Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Machine Authentication Fail

  • 1.  Machine Authentication Fail

    Posted Jul 03, 2013 12:34 AM

    Dear All,

    Is there any way to have enforce machine authentication and server derivation (with NPS) work together?

    I have a problem with my customer: every time they change their password, they are unable to log in again. They have to use a cable or log in with their old password, connect to an SSID with less security (PSK), and do gpupdate... then voilà, they are able to log on with their new password.

    I found out that machine authentication does not work, because when the client logs off and I press ctrl+alt+del, I can't ping them (just to see whether the machine is connected to the network or not).

    I disabled "enforce machine authentication" because when I use that setting, server derivation does not work.



  • 2.  RE: Machine Authentication Fail

    EMPLOYEE
    Posted Jul 03, 2013 05:25 AM

    Machine Authentication should take place when the user logs out of the network, and the laptop should be able to get an IP address at the ctrl-alt-delete prompt.  Do you see the machine authentication happen when the user logs out?  If that is not happening, you need to make sure your wireless settings have your client authenticate as a user AND computer.  Your client should be able to change his/her password at the login prompt.

    If you have everything configured and it is still not working, the only reason would be that the machine role and the full 802.1x role have different VLANs, which breaks the connection on login.  Please make sure the machine does not switch VLANs when the user is logging into the network.

     



  • 3.  RE: Machine Authentication Fail

    Posted Jul 03, 2013 05:39 AM

    Yes, I already made sure the client setting is OK. I even checked the Single Sign-On option.

    Could you elaborate more on the reply below? I don't quite understand it.

    "If you have everything configured and it is still not working, the only reason would be that the machine role and the full 802.1x role have different VLANs and breaks the connection on login.  Please make sure the machine does not switch VLANs when the user is logging into the network."



  • 4.  RE: Machine Authentication Fail

    EMPLOYEE
    Posted Jul 03, 2013 05:49 AM

    @wreqenize wrote:

    Yes, I already made sure the client setting is OK. I even checked the Single Sign-On option.

    Could you elaborate more on the reply below? I don't quite understand it.

    "If you have everything configured and it is still not working, the only reason would be that the machine role and the full 802.1x role have different VLANs and breaks the connection on login.  Please make sure the machine does not switch VLANs when the user is logging into the network."


    You FIRST have to make sure that you see the machine authentication happening on the RADIUS server when the user logs out, OR boots up to the CTRL-ALT-DEL screen.  Do you see that in the Event Viewer?

     



  • 5.  RE: Machine Authentication Fail

    Posted Jul 03, 2013 07:24 AM

    I saw the event at the RADIUS server (it shows the machine ID, not the username), but the request was denied. The reason said: The connection request did not match any configured network policy.

    I already put the Machine Group: Domain Computers in the Policies.

    But user authentication works fine without any problems. After login, the user is able to connect as usual, but when I sign out, the connection is lost.



  • 6.  RE: Machine Authentication Fail
    Best Answer

    EMPLOYEE
    Posted Jul 03, 2013 07:50 AM

    You need to create a separate remote access policy on NPS, exactly like the other one, but it allows the AD Group DOMAIN computers.  You cannot simply add Domain Computers to the AD Group.

     

    You can also try removing the Windows user groups from the rule entirely to see if that works, but you should do the suggestion above.
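    The denial text quoted above (reason code 48 on NPS event 6273, "The connection request did not match any configured network policy") can be pulled out of the Security log to confirm whether it is the computer account, rather than the user, that no policy admits. The script below is an added example for this thread, not code from the original posts or from HPE Aruba; it assumes it runs on the NPS server (or a collector holding its forwarded Security log) with rights to read that log, and the `$Hours` and `$ReasonCode` parameters are this example's own.

```powershell
# Added example, not from the thread: audit NPS denials that look like failed
# machine authentication. Assumes it runs on the NPS server (or a box holding
# the forwarded Security log) with rights to read the Security log.
# Event 6273 = "Network Policy Server denied access to a user".
# Reason code 48 = "The connection request did not match any configured
# network policy", the text quoted in this thread.
param(
    [int]$Hours = 24,
    [int]$ReasonCode = 48
)

$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 6273; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    if ([int]$d['ReasonCode'] -ne $ReasonCode) { continue }

    # Machine authentication sends the computer account, which shows up as
    # either "host/pc.domain.local" or "DOMAIN\PC$" (trailing dollar sign).
    $account = $d['FullyQualifiedSubjectUserName']
    if (-not $account) { $account = $d['SubjectUserName'] }
    $isMachine = $account -like 'host/*' -or $account -match '\$$'

    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $account
        IsMachine      = $isMachine
        Policy         = $d['NetworkPolicyName']   # empty when nothing matched
        Reason         = $d['Reason']
        CallingStation = $d['CallingStationID']   # usually the client MAC
    }
}

# Machine-account denials with no matching policy are exactly the symptom in
# this thread: the computer account has no network policy that admits it.
$machineDenials = @($rows | Where-Object IsMachine)
$machineDenials | Sort-Object Time -Descending | Format-Table -AutoSize

"$($machineDenials.Count) machine-auth denials (reason $ReasonCode) in the last $Hours h"
```

    Run it before and after adding the Domain Computers policy: the machine-account rows should disappear once a policy above the user policy matches them, while any remaining rows for `DOMAIN\user` identities point at the user policy instead.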



  • 7.  RE: Machine Authentication Fail

    Posted Jul 04, 2013 03:53 AM

    Success with the above solution.

    I created another policy (named Machine Authentication Policy) and put Domain Computers in the Remote Access Policy inside the policy I created earlier. Then I put that policy above the other policy (the policy that grants user authentication), so the policy will allow machine authentication first; after that, when the user logs in, it will go to the second policy that allows user authentication.

    Can't believe that support in this forum is faster than the TAC. I mailed them a couple of days ago and their reply just asked for log-download.tar; no further response since then.

    Thanks Colin..



  • 8.  RE: Machine Authentication Fail

    Posted Jul 04, 2013 05:02 AM

    One more problem...

    After applying the above step, I found some clients having their Wireless Profile setting automatically set to "Computer Authentication" only, not "User or computer authentication" (802.1x setting --> specify authentication mode).

    The problem is, when they are using "Computer Authentication" they are stuck in a role they shouldn't be in. Also the GPO Wallpaper is not working when this problem occurs.

    But when I change the authentication mode to "User or computer authentication", they are able to get the role they should.

    This problem happens if I remove the Wireless Profile, then reconnect to the SSID.



  • 9.  RE: Machine Authentication Fail

    EMPLOYEE
    Posted Jul 04, 2013 06:32 AM

    @wreqenize wrote:

    One more problem...

    After applying the above step, I found some clients having their Wireless Profile setting automatically set to "Computer Authentication" only, not "User or computer authentication" (802.1x setting --> specify authentication mode).

    The problem is, when they are using "Computer Authentication" they are stuck in a role they shouldn't be in. Also the GPO Wallpaper is not working when this problem occurs.

    But when I change the authentication mode to "User or computer authentication", they are able to get the role they should.

    This problem happens if I remove the Wireless Profile, then reconnect to the SSID.


    You are correct.  When you connect a domain computer to an 802.1x WLAN, Windows 7 automatically chooses Computer Authentication Only, which breaks your functionality.  Using a GPO to push out WLAN configuration is the best thing.  http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-How-to-create-a-Wireless-Group-Policy-on-Windows-2008/td-p/11768



  • 10.  RE: Machine Authentication Fail

    Posted Jul 04, 2013 08:39 AM

    Is there any other way out besides creating a GPO for the wireless profile?

    It's kind of a long way to ask my customer to create a new GPO.



  • 11.  RE: Machine Authentication Fail

    EMPLOYEE
    Posted Jul 04, 2013 08:42 AM

    They would have to visit everyone's computer to make sure it is configured right.  If the computer is not configured using an image or group policy, anybody can delete or change the settings and break things...  I am not aware of any other way you can fix everyone's computer without touching them.

     

    They should seriously look into group policy.
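    Whether a client's saved profile came from Windows auto-creating it (which, as noted above, lands on Computer Authentication only) or from the GPO, the setting that matters is the OneX `authMode` element in the exported profile XML: `machine` is "Computer authentication" only, `machineOrUser` is "User or computer authentication". The script below is an added example for this thread, not code from the original posts or from HPE Aruba; it assumes `netsh wlan` is available, that the shell is elevated when `-Fix` is used, and the `-Fix` switch and working folder are this example's own. It is an audit and one-off repair tool for a handful of machines; the group policy recommended above is still what keeps the setting from being changed or deleted.

```powershell
# Added example, not from the thread: list every saved WLAN profile on a
# Windows client and report its 802.1X authMode; with -Fix, rewrite 'machine'
# (Computer Authentication only) to 'machineOrUser' (User or computer
# authentication) and re-import the profile. Assumes netsh wlan is available
# and the shell is elevated for the -Fix path.
param(
    [switch]$Fix
)

$work = Join-Path $env:TEMP 'wlan-authmode-audit'
New-Item -ItemType Directory -Path $work -Force | Out-Null
# Export all saved profiles as XML (no key material is needed for this check).
netsh wlan export profile folder="$work" | Out-Null

# Namespaces used by the Windows WLAN profile schema and the OneX (802.1X) block.
$ns = @{
    w    = 'http://www.microsoft.com/networking/WLAN/profile/v1'
    onex = 'http://www.microsoft.com/networking/OneX/v1'
}

foreach ($file in Get-ChildItem -Path $work -Filter '*.xml') {
    [xml]$doc = Get-Content -Raw -Path $file.FullName
    $ssid = $doc.WLANProfile.name

    $onex = Select-Xml -Xml $doc -Namespace $ns -XPath '//onex:OneX' | Select-Object -First 1
    if (-not $onex) {
        "{0,-30} not 802.1X (PSK/open), skipped" -f $ssid
        continue
    }

    $modeNode = Select-Xml -Xml $doc -Namespace $ns -XPath '//onex:OneX/onex:authMode' | Select-Object -First 1
    # Per the OneX schema, a missing authMode means machineOrUser.
    $mode = if ($modeNode) { $modeNode.Node.InnerText } else { 'machineOrUser' }
    "{0,-30} authMode = {1}" -f $ssid, $mode

    if ($Fix -and $mode -eq 'machine') {
        # Only the 'machine' case is rewritten; 'user' profiles are left alone
        # because that is a deliberate choice, not the Windows auto-created value.
        $modeNode.Node.InnerText = 'machineOrUser'
        $doc.Save($file.FullName)
        # netsh replaces an existing profile of the same name; user=all makes it
        # an all-user profile so machine auth can run before anyone logs on.
        netsh wlan add profile filename="$($file.FullName)" user=all
    }
}
```

    A profile that prints `authMode = machine` for the 802.1x SSID is the case described in this thread; after `-Fix` (or after the GPO applies) it should read `machineOrUser`, and the client should pick up an address at the ctrl-alt-del screen again.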



  • 12.  RE: Machine Authentication Fail

    Posted Jul 04, 2013 09:14 AM

    Thanks...

    I'll try to push them to create the GPO tomorrow morning, so the GPO will update all clients ASAP.

    One more little note: I'm able to connect some Win 7 users by changing the Authentication Mode to "User or Computer" auth, but this does not happen with Win 8 users. They stay at "Limited" when I change the Authentication Mode, even when the IP is changed to their assigned VLAN. The Event Viewer says all granted (User and Machine). Still figuring out whether this problem comes from NPS or from Win 8.

    Thanks anyway. I'll get back here soon after the GPO is pushed to the clients.