Restrict Non Domain devices (BYOD) from authenticating corporate SSID

  • 1
  • Question
  • Updated 1 year ago
  • Answered

I would like to ask advice on how to go about restricting non domain computers from accessing our corporate SSID.

I currently have 2 SSID's one "guest" and one "corporate". Guests are authenticated using Private PSKs. Corporate through RADIUS on a Windows NPS server.

If I want to stop my corporate users, using their domain accounts to login using personal devices how do I go about it?

I used "Client classification policy", it does the job for non windows devices. But, if for example a corporate user brings his Windows 8 Tablet he can use his domain account to login the corporate SSID.

We can use computer authentication on our NPS network policy to only allow only domain computers, but our security team wants to retain a kind of two factor authentication wherein a client must be a domain user and a domain computer.

Is there a way to do it on the Hive Management or what settings do I need to do on the NPS server?

Thank you in advance.

IT Admin
Photo of ITDS Admin

ITDS Admin

  • 11 Posts
  • 0 Reply Likes

Posted 5 years ago

  • 1
Photo of Brian Ambler

Brian Ambler

  • 245 Posts
  • 126 Reply Likes
If all of your corporate owned computers are joined to the domain, you can specify a condition in the rule(s) in NPS/IAS that requires both User Authentication AND that the computer be a member of a group of which only domain PCs are a member.

For example, on my IAS server I have configured one of my rules to require that any one authenticating against this rule be a member of "Tech Support" users AND "Domain Computers" which is the default group to which all domain joined computers are a member.

Doing this will still allow the wireless client to be authenticated using user authentication, but must also be authenticated from a domain joined computer.

Hope this helps
Photo of ITDS Admin

ITDS Admin

  • 11 Posts
  • 0 Reply Likes
Hi Brian,

I cant seem to find the option to change the operator to "AND" on WIndows 2008 R2 NPS Network Policy :(

Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
You can add the Windows Groups condition more than once which gives you AND semantics.
Photo of ITDS Admin

ITDS Admin

  • 11 Posts
  • 0 Reply Likes
Hi Nick,

I tried your earlier suggestion to greate a single group for both user and computer. Tested it and I was still able to login to a non domain computer as long as I enter my domain username and password.

For the Updated advise, is this what you mean by add the Windows Groups condition more than once?

I tested it and none of the clients are able to connect, domain or non domain computers.
Photo of ITDS Admin

ITDS Admin

  • 11 Posts
  • 0 Reply Likes
The client gets asked for domain credentials, when I enter a valid account I get a

"Windows was unable to connect to..."

I get the following NPS logs

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

Security ID: DOMAIN\computername
Account Name: host/
Account Domain: domain
Fully Qualified Account Name: DOMAIN\computername

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 40-18-B1-40-87-XX:wireless
Calling Station Identifier: 00-27-10-40-19-XX

NAS IPv4 Address: XXX.XXX.XXX.228
NAS IPv6 Address: -
NAS Identifier: AEROHIVE-AP1
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0

RADIUS Client:
Client Friendly Name: Wireless AEROHIVE-AP1
Client IP Address: XXX.XXX.XXX.228

Authentication Details:
Connection Request Policy Name: 802.11 AP
Network Policy Name: -
Authentication Provider: Windows
Authentication Server:
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 48
Reason: The connection request did not match any configured network policy.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Let me think about this...
Photo of ITDS Admin

ITDS Admin

  • 11 Posts
  • 0 Reply Likes
It only fails to match to configured policy if I add both user and computers on the network policy, if set just one, everything works. From the link

I guess there is no solution yet?
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Think about it. If the condition that you are putting in is impossible to satisfy, it has to fail.

Only a single certificate or user name/password is passed in the EAP type here, be it for a user or computer, there is no binding between them - this mean that the condition you're configuring is impossible to satisfy and doesn't make sense anyway:

There is very much a solution to what you are trying to achieve, only permit access where it's a domain machine by having Domain Computers required as a single group.
Photo of ITDS Admin

ITDS Admin

  • 11 Posts
  • 0 Reply Likes
Really appreciate your patience Nick. If it was me I would leave it at that, but our security requires what they call two-factor checks.

With computer account as the condition we have solved the main problem of restricting non-domain computers access to the corporate wifi. But, the other problem now is not allowing a local account of a domain joined computer from having access to the corporate wifi network.


An outsider somehow gets hold of a domain laptop, and was able to login with a local account, our current wifi policy still allows the access since its a domain computer. How or what can I do with the wireless to have it ask an domain username and password first before it allows access to the corporate wireless network?

Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
In which case you cannot do what you want to achieve as PEAP doesn't allow you to pass multiple credentials. It cannot be done today without writing your own EAP type implementation that you install on all clients and the RADIUS server(s).

The solution though in an environment that requires that level of security, I would have thought, is BitLocker backed by a TPM and a strong local password only administrators know and can use. At which point, the security risk has largely gone away. Am I missing something?

There are many other risks too if you don't perform full disk encryption that, in my opinion, vastly eclipse the wireless risk here.
Photo of Jay Bosh

Jay Bosh

  • 2 Posts
  • 0 Reply Likes
drives are unlock once log into, if a out side person hijack user account even if drive fully encripted the drive will send none encripted information to user.  only way encription will work is doing file by file encription decryton  all files stay lock untill used, now probem is talking to other computers device must be smart enouf to know what computers to talk to, then internet all this can be done was done over 15 years ago and busness went under how this is all done would have be harddisk hardware base, also the hardware would update drives dont support this encrition so they can read the drives.   or the harddrive can have built in more one parttion
one user files  one for os one for boot one for internet one for vpn 
kind encription depends on whats going on and locking the keys to computer hardware so no one can steel the keys 
right now all bitlooker keys uploaded to microsoft so they have keys for drive
but drive is unlock state when system boots any way
seagage sed harddrives supose to do encription but whats not found what is needed for these drives to even work
these drives do not encript when in raid, these drives are unlock when user logs on
again data be stolen 
untill encription is made to keep files lock untill used 
and lock keys to hardware so they cant be stolen encription is pointless  
unless drives is rip out the computer 
few people even understand how encrition works even seageat dont understand how there drives work 
the seagete harddrive requires tpm turn on, the parttion is efi 
and there is a version number must be at 
that drive bitlocker be turn on, and drive is not in raid.
saying all that data still be stolen once workstation is log in to internet 
drive is unlock and files are open 

seagate has made people think drives are encripted my data safe not so 
only when drive is off is information is safe as long as drive is power on log into 
data is not safe not encripted or is in unlock state 
in part this how domain contolers talks to workstation 
the drives are unlock so domains can read information 
as the infromation is not encrpted 

as far certifices microsoft has broken this yes it will work to point but 
unless domain ports left unencrpted domain cant work and wont work
it admazes me that two domain controles dont automaticy encript all data 
that domaines set encription but if u turn on encription and pc dose not update first pc will stop talking to domain
there is lot other things will stop working as well if not done right

in fack i cant even get ispec to work with out breaking the domain 
even if set to try to encrpit domain will fall but this has all started in last year 
as microsoft wanted more access to our server 
they found they could not get around this encriton so they made it all most impossable to set up 
yes some the best can set up but server should do this with out user input at all 
microsoft will do anything to scan your drive and upload all your securty settings but they fix it where this can be stop as well but microsoft refuess to release this information,  dnsprobe, dirtectaccess is just two ways microsoft montors what u do
termal server been install as well as ftp servers and http on all computers
if you dout look for the dll files 
also ask why microsoft backdateing all updates in last year 

i have found a way block microsoft but taken over year my life to find 
our domains not safe any pc gose on internet conneted to domain microsoft can get to domain throw workstaion 
why right encritpion we need need now 
Photo of Roberto Casula

Roberto Casula, Champ

  • 231 Posts
  • 111 Reply Likes
While not a completely robust solution when you analyse it to the nth degree (as is often the case), you can achieve a degree of this "two factor" authentication without a lot of extra hardware and software (for Windows workstations that are members of the domain at least) by:

1. Using EAP-TLS (or PEAP-EAP-TLS) authentication using user (rather than machine) certificates
2. Generating certificates (usually using the auto-enrollment function) using a certificate template with the "Mark private key as exportable" option UNCHECKED

This is still authenticating the user, as to gain access to the private key from the Windows secure store requires the user to log in to the workstation with their domain credentials. As Nick says, TPM or smart card storage of the key is even better.

What you get versus username/password authentication (PEAP-EAP-MSCHAPV2) is that the user is unable to use those credentials on a non-domain workstation (as they can't export the private key) and they can't easily share credentials with others (as they obviously can with their username and password).

If somebody has stolen the laptop AND has the user's domain credentials, they could still connect. But of course you have the added control of being able to revoke the individual certificates if you need to.

This does require the user to log on at least once via a wired connection in order for the certificate enrollment to occur in the first place.
Photo of Jay Bosh

Jay Bosh

  • 2 Posts
  • 0 Reply Likes
tpm dose not work as u might think once u turn on pc drive is unlock any one can hijack your user account get information also microsoft uploads all these keys, wich in self puts computers at risk,   one option is seagate es sed harddrives throw depends on tpm and cant be in raid, data just about useless, but microsoft or any hacker can still send commands to powershell to gain access, or even remote cmd
probem become that microsoft is now useing ports 80 and 443 for remote access
probem that termal server was install on all computers is also a probem most u dont beleave me go registery under serives look for termal server, its part of remote desktop but become more dangous,  the domains are now being requre to use remote access to domain clients,  probem becomes microsoft and or hacker gets access to your workstation they get to your domain, there is unknow accounts inside the software for this to work, in fack if your worksation is updated, it is possable for that workstation to update the domain, i think u all can see why domains become so unstable, we can no longer control updates, turning updates off is well at best only turns off some updates others still go throw,  
the new virus was going around was built around microsoft backdoors, 
useing microsoft backdoors they able install the virus by useing powershell to install it all this is done by scrip,  microsoft must be force close back doors,  on 8 computers i had txt file each had list ip adyress of microsoft servers, txt file was still there but all information was removed off each and all computers, right now i trace over 40 microsoft servers used to use these back doors to get information
so if microsoft can get in so can any hacker, 
to pont domains have no busness being on internet throw microsoft just about requres them to be on the internet i must ask why when these should be the most proteked servers in busness, and microsoft useing odd ports all computers all them has ftp server and it cant be access by u done beleave, go system32 look for ftp click on it u find it is up and running but what port that u cant find. that microsoft would even install these programs and provent us from blocking them is huge probems, and must end