What Craig is saying is what we *thought* we had working. We must be missing 
something in our setup. Craig, would it be possible to contact you or someone 
in your shop offline of this list to discuss?

Thanks

Matt

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Craig Pluchinsky
Sent: Thursday, February 07, 2013 8:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] using Microsoft Radius to authenticate user AND 
computer?

We do something like this with laptops.  The machines are members of a domain 
and have a group policy set so that "Authentication Mode" is User or Computer 
authentication.  Then on the RADIUS server (Microsoft IAS) we have a rule for 
computers and a rule for domain users.  When the laptop is first turned on it 
auths as the computer account.  When the user logs in it re-auths as the user 
account.


-------------------------------
Craig Pluchinsky
IT Services
Indiana University of Pennsylvania
724-357-3327


On Thu, 7 Feb 2013, Ashfield, Matt (NBCC) wrote:

> 
> Well ideally, the scenario we’d like is:
> 
> Computer boots up to login screen. User logs in, and is at that point 
> (or earlier) connected/authenticated to wifi by way of having 
> authenticated the computer and the user credentials. At that point, login 
> scripts and whatnot are able to run as the windows OS loads.
> 
> I’m sure this is not a unique situation. Is anyone else doing something 
> similar?
>
> Thanks
> 
> Matt
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Heath 
> Barnhart
> Sent: Wednesday, February 06, 2013 5:32 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] using Microsoft Radius to authenticate user AND 
> computer?
>
> Reading this TechNet page, it looks like you can specify a condition of 
> the computer being in a Machine Group and User being in User Group. 
> I'm not an AD guy, so I don't understand the difference between the 
> two groups, but as I recall different condition types are evaluated with an 
> AND, so in theory you could do it that way. I'm interested in this as well, 
> but haven't had time to play with it.
> 
> 
> Heath Barnhart, CCNA
> 
> ITS Network Administrator
> 
> Washburn University
> 
> Topeka, KS
> 
> 
> On 02/06/2013 02:25 PM, Ashfield, Matt (NBCC) wrote:
> 
> Hello
> 
> 
> We have Cisco 5508 controllers using a Microsoft 2008r2 RADIUS back-end. 
> What we’d like to do is authenticate the device (make sure it is a 
> domain PC) as well as the user (make sure they are a domain user). 
> From what I can tell, it seems like we can do 1 or the other, but not both. 
> It may be possible with a different RADIUS server from what I’ve read (Cisco 
> ACS seems to have a wizard for this), but I’m wondering if anyone is doing 
> this today using MSoft’s RADIUS server?
>
> Any info you can provide is appreciated.
>
> Thanks
>
> Matt
>
> ********** Participation and subscription information for this 
> EDUCAUSE Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> 
> 
> 
>
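
A simplified model of the two setups discussed in this thread, added here as an illustration and not taken from any poster's configuration. It assumes policies are tried in order with the first match winning, that conditions inside one policy are ANDed, and that each 802.1X session presents a single identity (computer or user); all account, group and policy names are constructed.

```python
# Simplified model of first-match RADIUS network-policy evaluation.
# Every name below (groups, accounts, policy labels) is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    identity: str      # what the supplicant presented in this 802.1X session
    kind: str          # "computer" or "user": one session, one identity
    groups: frozenset

@dataclass(frozen=True)
class Policy:
    name: str
    machine_groups: frozenset = frozenset()   # satisfied only by a computer account
    user_groups: frozenset = frozenset()      # satisfied only by a user account

    def matches(self, req):
        # Conditions inside one policy are ANDed (assumption stated in the lead-in).
        if self.machine_groups and not (req.kind == "computer" and req.groups & self.machine_groups):
            return False
        if self.user_groups and not (req.kind == "user" and req.groups & self.user_groups):
            return False
        return True

def evaluate(policies, req):
    """Return the name of the first matching policy, or None (reject)."""
    for p in policies:
        if p.matches(req):
            return p.name
    return None

DOMAIN_COMPUTERS = frozenset({"Domain Computers"})
DOMAIN_USERS = frozenset({"Domain Users"})

# Two rules, one for computers and one for users (the setup Craig describes).
TWO_RULES = [Policy("computers", machine_groups=DOMAIN_COMPUTERS),
             Policy("users", user_groups=DOMAIN_USERS)]
# One rule carrying both conditions (the idea Heath raises).
ONE_RULE = [Policy("both", machine_groups=DOMAIN_COMPUTERS, user_groups=DOMAIN_USERS)]

boot = Request("host/LAPTOP01.example.edu", "computer", DOMAIN_COMPUTERS)
logon = Request("EXAMPLE\\jdoe", "user", DOMAIN_USERS)

def session_log(policies):
    """Policy hit for the boot-time machine auth, then for the user re-auth."""
    return [evaluate(policies, boot), evaluate(policies, logon)]

if __name__ == "__main__":
    print("two rules:", session_log(TWO_RULES))
    print("one rule :", session_log(ONE_RULE))
```

In this model the two-rule setup accepts each session on its own rule, so the user rule matches a domain user's session without reference to the device it came from, while the single combined rule matches neither session.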
