Wireless 802.1x for Machine Auth only using NPS

Today I had to set up wireless access for a group of PCs in a training room where wired access was limited. The problem was that the site's only 802.1x wireless network authenticated on AD user accounts, which didn't fit here: the people using the training PCs did have AD accounts, but they couldn't log on to the PCs with them, because the wireless link wouldn't come up until after a user had authenticated, and with no network at the logon screen there is no domain controller to authenticate against. To solve this I added an alternate logon method to the existing wireless network that authenticates the AD computer account over Protected EAP (PEAP) with EAP-MSCHAPv2 as the inner method. This way the PCs connect to the wireless network before anyone logs on, so the logon itself can reach the domain. It took a while to get the settings right so I figured it was worth posting.

There are plenty of posts about setting up 802.1x wireless access in an AD environment so I am not going to go into any details about that here.

There are 3 main components:

  • An AD Group containing the Computer Accounts of the PCs in question.
  • A Group Policy to apply the relevant settings to the PC’s.
  • A Network Policy on the NPS server used to authenticate wireless access.

NOTE: After the components were in place, each PC still had to be connected once over a wired connection to pick up the relevant settings: the wireless profile is delivered by Group Policy, and a PC cannot receive that policy over a network it has not yet been configured for. After that they operated wirelessly.


The AD Group is pretty self explanatory, just populate it with the relevant Computer Accounts.


The Group Policy should be linked to a relevant OU and configured with Security Filtering so that it applies only to the AD Group above (everything here lives under Computer Configuration, so the filter is on the group of computer accounts, not users). Settings are as follows:

Computer Configuration – Policies – Windows Settings – Security Settings – Wireless Network (IEEE 802.11) Policies

Right click and create a new policy for Windows Vista and Later Releases


Enter a suitable Policy Name and Description

Click Add at the bottom

Enter a Profile Name and add the SSID of the wireless network you are connecting to. I generally make the Profile Name the same as the SSID, as it is what appears as the network name on the client PCs.

Tick the box labelled “Connect automatically when this network is in range” and, if the SSID is hidden (which is generally seen as a bad idea these days, since clients configured for a hidden SSID will probe for it by name wherever they are, refer here), tick the box labelled “Connect even if the network is not broadcasting”.

Go to the Security tab at the top

Set Authentication to “WPA2-Enterprise”

Set Encryption to “AES-CCMP”

Set the network authentication method to “Microsoft: Protected EAP (PEAP)”

Set the Authentication Mode to “Computer authentication”. This is the setting that makes the PC authenticate with its own AD computer account instead of waiting for a user to log on.

Click the Properties button

Tick the boxes for “Verify the server’s identity by validating the certificate” and “Connect to these servers”, then add the FQDN of each of your NPS servers separated by semicolons. Don’t skip this: without server validation the client will complete the MSCHAPv2 exchange with any access point that advertises the SSID and fronts its own RADIUS server, handing the computer account’s challenge/response to whoever runs it. The names you enter must match the subject name on the NPS server certificate.

In the Trusted Root Certification Authorities box, tick your CA (This should already be listed in a working NPS environment)

Change Notification before connecting to “Don’t ask user to authorize new servers or trusted CAs”. There is nobody at the logon screen to answer such a prompt anyway, and an unexpected server should simply fail rather than be approved.

Set the Authentication Method to “Secured password (EAP-MSCHAP v2)”

Tick the box labelled “Enable Fast Reconnect”

Click Configure

Remove the tick from the box labelled “Automatically use my Windows logon name and password”




Go to the Network Permissions tab

My goal here was to tighten up security as much as possible and prevent fiddling; these settings may not be suitable for your environment.

Tick the box for “Prevent connections to ad-hoc networks”

Remove the tick for “Prevent connections to infrastructure networks”

Tick the box for “Allow user to view denied networks”

Remove the tick for “Allow everyone to create all user profiles”

Tick the box for “Only use Group Policy profiles for allowed networks” (a locally created profile for the same SSID can then no longer override the policy-delivered one)

Tick the box for “Don’t allow hosted networks”

Tick the box for “Don’t allow shared user credentials for network authentication”

Remove the tick for “Enable block period” (the block period is the wait imposed after failed authentication attempts before the client may retry; an unattended PC should be free to retry straight away)

Tick the box for “Don’t allow Wi-Fi Direct groups” (together with the hosted-network setting above, this stops the PC from being turned into a soft access point that bridges the secured network)



Now we are ready for the NPS network policy.

On the NPS server, right click Policies – Network Policy and select New

Enter a suitable name and leave the Type of network access server as Unspecified.


Add the following conditions:

Windows Group – The name of the AD Group created earlier containing the Computer Accounts

NAS Port Type – Wireless – IEEE802.11


Select “Access Granted”


Clear the tick boxes from the “Less secure authentication methods” section, so that the policy accepts nothing but the EAP method added below (MS-CHAPv2 outside the PEAP tunnel, CHAP and PAP would otherwise be accepted as fallbacks).

Click Add

Select “Microsoft: Protected EAP (PEAP)”


Select “Microsoft: Protected EAP (PEAP)” and click Edit

Select the relevant server certificate (This should already be listed in a working NPS environment)

Tick the box for “Enable Fast Reconnect”

Click Add

Select “Secured password (EAP-MSCHAP v2)”





Select NAP Enforcement in the left pane and remove the tick from “Enable auto-remediation of client computers”. This page only exists on NPS versions that still ship Network Access Protection; NAP was deprecated in Windows Server 2012 R2 and removed in Windows Server 2016, so on newer servers there is nothing to change here and the step can be skipped.



Make sure the new Policy has a suitable Processing order set; in my case I had it at number 1. NPS evaluates network policies in order and stops at the first one whose conditions match, so the machine-auth policy must sit above any existing policy whose conditions a computer account could also satisfy.
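To see whether requests are actually landing on the new policy, and why the rejected ones are rejected, the NPS audit events in the Security log (6272 granted, 6273 denied) are the place to look. Below is an added example, not part of the original post, that flattens those events and summarises them by policy, outcome and reason code. The two events at the bottom are constructed samples in the shape NPS writes, so the parser can be tried without an NPS server; the hostnames and policy name in them are made up.

```powershell
# Added example (not from the original post): parse and summarise NPS 802.1X audit events.
function ConvertFrom-NpsEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Flatten <Data Name="...">value</Data> into a hashtable keyed by Name
    $d = @{}
    foreach ($item in $EventXml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $id = $EventXml.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry attributes
    $user = $d['SubjectUserName']
    [pscustomobject]@{
        Time      = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        Granted   = ($id -eq '6272')
        Identity  = $user
        # Machine authentication shows up as host/<fqdn> (the PEAP inner identity) or DOMAIN\NAME$;
        # any other identity reaching a computer-only policy deserves a look
        IsMachine = ($user -like 'host/*' -or $user -like '*$')
        Client    = $d['CallingStationID']     # the wireless client's MAC address
        PortType  = $d['NASPortType']
        Policy    = $d['NetworkPolicyName']
        Eap       = $d['EAPType']
        Reason    = $d['ReasonCode']
        Detail    = $d['Reason']
    }
}

function Get-NpsAuthSummary {
    # Run on the NPS server in an elevated session (reading the Security log requires it)
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object { ConvertFrom-NpsEvent ([xml]$_.ToXml()) } |
        Group-Object Policy, Granted, Reason |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed samples (not real logs): one machine-auth grant, and one PC whose computer account
# is not in the AD group, so it falls through every policy (reason 48).
$sampleGranted = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6272</EventID><TimeCreated SystemTime="2024-01-15T09:10:41.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">host/PC01.corp.example</Data>
    <Data Name="CallingStationID">AA-BB-CC-11-22-33</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NetworkPolicyName">Wireless machine auth</Data>
    <Data Name="EAPType">Microsoft: Secured password (EAP-MSCHAP v2)</Data>
    <Data Name="ReasonCode">0</Data>
    <Data Name="Reason">-</Data>
  </EventData>
</Event>
'@
$sampleDenied = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID><TimeCreated SystemTime="2024-01-15T09:12:03.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">host/PC99.corp.example</Data>
    <Data Name="CallingStationID">AA-BB-CC-44-55-66</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NetworkPolicyName"></Data>
    <Data Name="EAPType">Microsoft: Secured password (EAP-MSCHAP v2)</Data>
    <Data Name="ReasonCode">48</Data>
    <Data Name="Reason">The connection request did not match any configured network policy.</Data>
  </EventData>
</Event>
'@

$parsed = $sampleGranted, $sampleDenied | ForEach-Object { ConvertFrom-NpsEvent ([xml]$_) }
$parsed | Format-Table Time, Granted, IsMachine, Identity, Policy, Reason -AutoSize

# On the NPS server itself:
# Get-NpsAuthSummary -Hours 4
```

Grouping by policy name is what reveals ordering mistakes: if computer accounts show up under the existing user policy, or under no policy at all, the new policy is either below the one that catches them first or its Windows Group condition does not contain that computer account.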


Job done!

11 Comments on "Wireless 802.1x for Machine Auth only using NPS"

  1. You, sir, have done an awesome job of clearly sharing true technical knowledge, not the typical deliberately wrong information one would find all over on the Cisco forums. Good work!


    1. Cheers Boyan!

      My posts are always based upon real life working examples so they should all work as detailed.




  2. Hi Kirin

    I have followed your article “Wireless 802.1x for Machine Auth only using NPS”

    I am using Server 2019 and have found that Microsoft have deprecated “Network Access Protection (NAP), Health Registration Authority”.
    In the last part of your instructions you mention “auto-remediation of client computers”; in the 2019 server install I do not observe this option. Will this make a difference if I don’t have this option?


  3. Hi Kiran,

    I admire your document as it worked like a charm for me.
    Although, I am not able to work things out with non windows pcs in my office.
    I am talking about Ubuntu.
    Yes, the ubuntu laptops are joined to my domain and I am able to login to them with my AD credentials without any trouble.
    But I am not able to connect to my access points using the computer authentication method.
    I am just hoping that you might have some experience about this issue too.
    Can you guide us.

    Makarand Maha.


  4. Thank you very much for this easy to understand explanation! I highly appreciate that!

    I assume this works only on Windows machines, not with Mac/Linux machines, even though they are member of the AD?



  5. Good post. I am working on an AD migration project and trying to troubleshoot wireless connectivity for the new domain PC using the old wireless infrastructure.
    I migrated a laptop to the new domain and tried to connect to wireless but it is not successful: “can’t connect to network”.

    In the old domain NPS server, i saw a event logged with event id 6273 reason code 265.

    What are the things I have to look into in order to troubleshoot it?


  6. I have the NPS working as expected with AD but now I have five (5) apple based products that needs to connect also. I have MAC authentication added to the NPS but I can’t get the MACs to verify.


  7. Great post but… what about Wifi configuration on the controller? Can you post some extra info about that?

