NPS and environment with WAN link

Discussion in 'Business & Enterprise Computing' started by phrosty-boi, Jun 27, 2019.

  1. phrosty-boi

    phrosty-boi Member

    Joined:
    Jun 27, 2003
    Messages:
    1,081
    Location:
    Altona
    Hi All,
Got an odd one that I'm having trouble getting a decent answer to. Long story short, we are looking at changing our current wifi to use AD credentials or computer authentication to connect.

However, for our sites across the WAN, how would this be affected if the WAN link goes down?

    I've had this kind of setup before with a single site and it worked without any dramas, but not sure how this would all go in an environment with WAN links

I know if we use cert based authentication that the client would likely need to be able to talk to our PKI infrastructure to see if the cert is valid, and I'm also aware that the NPS server needs to be able to validate its cert against PKI as well.

Do 802.1x credentials, whether user or computer, get cached on the client so that they can still access wifi if the WAN goes down? I can't seem to find a clear answer on technet or otherwise.
     
  2. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,208
    Location:
    Adelaide
    You'll need to find another way to provide access to your RADIUS from remote sites if the Internet service isn't reliable. Perhaps consider JumpCloud or some other cloud hosted service that syncs credentials from your AD; that way at least an internet failure will only affect that particular (remote) site. HQ can still have local RADIUS via NPS or similar.
     
  3. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    5,626
    Location:
    NSW

    Do your remote sites have any kind of local DC?
     
  4. samus

    samus Member

    Joined:
    Jun 3, 2002
    Messages:
    1,259
    Location:
    Baulkham Hills, Sydney.
Consider an RODC at the remote sites? Can still provide RADIUS then.
     
  5. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,663
    Location:
    Pooraka Maccas drivethrough
    Couple of thoughts:
    - Can the users in the remote office actually do any productive work if the WAN link goes down?
    - Are redundant/dual WAN interfaces an option in the remote sites? (eg fixed line and LTE)


    edit: IME, and this depends on the number/size/complexity/business value of remote sites, going down the branch server infrastructure path can quickly become more costly to operate than having a reliable, fault tolerant WAN.
     
    Last edited: Jun 28, 2019
  6. 7nothing

    7nothing Member

    Joined:
    Feb 15, 2002
    Messages:
    1,437
    Location:
    Brisbane
    I use radius auth for wifi at remote sites. If they can't get back to our DC they're probably not gonna get much work done anyway :)
     
  7. phrosty-boi (OP)

    phrosty-boi Member

    Joined:
    Jun 27, 2003
    Messages:
    1,081
    Location:
    Altona
hey guys, thanks for the replies, didn't get the email notification that there were replies... whoops
    all the remote sites have a DC except one which is getting installed this year
    all the remote sites have redundant WAN links already
    critical apps are cloud hosted, but I believe internet access in general might be done through head office (MPLS based WAN network)
    I gave this more thought late in the week and thinking of maybe even a local NPS at each of the remote sites configured appropriately as each site has a wifi controller
I think the only issue might be the cert / computer account based auth and how that would work - can you do computer authenticated RADIUS without the cert part being required on the client? I know user based auth doesn't need a client cert, it's just the NPS server which needs one.
    Seems like I've got some reading to do on computer based auth... as the docs aren't clear on computer based auth, or I've not found the right part of them yet
     
  8. 7nothing

    7nothing Member

    Joined:
    Feb 15, 2002
    Messages:
    1,437
    Location:
    Brisbane
    Never tried, don't think so, just go with cert based and auto enroll. If you have devices that aren't domain members, they may support manual cert enrol, or AD user account auth, or separate SSID with PSK
     
  9. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,307
    Location:
    Canberra
consider the following context: your client device has a digital certificate issued by an internal CA, which is chained to an off-line root CA.

when the Windows NPS attempts to validate your certificate, whilst it's chained to the same root of trust, your NPS will need access to the published Certificate Revocation List Distribution Point. This may be http/https/smb as defined in your device certificate (provided by the issuing certificate template).

    If the CRL-DP is off-line, your NPS can't validate your certificate for revocation, and it will stop your client from connecting.

    For on prem managed certificates (say 1 yr validity) your CRL is leveraged to deactivate certificates from further systems access, by disabling this feature you're no longer leveraging certificate revocation.

    WPA-PSK sounds much easier ;)

    A far easier approach is to partition the network to use PSK for internet and then 802.1x over the internet. NPS H/A requirements are reduced along with many other benefits.
     
    Last edited: Jul 1, 2019
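The CRL Distribution Point dependency described above is easy to test before a WAN outage tests it for you. The script below is an added example, not code from the thread or from Microsoft: run on the NPS host, it reads the CDP extension of a certificate in the local machine store, checks whether each HTTP, LDAP or UNC location is reachable from that host, and then lets certutil.exe perform a full chain build with URL fetching (exit code 0 means chain and revocation status verified), which approximates the CryptoAPI validation NPS relies on. The thumbprint is a placeholder; the Get-CrlDistributionPoints and Test-CrlDistributionPoint function names are mine. One caveat worth knowing: CryptoAPI caches a downloaded CRL until its NextUpdate time, so a short WAN outage only breaks EAP-TLS once the cached copy expires, which is why the CRL publication interval matters as much as the link.

```powershell
# Added example, not from the thread. Run on the NPS server to check whether
# the CRL Distribution Points in a certificate are reachable from here, then
# let certutil build the chain with revocation fetching.
# Assumptions: replace the placeholder thumbprint; certutil.exe and the PKI
# module (Export-Certificate) are present on a current Windows Server.
param(
    [string]$Thumbprint    = 'REPLACE_WITH_CERT_THUMBPRINT',
    [string]$StoreLocation = 'Cert:\LocalMachine\My'
)

function Get-CrlDistributionPoints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension. Format($true)
    # renders it as multi-line text from which the URLs can be pulled.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), '(https?|ldap|file)://[^\s]+') |
        ForEach-Object { $_.Value }
}

function Test-CrlDistributionPoint {
    param([string]$Url)
    $r = [ordered]@{ Url = $Url; Reachable = $false; Detail = '' }
    try {
        if ($Url -match '^https?://') {
            # A CRL is a small DER blob; HTTP 200 with a body counts as reachable.
            $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
            $r.Reachable = ($resp.StatusCode -eq 200 -and $resp.RawContentLength -gt 0)
            $r.Detail = "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
        }
        elseif ($Url -match '^ldap://([^/:]+)') {
            # LDAP CDPs with an explicit host: a WAN outage shows up as a closed port.
            $cdpHost = $Matches[1]
            $r.Reachable = (Test-NetConnection -ComputerName $cdpHost -Port 389 `
                -WarningAction SilentlyContinue).TcpTestSucceeded
            $r.Detail = "TCP 389 to $cdpHost"
        }
        elseif ($Url -match '^ldap:///') {
            # Serverless LDAP URL (the usual AD CS form): resolved via the DC this
            # host is bound to, so test the logon DC instead.
            $dc = $env:LOGONSERVER -replace '^\\\\', ''
            $r.Reachable = (Test-NetConnection -ComputerName $dc -Port 389 `
                -WarningAction SilentlyContinue).TcpTestSucceeded
            $r.Detail = "serverless LDAP URL, tested TCP 389 to logon DC $dc"
        }
        elseif ($Url -match '^file://') {
            # file:// URLs map to a UNC path (\\server\share\name.crl).
            $unc = ($Url -replace '^file://', '\\') -replace '/', '\'
            $r.Reachable = Test-Path -LiteralPath $unc
            $r.Detail = $unc
        }
    }
    catch { $r.Detail = $_.Exception.Message }
    [pscustomobject]$r
}

$cert = Get-ChildItem -Path $StoreLocation | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StoreLocation" }

"Certificate: $($cert.Subject) (expires $($cert.NotAfter))"
Get-CrlDistributionPoints -Cert $cert |
    ForEach-Object { Test-CrlDistributionPoint -Url $_ } |
    Format-Table -AutoSize

# Full chain build with CRL/OCSP fetching, the way CryptoAPI does it for NPS.
$tmp = Join-Path $env:TEMP "cdp-check-$($cert.Thumbprint).cer"
Export-Certificate -Cert $cert -FilePath $tmp -Force | Out-Null
$out = & certutil.exe -verify -urlfetch $tmp 2>&1
"certutil -verify -urlfetch exit code: $LASTEXITCODE (0 = chain and revocation verified)"
$out | Select-String -Pattern 'revocation', 'ERROR', 'offline' |
    ForEach-Object { $_.Line.Trim() }
Remove-Item $tmp -ErrorAction SilentlyContinue
```

Run it once against the NPS server certificate and once against an exported client (EAP-TLS) certificate, since NPS validates the client's chain and the client validates the server's; the CDP URLs can differ by template. Running it from a branch site while the WAN is deliberately failed over to the backup link shows whether the CDP is still reachable on that path, which is the question the post above is really asking.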
  10. tensop

    tensop Member

    Joined:
    Mar 26, 2002
    Messages:
    1,409
    that's a really long way of saying wpa2 is better
     
