Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Allow RDP over 802.1x secured wireless

  • 1.  Allow RDP over 802.1x secured wireless

    Posted Feb 27, 2013 09:41 AM

    I'm wondering if the following is possible:

    We're trying to implement RDP so that IT can take over a PC that is not logged on. If a PC is logged in, they can take over, but not when it's not logged on.

    Is this even possible (all clients are Win 7)?

    Security used is 802.1x with PEAP/MSCHAPv2.



  • 2.  RE: Allow RDP over 802.1x secured wireless

    Posted Feb 27, 2013 09:45 AM

    Hi,

    As far as I am aware, the answer is: nope. Because in 802.1x there is no Layer 3 connectivity until the user/machine has authenticated. And when the user is logged out, it's like the certificate has missing info, so RDP will not work. (RDP works at Layer 3.)

     

    Me



  • 3.  RE: Allow RDP over 802.1x secured wireless

    Posted Feb 27, 2013 10:00 AM

    To accomplish what you want (without anyone logged on), you need to enable the Windows wireless supplicant to support both user and machine authentication. Then, you need to make sure your RADIUS server is set up to allow the computers to also authenticate, and have an appropriate ACL applied to their role to allow RDP.

     

    Example screen shot:

     

    user-computer.jpg



  • 4.  RE: Allow RDP over 802.1x secured wireless

    Posted Feb 28, 2013 03:04 AM

    I've got enforce machine authentication enabled > should this stay like this? Default rule for machines is allow_all.

     

    We've got it nearly working. Takeover can happen, but when IT takes over, we lose connection? If we check the PC > it's logged on with the user though...



  • 5.  RE: Allow RDP over 802.1x secured wireless

    Posted Feb 28, 2013 12:05 PM

    @PeterE wrote:

    I've got enforce machine authentication enabled > should this stay like this? Default rule for machines is allow_all.

     

    We've got it nearly working. Takeover can happen, but when IT takes over, we lose connection? If we check the PC > it's logged on with the user though...


    This is going to be complicated :) If your team is taking control of the machine at the login screen, as soon as they log in it will do user authentication, but if they are logging in as the local admin or a user not allowed a RADIUS login then you will lose your connection...

    In the end I would set up a more restrictive computer role as opposed to allow all (and only allow what you need: DNS, DHCP, AD, RDP, etc.) and then make a domain user or group and add it to the local admin group of those machines (you can do this via GPO), then make sure those users can actually authenticate and get a role using 802.1x user authentication.



  • 6.  RE: Allow RDP over 802.1x secured wireless

    Posted Feb 28, 2013 01:46 PM

    To allow computers to authenticate, you don't need the "enforce machine authentication" option, unless you truly want to enforce it (not allow non-domain machines on the network).  Without it checked, the computer or user can authenticate so long as the client and RADIUS server allow it.


    The issue you are seeing is that when the computer is on the wireless network with no one logged on, you can RDP to it. However, if the wireless configuration is set to use computer or user authentication, the system will switch over and authenticate as the user when you log on via RDP, thus dropping the connection. You could try (although it may not be desirable) to use computer-only authentication (rather than user or computer).

     

    I thought there was a way on the Windows side to not have the wireless switch to user authentication when logging in through an RDP session, but I don't recall where I saw that.  I'll post back if I can find it.
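
Added example, not part of the original thread or any poster's code: a small audit of exported Windows WLAN profile XML (as produced by `netsh wlan export profile`) that reports the 802.1X `authMode` and what it implies for the RDP behaviour discussed in posts 2 to 6. The SSID names and the trimmed sample profiles are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WLAN_NS = "{http://www.microsoft.com/networking/WLAN/profile/v1}"
ONEX_NS = "{http://www.microsoft.com/networking/OneX/v1}"

# What each 802.1X authMode means for RDP to a logged-off PC, per the thread.
FINDINGS = {
    "machineOrUser": "reachable at the logon screen; re-authenticates as the "
                     "user at logon, which can drop the RDP session",
    "machine": "computer-only authentication; no switch to user credentials at logon",
    "user": "no network access until a user logs on; RDP to a logged-off PC will fail",
}

def make_profile(ssid, auth_mode, use_onex="true"):
    """Build a constructed, trimmed WLAN profile (SSID names are hypothetical)."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>{use_onex}</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>{auth_mode}</authMode>
    </OneX>
  </security></MSM>
</WLANProfile>"""

def audit_profile(xml_text):
    """Return (profile name, authMode, finding) for one exported profile."""
    root = ET.fromstring(xml_text)
    name = root.findtext(f"{WLAN_NS}name")
    if root.findtext(f".//{WLAN_NS}useOneX") != "true":
        return name, None, "profile does not use 802.1X"
    mode = root.findtext(f".//{ONEX_NS}authMode")
    if mode is None:
        return name, None, "authMode not set explicitly; check the supplicant default"
    return name, mode, FINDINGS.get(mode, "authMode not covered by this check")

if __name__ == "__main__":
    # Constructed inputs; replace with the contents of real exported profiles.
    samples = [("CorpWiFi", "machineOrUser"), ("CorpWiFi-Kiosk", "machine"),
               ("CorpWiFi-BYOD", "user")]
    for ssid, mode in samples:
        print(audit_profile(make_profile(ssid, mode)))
```
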



  • 7.  RE: Allow RDP over 802.1x secured wireless

    Posted Mar 01, 2013 04:04 AM

    Users and computers fall in the same rule when authenticated (allow all), since there is already an internal firewall that takes care of everything, so we don't have to take care of that issue



  • 8.  RE: Allow RDP over 802.1x secured wireless

    Posted Jan 28, 2014 04:26 PM

    Has anybody gotten this working?

     

    Same issue as others... If a user is logged into the PC and then connects via RDP, even as the same user, the connection drops and essentially doesn't even start working again until the user logs back into the PC locally.

    Any input is appreciated...



  • 9.  RE: Allow RDP over 802.1x secured wireless

    EMPLOYEE
    Posted Jan 28, 2014 05:11 PM