Matt, I know Aruba wireless has a setting to enforce machine authentication. That means that machine authentication must succeed before the user authentication will be allowed. Other wireless vendors may have a similar setting. I do not know of any similar setting for Cisco IOS, though.
We do not use this feature because we allow student computers on our secure network.

Bruce Osborne
Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Ashfield, Matt (NBCC) [mailto:matt.ashfi...@nbcc.ca]
Sent: Thursday, February 7, 2013 10:39 AM
Subject: Re: using Microsoft Radius to authenticate user AND computer?

Thanks Jonathan. We had the "User or Computer" feature working. However, what we discovered is that you could take a non-domain computer and log in, then turn on wireless and authenticate with valid user credentials. This results in a valid user authenticated on your wireless, but from a non-valid machine (we are not at the BYOD stage for our non-student networks yet). This could be partially alleviated by requiring the user to validate the RADIUS server cert (and having that cert issued by an internal CA which can only be validated by domain computers); however, that's just a setting on the client wireless profile, and can therefore be easily changed.

From googling around, it does seem like Cisco's ACS does have some functionality available to support this user AND computer scenario, but I'm not sure of the details on that, and it appears Msoft's Radius/NPS doesn't have the same functionality.

Matt

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Haynes, Jonathan
Sent: Thursday, February 07, 2013 10:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] using Microsoft Radius to authenticate user AND computer?

Hi Matt,

I think you may be going to have a problem. We used to do this but it relied on a feature in our wireless controller (Trapeze, now Juniper) which may or may not be in other controllers. It also caused problems. This was a few years ago so things may have improved, although I'm not aware of any changes that would solve the problems for us.

Windows can authenticate as user, computer or 'user and computer'. However, the latter means that it authenticates the user if someone is logged on and the computer otherwise. So the sequence is that on boot the computer logs on, and then when a user logs on to the device the computer logs off and the user logs on.

Juniper controllers have a feature called bonded authentication, which means that when a user logs on it then checks if there was a computer login from the same device within the previous x seconds (x configurable, default 60). Only if this is the case is user authentication allowed to proceed. The problem with this is that if somebody takes their device out of wireless range or hibernates it, then when it reconnects later only user authentication is tried, because the user has not logged off as far as the device is concerned. This fails because no computer authentication took place recently enough. Telling users that they must always shut down and not hibernate/sleep caused too many complaints, so we dropped bonded authentication.

Wherever you are doing this (in the controller or in the RADIUS server) needs some sort of state table that remembers computer logons and pairs them with later user logons.

This may become an issue with us again, as there are now requests to review the level of network access given to wireless devices, which may well result in different requirements for personal devices and University-owned ones. My thought was to probably turn domained devices to computer authentication only (the username used for computer authentication is host/machine.fqdn, so that can be used to trigger sending appropriate RADIUS attributes for policy/VLAN etc.) and use AD logs to determine who was logged on to a particular machine if there are any issues.

Google for machine authentication and you will find a lot more information.
Jonathan

----------------------------------------------------------------------
Jonathan Haynes
Senior Network Specialist
IT Department, Bld 63
Cranfield University
Wharley End, Cranfield, Beds, MK43 0AL.
Tel: Bedford (01234) 754205
Bedford (01234) 750111 Extn 4205
Fax: Bedford (01234) 751814
e-mail: j.hay...@cranfield.ac.uk

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ashfield, Matt (NBCC)
Sent: 06 February 2013 20:26
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] using Microsoft Radius to authenticate user AND computer?

Hello

We have Cisco 5508 controllers using Microsoft 2008r2 radius back-end. What we'd like to do is authenticate the device (make sure it is a domain PC) as well as the user (make sure they are a domain user). From what I can tell, it seems like we can do one or the other, but not both. It may be possible with a different Radius server from what I've read (Cisco ACS seems to have a wizard for this), but I'm wondering if anyone is doing this today using MSoft's radius server? Any info you can provide is appreciated.

Thanks
Matt

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
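The bonded-authentication behaviour Jonathan describes (a state table of recent computer logons, consulted before a user logon is allowed) and the two ways it goes wrong in this thread (Matt's non-domain laptop with valid user credentials, and the hibernate-then-reconnect case where Windows only retries the user identity) can be modelled as a small policy engine. The Python below is an added example written for this page, not Juniper/Trapeze, Cisco or Microsoft NPS code. It assumes devices are keyed on the client MAC as carried in Calling-Station-Id, that machine identities use the host/machine.fqdn form mentioned above, and that timestamps are plain seconds; the MAC addresses, usernames and VLAN names are constructed. It also includes Jonathan's fallback of a machine-only policy keyed on the host/ prefix.

```python
"""Toy model of bonded machine+user 802.1X authentication and of a
machine-only policy. Constructed example; not vendor code.
"""
from dataclasses import dataclass, field

MACHINE_PREFIX = "host/"  # Windows machine authentication identity: host/machine.fqdn


@dataclass
class Decision:
    allowed: bool
    reason: str
    attributes: dict = field(default_factory=dict)  # RADIUS attributes to return on accept


@dataclass
class BondedAuthTable:
    """State table pairing a computer logon with a later user logon from the same device."""
    window: float = 60.0  # seconds a machine logon stays fresh (thread: configurable, default 60)
    machine_logons: dict = field(default_factory=dict)  # device_id -> (machine identity, timestamp)

    def authenticate(self, device_id: str, identity: str, now: float, credentials_ok: bool) -> Decision:
        # Step 1: the credential check itself (password / EAP) is assumed done by RADIUS.
        if not credentials_ok:
            return Decision(False, "credentials rejected")
        # Step 2: a machine identity is recorded and accepted on its own.
        if identity.startswith(MACHINE_PREFIX):
            self.machine_logons[device_id] = (identity, now)
            return Decision(True, "machine authenticated", {"Tunnel-Private-Group-Id": "managed-vlan"})
        # Step 3: a user identity is only accepted if this device did a machine logon recently.
        prior = self.machine_logons.get(device_id)
        if prior is None:
            return Decision(False, "user logon with no prior machine logon from this device")
        machine_identity, when = prior
        age = now - when
        if age > self.window:
            return Decision(False, f"machine logon for {machine_identity} is stale ({age:.0f}s > {self.window:.0f}s)")
        return Decision(True, f"user bonded to {machine_identity}", {"Tunnel-Private-Group-Id": "staff-vlan"})


def machine_only_policy(identity: str, credentials_ok: bool) -> Decision:
    """Jonathan's alternative: accept only host/ identities and use the prefix to pick attributes;
    who was logged on is left to AD logs rather than to the wireless authentication."""
    if not credentials_ok:
        return Decision(False, "credentials rejected")
    if identity.startswith(MACHINE_PREFIX):
        return Decision(True, "domain computer", {"Tunnel-Private-Group-Id": "managed-vlan"})
    return Decision(False, "user identity not accepted on this SSID")


def run_scenarios() -> dict:
    """Replay the three situations discussed in the thread against a 60 s window."""
    table = BondedAuthTable(window=60)
    results = {}
    pc01 = "aa:bb:cc:00:00:01"  # constructed Calling-Station-Id of a domain PC
    # 1. Domain PC boots (machine logon at t=0); a user logs on 20 s later.
    table.authenticate(pc01, "host/pc01.campus.example", 0, True)
    results["boot_then_logon"] = table.authenticate(pc01, "jdoe", 20, True)
    # 2. Same PC hibernates with the user still logged on and reconnects two hours later:
    #    Windows only retries the user identity, so the pairing is stale and the logon fails.
    results["resume_from_hibernate"] = table.authenticate(pc01, "jdoe", 7200, True)
    # 3. Non-domain laptop with valid domain user credentials: no machine logon ever seen.
    results["non_domain_laptop"] = table.authenticate("aa:bb:cc:00:00:02", "jdoe", 30, True)
    # 4. Machine-only policy: the domain PC passes, the same user identity does not.
    results["machine_only_pc"] = machine_only_policy("host/pc01.campus.example", True)
    results["machine_only_user"] = machine_only_policy("jdoe", True)
    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        verdict = "ACCEPT" if decision.allowed else "REJECT"
        print(f"{name:24s} {verdict:7s} {decision.reason} {decision.attributes}")
```

The `window` and the stale-logon branch are exactly where the operational complaint in the thread comes from: any value short enough to bind a user to a fresh machine logon is also short enough to reject a device resuming from sleep, because the supplicant never re-sends the host/ identity. The machine-only policy avoids that state entirely, at the cost of moving the "who" question to AD logon auditing.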