
I have many Ubiquiti Unifi APs connected to a Windows Server 2012 NPS radius server.

I configured security policies to let domain users connect to the local network.

I'm having some trouble with Windows 7 clients. I get the message "Impossible to connect".

In C:\Windows\System32\LogFiles, I see the Access-Request packet and an 11 packet that seems to be Access-Challenge. I did not see any event log entry about a rejected connection.

I tried to manually configure the wireless connection with this tutorial but had no luck:

Unifi - Windows 7 - manual

With non-Windows devices (like mobiles, tablets, Mac computers) the RADIUS connection works perfectly!

How can I get the Windows 7 clients to work as well?

slayernoah
Tobia

1 Answer

I just did this exact thing, but I used Windows Server 2008R2 as the RADIUS server.

The guide that you linked to looks good, actually; it just needs to match your settings on the NPS/RADIUS server. By default, Windows 7 computers will try to authenticate with the computer's domain password when they first power on, and then with the username/password once you have logged in. By default, Windows 7 will also try to verify that the certificate presented by the RADIUS server is trusted. The guide you linked to shows you how to force the Windows 7 client to authenticate with the user information only. You should make sure this matches your actual NPS policy.

Here is what I did for my Unifi install:

  1. We have a domain PKI, so I generated a domain-trusted certificate for the RADIUS server. If you use a self-signed certificate, you should use GPO to deploy it to the Trusted Root Certification Authorities on the client devices.
  2. I set the RADIUS Connection Policy authentication method to EAP-MSCHAPv2.
  3. I created 2 network policies to match 2 SSIDs: Domain Computers, and Domain Users. I then used the "Called Station ID" RADIUS attribute to set up appropriate conditions: Machine Group: Domain\Domain Computers for the "Computers" SSID, and User Group: Domain\Wireless Users for the "Users" SSID.
  4. I then deployed the proper settings using GPO Group Policy Preferences to all of our domain-joined laptops.

By the way, you listed a very minimal error message, but if you look in the Windows Security event log, you should be able to get much more detailed information about where the RADIUS authentication is failing.

The most likely error sources will be:

  • Improper or untrusted certificate
  • Windows is attempting to use the wrong password (machine vs. user password) on a domain-joined device.
  • You have set up the authentication method differently on the RADIUS server than on the client.

The Unifi AP just passes on the RADIUS authentication, by the way: that won't be part of the equation at all. Just look at the RADIUS server and the client device.

Quinten
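The answer above points at the Windows Security event log on the NPS server as the place where the real failure reason lives. The following PowerShell script is an added example, not code from the original post or from Ubiquiti/Microsoft; it pulls the NPS audit events out of that log and lists, per attempt, the account used (so you can see whether the client tried the machine account or the user account), the Called-Station-Id the AP sent (the value your SSID conditions have to match), the EAP type, the network policy that matched, and the NPS reason code. It assumes you run it elevated on the NPS server and that the "Network Policy Server" audit subcategory is enabled with `auditpol` (it is empty otherwise); the event IDs 6272/6273/6274 are the standard NPS audit events and the field names are the ones shown in each event's XML view. The parameter names `$Hours` and `$Filter` are this example's own.

```powershell
# Added example (not from the original post): summarise NPS authentication
# outcomes from the Security log on the NPS server, so a failing Windows 7
# client can be traced to a network policy, a reason code and the account it used.
#
# Assumptions: run elevated on the NPS server; auditing of the "Network Policy
# Server" subcategory is enabled, e.g.
#   auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
# Event IDs 6272 (access granted), 6273 (access denied) and 6274 (request
# discarded) are the standard NPS audit events; the EventData field names used
# below are the ones shown in the events' XML view in Event Viewer.

param(
    [int]$Hours = 24,       # how far back to look
    [string]$Filter = ''    # optional substring match on the account, e.g. 'laptop01' or 'jdoe'
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273, 6274
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No NPS audit events in the last $Hours hour(s). Is 'Network Policy Server' auditing enabled?"
    return
}

$rows = foreach ($e in $events) {
    # Flatten the named EventData fields of the event XML into a hashtable.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $outcome = 'DISCARDED'
    switch ($e.Id) {
        6272 { $outcome = 'GRANTED' }
        6273 { $outcome = 'DENIED' }
    }

    # A machine authentication shows up as the computer account (SAM name ending
    # in '$', or a 'host/...' principal); a user authentication as DOMAIN\user.
    $account   = $d['FullyQualifiedSubjectUserName']
    $isMachine = ($d['SubjectUserName'] -like '*$') -or ($account -like 'host/*')
    $authAs    = 'user'
    if ($isMachine) { $authAs = 'machine' }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        Outcome       = $outcome
        Account       = $account
        AuthAs        = $authAs
        ClientMAC     = $d['CallingStationID']    # wireless client MAC
        CalledStation = $d['CalledStationID']     # what the AP sent (typically AP MAC:SSID)
        RadiusClient  = $d['ClientName']          # the AP as named in NPS
        EAPType       = $d['EAPType']
        NetworkPolicy = $d['NetworkPolicyName']
        ReasonCode    = $d['ReasonCode']
        Reason        = $d['Reason']
    }
}

if ($Filter) { $rows = $rows | Where-Object { $_.Account -like "*$Filter*" } }

# Most recent attempts first: shows machine-vs-user, EAP type and the policy hit.
$rows | Sort-Object Time -Descending | Select-Object -First 20 |
    Format-Table Time, Outcome, Account, AuthAs, CalledStation, EAPType, NetworkPolicy, ReasonCode -AutoSize

# Roll-up of every non-granted attempt by policy and reason, so the dominant
# failure (bad credentials, no matching policy, wrong EAP method, ...) stands out.
$rows | Where-Object { $_.Outcome -ne 'GRANTED' } |
    Group-Object NetworkPolicy, ReasonCode, Reason |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize -Wrap
```

Two things to read off the output. First, the `AuthAs` column tells you whether the Windows 7 client is presenting its computer account or the user's account at the moment of failure, which is exactly the machine-vs-user password suspect in the answer; if machine attempts are being denied with "no matching network policy" on an SSID that only has a user-group policy, that is your mismatch. Second, the `CalledStation` column shows the literal string the Unifi AP puts in Called-Station-Id, so the condition pattern on each network policy can be checked against what is really being sent rather than against the SSID name you assumed. If there are no 6273 events at all for the failing client, the client is most likely giving up before the handshake completes (typically because it does not trust the RADIUS server certificate), and the answer to look for is on the client side.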