I work at a smaller, development-focused company with some more prominent clients. One of these customers had new conditions for contractors, basically forcing us to implement 802.1x for our office.
We are currently running a Windows Server as our DC and AD.
Our office has 3 Switches relevant to this change. One is in our Server room and connected to another switch in the office space. This switch connects to most clients, but one location in the office doesn't have enough wire in the wall; therefore, there is a smaller switch for the missing clients. All of them are Smart switches capable of 802.1x and RADIUS.
I have installed the Network Policy Service on our DC and added RADIUS clients for the switches mentioned. I did configure NPS and RADIUS according to the Microsoft documentation using their Wizard. (RADIUS Server for 802.1x wireless or wired connections, selecting "secure wired", Microsoft: Smartcard or other certificates, adding our employee and devices groups).
I also enabled 802.1x on all three mentioned switches, configured RADIUS to use our DCs IP Address and default port, setting their specific secret.
This works until I Switch a Port from "Authorized" to "Auto" which should start using the configured RADIUS server for validation. After that, I always lose my connection, regardless of what switch I'm testing on.
Additionally, there are no log entries in the Windows event log on the DC.
The goal is to allow only clients registered in our AD to connect to our LAN network. Ideally, this would be certificate-based and automatic.
I'm out of Ideas to test; therefore, I'd like to ask what I'm missing.
I feel like I should be installing some certificates on my clients, but that could theoretically be done by the Windows Server itself.
I also need to learn how to properly debug RADIUS. I did use radlogin4, but this only reports Connection timeouts when sending a test Authentication.
