Occasional Contributor I
Posts: 9
Registered: ‎09-06-2012

Allow RDP over 802.1x secured wireless

I'm wondering if the following is possible:

We're trying to implement RDP so that IT can take over a PC that is not logged on. If a PC is logged in, they can take over, but not when it's not logged on.

Is this even possible? (All clients are Win 7.)

Security used is 802.1X with PEAP/MSCHAPv2.

MVP
Posts: 1,380
Registered: ‎05-28-2008

Re: Allow RDP over 802.1x secured wireless

Hi,

As far as I am aware, the answer is: nope. In 802.1X there is no Layer 3 connectivity until the user/machine has authenticated. And when the user is logged out, it's like the certificate has missing info, so RDP will not work. (RDP works at Layer 3.)

Me

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Allow RDP over 802.1x secured wireless

To accomplish what you want (without anyone logged on), you need to enable the Windows wireless supplicant to support both user and machine authentication. Then, you need to make sure your RADIUS server is set up to allow the computers to also authenticate, and have an appropriate ACL applied to their role to allow RDP.

Example screenshot: user-computer.jpg

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor I
Posts: 9
Registered: ‎09-06-2012

Re: Allow RDP over 802.1x secured wireless

I've got enforce machine authentication enabled > should this stay like this? Default rule for machines is allow_all.

We've got it nearly working. Takeover can happen, but when IT takes over, we lose connection? If we check the PC > it's logged on with the user though...

Frequent Contributor I
Posts: 125
Registered: ‎07-06-2010

Re: Allow RDP over 802.1x secured wireless


PeterE wrote:

I've got enforce machine authentication enabled > should this stay like this? Default rule for machines is allow_all.

 

We've got it nearly working. Takeover can happen, but when IT takes over, we lose connection? If we check the PC > it's logged on with the user though...


This is going to be complicated :) If your team is taking control of the machine at the login screen, as soon as they log in it will do user authentication, but if they are logging in as the local admin or a user not allowed a RADIUS login then you will lose your connection...

In the end I would set up a more restrictive computer role as opposed to allow all (and only allow what you need: DNS, DHCP, AD, RDP, etc.) and then make a domain user or group and add it to the local admin group of those machines (you can do this via GPO), then make sure those users can actually authenticate and get a role using 802.1X user authentication.

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Allow RDP over 802.1x secured wireless

To allow computers to authenticate, you don't need the "enforce machine authentication" option, unless you truly want to enforce it (not allow non-domain machines on the network). Without it checked, the computer or user can authenticate so long as the client and RADIUS server allow it.

The issue you are seeing is that when the computer is on the wireless network with no one logged on, you can RDP to it. However, if the wireless configuration is set to use computer or user authentication, the system will switch over and authenticate as the user when you log on via RDP, thus dropping the connection. You could try (although it may not be desirable) to use computer only authentication (rather than user or computer).

I thought there was a way on the Windows side to not have the wireless switch to user authentication when logging in through an RDP session, but I don't recall where I saw that. I'll post back if I can find it.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
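
An added example, not part of the thread and not Aruba or Microsoft code: a Python check over a WLAN profile exported with `netsh wlan export profile`, reporting the OneX `authMode` that decides between the "user or computer" and "computer only" behaviour described in the post above. The sample profile, its SSID name and the finding texts are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WLAN_NS = "{http://www.microsoft.com/networking/WLAN/profile/v1}"
ONEX_NS = "{http://www.microsoft.com/networking/OneX/v1}"

# Constructed sample: a trimmed WPA2-Enterprise profile with a placeholder SSID.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>EXAMPLE-CORP</name>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
      </OneX>
    </security>
  </MSM>
</WLANProfile>"""

# Findings paraphrase the behaviour reported in this thread (assumed wording).
FINDINGS = {
    "machineOrUser": "re-authenticates as the user at logon; an RDP logon can drop the session",
    "machine": "computer only; stays on the machine credential when a user logs on",
    "user": "user only; no network until someone logs on, so no RDP at the logon screen",
}

def review_profile(profile_xml):
    """Return (profile name, authMode or None, finding) for one exported profile."""
    root = ET.fromstring(profile_xml)
    name = root.findtext(WLAN_NS + "name", default="(unnamed)")
    if root.findtext(".//" + WLAN_NS + "useOneX") != "true":
        return name, None, "not an 802.1X profile"
    mode = root.findtext(".//" + ONEX_NS + "authMode")
    if mode is None:
        return name, None, "authMode not set; Windows applies its default"
    return name, mode, FINDINGS.get(mode, "other authMode value")

if __name__ == "__main__":
    computer_only = SAMPLE_PROFILE.replace("machineOrUser", "machine")
    for xml_text in (SAMPLE_PROFILE, computer_only):
        print(review_profile(xml_text))
```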

Occasional Contributor I
Posts: 9
Registered: ‎09-06-2012

Re: Allow RDP over 802.1x secured wireless

Users and computers fall in the same rule when authenticated (allow all), since there is already an internal firewall that takes care of everything, so we don't have to take care of that issue.

New Contributor
Posts: 1
Registered: ‎01-28-2014

Re: Allow RDP over 802.1x secured wireless

Has anybody gotten this working?

Same issue as others... If the user is logged into the PC and then connects via RDP, even as the same user, the connection drops and essentially doesn't even start working again until the user logs back into the PC locally.

Any input is appreciated...

Guru Elite
Posts: 20,015
Registered: ‎03-29-2007

Re: Allow RDP over 802.1x secured wireless

rknighton,

 

This is a Windows issue, where the context is switched when you RDP into a device.

 

http://social.technet.microsoft.com/Forums/windows/en-US/507cd666-9c86-423c-bbed-789b9e975bd9/windows-7-rdp-and-8021x-authentication?forum=w7itpronetworking

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs