Hey everyone! I've been struggling for weeks to figure out why my Network Policy Server (NPS) isn't mapping connection requests from Entra joined devices to user accounts properly. Just to give you some context:
- My existing domain-joined devices authenticate without issues using device certificates from the Certificate Authority (CA), and everything works smoothly.
- I'm currently on a cloud migration project and trying to replicate this setup for Entra joined devices using SCEP/NDES.
- I tried using device certificates with dummy AD objects, but that approach hit the same wall.
- After some research, I read that user certificates might work better for non-domain joined devices, so here I am!
Here's a breakdown of my current setup:
1. **NPS Policy**: I have certain conditions and constraints, which I've linked to screenshots for clarity. One thing I'm stuck on is why there are multiple certificates in the dropdown – how do I choose the right one?
2. **SCEP Profile**: The SCEP certificate is being issued to the device, and I see the certificate details in the user personal store.
3. **Trusted Root Certificate**: This has been deployed through Intune to my test device.
4. **SCEP Certificate Details**: The EKUs and SANs are configured as needed.
5. **WiFi Profile**: I created this manually and will push it via Intune once everything works.
Despite all of this, when I try to connect to the SSID, I'm hit with an access denial on the NPS server, and the log mentions a user credentials mismatch due to the account info not being recognized. Any insights or suggestions on troubleshooting this would be greatly appreciated, as I might need to consider alternative RADIUS solutions if I can't resolve this soon!
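Two PowerShell checks for the setup listed above, added here as an example and not part of the original post. The first runs on the Entra-joined test device and shows what the SCEP certificate in the user personal store actually carries (private key, Client Authentication EKU, and the Subject Alternative Name, which is where NPS reads the UPN it uses to look up the on-premises AD account). The second runs on the NPS server and pulls the most recent denial events (Security log, Event ID 6273) plus the LocalMachine certificates that qualify for the EAP server-certificate dropdown. The CA name, log paths and host names are placeholders, not values from the post.

```powershell
# Added example, not from the original post. Assumptions: the issuing CA subject
# below is a placeholder; run section 1 on the Entra-joined device as the signed-in
# user, and section 2 on the NPS server as an administrator.

$IssuerMatch    = 'CN=Contoso-Issuing-CA'   # assumption: substitute your CA's subject
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'       # EKU: Client Authentication
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'       # EKU: Server Authentication
$EkuExtOid      = '2.5.29.37'               # Enhanced Key Usage extension
$SanExtOid      = '2.5.29.17'               # Subject Alternative Name extension

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Known extensions come back typed, so the EKU one exposes EnhancedKeyUsages.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid }
    if ($ext) { @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
}

function Get-SanText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Format($true) renders the SAN as text, e.g. "Other Name:Principal Name=user@contoso.com"
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanExtOid }
    if ($ext) { $ext.Format($true).Trim() } else { '(no SAN extension)' }
}

# ---- Section 1: on the client, inspect the SCEP certificate in CurrentUser\My ----
Write-Host "== SCEP certificates issued by $IssuerMatch in Cert:\CurrentUser\My =="
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
    ForEach-Object {
        $ekus = Get-EkuOids -Cert $_
        [pscustomobject]@{
            Subject        = $_.Subject
            NotAfter       = $_.NotAfter
            HasPrivateKey  = $_.HasPrivateKey            # EAP-TLS cannot use a cert without it
            ClientAuthEKU  = ($ekus -contains $ClientAuthOid)
            SAN            = Get-SanText -Cert $_         # the UPN NPS maps to an AD account
            Thumbprint     = $_.Thumbprint
        }
    } | Format-List

# Confirm the Intune-deployed root is actually present in the user's trusted roots.
Write-Host "== Trusted roots matching the issuer's root name (CurrentUser + LocalMachine) =="
Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*Contoso*' } |      # assumption: your root CA name
    Select-Object Subject, NotAfter, Thumbprint

# ---- Section 2: on the NPS server ----
# Recent access-denied events; the Message text contains Reason Code and Reason.
Write-Host "== Last NPS denials (Event ID 6273, Security log) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Reason'; e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*Reason' }) -join '; ' } }

# Certificates NPS can offer in the PEAP / EAP-TLS "Certificate issued to" dropdown:
# LocalMachine\My, private key present, Server Authentication EKU. Anything else
# listed there is not a valid choice for the RADIUS server's identity.
Write-Host "== LocalMachine\My certificates eligible as the NPS server certificate =="
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ((Get-EkuOids -Cert $_) -contains $ServerAuthOid) } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
```

Read section 1 with the denial in mind: if `SAN` shows no `Principal Name=` entry, or the UPN there does not match the `userPrincipalName` of an on-premises AD user the NPS server can resolve, NPS has nothing to map the certificate to. Section 2's reason text is the same string seen in the NPS accounting log and is the quickest way to tell a trust failure (unknown root, wrong EKU) from an account-lookup failure.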
2 Answers
Your setup seems solid with the conditional access and VPN! However, if it continues to give you problems, considering an alternative RADIUS solution might be your best bet.
It sounds like your issue might stem from NPS not supporting Entra joined devices unless you enable device writeback. Even with that, my experience was that it wasn't very reliable. We spent months with Microsoft trying to get it to work but ended up switching to FreeRADIUS mainly for cost reasons as we’re moving toward pre-shared keys for WiFi instead of dot1x.
I was curious about the device writeback path too and how it worked for you. Sounds risky, with potential disruptions for users!
I also tried device writeback, but it ended up messing up existing AD objects, causing major issues during working hours. That's why I'm focusing on user certificates now.