Is it possible to Machine Authenticate with Active Directory and with other logic?

  • 1
  • Question
  • Updated 11 months ago
I'm not sure if this exact scenario has been asked or anything similar, so please forgive me if it's already posted somewhere (playing the word search game hasn't yielded enough to figure this out).

I'm trying to simplify our wireless infrastructure as much as possible (we finally swapped out the last of our Cisco LWAPPs for AeroHive, yay!!!!).

We have about 5 different SSIDs being broadcast; I'm trying to ideally bring this down to (1). Also, each SSID has different security measures: some have 802.11x with RADIUS, others WPA keys, and Web Portal AUP accept and allow.

Here is what I am looking to do. I want to remove our Microsoft NPS server (this was set up years ago and the certificates expired; the enterprise CA is long gone and I'd rather not rebuild a new one just for this). I know the AeroHive APs can act as a RADIUS server and pull information from Active Directory.

What I want to do is:

Have any of our School Owned Devices that ARE Domain Joined be able to authenticate to an 802.11x SSID and be allowed on the wireless.

I know this can be done with Active Directory User Accounts but I can't seem to find anything that says we can or can't do the same with Active Directory Computer Accounts.

Forgive me, I'm not well-versed in Wireless LAN terminology but what I'm envisioning is:

Laptop A (which is the LaptopA Computer Account in AD) attempts to connect to "Staff SSID"; Laptop A passes its hostname/computer account name to the AP; the AP sends that information to Active Directory; Active Directory returns that it is a valid Computer Account; AeroHive allows the laptop to associate with the SSID and places it on VLAN 15.

This is basically Machine Authentication.

Is something like this possible?

If so how can this be done as simple as possible?

Thanks!

Raul S.

  • 1 Post
  • 0 Reply Likes
  • perplexed...

Posted 11 months ago

  • 1

Dan

  • 2 Posts
  • 1 Reply Like
Yes, it can be done, and we have been doing it since the inception of our Aerohive wireless network, about 2 years ago. We are a public school system with 22 sites. We are using AP230s everywhere. We chose 3 APs at each site and made them primary, secondary, and tertiary RADIUS servers. (I'm not sold on that idea. When I tested it by disabling the primary server at a site, some devices timed out before they discovered the secondary server.) Anyway, these are the notes I made on adding a RADIUS server and PSK:

Procedure to add a RADIUS Server and PSK for RADIUS authentication between Aerohive Manager and DC


In Aerohive
Configuration/Advanced Configuration/Authentication/AAA Client Settings
Click on HiveManagerLogin
Click New
Fill in:
     IP Address/Domain Name
     Shared Secret
     Confirm Secret
     Select Server Role
Click Apply
Click OK
Click Save

In AD:
Login to DC
Add Network Policy Server role, if necessary.
Restart the server.
Launch Network Policy Server
If you have previously exported an NPS file from one of your other DCs
Right-click on NPS Local
Click Import NPS File
Click Register Server in Active Directory
Navigate to the Service Manager
Stop the NPS service
Start the service

Join Radius Server APs to domain
Advanced Configuration -> Authentication -> AAA User Directory Settings -> Primary, Secondary, or Tertiary

Change the device used for connection setup to the AP used for Primary, Secondary, or Tertiary, then click "Retrieve Directory Information", then enter the ldapauth credentials under "Domain Admin Credentials to Join Domain", and Join.

Test by using Domain User Credentials Required for User Lookups

And then we have a Group Policy for our AD authenticated devices:

(#### Pound signs used to mask sensitive information)

Using Group Policy Management
Edited: ENV DT Computer Settings C

ENV DT Computer Settings C
Data collected on: #/##/#### 2:19:17 PM

General
  Details
    Domain:              AD.####.###.##.##
    Owner:               AD\Domain Admins
    Created:             11/12/2014 7:52:20 AM
    Modified:            6/18/2015 2:15:34 PM
    User Revisions:      0 (AD), 0 (SYSVOL)
    Computer Revisions:  68 (AD), 68 (SYSVOL)
    Unique ID:           {########################}
    GPO Status:          User settings disabled
  Links
    Location   Enforced   Link Status   Path
    AD         No         Enabled       AD.####.###.##.##
    Servers    No         Enabled       AD.####.###.##.##/Servers
    This list only includes links in the domain of the GPO.
  Security Filtering
    The settings in this GPO can only apply to the following groups, users, and computers:
    Name: AD\Domain Computers
  Delegation
    These groups and users have the specified permission for this GPO:
    Name                                          Allowed Permissions                       Inherited
    AD\Domain Admins                              Edit settings, delete, modify security    No
    AD\Domain Computers                           Read (from Security Filtering)            No
    AD\Enterprise Admins                          Edit settings, delete, modify security    No
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS    Read                                      No
    NT AUTHORITY\SYSTEM                           Edit settings, delete, modify security    No

Computer Configuration (Enabled)
  Policies
    Windows Settings
      Security Settings
        Local Policies/Security Options
          User Account Control
            User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for consent for non-Windows binaries
            User Account Control: Behavior of the elevation prompt for standard users: Prompt for credentials
            User Account Control: Switch to the secure desktop when prompting for elevation: Disabled
        System Services
          Interactive Services Detection (Startup Mode: Disabled)
            Permissions: No permissions specified
            Auditing: No auditing specified
        Wireless Network (802.11) Policies
          CCPS-SSID-Policy
            Policy Name: ####-SSID-Policy
            Policy Description: ####-SSID-Policy
            Policy Type: Windows Vista and Later Releases
            Global Settings
              Use Windows wireless LAN network services for clients: Enabled
              Shared user credentials for network authentication: Enabled
              Hosted networks: Enabled
              Allow user to view denied networks: Disabled
              Allow everyone to create all user profiles: Enabled
              Only use Group Policy profiles for allowed networks: Disabled
            Network Filters
              Prevent connection to infrastructure networks: Disabled
              Prevent connection to adhoc networks: Enabled
              Allowed Networks
                Network Name (SSID)   Network Type
                ####-Secure           Infrastructure
              Blocked Networks
                Network Name (SSID)   Network Type
                ###-Guest-Open        Infrastructure
                ####-Other            Infrastructure
            Preferred Network Profiles
              ####-Secure
                Profile Name: ####-Secure
                Network Type: Infrastructure
                Automatically connect to this network: Enabled
                Automatically switch to a more preferred network: Enabled
                Network Name (SSID)   Network Broadcasts its SSID
                ####-Secure           True
                Security Settings
                  Authentication: WPA2
                  Encryption: AES
                  Use 802.1X: Enabled
                  Pairwise Master Key (PMK) Caching: Enabled
                  PMK Time-to-Live (minutes): 720
                  Number of Entries in PMK Cache: 128
                  Maximum Pre-authentication Failures: 3
                IEEE 802.1X Settings
                  Computer Authentication: Computer only
                  Maximum Authentication Failures: 1
                  Maximum EAPOL-Start Messages Sent:
                  Held Period (seconds):
                  Start Period (seconds):
                  Authentication Period (seconds):
                  Network Authentication Method Properties
                    Authentication method: Protected EAP (PEAP)
                    Validate server certificate: Enabled
                    Connect to these servers:
                    Trusted Root Certification Authorities: HiveManager
                    Do not prompt user to authorize new servers or trusted certification authorities: Disabled
                    Enable fast reconnect: Enabled
                    Disconnect if server does not present cryptobinding TLV: Disabled
                    Enforce network access protection: Disabled
                  Authentication Method Configuration
                    Authentication method: Secured password (EAP-MSCHAP v2)
                    Automatically use my Windows logon name and password (and domain if any): Disabled

      Public Key Policies/Trusted Root Certification Authorities
        Certificates
          Issued To     Issued By     Expiration Date        Intended Purposes
          HiveManager   HiveManager   1/6/2031 2:33:55 PM    <All>

For additional information about individual settings, launch the Local Group Policy Object Editor.
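As an added example (not part of Dan's post and not Aerohive's or Microsoft's code), here is a Python audit of a Windows WLAN profile XML, the format that `netsh wlan export profile` writes and that the Wireless Network (802.11) policy above provisions, checking the settings that make machine authentication safe: computer-only authMode, PEAP as the outer method, server certificate validation with a pinned root CA, and no user prompting for unknown servers (a setting Dan's report leaves disabled, so that check is stricter than his GPO). The profile text and its CA thumbprint are constructed; the namespace URIs are the ones Windows uses in exported profiles.

```python
"""Audit a Windows WLAN profile XML for the 802.1X settings in Dan's GPO report (added example)."""
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1", "x": "http://www.microsoft.com/networking/OneX/v1",
      "h": "http://www.microsoft.com/provisioning/EapHostConfig", "e": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
      "p": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1", "p2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"}

# Constructed sample profile: only the elements the audit reads are present, and the
# TrustedRootCA thumbprint is a placeholder, not a real HiveManager certificate.
GOOD_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>EXAMPLE-Secure</name><MSM><security>
 <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
 <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>machine</authMode>
  <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
   <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
     <ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
      <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
     </ServerValidation><PeapExtensions><PerformServerValidation
      xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
     </PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX>
 </security></MSM></WLANProfile>"""

# The same profile with server-certificate validation switched off, the weak setting the audit must catch.
WEAK_PROFILE = GOOD_PROFILE.replace(">true</PerformServerValidation>", ">false</PerformServerValidation>")

PEAP = "w:MSM/w:security/x:OneX/x:EAPConfig/h:EapHostConfig/h:Config/e:Eap/"
CHECKS = [  # (element path, expected value, finding reported when the value differs or is missing)
    ("w:MSM/w:security/w:authEncryption/w:authentication", "wpa2", "security is not WPA2"),
    ("w:MSM/w:security/x:OneX/x:authMode", "machine", "authMode is not 'machine' (computer-only authentication)"),
    (PEAP + "e:Type", "25", "outer EAP method is not PEAP (type 25)"),
    (PEAP + "p:EapType/p:PeapExtensions/p2:PerformServerValidation", "true",
     "server certificate validation is off: clients would authenticate to any AP offering PEAP"),
    (PEAP + "p:EapType/p:ServerValidation/p:DisableUserPromptForServerValidation", "true",
     "users may be prompted to accept an unknown RADIUS server certificate"),
]

def audit_profile(xml_text):
    """Return the list of findings; an empty list means the profile meets the baseline."""
    root = ET.fromstring(xml_text)
    def val(path):  # lower-cased text of the element at path, or "" when it is absent
        node = root.find(path, NS)
        return (node.text or "").strip().lower() if node is not None else ""
    findings = [msg for path, want, msg in CHECKS if val(path) != want]
    if not val(PEAP + "p:EapType/p:ServerValidation/p:TrustedRootCA"):
        findings.append("no trusted root CA pinned for the RADIUS server certificate")
    return findings
```

Run it against the output of `netsh wlan export profile name="<SSID>" folder=<dir>` on a domain-joined client to confirm the GPO actually landed as intended.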