Hi Matt,
I think you may be going to have a problem.
We used to do this but it relied on a feature in our wireless controller
(Trapeze, now Juniper) which may or may not be in other controllers. It also
caused problems. This was a few years ago so things may have improved although
I'm not aware of any changes that would solve the problems for us.
Windows can authenticate as user, computer or 'user and computer'. However
the latter means that it authenticates the user if someone is logged on and the
computer otherwise. So the sequence is that on boot the computer logs on and
then when a user logs on to the device the computer logs off and the user logs
on.
Juniper controllers have a feature called bonded authentication which means
that when a user logs on it then checks if there was a computer login from the
same device within the previous x seconds (x configurable default 60). Only if
this is the case is user authentication allowed to proceed.
The problem with this is that if somebody takes their device out of wireless
range or hibernates it then when it reconnects later only user authentication
is tried because the user has not logged off as far as the device is concerned.
This fails because no computer authentication took place recently enough.
Telling users that they must always shut down and not hibernate/sleep caused too
many complaints so we dropped bonded authentication.
Wherever you are doing this (in the controller or in the RADIUS server) needs
some sort of state table that remembers computer logons and pairs them with
later user logons.
This may become an issue with us again as there are now requests to review the
level of network access given to wireless devices which may well result in
different requirements for personal devices and University owned ones. My
thought was to probably turn domained devices to computer authentication only
(the username used for computer authentication is host/machine.fqdn so that can
be used to trigger sending appropriate RADIUS attributes for policy/VLAN etc.)
and use AD logs to determine who was logged on to a particular machine if there
are any issues.
Google for machine authentication and you will find a lot more information.
Jonathan
--
----------------------------------------------------------------------
Jonathan Haynes
Senior Network Specialist
IT Department, Bld 63, Cranfield University, Wharley End, Cranfield, Beds, MK43 0AL.
Tel: Bedford (01234) 754205
Bedford (01234) 750111 Extn 4205
Fax: Bedford (01234) 751814
e-mail: [email protected]
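The state table Jonathan describes (a computer logon recorded per device, a later user logon accepted only if that record is within the bonding window) is easy to reason about once written down. The following Python model is an added example, not code from the thread or from any controller or RADIUS product; it assumes the client MAC (RADIUS Calling-Station-Id) is the key used to decide "same device", uses the host/ prefix to recognise computer credentials as the reply notes, and the VLAN numbers, machine name and user name are constructed. It walks through the exact sequence that caused the complaints: boot, user logon, hibernate, and a later reconnect where only user authentication is tried.

```python
"""Model of the 'bonded authentication' state table described in the reply above.

A computer (machine) 802.1X logon is recorded per device; a later user logon from
the same device is allowed only if a machine logon was seen within the bonding
window. The device key, VLAN values, names and timestamps are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEFAULT_BOND_WINDOW = 60.0  # seconds; the configurable "x" with its default of 60


@dataclass
class AuthRequest:
    username: str         # "host/pc01.example.ac.uk" for computer auth, "EXAMPLE\\alice" for user auth
    calling_station: str  # client MAC as carried in Calling-Station-Id (assumed pairing key)
    timestamp: float      # seconds on the authenticator's clock


def is_machine_identity(username: str) -> bool:
    """Windows presents computer credentials as host/<machine fqdn>."""
    return username.lower().startswith("host/")


class BondedAuthTable:
    def __init__(self, window: float = DEFAULT_BOND_WINDOW) -> None:
        self.window = window
        # calling_station -> (timestamp, machine name) of the most recent computer logon
        self._machine_logons: Dict[str, Tuple[float, str]] = {}

    def decide(self, req: AuthRequest) -> Tuple[str, dict]:
        """Return ("accept" | "reject", attributes or reason) for one Access-Request."""
        if is_machine_identity(req.username):
            self._machine_logons[req.calling_station] = (req.timestamp, req.username)
            # Computer-only policy: the host/ identity alone drives the attributes
            # returned (VLAN 20 is a constructed value).
            return "accept", {"Tunnel-Private-Group-Id": "20", "policy": "domain-computer"}

        seen = self._machine_logons.get(req.calling_station)
        if seen is None:
            return "reject", {"reason": "no computer logon seen for this device"}
        age = req.timestamp - seen[0]
        if age > self.window:
            # This is the hibernate/out-of-range case: the user never logged off,
            # so no fresh computer logon precedes the reconnect.
            return "reject", {"reason": f"last computer logon {age:.0f}s ago exceeds {self.window:.0f}s window"}
        return "accept", {"Tunnel-Private-Group-Id": "30", "policy": "domain-user", "bonded_to": seen[1]}

    def expire(self, now: float) -> int:
        """Drop records older than the window so the table does not grow unbounded."""
        stale = [mac for mac, (ts, _) in self._machine_logons.items() if now - ts > self.window]
        for mac in stale:
            del self._machine_logons[mac]
        return len(stale)


def run_scenario(window: float = DEFAULT_BOND_WINDOW) -> List[str]:
    """Boot, user logon, hibernate, reconnect: the sequence the reply describes."""
    table = BondedAuthTable(window)
    mac = "00-11-22-33-44-55"  # constructed client MAC
    events = [
        AuthRequest("host/pc01.example.ac.uk", mac, 0.0),   # computer logs on at boot
        AuthRequest("EXAMPLE\\alice", mac, 20.0),            # user logs on 20 s later: bonded
        AuthRequest("EXAMPLE\\alice", mac, 3620.0),          # resume from hibernate: user auth only
    ]
    return [table.decide(e)[0] for e in events]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

Running `run_scenario()` gives accept, accept, reject: the third request is rejected purely because the bonding record is stale, even though the user and computer are both legitimate, which is the behaviour that drove the support complaints. Widening the window only postpones the problem; the honest fix is either to drop the pairing (computer-only authentication keyed on the host/ identity, as the reply suggests) or to force a fresh computer logon on resume, which Windows does not do while a user session persists.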
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[email protected]] On Behalf Of Ashfield, Matt (NBCC)
Sent: 06 February 2013 20:26
To: [email protected]
Subject: [WIRELESS-LAN] using Microsoft Radius to authenticate user AND computer?
Hello
We have Cisco 5508 controllers using Microsoft 2008r2 radius back-end. What
we'd like to do is authenticate the device (make sure it is a domain PC) as
well as the user (make sure they are a domain user). From what I can tell, it
seems like we can do 1 or the other, but not both. It may be possible with a
different Radius server from what I've read (Cisco ACS seems to have a wizard
for this), but I'm wondering if anyone is doing this today using MSoft's radius
server?
Any info you can provide is appreciated.
Thanks
Matt
********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
**********