Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Enforce Machine Authentication and user authentication with Windows NPS

  • 1.  Enforce Machine Authentication and user authentication with Windows NPS

    Posted Aug 18, 2016 03:33 AM

    I have read through all posts regarding machine authentication, but still couldn't figure out how to do it... Perhaps someone can enlighten me... Our setup is as below:


    -Windows 2008 (RADIUS server) + Aruba controller (without ClearPass)

    -We need to ensure "user authentication and machine authentication", so that only domain computers can connect to the corporate wireless.


    Sounds simple. I know I need to configure "enforce machine authentication" in the 802.1X profile and set up the NPS policy properly, but I couldn't find the details for the questions below:


    1. Machine Authentication: Default Machine Role: what should I set it to? (Set up a role and then assign a VLAN to it?)
    2. Machine Authentication: Default User Role: what should I set it to? (Set up a role and then assign a VLAN to it?)
    3. In the NPS policy, I have added a condition that only these groups (domain computers and domain users) can access.
    4. In the NPS RADIUS attributes, I have configured tunnel-type as VLAN and assigned VLAN 100 for users once authentication is successful.

    So far only user authentication is working. As I can see from the NPS logs, when the computer boots up and tries to use machine authentication, the NPS logs show that (Domain\Computer_name) has been denied access.

    I really have no idea what needs to be configured for machine authentication to kick in...



  • 2.  RE: Enforce Machine Authentication and user authentication with Windows NPS

    EMPLOYEE
    Posted Aug 18, 2016 06:09 AM
    In NPS, you need a policy that looks for the group Domain Computers.


  • 3.  RE: Enforce Machine Authentication and user authentication with Windows NPS

    Posted Aug 18, 2016 09:13 PM

    Right now I have only 1 policy in NPS, which allows domain computers and domain users to access. So should I separate it into 2 policies? 1 for domain computers and 1 for domain users?

    (Attached screenshot: NPS.JPG)



  • 4.  RE: Enforce Machine Authentication and user authentication with Windows NPS

    Posted Aug 19, 2016 04:15 AM

    I have configured 2 policies, 1 for the user group (domain users) and 1 for the machine group (domain computers), and my laptop is able to access via machine authentication, but when I use my phone to log in, I am still able to access with my user authentication. How should I make it so that only domain computers can log in?



  • 5.  RE: Enforce Machine Authentication and user authentication with Windows NPS

    Posted Aug 20, 2016 02:13 AM

    I wanted to achieve the same thing at one time and discovered you cannot achieve that with RADIUS and NPS. It is only possible to test one condition with NPS, that is, are they a valid user or is it a valid device. It is not possible to test both conditions. So if they pass one they will be allowed to connect. I'm not fully sure of the technical reasons for the limitation.



  • 6.  RE: Enforce Machine Authentication and user authentication with Windows NPS

    Posted Aug 22, 2016 08:47 PM

    I have configured 2 policies in NPS, 1 for domain users and the other for domain computers, and also enabled enforce machine authentication. Machine Authentication: Default Machine Role is configured as authenticated, and Machine Authentication: Default User Role as denyall. Have I configured it correctly? And I noticed from the RADIUS server event viewer that when I boot up my computer and log in, I get 2 events for machine authentication (successful login) and 2 events for user authentication (successful login). Also, I can't log in using my phone now with a valid AD account.



  • 7.  RE: Enforce Machine Authentication and user authentication with Windows NPS

    Posted Aug 22, 2016 08:59 PM
    In order to allow non-domain devices you need to put another one besides the denyall on the default user role auth.


  • 8.  RE: Enforce Machine Authentication and user authentication with Windows NPS

    Posted Aug 22, 2016 11:52 PM

    My objective is to allow only domain computers and domain users to access, so non-domain devices are not allowed to connect.



  • 9.  RE: Enforce Machine Authentication and user authentication with Windows NPS

    EMPLOYEE
    Posted Aug 23, 2016 04:35 AM

    You cannot do that with NPS. NPS can only check one authentication at a time, so it cannot "remember" if the device a user is on successfully machine authenticated before a user authentication.

    The only way to sort of do this is to set up your laptops to only authenticate with machine credentials and in your NPS policy only allow the "Domain Computers" group to authenticate. This would mean that only the machine would authenticate, but users would still have to authenticate at the logon prompt to the computer/network to do anything. This means the users would still be subjected to the same level of authentication and ONLY domain machines can get onto the wireless.
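    The gap described in this answer (NPS judges each request on its own, while the controller's "enforce machine authentication" remembers, per client MAC, that a machine authentication succeeded before it grants the user role) can at least be audited after the fact from the RADIUS logs. The script below is an added example, not part of this thread or any NPS/Aruba tooling; it assumes a constructed, simplified `key=value` log line format (real NPS logs are IAS or XML format and would need a different parser) and flags user authentications from a MAC that had no accepted machine authentication within a time window, which is exactly the case of a phone with a valid AD account.

    ```python
    from datetime import datetime, timedelta

    # Constructed sample in a simplified key=value form, NOT real NPS IAS/XML output.
    # Fields: timestamp, User-Name, Calling-Station-Id (client MAC), NPS result.
    SAMPLE_LOG = """\
    2016-08-22 08:01:05 user=CORP\\LAPTOP01$ mac=00-11-22-33-44-55 result=Access-Accept
    2016-08-22 08:01:40 user=CORP\\alice mac=00-11-22-33-44-55 result=Access-Accept
    2016-08-22 08:05:12 user=CORP\\alice mac=AA-BB-CC-DD-EE-FF result=Access-Accept
    2016-08-22 08:07:30 user=CORP\\LAPTOP02$ mac=00-11-22-33-44-66 result=Access-Reject
    2016-08-22 08:08:00 user=CORP\\bob mac=00-11-22-33-44-66 result=Access-Accept
    """


    def parse_line(line):
        """Split one constructed log line into a record dict."""
        ts_str, rest = line[:19], line[20:]
        fields = dict(kv.split("=", 1) for kv in rest.split())
        return {
            "ts": datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S"),
            "user": fields["user"],
            "mac": fields["mac"].upper(),
            "accepted": fields["result"] == "Access-Accept",
        }


    def is_machine_account(user):
        """Machine auth presents the computer account (DOMAIN\\HOST$ or host/fqdn)."""
        return user.endswith("$") or user.lower().startswith("host/")


    def find_user_auth_without_machine_auth(log_text, window=timedelta(hours=24)):
        """Return (user, mac) pairs accepted as users whose MAC had no accepted
        machine auth within `window` beforehand. This mirrors the controller-side
        machine-auth cache check that NPS on its own cannot perform."""
        last_machine_ok = {}  # MAC -> timestamp of last accepted machine auth
        findings = []
        for raw in log_text.splitlines():
            if not raw.strip():
                continue
            rec = parse_line(raw)
            if not rec["accepted"]:
                continue  # rejects never populate the cache
            if is_machine_account(rec["user"]):
                last_machine_ok[rec["mac"]] = rec["ts"]
                continue
            prior = last_machine_ok.get(rec["mac"])
            if prior is None or rec["ts"] - prior > window:
                findings.append((rec["user"], rec["mac"]))
        return findings
    ```

    Running `find_user_auth_without_machine_auth(SAMPLE_LOG)` on the constructed sample reports alice's phone and bob's laptop (whose machine auth was rejected) while alice's laptop, machine-authenticated 35 seconds earlier, passes.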



  • 10.  RE: Enforce Machine Authentication and user authentication with Windows NPS

    Posted Aug 24, 2016 11:21 PM

    So with this method, I don't even need to enable the option "enforce machine authentication" in the wireless controller, right? Only configure 1 policy in NPS for machine authentication and force users to use machine authentication only on their computers.



  • 11.  RE: Enforce Machine Authentication and user authentication with Windows NPS

    Posted Aug 15, 2019 12:09 AM

    Old thread but can NPS still only do one condition?



  • 12.  RE: Enforce Machine Authentication and user authentication with Windows NPS

    EMPLOYEE
    Posted Aug 15, 2019 05:50 AM

    I cannot check user and computer group.