  • Dynamic Vlan Assignment Microsoft Nps Radius
    Uncategorized 2020. 3. 16. 14:31

    Managed to resolve this. I don't really understand the certificates on RADIUS to be honest; I am going to do some digging and learning on this, because I really don't feel like I know enough. I had to go into NPS: Policies > Network Policies > double-click the policy name > Constraints tab > Auth Methods > select EAP/PEAP and click Edit. I changed the 'Certificate issued to' dropdown and tried different ones. I am now using the cert with CA-1 on the end because the server itself is a root CA.

    All seems to be working now, even on Windows 7. Sorry this isn't the most informative, but I thought I would put my solution just in case anyone else has similar issues with similar knowledge of RADIUS as me. Thanks for the comments though everyone :)

    There are multiple pieces to this puzzle.

    I did this many years ago. You still need 2 separate VLANs, because while NPS can specify which VLAN/WLAN a device gets put onto, there is no mechanism to prevent a user with domain credentials on the network from accessing your servers. The only way to do that is to 'firewall' them onto a separate VLAN and put security rules in place on the network to prevent traffic from that 'guest' VLAN from accessing the main network.

    To authenticate to the main network, you can set it up so that only 'domain computers' can authenticate to that, which prevents users with valid user credentials from getting on.

    I also came to the same conclusion and removed the need for both. I set up the policy to only authenticate by Domain Computers, and it won't work. Based on the IAS logs, it shows the user credentials getting passed to RADIUS. I'm assuming this is because when nobody is logged in, the machine provides its own credentials via 802.1x, and as soon as the user logs in, it passes the user credentials instead.

    Now the question is: how do you properly configure machine-based authentication while the user is logged in? Certificates?

    Justin, I just did exactly that. Set up PEAP, EAP types set to Smart Card or other certificate, select DC1.mydomain.local certificate (not domain-DC1-CA cert), and conditions are wireless + Windows groups: domain users.

    Now the issue I get in the IAS logs is: "Authentication failed. The certificate is malformed and Extensible Authentication Protocol (EAP) cannot locate credential information in the certificate."

    I did some googling and found some Cisco switch users set the MTU Framing to 1344 on the policy to avoid packets being dropped in the transport device chain, but it did not work.

    I did a full troubleshooting session with the certificates I had on the machine by setting it to authenticate with just secured passwords (EAP-MSCHAPv2) and then disabling MSCHAPv2 after wiring the machine and requesting a new Computer certificate. After attempting to connect with just EAP-TLS with computer certificates, it fails.

    I feel like I'm missing something obvious here in my implementation of NPS/CA and EAP-TLS. As far as I can tell, the NPS configuration looks sound and perhaps I am configuring the wireless network incorrectly on the Win 7 test client.

    Hi Friend,

    Adding to the reply by Victor, here are steps to configure the RAS policy for dynamic VLAN assignment.

    1. Select New policy and give a name (DemoPolicy)
    2. Select Wireless
    3. Select the user group to map this policy (Manager is a group)
    4. Select Grant RAS and click on Edit profile
    5. Select Advanced Tab and select Add
    6. Select Attribute name as either Filterid or 'Vendor specific'.
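To check what a policy like the one in the steps above actually returns, the attributes of a captured Access-Accept can be decoded and inspected. This is an added example, not part of the thread and not NPS code. It goes beyond the steps by also reading the RFC 3580 Tunnel-* attributes commonly used for VLAN assignment, and the function names and the sample packet are constructed for illustration.

```python
import struct
# Attribute numbers from RFC 2865 (Filter-Id, Vendor-Specific) and RFC 2868 (Tunnel-*).
FILTER_ID, VENDOR_SPECIFIC, ACCESS_ACCEPT = 11, 26, 2
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PVT_GROUP = 64, 65, 81

def attr(atype, value):
    """Encode one attribute: type, length (2-byte header included), value."""
    return bytes([atype, len(value) + 2]) + value

def build_accept(attrs, ident=1):
    """Build a constructed Access-Accept with a zeroed authenticator (sample data only)."""
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_attributes(packet):
    """Yield (type, value) pairs, rejecting truncated or overlong attributes."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def vlan_assignment(packet):
    """Summarise the VLAN-related attributes carried in an Access-Accept."""
    if packet[:1] != bytes([ACCESS_ACCEPT]):
        raise ValueError("not an Access-Accept")
    out = {"filter_id": None, "vlan": None, "vendor_ids": [], "rfc3580_ok": False}
    ttype = tmedium = None
    for atype, value in parse_attributes(packet):
        if atype == FILTER_ID:
            out["filter_id"] = value.decode("utf-8", "replace")
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            out["vendor_ids"].append(struct.unpack("!I", value[:4])[0])
        elif atype == TUNNEL_TYPE and len(value) == 4:
            ttype = int.from_bytes(value[1:], "big")  # first byte is the tag
        elif atype == TUNNEL_MEDIUM and len(value) == 4:
            tmedium = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PVT_GROUP and value:
            # A leading byte in 0x01-0x1F is a tag, otherwise it is part of the string.
            text = value[1:] if 0 < value[0] <= 0x1F else value
            out["vlan"] = text.decode("ascii", "replace")
    # RFC 3580 VLAN assignment: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6), group ID set.
    out["rfc3580_ok"] = ttype == 13 and tmedium == 6 and out["vlan"] is not None
    return out

SAMPLE = build_accept(  # constructed: Filter-Id "DemoPolicy" plus a VLAN 20 assignment
    attr(FILTER_ID, b"DemoPolicy") + attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
    + attr(TUNNEL_MEDIUM, b"\x00\x00\x00\x06") + attr(TUNNEL_PVT_GROUP, b"20"))
```

A reply that carries only Filter-Id or a Vendor-Specific attribute reports `rfc3580_ok` as false, which shows at a glance which assignment method the policy is using.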
