NPS 2602 series


#1

Good afternoon. I really need help with the settings of the NPS and 2602 series. We have our own PCI and PC structure on Windows server 2022 + Wi Fi UNIFI WPA2 Enterprise. There are no problems with the entry of domain PCs. Issued a certificate for the 2602w phone. They specified the name of the type PH001 in it. A computer named PH001 was created in Active Directory. They tied a certificate to it. We specified the dNS name PH001.domain.local, Upload the certificate for PH001 and ROOT Server PKI certification in crt format to the phone. The name in the phone is PH001$. On an NPC, we get error 22. “Client authentication cannot be verified because this type of EAP protocol cannot be processed by the server.” Please tell me how to properly configure the authorization of phones on NPS? We tried the names in the certificates PH001, PH001$, PH 001.domain.local PH001$.domain.local. Authorization by domain login and password takes place if you do not specify the ROOT certificate in the phone. In the NPC policy, they changed all the settings and ticked all the boxes. Thanks. And question 2 - is it possible to somehow request certificates for all 100 phones in automatic mode? Thanks.


#2

#3

Have you tried to change the used EAP method,

See if the answer included in this link below would help!


#4

I have tried the following types: Smart Card, EAP-PEAP MSCHAPV2. I can connect the phone to the network using the username and password of the domain user and without specifying the CA certificate. If I specify the CA certificate, I will not be able to log in using the password and the user (It is not possible to verify the authenticity of the client, since this type of EAP protocol cannot be processed by the server). If I try to connect using a certificate and specify the wrong device name, I will get an error (The specified user account does not exist.). When I connect a certificate with names (P0455 PH045$, PH045.domain.local, PH045$@domain.local) and I connect the same certificate to the computer account that I created in my domain, then I get an error. (It is not possible to verify the authenticity of the client, since this type of EAP protocol cannot be processed by the server). I need the phone to log in using a certificate without entering a username and password.


#5

Managed to get the following message on the network policy server:

The network policy server granted access to the user.

User:
Security ID: DOMAIN\PH045$
Account Name: PH045$
Account domain: DOMAIN
Full account name: DOMAIN\PH045

If you disable the PH045 computer account, the policy server reports that the account is disabled
But the phone still doesn’t connect to the network…At the same time, the connection takes place without problems using the username and password of the user. Laptops are also connected without problems according to the issued certificate…


#6

Hey Mikhail can you advise on how you are connecting your phone using a username and a password
are you using the 802.1X with wifi or ethernet?
if possible let me know your steps to configure this


#7

Good afternoon. It’s just very simple:

  1. I created a user in AD domain\ip phone connect with a password. And included it in the Vlan 77 group
    2.The NPS server has created a network policy. Conditions “If the user is a member of the Vlan77 group and the request comes from a WiFi access point”. In Restrictions “Authentication method - Microsoft:Protected EAP(PEAP)/ Protected Password MS-CHAP2.” In the Parameters, I assigned the desired VLAN
    3.The type of Wi-FI network on the WPA-Enterprise access point (802.1x)
  2. On the phone, I selected the desired network, the type of PEAP. The ROOT certificate was not needed.
    I know it’s not safe and I’m still waiting for an answer on my question. Why, when connecting via TLS through a certificate issued to a computer, my NPS server says OK and lets the device into the network and the phone does not connect…
    In general, the GrandStream 2602 is not exactly a corporate phone in my opinion…


#8


#9

Thank you for the follow up,
I will be testing this too and and give a feedback.