I want only company-provided laptops to be able to connect to my company SSID.

  • Updated 3 years ago
I have an SSID configured, secured with AD and 802.1X authentication. I want only company-provided laptops to be able to connect to this SSID. MAC authentication is an option, but it adds operational overhead. All my laptops are joined to the domain.
Gaurav Jain

Posted 3 years ago

Nick Lowe, Official Rep

Hi Gaurav,

I assume that you are using Network Policy Server (NPS)?

This is easily solved by using machine/computer authentication via EAP-PEAP with an inner EAP of EAP-TLS on Windows domain-joined machines. That facilitates client certificates being used.

Use client certificate auto-enrolment, configured via Group Policy, to deploy certificates and ensure that the private key for the certificate is marked/set so that it cannot be exported.

You will use the Certificate Services Role in Windows Server to achieve all this.
(If you are setting this up from scratch, choose SHA-256 not SHA-1 as the hash algorithm. You will probably also want to use 2048-bit RSA.)

There's documentation on the Web on how to configure all this. Google is your friend! :)

If you want further protection for the private key, ensure your users do not log on with elevated privileges - that they're not Administrators etc.

If you want even further protection, use full disk encryption via something like BitLocker.

This does mean that users won't log on to the wireless network with their own credentials, but that shouldn't be too much of an issue as they will additionally log on to the machine.

Regards,

Nick
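As an added example (editor's code, not part of Nick's reply or of any product documentation), the following PowerShell script checks, on a domain-joined laptop, the conditions the answer above relies on: a machine certificate in the computer store with the Client Authentication EKU and a valid chain, a private key that is marked non-exportable, SHA-256 signatures and RSA key length, a wireless profile whose 802.1X `authMode` is `machine`, and whether any interactive user accounts sit in the local Administrators group. The profile name `CorpWiFi` is an assumption; it is not from the thread. Run it in an elevated Windows PowerShell 5.1 session.

```powershell
# Added example (not from the original thread): verify the preconditions for
# certificate-based machine authentication on a domain-joined Windows laptop.
# Assumed (not from the page): the wireless profile is named "CorpWiFi".
param([string]$ProfileName = 'CorpWiFi')

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required for EAP-TLS

# Machine certificates EAP-TLS can actually use: private key present,
# Client Authentication EKU, and a chain that builds to a trusted root.
function Get-MachineAuthCertificate {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $cert.HasPrivateKey -and $eku -and
            (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthEku) -and
            $cert.Verify()      # chain + revocation; fails if the CRL is unreachable
    }
}

# True when the private key cannot leave the key store, i.e. the template was
# issued without "Allow private key to be exported". Handles CNG and legacy CSP keys.
function Test-PrivateKeyNonExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $allowExport = [System.Security.Cryptography.CngExportPolicies]::AllowExport
        return (($rsa.Key.ExportPolicy -band $allowExport) -eq 0)
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return (-not $rsa.CspKeyContainerInfo.Exportable)
    }
    return $false   # unknown key type: do not assume it is protected
}

# Export the WLAN profile and read the 802.1X settings Windows will use:
# the OneX authMode (machine / user / machineOrUser) and the EAP method types
# (25 = PEAP outer, 13 = EAP-TLS inner).
function Get-WlanProfile8021xSettings {
    param([string]$Name)
    $dir = Join-Path $env:TEMP ([guid]::NewGuid().ToString())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        netsh wlan export profile name="$Name" folder="$dir" | Out-Null
        $file = Get-ChildItem $dir -Filter *.xml | Select-Object -First 1
        if (-not $file) { return $null }
        [xml]$xml = Get-Content -Path $file.FullName -Raw
        $mode = $xml.GetElementsByTagName('authMode') | Select-Object -First 1
        [pscustomobject]@{
            Profile  = $Name
            AuthMode = $(if ($mode) { $mode.InnerText } else { 'user (element absent, Windows default)' })
            EapTypes = (@($xml.GetElementsByTagName('Type') | ForEach-Object { $_.InnerText }) -join ',')
        }
    } finally {
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Interactive (non built-in) user accounts that are local Administrators; these
# undermine the private-key protection the answer describes.
function Get-LocalAdminUserAccounts {
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -notlike "$env:COMPUTERNAME\*" }
}

# --- Report ---
$certs = @(Get-MachineAuthCertificate)
if (-not $certs) { Write-Warning 'No usable machine certificate in LocalMachine\My; check auto-enrolment.' }
foreach ($c in $certs) {
    $pub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
    [pscustomobject]@{
        Subject       = $c.Subject
        SigAlgorithm  = $c.SignatureAlgorithm.FriendlyName   # want sha256RSA, not sha1RSA
        KeyBits       = $(if ($pub) { $pub.KeySize } else { 'not RSA' })   # want 2048 or more
        NonExportable = Test-PrivateKeyNonExportable -Cert $c
        NotAfter      = $c.NotAfter
    }
}
Get-WlanProfile8021xSettings -Name $ProfileName
$admins = @(Get-LocalAdminUserAccounts)
if ($admins) { Write-Warning "User accounts in local Administrators: $($admins.Name -join ', ')" }
```

If `AuthMode` comes back as `user` or `machineOrUser`, the profile will still let a user with domain credentials connect from any device, which is exactly what the question wants to prevent; the profile pushed by Group Policy must set machine authentication. A `NonExportable` of `False` means the certificate template allowed key export and should be corrected before the certificate is trusted as proof of a company device.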
Vernon Montford

Also, you could create a GPO for an SSID to be pushed to devices in an AD security group, and put computer objects in the security group. The GPO SSID settings can have the option set for Windows to log in as the computer, not the user. If you have your RADIUS server authenticate against the security group and no user objects are in it, then only computer objects you approve of will be able to log in.
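As an added example (editor's code, not part of Vernon's reply), this PowerShell script creates the kind of security group he describes, populates it with computer objects only, and audits it so that no user object can slip in and satisfy the RADIUS group condition. The group name `WiFi-Corp-Computers` and the OU `OU=Laptops,DC=corp,DC=example` are assumptions, not from the thread; the script needs the ActiveDirectory module and rights to manage the group. The NPS/RADIUS policy itself is still configured in the server's console, with this group as its Windows Groups condition.

```powershell
# Added example (not from the original thread): build and audit a computers-only
# AD security group for use as the RADIUS "Windows Groups" condition.
# Assumed (not from the page): group and OU names below.
Import-Module ActiveDirectory

$GroupName = 'WiFi-Corp-Computers'
$LaptopOU  = 'OU=Laptops,DC=corp,DC=example'

# 1. Create the group if it does not exist (global security group).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Computer objects allowed on the corporate SSID (RADIUS group condition)'
}

# 2. Add every enabled computer account from the laptop OU.
$computers = @(Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $LaptopOU)
if ($computers) {
    Add-ADGroupMember -Identity $GroupName -Members $computers
}

# 3. Audit: resolve nested groups and report anything that is not a computer.
#    A user object here would let that user connect from any device.
function Get-NonComputerMembers {
    param([string]$Group)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -ne 'computer' }
}

$stray = @(Get-NonComputerMembers -Group $GroupName)
if ($stray) {
    Write-Warning "Non-computer members found in ${GroupName}; remove them before trusting the policy:"
    $stray | Select-Object name, objectClass, distinguishedName | Format-Table -AutoSize
} else {
    Write-Host "$GroupName contains only computer objects ($($computers.Count) added from $LaptopOU)."
}

# 4. The SID the RADIUS server evaluates; use this group in the policy's
#    Windows Groups condition and set the client profile to machine authentication.
(Get-ADGroup -Identity $GroupName).SID.Value
```

Run the audit step on a schedule: the control only holds while the group stays free of user objects and nested groups that contain users, which `-Recursive` catches.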