New Contributor

Radius + AD + Machine auth before user logon

Hello everyone!

After much research, I can't find a way to use machine authentication on my WLAN.

I would like to allow machines to join the SSID without using user credentials, but the AD machine account.

The objective is to build an automatic connection to a specific SSID before the user uses his credentials.

At the moment it's not working, and here is what I see in the controller logs:

<ERRS> |authmgr|  RADIUS reject for station host/SC54052.informatique.prod b4:ae:2b:cc:d7:4c from server RADIUS.

Any help will be appreciated!

Thanks

Guru Elite

Re: Radius + AD + Machine auth before user logon

- Which RADIUS server are you using?

- Look at the reject message on the RADIUS server to see what the problem is. Typically you would have to allow authentication from the "Domain Computers" AD group...


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
New Contributor

Re: Radius + AD + Machine auth before user logon

Hello and thanks for the reply.

I'm using a 2008R2 NPS.

I've done some tests, and I almost did what I wanted to.

I'm now able to use machine authentication, so users (on Win10) can now access the SSID without using their credentials, and before opening their sessions.

For that, I changed the wireless setting to use "machine authentication" instead of "user authentication OR machine authentication".

But the behavior I would like to have is:

 - First check if the machine is in AD; if yes, then OK for connection

 - If the machine is not in AD, ask for credentials

So I have my two network policies:

 - The first one checks if the machine is in AD

 - The second checks if the user is in AD

But when I use "user authentication OR machine authentication", it asks first for credentials.

And every credential that I tried doesn't work.

I have to open my Windows session, and then I can connect.

Hope my explanations are clear...


Guru Elite

Re: Radius + AD + Machine auth before user logon

But the behavior i would like to have is :
 - First check if machine is in AD, if yes, then ok for connection
 - If Machine is not in AD, ask for credentials

The combination of the NPS server/Windows client does not have the logic to do what you are asking. NPS can only process a single authentication at a time and cannot combine user and machine authentication to make a decision.

If you use machine authentication ONLY on the client, the client machine will get an IP address at the ctrl-alt-delete prompt, and Windows will ask the user to authenticate. The authentication that Windows asks for is not passed through to the wireless network over RADIUS; it is submitted through the existing connection that the machine obtained through machine authentication. If the user does not have a valid username/password, they will not be able to get into the machine, but the machine will have an IP address and can be managed at the ctrl-alt-delete prompt. So, if you use machine authentication only, domain machines configured this way will not let non-domain users access machines over wireless.

If you want non-domain machines to connect, you have to set up their wireless connection as "user only", but do not allow Windows to automatically submit credentials (under PEAP). Non-domain machines typically have a user's personal credentials that they set up, which are not domain credentials, so you want the user to be prompted when connecting to the wireless...

I hope that makes sense.

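The two replies above make one point that is easy to lose in the thread: each RADIUS Access-Request carries a single EAP identity (host/<FQDN> for machine authentication, a plain username for user authentication), and NPS matches that one identity against its network policies in order. The following script is an added example, not code from the thread or from NPS, that models that behaviour and triages controller reject lines in the format quoted at the top of the thread. The sample log lines, the AD group table and the two policies are constructed for the example; the policy names and the "first matching Windows Groups condition decides" rule are a simplified model of NPS processing, not its actual implementation.

```python
import re

# Constructed sample lines in the format quoted earlier in this thread (not from a real controller).
SAMPLE_LOG = (
    "<ERRS> |authmgr|  RADIUS reject for station host/SC54052.informatique.prod "
    "b4:ae:2b:cc:d7:4c from server RADIUS.\n"
    "<ERRS> |authmgr|  RADIUS reject for station jdoe 00:11:22:33:44:55 from server RADIUS.\n"
)

REJECT_RE = re.compile(
    r"RADIUS reject for station (?P<identity>\S+) "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) from server (?P<server>\S+)"
)


def parse_reject(line):
    """Return identity, MAC and RADIUS server from one controller reject line, or None."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None


def identity_kind(identity):
    """Windows sends 'host/<FQDN>' as the EAP identity for machine auth; anything else is a user."""
    return "machine" if identity.lower().startswith("host/") else "user"


def account_name(identity):
    """Map the EAP identity to the sAMAccountName NPS looks up in AD:
    host/PC.domain.tld -> PC$ ; a user identity is used as-is."""
    if identity_kind(identity) == "machine":
        host = identity.split("/", 1)[1].split(".", 1)[0]
        return host.upper() + "$"
    return identity


# Hypothetical NPS network policies in processing order: (policy name, required Windows group).
POLICIES = [
    ("Machine auth", "Domain Computers"),
    ("User auth", "Domain Users"),
]


def evaluate(identity, ad_groups):
    """Simplified model of NPS policy processing for ONE Access-Request: policies are tried
    in order and the first whose Windows Groups condition matches the account decides.
    The request carries one identity, so machine and user membership are never combined."""
    groups = ad_groups.get(account_name(identity), set())
    for name, group in POLICIES:
        if group in groups:
            return (name, "accept")
    return (None, "reject")


def triage_rejects(log_text, ad_groups):
    """Parse reject lines and say, under the model above, why each identity was rejected."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if rec is None:
            continue
        account = account_name(rec["identity"])
        policy, verdict = evaluate(rec["identity"], ad_groups)
        if verdict == "reject":
            hint = (f"{account} matched no policy: check its AD group membership and the "
                    f"Windows Groups condition of the intended policy")
        else:
            hint = (f"{account} would match '{policy}' by group; the reject reason is elsewhere, "
                    f"see the NPS event log for the actual reason code")
        findings.append({
            "identity": rec["identity"], "mac": rec["mac"], "kind": identity_kind(rec["identity"]),
            "account": account, "model_verdict": verdict, "hint": hint,
        })
    return findings


if __name__ == "__main__":
    # Constructed membership: the user is in Domain Users, the machine account is missing
    # from Domain Computers, which reproduces the machine reject seen in the thread.
    groups = {"jdoe": {"Domain Users"}}
    for f in triage_rejects(SAMPLE_LOG, groups):
        print(f"{f['kind']:8} {f['account']:10} {f['model_verdict']:7} {f['hint']}")
```

Running it prints one line per reject: the machine identity maps to SC54052$, matches no policy in the constructed group table, and gets the "check group membership" hint, while the user identity would have matched the user policy, so the hint points at the NPS event log instead. The same model shows why "user OR machine" cannot express "accept if the machine is in AD, otherwise prompt the user": the client picks one identity per connection attempt, and NPS sees only that one.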
New Contributor

Re: Radius + AD + Machine auth before user logon

Yes, that totally does make sense.

If my understanding is right, the "use machine or user auth" is kind of a useless setting then?

Actually, my boss prefers that only machines in AD can access the WiFi. So using "machine auth" only is a good solution for us.

Others will have to use our guest hotspot, like it should be (which makes sense too).

Thanks again for your help!

Guru Elite

Re: Radius + AD + Machine auth before user logon

Correct!