Network access only after logging on Domain.

    Question

  • My requirement is: if the user does not log in to the domain (on his desktop), then that desktop should not get an IP address from DHCP. This will force users to log in to the domain and not on standalone machines. Is it possible?

    Monday, February 21, 2011 1:53 PM

All replies

  • Hi

    You can look into 802.1x authentication using Network Policy Server in Windows Server 2008. You configure your switches as RADIUS clients and also configure 802.1x on the switch ports, and you configure the NPS server as a RADIUS server with the relevant connection request and network access policies. This way, when a user logs onto the machine, his/her credentials are passed on to the NPS server and authenticated, and then the user is allowed access to the network. When you create your policies you allow access to only those users in the domain using Windows groups; this way, if a user logs on using a local account, their authentication request will be denied and they will not be allowed access to the network.

    For the EAP type I would suggest PEAP MS-CHAPv2; it's much easier to deploy, and setting up a Certificate Authority is optional, unless you acknowledge the risk of rogue RADIUS servers in your environment, in which case certificates would be a good idea security-wise.

    You can look into the following links and read on how you can set this up in your environment:

    http://technet.microsoft.com/en-us/library/dd378898(WS.10).aspx

    http://technet.microsoft.com/en-us/library/dd440996.aspx

    http://technet.microsoft.com/en-us/library/cc732912.aspx

    This is just start-up material; there's lots of info in the MS articles about NPS and 802.1x authentication, and it will all be in much more detail. If you are using IAS you can search for IAS 802.1X related info, although NPS is much, much easier to deploy and use :)

    tech-nique
    • Marked as answer by Tiger Li Wednesday, March 02, 2011 12:02 PM
    Monday, February 21, 2011 6:55 PM
  • Hi Sachin_G,

    Thanks for posting here.

    Yes, tech-nique just provided a very good solution that may help you achieve your goal; please evaluate and see if it could be deployed in your environment.

    Meanwhile, you may also take a look at the IPsec solution.

    With it, all network-layer traffic will be encrypted; in this case, computers that are not domain members will not have the correct IPsec policies applied, hence could not access any internal IPsec-protected resources.

    For more information regarding this protection, please refer to the articles below:

    Using IPsec for Network Protection: Part 1 of 2

    http://technet.microsoft.com/en-us/library/cc512617.aspx

    Using IPsec for Network Protection: Part 2 of 2

    http://technet.microsoft.com/en-us/library/cc512574.aspx

    Server and Domain Isolation

    http://technet.microsoft.com/en-us/network/bb545651.aspx

    IPsec

    http://technet.microsoft.com/en-us/network/bb531150.aspx

    Thanks.

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Tiger Li Wednesday, March 02, 2011 12:02 PM
    Tuesday, February 22, 2011 5:08 AM
  • Hi,

    tech-nique and Tiger Li are suggesting other types of NAP enforcement methods than DHCP because there is no user authentication with DHCP. This also doesn't occur with IPsec enforcement, but it is the most secure method overall.

    Strictly speaking, you do not need NAP to deny a computer an IP address if the user does not enter the correct domain credentials. This is pretty much the default behavior of 802.1X authentication. If you enter the wrong credentials, or none at all, then line protocol on the connection is dropped. You can also configure specialized access for guests if you need this, such as access to a guest VLAN with limited services.

    DHCP NAP has the ability to enforce logins from only domain member computers, but anyone logging into this computer with either a local or a domain account will be given an IP address.

    -Greg

    • Marked as answer by Tiger Li Wednesday, March 02, 2011 12:02 PM
    Tuesday, February 22, 2011 6:35 AM
    Owner
  • Hi Sachin_G,

    Please feel free to let us know if the information was helpful to you.

    Thanks,

    Tiger Li
    Wednesday, February 23, 2011 11:13 AM
  • Hi Tech-nique, Tiger Li, Greg,

    My understanding as of now is that, to achieve this, I need to take the following steps (at a broad level):

    1. Configure 802.1x settings on the client computer.

    2. On the switch, configure 802.1x (configure AAA, define the RADIUS server (NPS), define the authentication method).

    3. Configure the NPS server to work as a RADIUS server (use PEAP-MS-CHAPv2, computer-or-user authentication method).

    Once the switch authenticates the user against the RADIUS (NPS) server, it will allow the traffic from that switch port, and thus only if the user logs in to the domain will that machine get a DHCP IP address; otherwise traffic will be blocked at the switch port level.

    Please let me know whether my understanding is correct. Will it work?

    I am now checking out how to configure NPS.

    My only concern is: if it is required that some laptops/desktops/servers log on locally, how can I allow them to get a DHCP IP address?

    Wednesday, February 23, 2011 12:46 PM
  • Hi

    I know that for laptops, as this is what I have done in my network: when configuring EAP-MSCHAP v2 under the PEAP properties I unticked "Automatically use my Windows logon name and password (and domain if any)", so when a laptop which is not joined to the domain tries to connect to the network, or when a laptop user is logging onto his/her local machine, they will be prompted to enter Username, Password and Domain.

    If the user does not have credentials in Active Directory but is supposed to connect to the network after logging on to their local machine, I created guest accounts solely for this purpose and it works just fine. One can argue that it's a bit of a hassle for the user, but that's the price we all pay for secure networks ;)

    I am not sure how it will be for servers and desktops, but I'm sure the other guys will help out while I also research this.


    tech-nique
    • Marked as answer by Tiger Li Wednesday, March 02, 2011 12:02 PM
    Wednesday, February 23, 2011 1:10 PM
  • Hi Sachin_G,

    Thanks for the update.

    Your description is right: once the client has passed authentication, the switch will open the port and allow it to communicate with the internal network, so that the client computer will acquire an address from the DHCP server.

    Meanwhile, I'd like to share an article which describes this process in detail:

    http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html

    Thanks.

    Tiger Li
    • Marked as answer by Tiger Li Wednesday, March 02, 2011 12:02 PM
    Thursday, February 24, 2011 2:58 AM
  • Hi Sachin_G,

    If there is any update on this issue, please feel free to let us know.

    We are looking forward to your reply.

    Tiger Li
    Saturday, February 26, 2011 6:47 AM
  • Hi...

    Thanks for your inputs.

    Currently I am looking for the NPS configuration for my scenario (as RADIUS).

    I am also looking for how to deal with laptops and servers in my scenario which may not log in to the domain; however, I need to allow them access to the network. For this, what I think is: the ports to which these servers and laptops are connected should not be put in 802.1x authentication. Thus those ports will act as normal ports and traffic will flow without RADIUS authentication.

    Sunday, February 27, 2011 8:31 AM
  • Hi Sachin_G,

    Thanks for the update.

    In this case, you should create VLANs for splitting the computers.

    Configure NPS to inform the switch to change the VLAN that the port belongs to, based on the authentication status of the connected computer. However, the switch must support the dynamic VLAN assignment feature.

    Here is an article that discusses a scenario similar to yours:

    802.1X Enforcement Example

    http://technet.microsoft.com/en-us/library/dd125336(WS.10).aspx

    For more information please refer to the links below:

    802.1x NAP Enforcement

    http://blogs.technet.com/b/nap/archive/2006/05/31/444128.aspx

    RADIUS Server for 802.1X Wireless or Wired Connections

    http://technet.microsoft.com/en-us/library/cc731853(WS.10).aspx

    NAP 802.1X Configuration Walkthrough – Part 1

    http://blogs.technet.com/b/nap/archive/2008/06/19/nap-802-1x-configuration-walkthrough.aspx

    Network Access Protection Using 802.1x VLAN’s or Port ACLs – Which is right for you?

    http://blogs.technet.com/b/wincat/archive/2008/08/19/network-access-protection-using-802-1x-vlan-s-or-port-acls-which-is-right-for-you.aspx

    Thanks.

    Tiger Li
    • Marked as answer by Tiger Li Wednesday, March 02, 2011 12:01 PM
    Monday, February 28, 2011 2:53 AM
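The dynamic VLAN assignment Tiger Li describes above works by NPS returning RFC 2868 Tunnel attributes in the RADIUS Access-Accept, and the switch checking the reply's Response Authenticator before moving the port. The following is an added illustration written for this thread, not code from any poster or from NPS; the shared secret, Request Authenticator, identifier and VLAN number are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed values: the shared secret configured on both the switch (RADIUS
# client) and NPS, and the Request Authenticator from the switch's Access-Request.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6   # RFC 2868 / RFC 3580 values


def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_accept(ident, vlan_id, secret=SECRET, req_auth=REQUEST_AUTH):
    """NPS side: the Access-Accept sent when the user matched an allow policy,
    carrying the three attributes that tell the switch which VLAN to assign."""
    attrs = (avp(TUNNEL_TYPE, bytes([1]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + avp(TUNNEL_MEDIUM_TYPE, bytes([1]) + MEDIUM_IEEE_802.to_bytes(3, "big"))
             + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator (RFC 2865): MD5 over the reply, the Request
    # Authenticator and the shared secret, so the switch can verify the sender.
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(raw):
    attrs, pos = [], 0
    while pos + 2 <= len(raw):
        attr_type, length = raw[pos], raw[pos + 1]
        if length < 2 or pos + length > len(raw):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, raw[pos + 2:pos + length]))
        pos += length
    return attrs


def vlan_from_accept(pkt, secret=SECRET, req_auth=REQUEST_AUTH):
    """Switch side: accept only a genuine Access-Accept from our RADIUS server,
    then return the VLAN it assigns (None means leave the port unauthorized)."""
    if len(pkt) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        return None
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(pkt[4:20], expected):  # forged or tampered reply
        return None
    found = dict(parse_attrs(pkt[20:]))
    if (found.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            or found.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != MEDIUM_IEEE_802.to_bytes(3, "big")):
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # leading byte is an RFC 2868 tag, not VLAN text
        group = group[1:]
    return group.decode() or None
```

A reply with the wrong shared secret, a modified attribute, or an Access-Reject code yields None, which is the case where the port stays closed and the client never reaches DHCP.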
  • Hi Sachin_G,

    Please feel free to let us know if the information was helpful to you.

    Thanks,

    Tiger Li
    Tuesday, March 01, 2011 10:23 AM