Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?

  • 1.  Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?

    Posted Jul 19, 2016 08:37 AM

    Hi, Using Virtual Controller on Instant, I have configured an SSID with 802.1x to authenticate computers against Active Directory. This is working fine.

    The same Radius server, NPS on Server 2008R2, is configured to allow user authentication (needed for other reasons).

    Now, if employees connect to my "managed computers" SSID from eg their iPhone, they are prompted to log in with AD credentials, and then allowed through.

    I have looked at Access rules, and Roles, but the question is, can I limit authentication to Machine only on one SSID / VLAN, and User only on a different SSID / VLAN?

    I would appreciate a point in the right direction. I could set up a separate Radius server, but that doesn't feel very elegant!

    Many Thanks

    Adrian



  • 2.  RE: Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?



  • 3.  RE: Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?

    Posted Jul 19, 2016 10:02 AM

    Hi Colin, thanks for the reply. I am probably being thick, but I don't quite understand the two drop down options.

    When you check "enforce Machine Authentication" you get the two drop downs. One Machine auth only, and one User auth only.

    I don't want User Auth on this SSID, but I have to choose something for that...?

     

    Thanks

    Adrian



  • 4.  RE: Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?

    EMPLOYEE
    Posted Jul 19, 2016 10:10 AM

    If you already have your Windows clients configured for "Machine" only authentication, in your radius server, you would only need to allow users from the "domain computers" AD group and you would be done.  To recap, configure your windows clients for machine only authentication.  Configure your radius server to only allow authentication from the domain computers AD group.  If you do those two things, you will not need the IAP options from the knowledgebase article.

     

     



  • 5.  RE: Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?

    Posted Jul 19, 2016 10:17 AM

    Hi Colin, yes I get that, but the Radius server is currently used to authenticate users and Machines. The big BUT is that I want Machines on one SSID with unrestricted network access, and Users on a different SSID with restricted access.

    At present, though, Users can authenticate on the Machine SSID, and then have unrestricted network access.

    Plan B will be to set up a different Radius server for each group; I just wondered if I could lock down an SSID to only authenticate Machines, regardless of whether the Radius server is capable of authenticating Users...



  • 6.  RE: Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?
    Best Answer

    EMPLOYEE
    Posted Jul 19, 2016 11:20 AM

    The way to do this is to have one ssid and to have different roles depending on user or machine auth.

    The roles would have different levels of access and can even be different VLANs.
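    The two designs discussed in this thread can be modelled as RADIUS policy logic. The example below is added here and is not code from the thread, from HPE Aruba or from Microsoft NPS: it shows Colin's per-SSID approach (post 4, only "Domain Computers" may pass on the machine SSID, which closes the gap Adrian describes in post 5) next to the best-answer approach (one SSID, role and VLAN chosen by whether the credential was a machine or a user identity). The SSID names, the identity-to-group table, the role names and the VLAN IDs are constructed sample data; it relies on two real conventions, that Windows computer-account 802.1X presents its identity as `host/<fqdn>` and that wireless NAS devices send Called-Station-Id as `<AP-MAC>:<SSID>`, which is what an NPS policy condition would match on.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample data (not from the thread): the SSIDs under discussion and
# a stand-in for the AD group memberships the RADIUS server would look up.
MACHINE_SSID = "managed-computers"
USER_SSID = "staff-devices"

DIRECTORY: Dict[str, Set[str]] = {
    "host/laptop01.corp.example": {"Domain Computers"},
    "CORP\\adrian": {"Domain Users"},
}


def is_machine_identity(user_name: str) -> bool:
    """Windows computer-account 802.1X sends its identity as host/<fqdn>."""
    return user_name.lower().startswith("host/")


def ssid_from_called_station(called_station_id: str) -> str:
    """Wireless NAS devices commonly send Called-Station-Id as '<AP-MAC>:<SSID>'."""
    _mac, sep, ssid = called_station_id.partition(":")
    return ssid if sep else ""


@dataclass
class Decision:
    accept: bool
    reason: str
    role: Optional[str] = None   # Aruba user role name returned in a VSA
    vlan: Optional[str] = None   # VLAN returned via RFC 2868 tunnel attributes


def per_ssid_policy(request: Dict[str, str]) -> Decision:
    """Post 4: restrict the machine SSID to the Domain Computers group."""
    user = request["User-Name"]
    ssid = ssid_from_called_station(request["Called-Station-Id"])
    groups = DIRECTORY.get(user)
    if groups is None:
        return Decision(False, "unknown identity")
    if ssid == MACHINE_SSID:
        if is_machine_identity(user) and "Domain Computers" in groups:
            return Decision(True, "machine auth on machine SSID", "machine-full", "10")
        # The case from post 5: a user credential on the machine SSID is now rejected
        # instead of being admitted with unrestricted access.
        return Decision(False, "only Domain Computers may use the machine SSID")
    if ssid == USER_SSID:
        if "Domain Users" in groups:
            return Decision(True, "user auth on user SSID", "user-restricted", "20")
        return Decision(False, "only Domain Users may use the user SSID")
    return Decision(False, "no policy for SSID %r" % ssid)


def single_ssid_policy(request: Dict[str, str]) -> Decision:
    """Best answer (post 6): one SSID, role and VLAN chosen by the kind of credential."""
    user = request["User-Name"]
    groups = DIRECTORY.get(user)
    if groups is None:
        return Decision(False, "unknown identity")
    if is_machine_identity(user) and "Domain Computers" in groups:
        return Decision(True, "machine auth", "machine-full", "10")
    if "Domain Users" in groups:
        return Decision(True, "user auth", "user-restricted", "20")
    return Decision(False, "identity is in no permitted group")


def to_radius_attributes(decision: Decision) -> Dict[str, Optional[str]]:
    """Translate a decision into the reply attributes the controller acts on."""
    if not decision.accept:
        return {"Code": "Access-Reject"}
    return {
        "Code": "Access-Accept",
        "Aruba-User-Role": decision.role,      # vendor-specific role attribute
        "Tunnel-Type": "VLAN",                 # value 13 in RFC 2868
        "Tunnel-Medium-Type": "IEEE-802",      # value 6 in RFC 2868
        "Tunnel-Private-Group-ID": decision.vlan,
    }


if __name__ == "__main__":
    # Constructed request: an employee's phone joining the machine-only SSID.
    phone_on_machine_ssid = {
        "User-Name": "CORP\\adrian",
        "Called-Station-Id": "00-11-22-33-44-55:" + MACHINE_SSID,
    }
    print(per_ssid_policy(phone_on_machine_ssid))
    print(to_radius_attributes(single_ssid_policy(phone_on_machine_ssid)))
```

    The deciding input in both functions is the identity format rather than the SSID alone, which is why a single RADIUS server can serve both cases: the policy can tell a computer account from a user account and hand the controller a role, and the role (or VLAN) carries the access restriction.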

     



  • 7.  RE: Hi, Can I use one Radius server to authenticate machine or user depending on VLAN?

    Posted Jul 19, 2016 12:11 PM

    Thanks Michael and Colin, it's looking good now.

    Adrian