Actually, this is something I too am trying to set up. Craig, would you mind sharing your IAS setup with me as well? I have been tasked with doing this setup, however I am not even sure where to begin. E.g., do I need a CA, or can this just be performed through straight RADIUS using PEAP? Perhaps it is something else? I am in the very early stages of looking at this, but we have a 2003 & 2008 IAS setup.
Thanks!

-dan

Daniel Foerst
Network & Security
The Catholic University of America
Washington, DC 20064

On 2/7/13 9:06 AM, "Ashfield, Matt (NBCC)" <[email protected]> wrote:

>What Craig is saying is what we *thought* we had working. We must be
>missing something in our setup. Craig, would it be possible to contact
>you or someone in your shop offline of this list to discuss?
>
>Thanks
>
>Matt
>
>-----Original Message-----
>From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>[mailto:[email protected]] On Behalf Of Craig Pluchinsky
>Sent: Thursday, February 07, 2013 8:53 AM
>To: [email protected]
>Subject: Re: [WIRELESS-LAN] using Microsoft Radius to authenticate user
>AND computer?
>
>We do something like this with laptops. The machines are a member of a
>domain and have a group policy set that "Authentication Mode" is User or
>Computer authentication. Then on the radius server (Microsoft IAS) we
>have a rule for computers and a rule for domain users. When the laptop
>is first turned on it auths as the computer account. When the user logs
>in it re-auths as the user account.
>
>
>-------------------------------
>Craig Pluchinsky
>IT Services
>Indiana University of Pennsylvania
>724-357-3327
>
>
>On Thu, 7 Feb 2013, Ashfield, Matt (NBCC) wrote:
>
>>
>> Well ideally, the scenario we'd like is:
>>
>> Computer boots up to login screen. User logs in, and is at that point
>> (or earlier) connected/authenticated to wifi by way of having
>> authenticated the computer and the user credentials. At that point,
>> login scripts and whatnot are able to run as the windows OS loads.
>>
>> I'm sure this is not a unique situation. Is anyone else doing something
>> similar?
>>
>> Thanks
>>
>> Matt
>>
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:[email protected]] On Behalf Of Heath
>> Barnhart
>> Sent: Wednesday, February 06, 2013 5:32 PM
>> To: [email protected]
>> Subject: Re: [WIRELESS-LAN] using Microsoft Radius to authenticate user
>> AND computer?
>>
>> Reading this technet page it looks like you can specify a condition of
>> the computer being in a Machine Group and User being in User Group.
>> I'm not an AD guy, so I don't understand the difference between the
>> two groups, but as I recall different condition types are evaluated
>> with an AND, so in theory you could do it that way. I'm interested in
>> this as well, but haven't had time to play with it.
>>
>> Heath Barnhart, CCNA
>> ITS Network Administrator
>> Washburn University
>> Topeka, KS
>>
>> On 02/06/2013 02:25 PM, Ashfield, Matt (NBCC) wrote:
>>
>> Hello
>>
>> We have Cisco 5508 controllers using Microsoft 2008r2 radius back-end.
>> What we'd like to do is authenticate the device (make sure it is a
>> domain PC) as well as the user (make sure they are a domain user).
>> From what I can tell, it seems like we can do 1 or the other, but not
>> both. It may be possible with a different Radius server from what I've
>> read (Cisco ACS seems to have a wizard for this), but I'm wondering if
>> anyone is doing this today using MSoft's radius server?
>>
>> Any info you can provide is appreciated.
>>
>> Thanks
>>
>> Matt
>>
>> ********** Participation and subscription information for this
>> EDUCAUSE Constituent Group discussion list can be found at
>> http://www.educause.edu/groups/.
