Can NPS authenticate non-Domain computers via EAP-TLS?

Alex Wu
2025-03-31T10:11:48.86+00:00

Hi Everyone!

I tried to implement NPS to authenticate non-Domain joined computers by using a computer certificate to access Cisco Wi-Fi, but failed.

My environment:

  1. Windows 2019 DC
  2. Windows 2019 CA + NPS
  3. Cisco WL3504 + AP1832I
  4. Windows 10 + Windows 11 non-Domain Clients

What I have tested

  1. Manually request a computer certificate from CA
  2. NPS Connection Request policy (no domain computers selected); realm name replaced ^host/(.*) with DomainName$1% -> non-Domain clients can match the request policy
  3. NPS Network policy -> no matter how I set the policy, NPS always goes to AD to match the computer account
  4. Then I created a dummy computer account, even using the same thumbprint as the certificate of the computer I've requested.
  5. Using the same computer certificate (non-Domain joined), I can authenticate the certificate successfully with Cisco ISE.

My question:

  1. Does NPS really support EAP-TLS (computer certificate) for non-Domain joined computers? Is AD join a must? (I found many documents online about NPS supporting certificate authentication for non-domain computers.)

2 answers

  1. Anonymous
    2025-04-02T02:22:29.7533333+00:00

    Hello Alex Wu,

    Thank you for posting in Q&A forum.

    Yes, NPS can support EAP-TLS for non-domain joined computers using computer certificates. But there are a few things to consider and set up to get this working smoothly:

    1. The client devices must have a valid computer certificate issued by a trusted Certificate Authority (CA). The NPS server must trust the CA that issued the client certificates. This typically involves installing the CA's root certificate on the NPS server.
    2. You need to configure NPS to accept EAP-TLS authentication. This involves setting up the appropriate network policies and connection request policies. Ensure that the EAP type (EAP-TLS) is supported by both the client devices and the NPS policy.
    3. For non-domain joined devices, you can use certificate mapping to associate the certificate with a user or computer account in Active Directory. This is not mandatory but can help in managing access control. Alternatively, you can configure NPS to accept certificates based on specific attributes, such as the Subject Alternative Name (SAN) value.
    4. Create policies in NPS that match the conditions for non-domain joined devices. This might include specifying the SSID for Wi-Fi connections or other relevant parameters. Ensure that the policies are correctly set up to handle the authentication requests from non-domain joined devices.
    5. If you encounter issues, check the NPS logs for detailed error messages. Common issues include mismatched certificates, incorrect policy configurations, or missing CA certificates.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. Jose Hernandez
    2025-05-06T18:27:41.8966667+00:00

    I'm in the same boat as the OP and hate to see answers without specific guidance.

    1. Our non-domain devices have a valid client authentication cert from our CA.
      1. The cert on the device has both the subject name and SAN with the device FQDN.
    2. The CA is trusted by the NPS server.
    3. The NPS policy is configured for EAP-TLS with the EAP Auth set to 'Microsoft: Smart Card or other certificate'. Besides that, the only other condition is the NAS port type, set to the appropriate wireless types.

    Despite all this, the devices cannot connect to the Wi-Fi network using their certificate. NPS is still trying to match the device with an AD account and rejects the auth request. The audit logs simply state 'The specified user account does not exist.'

    Here's my problem with the answer provided here by the MS people:

    1. "Alternatively, you can configure NPS to accept certificates based on specific attributes, such as the Subject Alternative Name (SAN) value." No links, no guidance on how this is accomplished. I'm yet to find anything in the NPS policies related to this.
    2. "Ensure that the policies are correctly set up to handle the authentication requests from non-domain joined devices." Meaning what? Again, no specifics. I've made this policy as vanilla as I can.

    Countless other searches have provided similar outcomes. So I'm calling bs on the notion that NPS can authenticate non-domain devices just using device certificates. It still wants an AD object associated with it.

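Both answers hinge on two things that can be checked rather than guessed: whether the NPS server actually trusts the CA that issued the client certificates (Daisy Zhou's points 1 and 5) and what the NPS audit log records as the reason for the rejection (Jose Hernandez's 'The specified user account does not exist'). The PowerShell below is an added example, not from either poster; it assumes it runs on the NPS server, that `$CaName` is replaced with your issuing CA's CN, and that NPS rejections are audited to the Security log as event ID 6273.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the NPS server.
# Assumption: $CaName is a placeholder for the CN of the CA that issued the client certificates.
$CaName = 'YOUR-ISSUING-CA'

# 1. Does the NPS server trust the issuing CA?
#    EAP-TLS chain validation uses the machine stores: the root must be in LocalMachine\Root,
#    any intermediate in LocalMachine\CA. Nothing here is the "missing CA certificates" failure.
$trusted = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like "*CN=$CaName*" }

if (-not $trusted) {
    Write-Warning "No certificate with CN=$CaName in LocalMachine\Root or LocalMachine\CA"
} else {
    $trusted | Select-Object PSParentPath, Subject, Thumbprint, NotAfter | Format-Table -AutoSize
}

# Pull one named field out of a 6273 event message; '' if the label is absent.
function Get-Field([string]$Message, [string]$Pattern) {
    if ($Message -match $Pattern) { $Matches[1].Trim() } else { '' }
}

# 2. Why is NPS rejecting? Event 6273 ("Network Policy Server denied access to a user") carries
#    the account NPS tried to match, the EAP type negotiated and the reason code/text, which is
#    more useful than the client-side "can't connect" message.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time        = $_.TimeCreated
            AccountName = Get-Field $m 'Account Name:\s+(\S+)'     # first match = the user/computer identity
            EapType     = Get-Field $m 'EAP Type:\s+([^\r\n]+)'
            ReasonCode  = Get-Field $m 'Reason Code:\s+(\d+)'
            Reason      = Get-Field $m 'Reason:\s+([^\r\n]+)'
        }
    } | Format-Table -AutoSize
```

If the AccountName column shows the certificate's subject (for example host/device.fqdn) and the Reason is the "account does not exist" text quoted in the thread, NPS validated the chain and then looked for that identity in AD, which is the behaviour both posters describe.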
