
Wireless dot1x client and user authentication by NPS

schulcz
Level 1

Hi Guys,

 

Our customer would like to accomplish this:
- Only specified domain users can connect to corporate SSID from domain PCs.

 

So:

- Non-domain clients (PCs) are not allowed to connect to the corporate SSID at all (regardless of the user).
- Users who are not members of the special group will not be able to connect to the corporate SSID from a domain PC either.

 

They use AD infrastructure, there are WLC and NPS too, but there is no ISE server. Is it possible with NPS (without ISE)?
Am I right in thinking it will be necessary to use the PEAP-EAP-TLS protocol?
I am less familiar with Microsoft systems; if the above need can be met, could I ask for a description of the process to help the customer with the NPS / AD configuration?

 

Thanks!

Accepted Solution

This is quite a classic question, and one that only concerns Windows clients, since only Windows devices can be domain joined, and in addition, Windows clients have an additional distinction between Machine Authentication, and user Authentication. The job of any RADIUS server is made quite tricky here because, depending on configuration of the Windows client's supplicant (the config that determines how the 802.1X connection is made), the situation can unfold in a number of ways:

Supplicant set to Machine Auth Only

- machine boots up and associates to network before any user has logged in (using the machine creds of the domain joined PC)

- user A logs in - no network event occurs. user A then logs off

- user B logs in - no network event occurs

- PC goes to sleep mode - and then some time later, wakes up again - machine is now offline until user logs off or reboots

 

 

Supplicant set to User Auth Only

- machine boots up and has no network connectivity

- user A logs in - network event occurs to RADIUS server. user A then logs off. PC is offline again

- user B logs in - network event occurs to RADIUS server

- PC goes to sleep mode - and then some time later, wakes up again - machine is online again because supplicant sent EAPOL event

 

Supplicant set to Machine or User Auth

- mixture of above and requires that a Machine Cert and a user cert exist on each machine - in Windows you cannot mix EAP-TLS and EAP-PEAP - the EAP methods have to be the same for both types of authentication

 

Let's not even get started on moving from wired to wireless ... your RADIUS server will be thoroughly confused because now there is more than one MAC address involved, and if you did a machine auth on the LAN, then ISE/RADIUS does not care/know that you are ok when you want to associate to the Wi-Fi - it will assume your PC was never authenticated before.

 

I think you should stick with the machine auth for now and give that a try. Let NPS authenticate the machine at boot time and include an authorization condition to check whether the machine is a member of an AD Group (e.g. DomainComputers). It would be somewhat hard to not be a member of an AD Group if you're a domain computer ... but you get the point. Authorization policies that check for AD Security Group membership are possible in NPS.

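As an added illustration (not code from the thread or from NPS), the following Python models how NPS evaluates the requests each supplicant mode above generates: policy names, group names, the single domain CORP and the host/<fqdn> to computer-account mapping are all assumptions.

```python
from dataclasses import dataclass
# Constructed AD group membership (assumed single domain CORP).
AD_GROUPS = {
    "CORP\\PC01$": {"Domain Computers"},
    "CORP\\alice": {"Domain Users", "WiFi-Users"},
    "CORP\\bob": {"Domain Users"},
}

@dataclass
class NetworkPolicy:
    name: str
    windows_groups: set   # NPS "Windows Groups" condition: any listed group matches
    grant: bool = True    # the policy's Access Permission

# Assumed policy order; NPS uses the first policy whose conditions match.
POLICIES = [
    NetworkPolicy("Corp-WiFi machine auth", {"Domain Computers"}),
    NetworkPolicy("Corp-WiFi user auth", {"WiFi-Users"}),
]

def account_for(user_name: str) -> str:
    """Map the RADIUS User-Name to the AD account that is authorized.
    Machine auth presents host/<fqdn>; user auth presents DOMAIN\\user."""
    if user_name.startswith("host/"):
        host = user_name[len("host/"):].split(".")[0].upper()
        return f"CORP\\{host}$"
    return user_name

def evaluate(user_name: str):
    """Return (matching policy name, access granted); no match means reject."""
    groups = AD_GROUPS.get(account_for(user_name), set())
    for p in POLICIES:
        if p.windows_groups & groups:
            return p.name, p.grant
    return None, False

def session_requests(mode: str, domain_pc: bool, user_name: str):
    """Requests NPS sees across boot and logon for one supplicant mode.
    A non-domain PC has no machine credential, so it sends no machine request."""
    reqs = []
    if mode in ("machine", "machine-or-user") and domain_pc:
        reqs.append("host/pc01.corp.example")
    if mode in ("user", "machine-or-user"):
        reqs.append(user_name)
    return reqs

def decide_session(mode: str, domain_pc: bool, user_name: str):
    # Each request carries one identity, so no single decision sees both facts.
    return [(r, *evaluate(r)) for r in session_requests(mode, domain_pc, user_name)]
```

Running `decide_session("user", False, "CORP\\alice")` grants alice from a non-domain PC, and `decide_session("machine", True, "CORP\\bob")` never receives bob's logon at all, which is the gap the answer describes.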


For an 802.1X implementation you need a RADIUS server; it does not matter whether it is Cisco ISE or Microsoft NPS. So you should be able to get it working without Cisco ISE.

Here is a blog post on NPS that may help you

http://wifinigel.blogspot.com/2014/03/microsoft-nps-as-radius-server-for-wifi_15.html 

 

HTH

Rasika

*** Pls rate all useful responses ***

That's a great post about setting up certificates, useful, thanks!

 

But my main question was: is it possible for RADIUS (in this case NPS) to make its decision based on these 2 parameters, and only send back an Accept if both are true at the same time? (a domain member user tries to join with user/password from a domain machine)

 

If yes, how could we do this on NPS? Is there a guide for that?

 

Thanks!

That's a very clear and helpful answer, Thank You!
