05-04-2020 07:53 AM - edited 07-05-2021 12:01 PM
Hi Guys,
Our customer would like to accomplish this:
- Only specified domain users can connect to the corporate SSID, and only from domain PCs.
So:
- Non-domain clients (PCs) are not allowed to connect to the corporate SSID at all (regardless of the user).
- Users who are not members of the special group cannot connect to the corporate SSID from a domain PC either.
They use an AD infrastructure; there are a WLC and NPS too, but there is no ISE server. Is it possible with NPS (without ISE)?
Do you think it will be necessary to use the PEAP-EAP-TLS protocol?
I am less familiar with Microsoft systems. If the above need can be resolved, can I ask for a description of the NPS / AD configuration process to help the customer?
Thanks!
05-05-2020 11:14 PM
This is quite a classic question, and one that only concerns Windows clients, since only Windows devices can be domain joined; in addition, Windows clients have an additional distinction between machine authentication and user authentication. The job of any RADIUS server is made quite tricky here because, depending on the configuration of the Windows client's supplicant (the config that determines how the 802.1X connection is made), the situation can unfold in a number of ways:
Supplicant set to Machine Auth Only
- machine boots up and associates to network before any user has logged in (using the machine creds of the domain joined PC)
- user A logs in - no network event occurs. user A then logs off
- user B logs in - no network event occurs
- PC goes to sleep mode - and then some time later, wakes up again - machine is now offline until user logs off or reboots
Supplicant set to User Auth Only
- machine boots up and has no network connectivity
- user A logs in - network event occurs to RADIUS server. user A then logs off. PC is offline again
- user B logs in - network event occurs to RADIUS server
- PC goes to sleep mode - and then some time later, wakes up again - machine is online again because supplicant sent EAPOL event
Supplicant set to Machine or User Auth
- mixture of the above, and requires that a machine cert and a user cert exist on each machine - in Windows you cannot mix EAP-TLS and EAP-PEAP - the EAP method has to be the same for both types of authentication
Let's not even get started on moving from wired to wireless ... your RADIUS server will be thoroughly confused because now there is more than one MAC address involved, and if you did a machine auth on the LAN, then ISE/RADIUS does not care/know that you are ok when you want to associate to the Wi-Fi - it will assume your PC was never authenticated before.
I think you should stick with the machine auth for now and give that a try. Let NPS authenticate the machine at boot time and include an authorization condition to check whether the machine is a member of an AD group (e.g. Domain Computers). It would be somewhat hard not to be a member of an AD group if you're a domain computer ... but you get the point. Authorization policies that check for AD security group membership are possible in NPS.
05-04-2020 02:12 PM
For an 802.1X implementation you need a RADIUS server; it does not matter whether it is Cisco ISE or Microsoft NPS. So you should be able to get it working without Cisco ISE.
Here is a blog post on NPS that may help you
http://wifinigel.blogspot.com/2014/03/microsoft-nps-as-radius-server-for-wifi_15.html
HTH
Rasika
*** Pls rate all useful responses ***
05-05-2020 08:17 AM - edited 05-05-2020 08:18 AM
That's a great post about setting up certificates, useful, thanks!
But my main question was: is it possible for RADIUS (in this case NPS) to make the decision based on these 2 parameters, and only send back an Accept if both are true at the same time? (a domain member user tries to join with user/password from a domain machine)
If yes, how could we do this on NPS? Is there a guide for that?
Thanks!
05-07-2020 11:16 PM
That's a very clear and helpful answer, thank you!