We do something like this with laptops. The machines are members of a domain and have a group policy set so that "Authentication Mode" is User or Computer authentication. Then on the RADIUS server (Microsoft IAS) we have a rule for computers and a rule for domain users. When the laptop is first turned on it auths as the computer account. When the user logs in it re-auths as the user account.

-------------------------------
Craig Pluchinsky
IT Services
Indiana University of Pennsylvania
724-357-3327


On Thu, 7 Feb 2013, Ashfield, Matt (NBCC) wrote:


Well ideally, the scenario we’d like is:

Computer boots up to login screen. User logs in, and is at that point (or earlier) connected/authenticated to wifi by way of having authenticated the computer and the user credentials. At that point, login scripts and whatnot are able to run as the windows OS loads.

I’m sure this is not a unique situation. Is anyone else doing something similar?

Thanks

Matt

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Heath Barnhart
Sent: Wednesday, February 06, 2013 5:32 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] using Microsoft Radius to authenticate user AND computer?

 

Reading this TechNet page it looks like you can specify a condition of the computer being in a Machine Group and User being in User Group. I'm not an AD guy, so I don't understand the difference between the two groups, but as I recall different condition types are evaluated with an AND, so in theory you could do it that way. I'm interested in this as well, but haven't had time to play with it.


Heath Barnhart, CCNA

ITS Network Administrator

Washburn University

Topeka, KS


On 02/06/2013 02:25 PM, Ashfield, Matt (NBCC) wrote:

Hello


We have Cisco 5508 controllers using Microsoft 2008r2 radius back-end. What we’d like to do is authenticate the device (make sure it is a domain PC) as well as the user (make sure they are a domain user). From what I can tell, it seems like we can do 1 or the other, but not both. It may be possible with a different Radius server from what I’ve read (Cisco ACS seems to have a wizard for this), but I’m wondering if anyone is doing this today using MSoft’s radius server?

 

Any info you can provide is appreciated.

Thanks

Matt

 

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
