I am trying to find documentation on how to properly configure Windows Server (2016) with AD/NPS/RADIUS to authenticate administrators on our ZD (and eventually SZ) controllers. We are NOT looking to authenticate WiFi users.
Are there any special attributes we need to add? Assuming Service-Type: Login and removing any Framed statements (PPP). Anything else?
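As an added example (not from this thread, and not Ruckus or Microsoft code), here is a Python sketch of the exchange the question describes: a RADIUS Access-Request that carries Service-Type=Login and no Framed (PPP) attributes, the attribute parser for it, and the condition an NPS network policy would match on. The shared secret, NAS-Identifier and credentials are constructed placeholders.

```python
import hashlib, os, struct

# RFC 2865 attribute type numbers and the Service-Type value the question assumes.
USER_NAME, USER_PASSWORD, SERVICE_TYPE, FRAMED_PROTOCOL, NAS_IDENTIFIER = 1, 2, 6, 7, 32
SERVICE_TYPE_LOGIN = 1          # Service-Type = Login (admin GUI/CLI login, not Framed/PPP)

def _crypt_password(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, digest))
        out += result
        prev = block if decrypt else result   # chaining always uses the ciphertext block
    return out

def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    return _crypt_password(padded, secret, authenticator, decrypt=False)
def decrypt_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Trailing NUL padding is stripped, so passwords ending in NUL bytes are not supported.
    return _crypt_password(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(username: str, password: str, secret: bytes, nas_id: str, ident: int = 0) -> bytes:
    """Access-Request for an admin login: User-Name, User-Password, NAS-Identifier, Service-Type=Login."""
    authenticator = os.urandom(16)              # Request Authenticator, must be unpredictable
    attrs = b""
    for attr_type, value in [(USER_NAME, username.encode()),
                             (USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator)),
                             (NAS_IDENTIFIER, nas_id.encode()),
                             (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))]:
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs   # code 1 = Access-Request

def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV attribute list after the 20-byte header; returns {type: raw value}."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def is_admin_login_request(packet: bytes) -> bool:
    """Policy condition from the question: Service-Type must be Login and no Framed-Protocol (PPP)."""
    attrs = parse_attributes(packet)
    return attrs.get(SERVICE_TYPE) == struct.pack("!I", SERVICE_TYPE_LOGIN) and FRAMED_PROTOCOL not in attrs
```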
Dave Bauman, you do ideally need an internal AD CA that issues certificates to your NPS servers, and probably your workstations and DCs too, and the CA is in Trusted Root Certificate Authority on the connecting workstations (which an AD CA cert is automatically added to by AD on all domain-joined workstations).
To issue to workstations: GPO Computer Config > Policies > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings > Automatic Certificate Request > Computer...
We don't really use AD for workstations or at all at this time. We have a lot of gear in the field and are moving away from a single admin login/password as it has become unmanageable. The only purpose for AD/Radius at this time is to authenticate our admins in the field.
Fair enough. I do use 802.1X for BYOD, but the devices complain about the cert and Windows PCs won't even connect unless you put the root AD CA in the trusted root or use a publicly trusted cert (but not a wildcard), but then it complains about the name mismatch... but it does work, just a bit clunky on first connect.
That's my BYOD RADIUS setup... not perfect but it does work. I don't think the vendor-specific bit is needed; I think that was me trying to use one NPS server for both computer auth and BYOD user auth. In the end I split them.