Occasional Contributor I
Posts: 6
Registered: ‎08-17-2016

Enforce Machine Authentication and user authentication with Windows NPS

I have read through all posts regarding machine authentication, but still couldn't figure out how to do it... Perhaps someone can enlighten me. Our setup is as below:


-Windows 2008 (Radius Server) + Aruba controller (without Clearpass)

-We need to ensure "user authentication and machine authentication", so that only domain computer can connect to corporate wireless.


Sounds simple, I know I need to configure "enforce machine authentication" in the 802.1x profile, and set up the NPS policy properly, but I couldn't find the details for the questions below:


1. Machine Authentication: Default Machine Role, what should I set it to? (set up a role then assign a VLAN to it?)
2. Machine Authentication: Default User Role, what should I set it to? (set up a role then assign a VLAN to it?)
3. From the NPS policy, I have added a condition that only these user groups (domain computers and domain users) can access?
4. From the NPS RADIUS attributes, I have configured tunnel-type as VLAN and assigned VLAN 100 for users once authentication is successful.

So far only user authentication is working as I can see from the NPS logs; when the computer boots up and tries to use machine authentication, the NPS logs show that (Domain\Computer_name) has been denied access.

Really no idea what needs to be configured in order for machine authentication to kick in...

Guru Elite
Posts: 8,794
Registered: ‎09-08-2010

Re: Enforce Machine Authentication and user authentication with Windows NPS

In NPS, you need a policy that looks for the group Domain Computers.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 6
Registered: ‎08-17-2016

Re: Enforce Machine Authentication and user authentication with Windows NPS

Right now I have only 1 policy in NPS, which allows domain computers and domain users to access. So should I separate it into 2 policies? 1 for domain computers and 1 for domain users?

(attached: NPS.JPG)

Occasional Contributor I
Posts: 6
Registered: ‎08-17-2016

Re: Enforce Machine Authentication and user authentication with Windows NPS

I have configured 2 policies, 1 for the user group (domain users) and 1 for the machine group (domain computers), and my laptop is able to access via machine authentication, but when I use my phone to log in, I am still able to access with my user authentication. How should I make it so only domain computers can log in?

New Contributor
Posts: 3
Registered: ‎08-19-2016

Re: Enforce Machine Authentication and user authentication with Windows NPS

I wanted to achieve the same thing at one time and discovered you cannot achieve that with RADIUS and NPS. It is only possible to test on one condition with NPS, that is, are they a valid user or is it a valid device. It is not possible to test on both conditions. So if they pass one they will be allowed to connect. I'm not fully sure of the technical reasons for the limitation.

Occasional Contributor I
Posts: 6
Registered: ‎08-17-2016

Re: Enforce Machine Authentication and user authentication with Windows NPS

I have configured 2 policies in NPS, 1 for domain users and the other for domain computers, and also enabled enforce machine authentication. Machine Authentication: Default Machine Role is configured as authenticated, and Machine Authentication: Default User Role as denyall. Have I configured it in the correct way? And I noticed from the RADIUS server event viewer that when I boot up my computer and log in, I get 2 events for machine authentication (successful login) and 2 events for user authentication (successful login). Also I can't log in using my phone now with a valid AD account.

MVP
Posts: 4,309
Registered: ‎07-20-2011

Re: Enforce Machine Authentication and user authentication with Windows NPS

In order to allow non-domain devices you need to put another role beside the denyall on the default user role auth.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 6
Registered: ‎08-17-2016

Re: Enforce Machine Authentication and user authentication with Windows NPS

My objective is to allow only domain computers and domain users to access, so non-domain devices are not allowed to connect.

Guru Elite
Posts: 21,587
Registered: ‎03-29-2007

Re: Enforce Machine Authentication and user authentication with Windows NPS

You cannot do that with NPS. NPS can only check one authentication at a time, so it cannot "remember" if the device a user is on successfully machine authenticated before a user authentication.

The only way to sort of do this is to set up your laptops to only authenticate with machine credentials and in your NPS policy only allow the "Domain Computers" group to authenticate. This would mean that only the machine would authenticate, but users would still have to authenticate at the logon prompt to the computer/network to do anything. This means the users would still be subjected to the same level of authentication and ONLY domain machines can get onto the wireless.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
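The per-client correlation that the controller's "enforce machine authentication" setting performs (and that NPS, as Colin says, cannot, since it judges each Access-Request alone), written out as an added Python example that is not code from this thread or from Aruba. The role names "authenticated" and "denyall" are the ones the thread configures; FULL_ACCESS_ROLE, the MAC addresses and the identities are constructed assumptions.

```python
import re
from typing import Optional

# Role names from the thread's 802.1X profile settings; the role used when
# both authentications pass is an assumption for this example.
DEFAULT_MACHINE_ROLE = "authenticated"  # Machine Authentication: Default Machine Role
DEFAULT_USER_ROLE = "denyall"           # Machine Authentication: Default User Role
FULL_ACCESS_ROLE = "corp-employee"      # assumed: the profile's normal 802.1X role

# A computer account shows up in RADIUS User-Name either as the EAP identity
# "host/name.domain" or as the SAM name "DOMAIN\name$" (trailing $).
MACHINE_ID_RE = re.compile(r"^(host/|[^\\]+\\[^\\]+\$$)", re.IGNORECASE)


def is_machine_identity(user_name: str) -> bool:
    """True when the RADIUS User-Name is a computer account, not a person."""
    return MACHINE_ID_RE.match(user_name) is not None


class EnforceMachineAuth:
    """Tracks, per client MAC, whether the computer account already passed.
    This is the state NPS does not keep between Access-Requests."""

    def __init__(self) -> None:
        self.machine_ok = set()  # MACs whose machine authentication succeeded

    def derive_role(self, mac: str, user_name: str, accepted: bool) -> Optional[str]:
        """Role the client lands in after this result, or None if denied."""
        mac = mac.lower()
        if not accepted:
            return None  # Access-Reject from NPS: client stays off the network
        if is_machine_identity(user_name):
            self.machine_ok.add(mac)
            return DEFAULT_MACHINE_ROLE  # machine passed, no user logged on yet
        if mac in self.machine_ok:
            return FULL_ACCESS_ROLE      # computer AND user passed on this MAC
        return DEFAULT_USER_ROLE         # valid AD user on a device that never
                                         # machine-authenticated, e.g. a phone


def replay_sample_events():
    """Constructed sample: the laptop from the thread boots and a user logs
    on, then the same user connects from a phone with the same AD account."""
    tracker = EnforceMachineAuth()
    events = [
        ("AA:BB:CC:00:00:01", "host/laptop1.corp.example", True),  # laptop boots
        ("aa:bb:cc:00:00:01", "CORP\\alice", True),                 # user logs on
        ("AA:BB:CC:00:00:02", "CORP\\alice", True),                 # phone, user only
    ]
    return [tracker.derive_role(*event) for event in events]
```

The phone ends up in denyall even though the AD account is valid, which is exactly the behaviour the poster observed after enabling the setting.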

Occasional Contributor I
Posts: 6
Registered: ‎08-17-2016

Re: Enforce Machine Authentication and user authentication with Windows NPS

So with this method, I don't even need to enable the option "enforce machine authentication" in the wireless controller, right? Only configure 1 policy in NPS for machine authentication and force users to use machine authentication only on their computers.
