New Contributor

NPS policy question. Require user to be on domain computer.

Is it possible to create a RADIUS rule that requires a user to be in a security group and be using a domain-joined computer?

I created a policy that contains the security group the user is in and I added the computer group "Domain Computers", but this does not work. Security logs show the user is not matching any network policies.

My WiFi policy on the client machine is set to use user or computer authentication. I am running an Aruba 3400, Windows 2K8 R2 NPS.


Thanks

Wayne B. 

Guru Elite

Re: NPS policy question. Require user to be on domain computer.

It is not possible in NPS. The problem is NPS only acts on the current authentication (user) and not the status of the device that the user is authenticating from (Is this device part of the domain or has it authenticated as a machine in the past?). Other RADIUS platforms like ClearPass Policy Manager allow you to do this.

As an alternative, you can use "Enforce Machine Authentication" on the controller to solve part of your issue: https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-801



Colin Joseph
Aruba Customer Engineering

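To make concrete why the controller can combine the two results while NPS cannot, here is an added illustrative model (not Aruba code and not from this thread) of how an enforce-machine-authentication cache works: the RADIUS server sees each authentication in isolation, while the controller remembers per client MAC whether a machine authentication succeeded and uses that when the user later authenticates. The role names, the per-MAC cache and the 24-hour cache timeout are assumptions chosen for the example.

```python
from dataclasses import dataclass, field


@dataclass
class EnforceMachineAuth:
    """Model of controller-side role derivation with enforce machine auth.

    NPS answers each RADIUS request on its own, so it cannot tell whether
    the device a user logs in from ever passed machine authentication.
    The controller keeps that state itself, keyed by client MAC.
    """
    machine_only_role: str = "machine-only"   # assumed role: machine passed, no user yet
    user_only_role: str = "user-restricted"   # assumed role: user passed from unjoined device
    cache_timeout: float = 24 * 3600          # assumed timeout (seconds) for cached machine auth
    _machine_cache: dict = field(default_factory=dict)  # mac -> time of last machine auth

    def machine_authenticated(self, mac: str, now: float) -> str:
        # Machine account (host/…) passed on the RADIUS server; remember it for this MAC.
        self._machine_cache[mac] = now
        return self.machine_only_role

    def machine_auth_valid(self, mac: str, now: float) -> bool:
        seen = self._machine_cache.get(mac)
        return seen is not None and now - seen <= self.cache_timeout

    def user_authenticated(self, mac: str, server_role: str, now: float) -> str:
        # User account passed on the RADIUS server. Only if this MAC also has a
        # fresh machine authentication does the full server-derived role apply.
        if self.machine_auth_valid(mac, now):
            return server_role
        return self.user_only_role


# Constructed walkthrough: a domain-joined laptop boots (machine auth), then
# the user logs on; a personal device only ever presents user credentials.
enforcer = EnforceMachineAuth()
laptop_role = enforcer.user_authenticated(
    "aa:bb:cc:00:00:01", "employee", now=enforcer.machine_authenticated("aa:bb:cc:00:00:01", 0) and 600)
byod_role = enforcer.user_authenticated("aa:bb:cc:00:00:02", "employee", now=600)
```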

Contributor I

Re: NPS policy question. Require user to be on domain computer.

How are we supposed to do this with CPPM without machine enforcement?

I can only think of allowing user authentication, then using the profiler option that would test with WMI if the machine belongs to the domain and cast the new role.

Or run machine authentication, then use the NAC agent in auth mode to authenticate the user afterwards and change the role.

Is there a better way? I am facing the same NPS issue here and we are trying to sell the CPPM option.

Guru Elite

Re: NPS policy question. Require user to be on domain computer.

This is only possible when combining Computer + User authentication in the supplicant.

The other alternative would be machine certificates.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Contributor I

Re: NPS policy question. Require user to be on domain computer.

Excuse me for my lack of understanding, but what do you mean by machine certificates? Deploy certs to do EAP-TTLS, authenticating the machine with the cert and then the user with the inner method? If this is the case, it won't do, since I have Windows 7 machines too that do not support EAP-TTLS out of the box (W8+ do).

Also, do you think my two previous proposals (WMI profiling or NAC-based double auth) could work, or are they just wishful thinking?

Sorry, I always have so many questions on this matter. It would be awesome if you could write one of those masterpieces you do on this topic of customers wanting to restrict network access by both machine and user using the standard Windows supplicant (shameless request for your spare time to be wasted on our problems).

[EDITED] I think I messed up my EAP-TTLS concepts. No machine certs for EAP-TTLS, I believe. Reading through the RFC now to learn (https://tools.ietf.org/html/rfc5281). Still confused on the machine certs.
