Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius + AD + Machine auth before user logon

  • 1.  Radius + AD + Machine auth before user logon

    Posted Sep 08, 2016 04:54 AM

    Hello everyone!

    After much research, I can't find a way to use machine authentication on my WLAN.

    I would like to allow machines to join the SSID without using user credentials, but the AD machine account.

    The objective is to build an automatic connection to a specific SSID before the user uses his credentials.

    At the moment, it's not working, and here is what I saw in the controller logs:

    <ERRS> |authmgr|  RADIUS reject for station host/SC54052.informatique.prod b4:ae:2b:cc:d7:4c from server RADIUS.

    Any help will be appreciated!

    Thanks



  • 2.  RE: Radius + AD + Machine auth before user logon

    EMPLOYEE
    Posted Sep 08, 2016 05:15 AM

    - Which radius server are you using?

    - Look at the reject message on the Radius Server to see what the problem is.  Typically you would have to allow authentication from the "Domain Computers" AD group...



  • 3.  RE: Radius + AD + Machine auth before user logon

    Posted Sep 08, 2016 05:46 AM

    Hello and thanks for the reply.

    I'm using a 2008R2 NPS.

    I've done some tests, and I almost did what I wanted to.

    I'm now able to use machine authentication, so users (on Win10) can now access the SSID without using their credentials, and before opening their sessions.

    For that, I changed the wireless setting to use "machine authentication" instead of "user authentication OR machine authentication".

    But the behavior I would like to have is:
     - First check if the machine is in AD; if yes, then OK for connection
     - If the machine is not in AD, ask for credentials

    So I have my two network policies:
     - The first one checks if the machine is in AD
     - The second checks if the user is in AD

    But when I use "user authentication OR machine authentication", it asks first for credentials.
    And every credential that I tried doesn't work.
    I have to open my Windows session, and then I can connect.

    Hope my explanations are clear...

     



  • 4.  RE: Radius + AD + Machine auth before user logon
    Best Answer

    EMPLOYEE
    Posted Sep 08, 2016 06:10 AM
    But the behavior I would like to have is:
     - First check if the machine is in AD; if yes, then OK for connection
     - If the machine is not in AD, ask for credentials

    The combination of the NPS server/Windows client does not have the logic to do what you are asking. NPS can only process a single authentication at a time and cannot combine user and machine authentication to make a decision.

    If you use machine authentication ONLY on the client, the client machine will get an IP address at the Ctrl-Alt-Delete prompt, and Windows will ask the user to authenticate. The authentication that Windows asks for is not passed through to the wireless network over RADIUS; it is submitted through the existing connection that the machine obtained through machine authentication. If the user does not have a valid username/password, they will not be able to get into the machine, but the machine will have an IP address and can be managed at the Ctrl-Alt-Delete prompt. So, if you use machine authentication only, domain machines configured this way will not let non-domain users access machines over wireless.

    If you want non-domain machines to connect, you have to set up their wireless connection as "user only", but do not allow Windows to automatically submit credentials (under PEAP). Non-domain machines typically have a user's personal credentials that they set up, that are not domain credentials, so you want the user to be prompted when connecting to the wireless...

    I hope that makes sense.
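    Added example (not part of the thread, and not HPE Aruba or Microsoft code): the two client-side settings the answer above turns on are stored in the Windows WLAN profile XML, so an admin can verify what each saved profile actually does rather than trusting the GUI. The script below reads the 802.1X authMode (machine, machineOrUser or user) and, where the PEAP/MSCHAPv2 config is present, whether the Windows logon credentials are auto-submitted. It assumes Windows PowerShell 5.1 or later with netsh available; the profile name CORP-SSID, the export folder and the trimmed EAP section in the sample are placeholders I constructed, not a real export.

```powershell
# Added example, not from the thread: audit Windows WLAN profiles for the 802.1X
# authMode (machine / machineOrUser / user) and for PEAP auto-submission of the
# Windows logon credentials, the two client-side settings discussed above.
# Assumptions: Windows PowerShell 5.1 or later; "netsh wlan" available; the
# profile name CORP-SSID and the export folder are placeholders.

function Get-WlanAuthMode {
    param([Parameter(Mandatory)][xml]$Profile)

    $name = $Profile.WLANProfile.name
    $sec  = $Profile.WLANProfile.MSM.security
    $onex = $sec.OneX

    if (-not $onex) {
        # No <OneX> block: PSK or open network, so no RADIUS/NPS policy applies
        return [pscustomobject]@{
            Profile              = $name
            AuthMode             = 'n/a'
            AutoSubmitLogonCreds = 'n/a'
            Note                 = "Not 802.1X ($($sec.authEncryption.authentication)); NPS is not consulted"
        }
    }

    # The OneX schema treats a missing <authMode> as machineOrUser
    $mode = if ($onex.authMode) { [string]$onex.authMode } else { 'machineOrUser' }

    $note = switch ($mode) {
        'machine'       { 'Computer account only: connects before logon; non-domain devices cannot join' }
        'machineOrUser' { 'Computer account before logon, then a separate user EAP exchange at logon; NPS evaluates each on its own' }
        'user'          { 'User credentials only: no connectivity until a user authenticates' }
        default         { "Unrecognised authMode '$mode'" }
    }

    # PEAP/MSCHAPv2 "automatically use my Windows logon name and password" is the
    # <UseWinLogonCredentials> element inside the EAP config; namespace-agnostic
    # XPath finds it regardless of how deeply the export nests it
    $auto = $Profile.SelectNodes("//*[local-name()='UseWinLogonCredentials']") |
            ForEach-Object { $_.InnerText }
    $autoText = if ($auto) { ($auto -join ',') } else { 'not set' }

    [pscustomobject]@{
        Profile              = $name
        AuthMode             = $mode
        AutoSubmitLogonCreds = $autoText
        Note                 = $note
    }
}

function Get-ExportedWlanAuthModes {
    param([string]$Folder = (Join-Path $env:TEMP 'wlan-export'))
    New-Item -ItemType Directory -Force -Path $Folder | Out-Null
    # Exports every saved profile as one XML file; without key=clear no PSK is written
    netsh wlan export profile folder="$Folder" | Out-Null
    Get-ChildItem -Path $Folder -Filter '*.xml' | ForEach-Object {
        Get-WlanAuthMode -Profile ([xml](Get-Content -Raw -Path $_.FullName))
    }
}

# Constructed sample profile (machine-only, as the original poster ended up using).
# The EAP section is trimmed to the one element this script inspects; a real
# netsh export nests it inside several more EapHostConfig levels.
$sampleProfile = [xml]@'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CORP-SSID</name>
  <SSIDConfig><SSID><name>CORP-SSID</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machine</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <UseWinLogonCredentials xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">false</UseWinLogonCredentials>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

# Offline run against the constructed sample: AuthMode = machine, AutoSubmitLogonCreds = false
Get-WlanAuthMode -Profile $sampleProfile | Format-List

# On a real client, audit every saved profile:
# Get-ExportedWlanAuthModes | Format-Table -AutoSize
```

    A profile that reports machineOrUser is the "user authentication OR machine authentication" setting from post 3; one that reports user with AutoSubmitLogonCreds = true is the case the answer warns about for non-domain machines, because Windows will push whatever local credentials it has at the RADIUS server instead of prompting.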

     

     



  • 5.  RE: Radius + AD + Machine auth before user logon

    Posted Sep 08, 2016 06:16 AM

    Yes, that totally does make sense.

    If my understanding is right, the "use machine or user auth" is kind of a useless setting then?

    Actually, my boss prefers that only machines in AD can access the WiFi. So using "machine auth" only is a good solution for us.
    Others will have to use our guest hotspot, like it should be (which makes sense too).

    Thanks again for your help!



  • 6.  RE: Radius + AD + Machine auth before user logon

    EMPLOYEE
    Posted Sep 08, 2016 06:26 AM

    Correct!