Zone Director and NPS/Radius for Admin authentication

  • 1
I am trying to find documentation on how to properly configure Windows(2016) Server with AD/NPS/Radius to authenticate administrators on our ZD (and eventually SZ) controllers.  We are NOT looking to authenticate WiFi users.

Are there any special attributes we need to add? Assuming Service-Type: Login and removing any Framed statements (PPP). Anything else?
Dave Bauman

  • 10 Posts
  • 0 Reply Likes

Posted 7 months ago

  • 1
Dave Bauman

  • 10 Posts
  • 0 Reply Likes
Update: I've found that the authentication appears to succeed on NPS, but the ZD1200 controller doesn't seem to think so.
Gordon Taylor

  • 15 Posts
  • 1 Reply Like
OK, I got that if you want to delete it.
Gordon Taylor

  • 15 Posts
  • 1 Reply Like
Dave Bauman, you do ideally need an internal AD CA that issues certificates to your NPS servers and probably your workstations and DCs too, and the CA is in Trusted Root Certification Authorities on the connecting workstations (which an AD CA cert is automatically added to by AD on all domain-joined workstations).

To issue to workstations:
GPO Computer Config > Policies > Windows Settings > Security Settings > Public Key Policies / Automatic Certificate Request Settings > Automatic Certificate Request > Computer...
Dave Bauman

  • 10 Posts
  • 0 Reply Likes
We don't really use AD for workstations or at all at this time. We have a lot of gear in the field and are moving away from a single admin login/password as it has become unmanageable. The only purpose for AD/RADIUS at this time is to authenticate our admins in the field.
Gordon Taylor

  • 15 Posts
  • 1 Reply Like
Fair enough. I do use 802.1X for BYOD, but the devices complain about the cert and Windows PCs won't even connect unless you put the root AD CA in the trusted root or use a publicly trusted cert (but not a wildcard), but then it complains about the name mismatch... but it does work.... just a bit clunky on first connect.
Gordon Taylor

  • 15 Posts
  • 1 Reply Like
That's my BYOD RADIUS setup... not perfect, but it does work. I don't think the vendor-specific bit is needed; I think that was me trying to use one NPS server for both computer auth and BYOD user auth. In the end I split them.
Brian Powers

  • 17 Posts
  • 9 Reply Likes
Dave,

You're trying to actually log into the ZD/SZ, yes? If you have it all configured and you're getting the proper accept message within your NPS logs, are you logging in with your full AD address (email, basically)? We log in to a vSZ via our AD/NPS/RADIUS, but the vSZ only supports PAP/CHAP and we had to make some adjustments to our NPS policy, and even then we still have to use the full account name (<username>@<site.abc>).
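As an added example (not code from this thread, nor from Ruckus or Microsoft), the exchange the question and Brian's reply describe, modelled on plain RFC 2865 PAP: the controller sends User-Name, a hidden User-Password and Service-Type=Login, the server looks up the full account name (user@realm) and answers Accept or Reject, and the controller only honours an Accept whose Response Authenticator verifies under its own shared secret (a shared-secret mismatch is one way an NPS-side "success" never reaches the controller). The secret, realm and user table are constructed; that the server should require Service-Type=Login and echo it back is an assumption taken from the question, not something the thread confirms for ZD/SZ.

```python
import hashlib
import os
import struct
# RFC 2865 packet codes and attribute types (standard values).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
SERVICE_TYPE_LOGIN = 1  # Service-Type = Login, as proposed in the question
def pap_xform(data, secret, authenticator, decrypt=False):
    """RFC 2865 s5.2 User-Password hiding: each 16-byte chunk XOR MD5(secret + previous cipher block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev, out = (data[i:i + 16] if decrypt else chunk), out + chunk
    return out

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t], i = data[i + 2:i + length], i + length
    return attrs

def access_request(username, password, secret, ident=1):
    """Controller (NAS) side: PAP credentials plus Service-Type=Login under a fresh Request Authenticator."""
    req_auth, pw = os.urandom(16), password.encode()
    return build_packet(ACCESS_REQUEST, ident, req_auth, [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, pap_xform(pw + b"\x00" * (-len(pw) % 16), secret, req_auth)),
        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))])

def server_reply(packet, secret, users):
    """Server (NPS-like) side: look up the full account name, check the PAP password, require Service-Type=Login."""
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:])
    name = attrs.get(USER_NAME, b"").decode()
    pw = pap_xform(attrs.get(USER_PASSWORD, b""), secret, req_auth, decrypt=True).rstrip(b"\x00")
    svc = struct.unpack("!I", attrs[SERVICE_TYPE])[0] if SERVICE_TYPE in attrs else None
    ok = code == ACCESS_REQUEST and users.get(name) == pw and svc == SERVICE_TYPE_LOGIN
    reply_attrs = [(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))] if ok else []
    unsigned = build_packet(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, reply_attrs)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]

def nas_accepts(reply, request, secret):
    """NAS side: an Accept counts only if its Response Authenticator verifies under the NAS's own secret."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[0] == ACCESS_ACCEPT and reply[4:20] == expected
```

The PAP hiding is only an MD5 keystream derived from the shared secret, so a long random secret per controller and a dedicated NPS policy for the controllers are what actually protect those admin credentials in transit.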