cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
211
Views
10
Helpful
4
Replies
Highlighted
Beginner

Wireless dot1x client and user authentication by NPS

Hi Guys,

 

Our customer would like to accomplish this:
- Only specified domain users can connect to corporate SSID from domain PCs.

 

So:

- Non-domain clients (PCs) not allowed to connect to the corporate SSID at all. (regardless of the user)
- Users who are not members of the special group will not be able to connect to the corporate SSID from a domain PC nor.

 

They use AD infrastructure, there are WLC and NPS too, but there is no ISE server. Is it possible with NPS (without ISE)?
Do I think it will be necessary to use the PEAP-EAP-TLS protocol?
I am less familiar with Microsoft systems, if the above need can be resolved, can I ask for a description of the process to help the customer about the NPS / AD configuration?

 

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Advocate

Re: Wireless dot1x client and user authentication by NPS

This is quite a classic question, and one that only concerns Windows clients, since only Windows devices can be domain joined, and in addition, Windows clients have an additional distinction between Machine Authentication, and user Authentication. The job of any RADIUS server is made quite tricky here because, depending on configuration of the Windows client's supplicant (the config that determines how the 802.1X connection is made), the situation can unfold in a number of ways:

Supplicant set to Machine Auth Only

- machine boots up and associates to network before any user has logged in (using the machine creds of the domain joined PC)

- user A logs in - no network event occurs. user A then logs off

- user B logs in - no network event occurs

- PC goes to sleep mode - and then some time later, wakes up again - machine is now offline until user logs off or reboots

 

 

Supplicant set to User Auth Only

- machine boots up and has no network connectivity

- user A logs in - network event occurs to RADIUS server. user A then logs off. PC is offline again

- user B logs in - network event occurs to RADIUS server

- PC goes to sleep mode - and then some time later, wakes up again - machine is online again because supplicant sent EAPOL event

 

Supplicant set to Machine or User Auth

- mixture of above and requires that Machine Cert and user cert exists on each machine - in Windows you cannot mix EAP-TLS and EAP-PEAP - the EAP methods have to be the same for both types of authentication

 

Let's not even get started on moving from wired to wireless ... your RADIUS server will be thoroughly confused because now there is more than one MAC address involved, and if you did a machine auth on the LAN, then ISE/RADIUS does not care/know that you are ok when you want to associate to the Wi-Fi - it will assume your PC was never authenticated before.

 

I think you should stick with the machine auth for now and give that a try. Let NPS authenticate the machine at boot time and include an authorization condition to check whether the machine is a member of an AD Group (e.g. DomainComputers). It would be somewhat hard to not be a member of an AD Group if you're a domain computer ... but you get the point. Authorization policies that check for AD Security Group membership is possible in NPS. 

View solution in original post

4 REPLIES 4
Highlighted
VIP Mentor

Re: Wireless dot1x client and user authentication by NPS

for 802.1X implementation, you need to have a RADIUS server that does not matter if it is Cisco ISE or Microsoft NPS. So you should be able to get it working without Cisco ISE.

Here is a blog post on NPS that may help you

http://wifinigel.blogspot.com/2014/03/microsoft-nps-as-radius-server-for-wifi_15.html 

 

HTH

Rasika

*** Pls rates all useful responses ***

Highlighted
Beginner

Re: Wireless dot1x client and user authentication by NPS

That's a great post about setting up certificates, useful, thanks!

 

But my main question was is that possible RADIUS (in this case the NPS) made decision by these 2 parameters, and only send back accept, if all of these are true at the same time? (domain member user tries to join by user/pw from a domain machine)

 

If yes, how could we done this on NPS, is there a guide for that?

 

Thanks!

Highlighted
VIP Advocate

Re: Wireless dot1x client and user authentication by NPS

This is quite a classic question, and one that only concerns Windows clients, since only Windows devices can be domain joined, and in addition, Windows clients have an additional distinction between Machine Authentication, and user Authentication. The job of any RADIUS server is made quite tricky here because, depending on configuration of the Windows client's supplicant (the config that determines how the 802.1X connection is made), the situation can unfold in a number of ways:

Supplicant set to Machine Auth Only

- machine boots up and associates to network before any user has logged in (using the machine creds of the domain joined PC)

- user A logs in - no network event occurs. user A then logs off

- user B logs in - no network event occurs

- PC goes to sleep mode - and then some time later, wakes up again - machine is now offline until user logs off or reboots

 

 

Supplicant set to User Auth Only

- machine boots up and has no network connectivity

- user A logs in - network event occurs to RADIUS server. user A then logs off. PC is offline again

- user B logs in - network event occurs to RADIUS server

- PC goes to sleep mode - and then some time later, wakes up again - machine is online again because supplicant sent EAPOL event

 

Supplicant set to Machine or User Auth

- mixture of above and requires that Machine Cert and user cert exists on each machine - in Windows you cannot mix EAP-TLS and EAP-PEAP - the EAP methods have to be the same for both types of authentication

 

Let's not even get started on moving from wired to wireless ... your RADIUS server will be thoroughly confused because now there is more than one MAC address involved, and if you did a machine auth on the LAN, then ISE/RADIUS does not care/know that you are ok when you want to associate to the Wi-Fi - it will assume your PC was never authenticated before.

 

I think you should stick with the machine auth for now and give that a try. Let NPS authenticate the machine at boot time and include an authorization condition to check whether the machine is a member of an AD Group (e.g. DomainComputers). It would be somewhat hard to not be a member of an AD Group if you're a domain computer ... but you get the point. Authorization policies that check for AD Security Group membership is possible in NPS. 

View solution in original post

Highlighted
Beginner

Re: Wireless dot1x client and user authentication by NPS

That's a very clear and helpful answer, Thank You!

CreatePlease to create content
Content for Community-Ad

Cisco COVID-19 Survey