I assume you are only talking about Windows PCs since Macintosh either do machine only (System) authentication or User only (User or Login) authentication, but not both.
Microsoft designed their client RADIUS supplicant to do either machine or user authentication, but not both at the same time. Some wireless and RADIUS server vendors use different tricks to make both "sort of" work. I know Aruba controllers can cache the machine authentication and pair it with the user authentication, but we chose not to use that vendor-specific "hack". Bruce Osborne Network Engineer IT Network Services (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Heath Barnhart [mailto:heath.barnh...@washburn.edu] Sent: Wednesday, February 6, 2013 4:32 PM Subject: Re: using Microsoft Radius to authenticate user AND computer? Reading this technet<http://technet.microsoft.com/en-us/library/cc731220%28v=ws.10%29.aspx> page it looks like you can specify a condition of the computer being in a Machine Group and User being in User Group. I'm not an AD guy, so I don't understand the difference between the two groups, but as I recall different condition types are evaluated with an AND, so in theory you could do it that way. I'm interested in this as well, but haven't had time to play with it. Heath Barnhart, CCNA ITS Network Administrator Washburn University Topeka, KS On 02/06/2013 02:25 PM, Ashfield, Matt (NBCC) wrote: Hello We have Cisco 5508 controllers using Microsoft 2008r2 radius back-end. What we'd like to do is authenticate the device (make sure it is a domain PC) as well as the user (make sure they are a domain user). From what I can tell, it seems like we can do 1 or the other, but not both. It may be possible with a different Radius server from what I've read (Cisco ACS seems to have a wizard for this), but I'm wondering if anyone is doing this today using MSoft's radius server? Any info you can provide is appreciated. Thanks Matt ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
