined, but machine authentication needs the device to be domain joined.
@@TekNexSolutions thanks. I did everything in the tutorial but when i m trying to connect with my phone, the connection screen asks for a CA certificate , there are no options so I choose none, but it just hangs and fails to connect.. any help is appreciated please. Thanks
Hi, this is a great video. I appreciate your content. Question though, is there any way to avoid the prompting of the certificate notice during the authentication process?
Yes, there is. If you install the root cert on the machines. However, on BYO devices you won't be able to install the root cert since you don't manage those devices.
so now, how do you do this with windows domain account..? and once you connect once, having to put in username/password in the wifi connection, after authenticated, do you ever have to do it again?
Hi Jay, I have some question about the certificate. For user authentication like this, does the certificate have to be installed on the client side or only on the server side?
how can i use the same setup but without the users having to enter username and password? Basically only have provided them the certificate to authenticate.
So is the 'windows server 2016' (the thing on the right in your connection diagram in the beginning of the video) a physical machine connected via Ethernet or can you have this as a virtual one in a virtual box? fyi im a total noob
The way it is implemented it acts as a physical machine. However, it is a virtual machine in Hyper-V connected to a physical switch through External Network Adapter. Wi-Fi modem is connected to the same physical switch.
how can i add another computer to connect the wifi? my laptop can connect coz i followed your steps but i tried add my mate Pc's and didnt work, he cant connect to wifi, i added him to 'Test Computers' and then to group 'Wlan Computers', should i generate another cartificate or something like that?
Thank you for the tutorial. It's working fine with Dlink Ap and windiws srv 2012 standard. But the issue is not working for non domain pc.... Any help with that please?
Bagga caticoti abdou It should work for the non-domain pc’s. Check the following: 1. Have you tried the same user which you used for the domain joined pc? User has to be in the right group. 2. Try connecting any phone, your phone should connect to the wireless and it will get certificate from your CA. 3. If phone connects fine then re-install Wi-Fi driver on the non-domain join pc. Let me know how did you go.
Bagga caticoti abdou Also, use fully qualified domain name on the non-domain joined devices. For instance, if your domain is “test.com” and user is “user” then FQDN will be user@domain.com.
Hi Jay Maan Yes it is working fine with the smartphones but not for the laptops, I jave tried with two different laptops with win 10 installed but it did not work. I will try reinstalling the driver and check again. Thank you
Hello Finally it is working, 1- we have to Register NPS server on Active Directory 2-I did not use the wizard to create the policy, I have create it manually and specify the condition as "NAS port Type" and select "IEEE802.11 + Wireless Other" You don't have to use FQDN just type the username and the password Thank you again Jay
Hi, this is a really great video. I was thinking of applying this a similar concept using username and password only for a College for Students to access resources with their personal machines, and not the domain computers. What would I have to change to make this happen. I'd prefer to not have to use certificates for the students' laptops.
Big Ric Than you. For Radius authentication you supposed to have a CA in action. It will be user auth for students BYODs and computer auth for domain joined devices.
@@TekNexSolutions Thanks for replying, but let me ask this, is there some issue(s) with Windows 10 clients requiring a certificate and causes problems to connect to these types of public Wi-Fi with RADIUS auth? I can see Android devices not having this issue, I'm asking as I have a college Wi-Fi network to deploy in the fairly distant future and smooth student connectivity is an area of contention for me.
@@hennessy6996 Android, IOS, macOS and Win 10 Client uses the Windows Radius Authentication in a similar fashion. As demonstrated in the video, when you connect the client and it prompts to trust the Certificate from your CA. Once you do that and connection works as it supposed to be. This method is widely deployed in different production environments that I know of personally, we are talking anywhere between 1500 to 60,000 end users. Have you faced any issues?
@@TekNexSolutions About 9 months ago I tried this and had problems with the Win10 clients requesting credentials repeatedly without ever connecting, I'm picking this up again as I'll have to deploy soon. I'm even thinking of dynamic VLANS with some Aruba Networks switces for wired clients as the existing IT team is very inexperienced. I'll be labbing it out over the next 2 weeks.
Hi bro thanks for your explanation i have a small doubt is it possible to create NPS for wireless connection with two different servers i mean AD is in one server and Radius is in another server is it possible to configure like this
@@TekNexSolutions VERY VERY THANKS FOR YOUR REPLY IS THERE ANY DOCUMENT FOR CONFIGURE LIKE THIS BECAUSE OF IAM NOT AWARE ON THE SERVER SIDE AND ALSO IT IS MY FIRST DEPLOYMENT .
@@guruprasadpinnam1771 First thing you do is configure a server, and then domain join. Once on the domain, then add roles. Let me check if I can find any documentation.
@@TekNexSolutions thanks, i will test tonight with my unifi ha ha, one more question, it will be auto connect after reboot the laptop? coz i try not use certificate after reboot must manually reconnect to wifi
![How RADIUS Authentication Works [Step-by-Step Simplified]](http://i.ytimg.com/vi/LLrb3em-_po/mqdefault.jpg)
![Securing RADIUS with EAP-TLS [Windows Server 2019]](/img/n.gif)
Checkout next part of this series here th-cam.com/video/QSni2IP0QJM/w-d-xo.html . Wi-Fi network settings deployment through GPO.
Thanks let me go through it.
ДЖЗ*33'333×2@= ПЕТРИЬІК**?°¿|©
Hi and thank you for this tutorial. May I ask if its possible to make a "Timed Connection" for each clients who are connected to the network? I would be nice if it limits them to connect like 1-2 hour(s) a day.
Thank you for the very super helpful and detailed guide, I used this today and it was most helpful.
Thank you for this great and direct guide towards RADIUS
very well done bro. useful information with easy explanation and examples
Once a user has logged in using a an android phone, can they still share the internet connection using the QR_code on android?
Thank you so much this wonderful video..
Thanks for this content, it is very helpful.
Glad it was helpful!
Very cool and informative. Do ADCS and NPS need to be on the same server as DC?
Hi bro, beautiful video, are you using vmware workstation or bare metal?
Thank you. This is on Hyper-V.
@@TekNexSolutions Hi bro. Thank you very much for your reply. Did you have any radius server videos with wired.
Somethings are incorrect. Like the thumbprint mentioned is different than the one showed... But that is because it is stitched together I think.
Thank you so much, brother, great content!! . Note: If someone is having issues make sure to also open the inbound firewall port UDP 1812 on your server, and if you have a network firewall also make sure it allows that same traffic from the wireless AP to the Radius Server.
Thank you for this precision, it helped me a lot.
Thanks dude.. Can Android clients Access their home folder via a file explorer ?
TheAmazeer Yes they can. I haven’t tried with the in-built file explorer. You might have to use a third party app which will allow you to enter the share name, credentials and other settings required to access share.
I have a problem. We would like to allow only domain computers and when the NPS authenticates the computer it need toi asks for username and password, but when we add the group( Domain computers/Users in the same policy the NPS does not allow access. If we create 2 separate policies this one does not ask for password since the domain computer is already authenticated with cert. Any help
Great detailed guide!!
you are awesome bro ... i am getting an error "Unable to join wifi-sid". Can you help what should I have to checked. I am using server 2022
Very detailed and excellent video.
Dear we have some quires will you please help us out. We have Multiple VLAN's for Multiple SSID's all VLAN's are in different IP pools. So kindly guide us if we define multiple IP scope for multiple SSID's how user can authenticate to their particular specific SSID ? Waiting for your response.
Hi Tahir,
This would be a sophisticated set up. Give me some time to think.
Jay
Excellent Video. Pls i need to know. If I have multiple Domain Controllers does requesting certificate on one DC replicate to the others?
How to check existing configuration 802.11x ? Cause i have problem 1 group cannot connect to wifi
Great video, I can get communication when I’m on the normal net but it doesn’t work on the enterprise net any tips? Also I had to put the router in bridge mode for communication to occur
Thank u sir
How would guest connect their macOS when policy is computer based with certificate authentication? How would guest get/request certificate and where to place in macOS.
If I change WPA password into radius password now I not able to connecting what I should do
il nostro prof. ci costringe a vedere sto video
Is it a good thing?
it was in detailed video, thanks for sharing. what if i just want the laptops that are in domain only be able to connect in that case i think we will set the local computers group instead of users. but if we dont add user groups how the username and password will work to connect???
You are welcome.
Here is the video for computer based authentication th-cam.com/video/QSni2IP0QJM/w-d-xo.html
You are amazing!!
Do you know why Android device connecting the WiFi ask weird question beside the username and password. Question about certificate
Thanks. It is the OS, and it doesn’t pick the security requirements from the Wi-Fi.
Excellent Video!!! Thank you so much for making this, I’ve been trying to do this for years and all the videos I follow something doesn’t work. Follows the instructions In this video and now my wifi is using a fully functional radius server. Thanks so much
Perspective Thanks. I am glad it helped.
Amazing stuff!!
Its greats. Tks
The Radius server use user and password to sincronize with LDAP?
Excellent video. Thanks for posting.
Eldrinarr you’re welcome.
thank you for sharing this video, how can we create the policy when mobile device user authenticates with ID and password, after admin approval they can get the access. Because when i was created SSID with AD authentication our all employee uses same on mobile devices also and it is not good our security perspective. pls help in this
Create a security group and give that group access to Wi-Fi. End users can log a service request and admins can add them to the security group on the requests basis to give Wi-Fi access.
Hello I am not able to connect when i enter user name and password. Please help me.. I followed all the steps.
Azure now have a RADIUS Windows 2016 image available in the marketplace that you can use to authenticate Wireless traffic from your APs azuremarketplace.microsoft.com/en-us/marketplace/apps/cloud-infrastructure-services.radius-2016
There is a pretty good tutorial on setting up RADIUS authentication using Azures new RADIUS server on cloudinfrastructureservices.co.uk/how-to-setup-radius-server-2016-in-azure-for-wireless-authentication/
Hello! I have a problem here. I have windows server 2012 and AD DNS DHCP install than I turn off dhcp on my wireless router, my pc get IP address from my dhcp server but my device can’t get IP address from WiFi! So any help pls thx.
hi it was a nice video.
but i would like to know. if user is already part of domain then how to skip putting user/pass while connecting to wifi. it should be automated.
any suggestion on it.
Thank you.
Yes it can be done with the help of GPO. Nothing planned yet, may be I record another video for this.
@@TekNexSolutions oh great, if you could create quick video on this GPO will be helpful
Care For You Hi there, just letting you know you can check this video deploying Wi-Fi profile through GPO. You can only deploy this profile to Windows devices. Here is the link th-cam.com/video/QSni2IP0QJM/w-d-xo.html
Hi, Please could you help me with using Microsoft NPS and setting up a test OU for machine-based wired and wireless authentication?
created an SSID on our cisco interface which points the wireless to the correct authentication server and perhaps the same on our switches.
Hello, I have configured the radius server and it works. On the session I have the button to connect but I also have the possibility of entering another login / mdp how to prevent this? THANKS
Excellent guide! However, I - for whatever reason - cannot get mine to work. It is stuck on "Checking Network Requirements". Event viewer reveals repeated 802.1x authentication restarts. Our DHCP is currently running on our Meraki firewall, with the DNS running on DCs. Any idea what might be the cause?
Hello Jay,
Thank you for your video.
I'm having issues connecting to the wifi network. Everytime i fill in my credentials it loads and sends me back to where i need to put in the credentials, without giving me an error message. When i test this with the built in authentication tester in my AP it does work... I'm using a Ruckus zoneflex r510.
Brian Boere Hi Brian,
Have you triend another client, may be a phone could be a good test? Does the same problem occur on other devices as well? Tester checks the radius server only, which means there is no issue with the radius authentication. Once you hit connect from a client, server should offer a certificate. Let me know if the issue is same accross different devices.
Jay Mann, I've also tried this on my phone. The same problem occurs.
How can we specify which SSID The users from the Network group will be connecting? If I have multiple SSIDs but I do not want users from the Security group1(SSID1) to SSID2
Have you configured NAT rule in your physical machine to enable connection for Hyper-V?
Using external virtual switch in Hyper-V which is connected to a physical switch.
What if my AD CS role wasn’t install in the domain controller but other server? Do I need to request the certificate in the DC but not my server, which got AD CS role? Thank you.
Your "hech" scratches my brain.
I see mostly tutorials on how to do authentication with a domain user. Is there a tutorial or an easy way to do this with a certificate by itself? I was reading about TLS authentication, which i think would work. We've got several thousand chromebooks, and a new wifi network we're deploying. I don't really want to have to explain to everyone how to log in. I just want it to be seamless.
darthcircuit I can see where you coming from. In your case, you have to build a Wi-Fi profile and enroll each device to it.
That sounds awful. I guess we'll just stick with PSK for now lol. Thanks :)
Thank you for the video, I tested this with a ubiquiti Wifi and it worked
Did you have a mix of Win7 and Win10 clients? Did you have to install any certs on any of the end clients for this to work?
Hi,
Great video, did you register the NPS in Active Directory also?
Thank you.
You have to do that if your NPS server is different than the DC. In this case, I did not have to register because of TEST-CERT01 is a DC itself and it has the permission to read the dial-in properties of user accounts during the authorization process.
BROTHER!! You are so awesome!! Your video is great! keep up the work! Perfectly edited, you made sure we dont waste time. I am a person who never comments on any video or likes or subscribes. But I have done all this because your work impressed me. The explanation is clear and precise.
Thanks for the amazing feedback and I am glad you enjoyed the video.
Thanks for this! Quick querry, i have my mx84 act as dhcp server, i am able to authenticate from nps but not getting an IP, appreciate if you can give light on this, thanks!
what should i do if i already have DHCP from my firewall
I cannot get this to work with my Fortigate device at all.
It would be beneficial to provide concise explanations for the addition of certain roles and features. This way, the audience can better understand the purpose of these steps. Additionally, some users may find it unclear how to establish connections or create another virtual machine linked to the server for testing its functionality. Anyways, thank you for creating this video.
I have configured the radius and NPS services by following the same steps but when try to connect Wi-Fi a error showing "unable to connected" kindly guide how to resolve this problem
Check the steps again, must have missed something simple. The guide hasn’t changed for years.
@@TekNexSolutions I checked all the steps from the video and reconfigure radius and NPS but the problem not resolve showing same error message when try to login
Hi..
If possible I need to get some help...
Setup made successfully but not able to connect Wi-Fi...
Hi,
We have configured the Radius Server (NPS) for Wi-Fi authentication. However, we are currently experiencing an issue: when an Active Directory user's password expires, the Wi-Fi connection is disconnected. Upon attempting to re-authenticate, the system indicates incorrect credentials.
We have enabled the setting to reset the AD user password in the Radius Server Policy, but our attempts to reset the password have been unsuccessful.
Could you please assist us in resolving this issue?
Are you using a cloud hosted VM as you radius server? like with Azure Domain Name Services?
man I really appreciate it, I spent hours trying to do it without on my own. I was missing the certificate part, I didn't know it was required. Even though that I have enabled all authentication methods. Thank you very much.
Hey Jay,
I'm getting the following message when connecting to the Wi-Fi: If you expect to find [wireless SSID name] in this location, go ahead and connect. Otherwise, it may be a different network with the same name.
Do you know how I can remove this warning for my clients?
Thank You.
brian b Hi Brian,
Disregard my earlier message if you received.
I checked this and even in production we get the same message, unless you use group policy to deploy the Wi-Fi profile for users/computers. However, I will look into this further and update you once I found if there is anything we can do without GPO. Of course GPO will only work with domain joined devices only.
Jay
@@TekNexSolutions I'd really like an answer to this question if you have one. Thanks.
Well done demonstration, Jay Mann. Any plans on an upcoming video on SSO 802.1X GPO for WS2016/W10?
Thanks. Yes, it can be done but have not planned anything about it yet.
Here is the link th-cam.com/video/QSni2IP0QJM/w-d-xo.html
Thanks for this demonstration. A research a possibility to have mutiple SSID depending of groups in AD. I think i need multiple radius server on my server (if it's possible) but i'v not yet find a way. If anyone have a idea... thank for it
If user changed password still it able trust and connect WiFi based on first connection.
User need to re-authenticate with the new password.
i was able to get it to ask for user and password, but it will not authenitcate to get wifi access :(
Finally got this to work, I knew it was a server config error, but this explained it very well, bravo!
Guys what computer should i use?
Great video, a very nice explanation of the components to achieve the goal, thanks, you've helped a lot today!
what about certificate subject name
Thank you for the great tutorials! I am pretty green when it comes to certificates. So it looks like the GPO will automatically renew the certificate. But what about on the domain controller/CA? I assume when those certificates are close to expiring i'll have to manually go in and create/renew the certificate?
Normally you would create a Root CA on a laptop (OR cheap Raspberry PI) and Create a life Intermediate CA instead. The laptop (Raspberry Pi) should be shutdown put into a safe and only be used when renewing that intermediate CA.
Hello thanks for your clear video.. I have a pb. I have installed every thing clean, but I want users to log via WiFi before they open a session on Windows... Clients are not logged with wire, they need to connect to WiFi first to have network, and then authenticate with Windows prompt login screen, which is 2 authentications... So bad idea.. Do you know how to connect to the Windows session through WiFi authentication? Thanks a lot if you have an answer dude 👍👍👍
You have to create a gpo. Allow user login only when DC is available. DC will only be available when device is connected to the network.
very nice ... Thanks
i follow step by step but does'nt work. i user radius server as server but not dc. In my enviornment, i have dc and member server radius server and unify network.
Must have missed something. I have added Unifi with same setup and works fine.
Great video.
Can you please offer advice on how to install a certificate from a trusted CA so that mobile clients are not asked to Trust the CA when connecting?
I am sorry, it seems like I missed this comment. Yes, there is a way. However, you can create Wi-Fi profile and can be managed with any MDM solution. This is a bit complex and a lot is involved in it.
Hello Jay, We are currently moving from on premis to Azure only Cloud but there are still some resources where users need to access locally. Is there are any way I can integrate my Sonicwall TZ400 VPN to Azure AD so that users can use their Azure AD user credentials for logging into VPN? also we want to integrate Sonicwall Wireless Access Point with this VPN so that laptop users can get connected to Wireless Access Points.
pavan kistampally Hi Pavan, I haven’t worked on TZ400 but just check if it has Azure VPN authentication. If not then you can spin up a VM and configure onsite AD to sync with Azure. Then onsite AD can be added to TZ400. It would be interesting to know what is solution you deploy. Update here if you can.
How about for wired connection authentication with Windows Server?
Hi.
Good video, I have a problem specifying the type of installation of the CA, the CA enterprise mode appears disabled and I would like to know why ?.
Thanks for the video best explained
Jose Luis Llampa Colque Strange issue. I never had that problem. Are you installing CA on a DC(like I did) or it is a different server?
@@TekNexSolutions Hello, at minute 17:56 you are shown two options: Enterprise CA and Standalone CA, both active, but in my case only Standalone CA shows active and Enterprise CA is disabled, that shows me when configuring in Windows Server 2012 R2 and in Windows Server 2016 and I do not know what the problem is, maybe the problem is that the operating system is virtualized ???, use VMWare 14.
I just figured out what is your issue here. Type of virtualization is not a problem. When I created fresh Windows Server 2016 > added role Active Directory Certificate Services > Tried to configure Certificate Authority as an Enterprise CA. It is greyed out same as yours.
Reason: My server is not domain joined or it is not a Domain Controller itself.
Solution 1: You need a domain in your network > domain join your server > Enterprise CA option will be available
Solution 2: Follow exactly same steps in the above video (Create a DC and test the setup), you will not have any issues at all
Thanks for the great content and it was really helpful as I was looking to learn more about servers
Nicely explained 👌
Can you please make a video on Wired authentication?
Good job
I've a question.
How can I create username and password for every distinct user? I mean I created a User following your video, but I can connect to internet using this username and password from every device. I want to create distinct username and password for one user only.
Sorry, it took me a while to respond to your comment. Have you solved your issue?
As always...an excellent video. Thanks very much.
ninja2807 you are most welcome
Amazing Video with Smooth Process.
Why td-w8980.test.local device level setup is missing in this video ? this device is windows server or a windows client machine ?
Its an accesspoint :)
@@keinechancee5361 Device: rs-w8980.test.local is a windows 10 or windows server device ?
@jay
On which minute did you found that?
The accesspoint is named “TD-W8980”.
The Windows Server is named “TEST-CERT1”
and the windows 10 client is named “Win10”.
test.local is the local domain, so for example “TD-W8980.test.local” is the accesspoint inside the domain and “Win10.test.local” is the Windows 10 Client inside the domain.
Have a nice weekend and greetings
KeineChancee
If my radius server is not a domain controller, how do I need to create the certificate? Do I create it on the domain controller, export it, and import it on the radius server? Or do I create a certificate locally on the radius server (the only cert option is 'Computer)'?
Here is a workaround they put in place techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125.
Hello! I have configured it as in your video, but it fails to connect to Enterprise WiFi. I entered the credentials and press connect and then it switches back to enter the credentials again? I tried to connect on my PC/laptop/Android device, but it fails on every device. How to fix this issue? Thanks.
Hi Luba,
I would suggest you to go over the video again and check if everything is done according to the video. It seems like you might have missed one or two things. Double check the things like network policy, permissions for AD groups etc.
Can we authenticate users with radius coming as visitor and connect our wifi ?
Hey, Thanks for tutorial. Can I authenticate W-Fi(with certificate integrated) on a win 10 client present in Workgroup?
Or is it a pre-requisite for the client to join a Domain?
Configuration requires either a user or machine authentication. User auth does not require the computer to be domain joined, but machine authentication needs the device to be domain joined.
i thought this method only allowed known machines to connect . how come you could connect your phone to it?
This is a user based policy not a computer based.
@@TekNexSolutions thanks. I did everything in the tutorial but when i m trying to connect with my phone, the connection screen asks for a CA certificate , there are no options so I choose none, but it just hangs and fails to connect.. any help is appreciated please. Thanks
Hi, this is a great video. I appreciate your content.
Question though, is there any way to avoid the prompting of the certificate notice during the authentication process?
Yes, there is. If you install the root cert on the machines. However, on BYO devices you won't be able to install the root cert since you don't manage those devices.
so now, how do you do this with windows domain account..? and once you connect once, having to put in username/password in the wifi connection, after authenticated, do you ever have to do it again?
Device from where you connect should remember the credentials for that specific SSID. So you do not have to provide credentials everytime you connect.
Hi Jay, I have some question about the certificate.
For user authentication like this, does the certificate have to be installed on the client side or only on the server side?
Server will offer the client a cert upon successful authentication. Only server side will be sufficient.
how can i use the same setup but without the users having to enter username and password? Basically only have provided them the certificate to authenticate.
What type of end users and devices we are looking at?
Can do this with SHA-256 Certificate?
I have just tested the setup with SHA-256 and it works fine.
Thanks for this video, helped me a lot. Yes I ended up using SHA-256 an it worked fine.
So is the 'windows server 2016' (the thing on the right in your connection diagram in the beginning of the video) a physical machine connected via Ethernet or can you have this as a virtual one in a virtual box? fyi im a total noob
The way it is implemented it acts as a physical machine. However, it is a virtual machine in Hyper-V connected to a physical switch through External Network Adapter. Wi-Fi modem is connected to the same physical switch.
Same thing can be achieved through Virtual Box as well with understanding of how the virtual network adapters work.
Thanks, first clarification on that on the internet.
What if your DHCP server is elsewhere ?
how can i add another computer to connect the wifi? my laptop can connect coz i followed your steps but i tried add my mate Pc's and didnt work, he cant connect to wifi, i added him to 'Test Computers' and then to group 'Wlan Computers', should i generate another cartificate or something like that?
Which OS your mate's PC has?
@@TekNexSolutions i tied on diffrent laptop and it works fine, so i guess it was problem with the software on something like that, thanks
Can you guide me, how to monitor users?
Could you elaborate what is your intention?
Thank you for the tutorial. It's working fine with Dlink Ap and windiws srv 2012 standard. But the issue is not working for non domain pc.... Any help with that please?
Bagga caticoti abdou It should work for the non-domain pc’s. Check the following:
1. Have you tried the same user which you used for the domain joined pc? User has to be in the right group.
2. Try connecting any phone, your phone should connect to the wireless and it will get certificate from your CA.
3. If phone connects fine then re-install Wi-Fi driver on the non-domain join pc.
Let me know how did you go.
Bagga caticoti abdou Also, use fully qualified domain name on the non-domain joined devices. For instance, if your domain is “test.com” and user is “user” then FQDN will be user@domain.com.
Hi Jay Maan
Yes it is working fine with the smartphones but not for the laptops, I jave tried with two different laptops with win 10 installed but it did not work.
I will try reinstalling the driver and check again.
Thank you
Hello Finally it is working,
1- we have to Register NPS server on Active Directory
2-I did not use the wizard to create the policy, I have create it manually and specify the condition as "NAS port Type" and select "IEEE802.11 + Wireless Other"
You don't have to use FQDN just type the username and the password
Thank you again Jay
Bagga caticoti abdou sounds good. I am happy that it is working now.
Nice video .. Just a quick question, how do you set up similarly for Guest Users? Please post me some steps, appreciate your help. Thanks
do you have a guide on how to apply captive portal using this?
Thanks for Sharing
Hi, this is a really great video. I was thinking of applying this a similar concept using username and password only for a College for Students to access resources with their personal machines, and not the domain computers. What would I have to change to make this happen. I'd prefer to not have to use certificates for the students' laptops.
Big Ric Than you. For Radius authentication you supposed to have a CA in action.
It will be user auth for students BYODs and computer auth for domain joined devices.
@@TekNexSolutions Thanks for replying, but let me ask this, is there some issue(s) with Windows 10 clients requiring a certificate and causes problems to connect to these types of public Wi-Fi with RADIUS auth? I can see Android devices not having this issue, I'm asking as I have a college Wi-Fi network to deploy in the fairly distant future and smooth student connectivity is an area of contention for me.
@@hennessy6996 Android, IOS, macOS and Win 10 Client uses the Windows Radius Authentication in a similar fashion. As demonstrated in the video, when you connect the client and it prompts to trust the Certificate from your CA. Once you do that and connection works as it supposed to be. This method is widely deployed in different production environments that I know of personally, we are talking anywhere between 1500 to 60,000 end users.
Have you faced any issues?
@@TekNexSolutions About 9 months ago I tried this and had problems with the Win10 clients requesting credentials repeatedly without ever connecting, I'm picking this up again as I'll have to deploy soon. I'm even thinking of dynamic VLANS with some Aruba Networks switces for wired clients as the existing IT team is very inexperienced. I'll be labbing it out over the next 2 weeks.
@@hennessy6996 I don't see any issues moving forward with this. However, try it in your lab and it should work.
Hi bro thanks for your explanation i have a small doubt is it possible to create NPS for wireless connection with two different servers i mean AD is in one server and Radius is in another server is it possible to configure like this
Absolutely it is. Make second server a domain member and add NPS roles to it.
@@TekNexSolutions VERY VERY THANKS FOR YOUR REPLY IS THERE ANY DOCUMENT FOR CONFIGURE LIKE THIS BECAUSE OF IAM NOT AWARE ON THE SERVER SIDE AND ALSO IT IS MY FIRST DEPLOYMENT .
@@guruprasadpinnam1771 First thing you do is configure a server, and then domain join.
Once on the domain, then add roles.
Let me check if I can find any documentation.
@@TekNexSolutions THANKS FOR YOUR RPLY .I HAVE CREATED A DOMAIN AND ADDED ANOTHER SERVER IN TO THE DOMAIN BUT I DONT KNOW HOW TO ADD ROLES
Do you already have Active Directory Certificate Services server in your environment?
for mac and linux can use username and password we created on AD right?
Yes, it will work.
@@TekNexSolutions thanks, i will test tonight with my unifi ha ha, one more question, it will be auto connect after reboot the laptop? coz i try not use certificate after reboot must manually reconnect to wifi
It should remember the network.