Domain Laptops only to be connected to wifi AP with RADIUS NPS

  • 1
  • Question
  • Updated 2 years ago

Hi all,

As the title states, I am trying to set up an Aerohive 130 AP with pass-through RADIUS to our in-house (Microsoft) NPS.

I only want domain laptops to connect. I would prefer not to use certificates. What is the best way to do this?

I have set a policy for a user group and for a computer group. But if a system is not in the user group, the user details allow the system to connect.


Any input or ideas would be great.


Mr Os

  • 3 Posts
  • 0 Reply Likes

Posted 2 years ago

  • 1

Gary Babin

  • 21 Posts
  • 5 Reply Likes
Unless I misunderstood something your conditions list conflicts with your stated goal, Mr. Os. In the above you allow either a certain group of users or a certain group of machines. Remove the user group and only domain laptops can connect. Your laptops will, if joined to a domain, already filter out anyone but a domain user (if the guest account is disabled).

Hope this helps.

Jonathan Hurtt

  • 98 Posts
  • 48 Reply Likes
As Gary has stated, you will want to use "Machine Authentication", but you will also want to make sure your domain laptops have their 802.1X supplicant configured correctly. You will want to make sure through Group Policy that your domain computers are configured as Computer Authentication (which is the same as Machine) only; that will force the computer to only authenticate using the machine host name rather than the user name that is provided at single sign-on. You can also make this change on a per-client basis for testing, but GPO will be the most efficient way to make it.

I would recommend looking at your NPS logs to help you troubleshoot this. Go to Event Viewer and look for the NPS logs; they will provide you a wealth of information.
(Edited)
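To make the log check Jonathan describes repeatable, here is an added PowerShell example (not from any poster in this thread) that pulls the NPS audit events 6272 (access granted) and 6273 (access denied) from the Security log on the NPS server and flags any grant that went to a user identity rather than a machine identity, which is exactly the symptom the question describes. It assumes NPS auditing is enabled, that you run it on the NPS server with rights to read the Security log, and that the EventData field names match those in the 6272/6273 event XML (SubjectUserName, FullyQualifiedSubjectUserName, CallingStationID, NetworkPolicyName, EAPType, Reason).

```powershell
# Added example, not part of the original thread.
# Summarise recent NPS decisions so you can confirm that only machine
# identities (host/<fqdn> or DOMAIN\COMPUTER$) are being granted access.
$since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273      # 6272 = granted, 6273 = denied
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($evt in $events) {
    # Pull the named EventData fields out of the event XML (field names assumed
    # as they appear in the 6272/6273 events).
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $account = $data['SubjectUserName']
    $fqAcct  = $data['FullyQualifiedSubjectUserName']
    # Machine authentication presents host/<fqdn> (or a DOMAIN\NAME$ account);
    # anything else is a user logging on with their own credentials.
    $isMachine = ($account -like 'host/*') -or ($fqAcct -like '*$')

    [pscustomobject]@{
        Time             = $evt.TimeCreated
        Result           = if ($evt.Id -eq 6272) { 'Granted' } else { 'Denied' }
        IdentityType     = if ($isMachine) { 'Machine' } else { 'User' }
        Account          = $account
        CallingStationId = $data['CallingStationID']   # client MAC sent by the AP
        Policy           = $data['NetworkPolicyName']  # which network policy matched
        EapType          = $data['EAPType']
        Reason           = $data['Reason']
    }
}

$rows | Sort-Object Time -Descending |
    Format-Table Time, Result, IdentityType, Account, CallingStationId, Policy -AutoSize

# The condition the thread is about: a user identity NPS still granted means a
# user-group network policy is matching before the computer-group policy.
$userGranted = @($rows | Where-Object { $_.Result -eq 'Granted' -and $_.IdentityType -eq 'User' })
if ($userGranted.Count -gt 0) {
    Write-Warning ("{0} grant(s) to user identities since {1}; check the Policy column." -f $userGranted.Count, $since)
}
```

Run it once before and once after removing the user-group policy; after the change the Granted rows should all show IdentityType Machine.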

Mr Os

  • 3 Posts
  • 0 Reply Likes
Sorry if I was not clear. I would like to allow users to log in via their domain accounts, but only on systems that we can control via a select group.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
You cannot do this properly or securely without using a third-party supplicant/third-party EAP types as what Windows implements out of the box does not support chaining. You get a choice of either machine authentication or user authentication, but not both at the same time.

What you can do is check a client's MAC address via the Calling-Station-Id attribute as 802.1X authentication for the user takes place.
(Edited)

Mr Os

  • 3 Posts
  • 0 Reply Likes
Thanks Nick. I will stick with just machine authentication.