Matt,
Yes, without some extra feature either within your RADIUS server or your
wireless controller you can't enforce the AND. That is what Juniper does with
their bonded authentication and I have read that Aruba have a similar feature.
We no longer use MS IAS but I think you are right there is no such feature in
it. I have never used ACS so can't comment.
If you just want to prevent BYOD on specific networks then I would think
setting authentication to computer only and writing your IAS/NPS policy to only
accept usernames of the form host/xxx.your.AD.domain for connections on that
SSID should work. It means you can't use the RADIUS logs to discover who was
using a specific machine at a specific time - you have to cross match with
domain controller authentication logs for the actual user logon. Whether that
is an issue depends on your actual circumstances.
If you want to provide different VLANs depending on whether somebody is logged
on or the computer is just sitting there then you definitely need the extra
functionality.
Jonathan
--
----------------------------------------------------------------------
Jonathan Haynes
Senior Network Specialist
IT Department, Tel: Bedford (01234) 754205
Bld 63, Bedford (01234) 750111 Extn 4205
Cranfield University Fax: Bedford (01234) 751814
Wharley End,
Cranfield, e-mail: [email protected]
Beds, MK43 0AL.
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[email protected]] On Behalf Of Ashfield, Matt (NBCC)
Sent: 07 February 2013 15:39
To: [email protected]
Subject: Re: [WIRELESS-LAN] using Microsoft Radius to authenticate user AND
computer?
Thanks Jonathan.
We had the "User or Computer" feature working. However, what we discovered is
that you could take a non-domain computer and login. Then turn on wireless and
authenticate with valid user credentials. This results in a valid user
authenticated on your wireless, but from a non-valid machine (we are not at the
BYOD stage for our non-student networks yet). This could be partially
alleviated by requiring the user to validate the radius server cert (and having
that cert issued by an internal CA which can only be validated by domain
computers), however that's just a setting on the client wireless profile, and
can therefore be easily changed.
From googling around, it does seem like Cisco's ACS does have some
functionality available to support this user AND computer scenario, but I'm
not sure of the details on that, and it appears Msoft's Radius/NPS doesn't
have the same functionality.
Matt
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[email protected]] On Behalf Of Haynes, Jonathan
Sent: Thursday, February 07, 2013 10:49 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] using Microsoft Radius to authenticate user AND
computer?
Hi Matt,
I think you may be going to have a problem.
We used to do this but it relied on a feature in our wireless controller
(Trapeze, now Juniper) which may or may not be in other controllers. It also
caused problems. This was a few years ago so things may have improved although
I'm not aware of any changes that would solve the problems for us.
Windows can authenticate as user, computer or 'user and computer'. However
the latter means that it authenticates the user if someone is logged on and the
computer otherwise. So the sequence is that on boot the computer logs on and
then when a user logs on to the device the computer logs off and the user logs
on.
Juniper controllers have a feature called bonded authentication which means
that when a user logs on it then checks if there was a computer login from the
same device within the previous x seconds (x configurable default 60). Only if
this is the case is user authentication allowed to proceed.
The problem with this is that if somebody takes their device out of wireless
range or hibernates it then when it reconnects later only user authentication
is tried because the user has not logged off as far as the device is concerned.
This fails because no computer authentication took place recently enough.
Telling users that they must always shut down and not hibernate/sleep caused too
many complaints so we dropped bonded authentication.
Wherever you are doing this (in the controller or in the RADIUS server) needs
some sort of state table that remembers computer logons and pairs them with
later user logons.
This may become an issue with us again as there are now requests to review the
level of network access given to wireless devices which may well result in
different requirements for personal devices and University owned ones. My
thought was to probably turn domained devices to computer authentication only
(the username used for computer authentication is host/machine.fqdn so that can
be used to trigger sending appropriate RADIUS attributes for policy/VLAN etc.)
and use AD logs to determine who was logged on to a particular machine if there
are any issues.
Google for machine authentication and you will find a lot more information.
Jonathan
--
----------------------------------------------------------------------
Jonathan Haynes
Senior Network Specialist
IT Department, Tel: Bedford (01234) 754205
Bld 63, Bedford (01234) 750111 Extn 4205
Cranfield University Fax: Bedford (01234) 751814
Wharley End,
Cranfield, e-mail: [email protected]
Beds, MK43 0AL.
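The two mechanisms Jonathan describes above (a bonded-authentication state table that pairs a computer logon with a later user logon from the same device, and a computer-only SSID policy that accepts only host/machine.fqdn identities) are modelled in the following added example. It is not code from the list posts, from Juniper or from Microsoft NPS; it assumes the device is keyed by its MAC address, that the AD domain is the placeholder your.ad.domain, and all identities, MACs and timestamps are constructed. It also shows the two failure modes raised in the thread: a non-domain laptop presenting valid user credentials with no prior computer logon, and a device waking from hibernation whose computer logon is older than the bonding window.

```python
"""Model of bonded authentication and a computer-only SSID policy.

Added example, not from the mailing-list posts or any vendor product.
Constructed placeholders: AD_DOMAIN, the MAC addresses, identities and
timestamps used in the demo and tests.
"""
import re
from typing import Dict, List, Optional, Tuple

AD_DOMAIN = "your.ad.domain"  # placeholder for the real AD DNS domain

# Domain computers authenticate with an EAP identity of the form
# host/<hostname>.<ad-domain>; anything else is treated as a human user.
MACHINE_IDENTITY = re.compile(
    r"^host/[A-Za-z0-9-]+\." + re.escape(AD_DOMAIN) + r"$", re.IGNORECASE
)


def is_machine_identity(username: str) -> bool:
    """True if the RADIUS User-Name belongs to a domain computer account."""
    return MACHINE_IDENTITY.match(username) is not None


def computer_only_policy(username: str) -> str:
    """Policy for an SSID restricted to domain-joined machines.

    A valid user password on a non-domain device is still rejected, because
    only machine identities are allowed on this SSID at all. The trade-off is
    that the RADIUS log then names the machine, not the person; who was logged
    on has to come from the domain controller logs.
    """
    return "accept" if is_machine_identity(username) else "reject"


class BondedAuthTable:
    """State table pairing computer logons with later user logons per device."""

    def __init__(self, window_seconds: int = 60) -> None:
        self.window = window_seconds
        self._last_computer_logon: Dict[str, float] = {}

    def authenticate(self, mac: str, username: str, now: float) -> str:
        if is_machine_identity(username):
            # Computer logon: remember it so a following user logon can bond to it.
            self._last_computer_logon[mac] = now
            return "accept-computer"
        last: Optional[float] = self._last_computer_logon.get(mac)
        if last is not None and 0 <= now - last <= self.window:
            return "accept-user"
        # Either no computer logon was ever seen from this device (non-domain
        # laptop with valid user credentials), or the last one is older than
        # the window (device resumed from sleep and only re-tried user auth).
        return "reject-unbonded-user"


def run_sequence(table: BondedAuthTable,
                 events: List[Tuple[float, str, str]]) -> List[str]:
    """Feed (timestamp, mac, username) events through the table in order."""
    return [table.authenticate(mac, user, t) for t, mac, user in events]


# Constructed scenario covering both failure modes from the thread.
DEMO_EVENTS: List[Tuple[float, str, str]] = [
    (0.0, "aa:bb:cc:dd:ee:01", "host/lab-pc-01.your.ad.domain"),  # boot
    (30.0, "aa:bb:cc:dd:ee:01", "[email protected]"),           # user logs on
    (3600.0, "aa:bb:cc:dd:ee:01", "[email protected]"),         # resume from hibernate
    (10.0, "aa:bb:cc:dd:ee:02", "[email protected]"),           # non-domain laptop
]

if __name__ == "__main__":
    table = BondedAuthTable(window_seconds=60)
    for (t, mac, user), result in zip(DEMO_EVENTS, run_sequence(table, DEMO_EVENTS)):
        print(f"t={t:6.0f}s {mac} {user:35s} -> {result}")
    for ident in ("host/lab-pc-01.your.ad.domain", "[email protected]"):
        print(f"computer-only SSID: {ident:35s} -> {computer_only_policy(ident)}")
```

The third event is the complaint that made Cranfield drop bonded authentication: the user never logged off as far as Windows is concerned, so on reconnect only the user identity is tried and the table rejects it. Raising the window only delays the same failure; the computer-only SSID avoids the state table entirely at the cost of losing per-user names in the RADIUS log.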
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[email protected]] On Behalf Of Ashfield, Matt (NBCC)
Sent: 06 February 2013 20:26
To: [email protected]
Subject: [WIRELESS-LAN] using Microsoft Radius to authenticate user AND
computer?
Hello
We have Cisco 5508 controllers using Microsoft 2008r2 radius back-end. What
we'd like to do is authenticate the device (make sure it is a domain PC) as
well as the user (make sure they are a domain user). From what I can tell, it
seems like we can do 1 or the other, but not both. It may be possible with a
different Radius server from what I've read (Cisco ACS seems to have a wizard
for this), but I'm wondering if anyone is doing this today using MSoft's radius
server?
Any info you can provide is appreciated.
Thanks
Matt
********** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.