![]() I then export a user certificate that works fine on a windows machine and import that into the MAC and again set to trusted in the login store. Then I use the common folder and install the VPN and NPS certificates on the MAC in the login store, set them to trusted. The certificate being my internal CA certificate which is what the server certificate on the radius server was issued from and also the client certificates. I download the EAPTLS client, in the Radius Root Cert box I paste the base 64 code without the begin cert and end cert parts. Its likely something I am missing on the MAC client side or radius side. I may be very well be doing something wrong, the same client certificate work fine on a windows machine with the same VNG and radius server so I don’t think PKI health or cert revocation is the problem. When I get another instance I will update with my findings, I would like to see it one more time before saying for sure this was the fix., if you have any thoughts though, always appreciated. ![]() I am not sure why it is registering them as these are corporate devices and not BYOD which seems to be the purpose for it, we have office 365 installed on the same machines and I cant seem to get a test machine to register the cert to re-create the problem. These machines in Azure AD Devices are showing twice, once as Hybrid Azure AD joined which will be from our AD sync and once from Azure AD registered. It feels like it might have been trying to use that for the client auth on auto instead of the one issued by the internal CA. I am not 100% sure as this is two users and I was doing a few things but the resolution I think seemed to be to delete a certificate in the user store which had been issued by MS-Organization-Access for Client Authentication – I hadn’t seen this cert before, once I did that auto connect worked again. Thanks for the quick reply, I have handed the laptop back now and also had another user with the same thing, so unable to check that key. However the device will still not logon with non cached credentials. We’ve also run the portqry tool against the predefined Domains and Trusts query when connected over the device tunnel which returns all results as successful. We’ve defined single hosts /32 in the xml config as per the microsoft documentation to include all domain controllers. We’ve turned off all firewalls, AV and checked the interface metrics are all correct. It’s the only issue I can see as to why the logon would be failing to contact the DC’s from the logon screen for non cached users. Pathping and tracert to IP also resolves all hop names correctly, it is literally only a normal ping that returns ping request could not find host for both hostname and FQDN. If we ping the DNS/DC by IP it answers and if we open NSlookup it shows the correct NameServers and resolves all of lookups fine both host and FQDN. That is the strange thing, and I assumed the same, but if we look at the VPN connection (Get-NetIPConfiguration | Where-Object InterfaceAlias -eq “Device Tunnel”) we can see the two DNS/DCs listed by IP. ![]() Windows 10 Always On VPN Device Tunnel Missing in the Windows UIĭeleting a Windows 10 Always On VPN Device Tunnel Windows 10 Always On VPN Device Tunnel Configuration using PowerShell To ensure the device tunnel connects automatically, upgrade to Windows 10 Enterprise 1709 or later and join it to a domain. The Windows 10 Always On VPN device tunnel is supported only on Windor later Enterprise edition clients that are domain-joined. This scenario will occur when the device tunnel configuration is applied to a Windows 10 Professional edition client. This can occur even when ProfileXML is configured with the AlwaysOn element set to “true”.Īn administrator can establish a device tunnel connection manually using rasdial.exe however, indicating no issues with connectivity or authentication that would prevent a successful automatic connection. When configuring a Windows 10 Always On VPN device tunnel, the administrator may encounter a scenario in which the device tunnel does not connect automatically. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |