On 6 February 2013 20:25, Ashfield, Matt (NBCC) <[email protected]> wrote:
> Hello
>
> We have Cisco 5508 controllers using Microsoft 2008r2 radius back-end. What
> we'd like to do is authenticate the device (make sure it is a domain PC) as
> well as the user (make sure they are a domain user). From what I can tell,
> it seems like we can do one or the other, but not both. It may be possible
> with a different Radius server from what I've read (Cisco ACS seems to have
> a wizard for this), but I'm wondering if anyone is doing this today using
> MSoft's radius server?
I don't think there is an EAP method that will simultaneously *authenticate* both machine and user passwords. However, you can probably achieve what you want by using PEAP with SoH enabled: the user would be authenticated and the machine name would be sent to the radius server as part of the authn. You could then check the machine name in your radius server policy (but note there is nothing to stop the user configuring a home machine to have a name equal to one of your machines. You could potentially match on something more binding, e.g. MS-Correlation-ID, though...).

All the client functionality to do this is built into Windows. Refer to the Microsoft docs, or the "client configuration" section here for a concise version of how to enable it: https://github.com/alandekok/freeradius-server/blob/master/doc/SoH.txt

Radius server side: MS NPS must support the SoH stuff [IAS probably not], but whether its policy is flexible enough to do this I don't know. You could certainly do this with FreeRADIUS.
An example of the extra attributes you get when a user auths with PEAP, and SoH is enabled on their client:

Packet-Type = Access-Request
SoH-Supported = yes
SoH-MS-Machine-OS-vendor = Microsoft
SoH-MS-Machine-OS-version = 6
SoH-MS-Machine-OS-release = 1
SoH-MS-Machine-OS-build = 7600
SoH-MS-Machine-SP-version = 0
SoH-MS-Machine-SP-release = 0
SoH-MS-Machine-Processor = x86
SoH-MS-Machine-Name = "it999999.ads.bris.ac.uk"
SoH-MS-Correlation-Id = 0x5e293730acad480681e353df6f5749ee01ce05531eebb281
SoH-MS-Machine-Role = client
SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=0 up2date=1 enabled=1"
SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=0"
SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=0 up2date=1 enabled=1"
SoH-MS-Windows-Health-Status = "antispyware ok snoozed=0 microsoft=1 up2date=1 enabled=1"
SoH-MS-Windows-Health-Status = "auto-updates ok action=install by-policy=1"
SoH-MS-Windows-Health-Status = "security-updates ok all-installed"
User-Name = "<redacted>@bris.ac.uk"
Calling-Station-Id = "00:26:b6:ff:ff:ff"
Called-Station-Id = "18:33:9d:ff:ff:ff:eduroam"
NAS-Port = 13
Cisco-AVPair = "audit-session-id=ac116bccfffa26dd5113d663"
NAS-IP-Address = 172.17.107.254
NAS-Identifier = "wism4"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "999"

Kind regards,
James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk

--
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
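As an added illustration, not part of James's post and not FreeRADIUS or NPS code, here is a small Python policy evaluator that parses an attribute dump like the one above and applies the kind of check he describes: the SoH machine name must carry the trusted domain suffix and appear in an inventory, and the firewall and antivirus health lines must show an enabled, up-to-date product. The trusted suffix, the inventory set and the User-Name value are assumptions; the sample request is constructed from the post's dump.

```python
import re

# Constructed sample modelled on the attribute dump in the post above;
# the User-Name is made up because the post redacted it.
SAMPLE_REQUEST = """\
SoH-Supported = yes
SoH-MS-Machine-Name = "it999999.ads.bris.ac.uk"
SoH-MS-Correlation-Id = 0x5e293730acad480681e353df6f5749ee01ce05531eebb281
SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=0 up2date=1 enabled=1"
SoH-MS-Windows-Health-Status = "firewall ok snoozed=0 microsoft=1 up2date=1 enabled=0"
SoH-MS-Windows-Health-Status = "antivirus ok snoozed=0 microsoft=0 up2date=1 enabled=1"
User-Name = "user@bris.ac.uk"
"""

ATTR_RE = re.compile(r'^\s*([\w:-]+)\s*=\s*(.*?)\s*$')

def parse_attributes(text):
    """Map attribute name -> list of values (multi-valued attributes repeat)."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # strip the quoting used for strings
        attrs.setdefault(name, []).append(value)
    return attrs

def parse_health(status):
    """'firewall ok snoozed=0 ... enabled=1' -> ('firewall', {'enabled': '1', ...})."""
    parts = status.split()
    flags = dict(p.split('=', 1) for p in parts[2:] if '=' in p)
    return parts[0], flags

def evaluate(attrs, trusted_suffix, known_machines, required=('firewall', 'antivirus')):
    """Return (accept, reasons). The machine name is an identity hint, not proof."""
    reasons = []
    if attrs.get('SoH-Supported') != ['yes']:
        return False, ['client sent no SoH']
    name = attrs.get('SoH-MS-Machine-Name', [''])[0].lower()
    if not name.endswith(trusted_suffix):
        reasons.append('machine name outside %s' % trusted_suffix)
    if name not in known_machines:
        reasons.append('machine name not in inventory')
    health = {}
    for entry in attrs.get('SoH-MS-Windows-Health-Status', []):
        comp, flags = parse_health(entry)
        health.setdefault(comp, []).append(flags)
    # Windows reports one line per registered product; accept a component
    # when any of its products is both enabled and up to date.
    for comp in required:
        if not any(f.get('enabled') == '1' and f.get('up2date') == '1'
                   for f in health.get(comp, [])):
            reasons.append('%s not enabled and up to date' % comp)
    return not reasons, reasons
```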
