NPS Computer and User Authentication

  • Question

  • In our setup we would like to authenticate laptops and users separately.  So if the laptop belongs to a particular AD group and the user belongs to a particular AD group then they are allowed to join the hidden WiFi network.

    In our current setup this kind of works.  We have a group policy that supplies the laptops with the required certificate if they belong to the right AD Group.  Then in NPS we have it do user authentication based on the User Group in AD.  This does work with one problem, the logon script fails to run 100% of the time.

    If we switch modes and use computer authentication, and base it on the Machine group, then the logon script works 100% of the time, however even local users to the laptop have access to the WiFi network, something we do not want.

    We have the group policy set to wait for network, we have a dial-up delay set and the scripts are set to run async.  Still no luck. 

    1) Any thoughts on how to get the logon scripts to run?  or

    2) setup NPS to do computer auth first, then user auth second?

    Wednesday, March 25, 2015 5:15 PM

Answers

All replies

  • Hi,

    If you use 802.1x wireless infrastructure, you may use GP to define “User or Computer authentication”. If computer authentication is successful, a subsequent user logon results in a re-authentication with user credentials.
    Detailed setting steps you may reference:
    Creating a secure 802.1x wireless infrastructure using Microsoft Windows
    http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx

    Besides, by SSO(single sign-on) we may do user authentication after the user has logged on.
    Detailed information you may reference:
    https://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx

    Best Regards,
    Eve Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by Daniel Kaliel Thursday, April 16, 2015 9:24 PM
    Thursday, March 26, 2015 3:20 AM
  • I've read that article and tried that. But it doesn't work how we want it to. On user authentication I want to deny if they are not in a particular AD group. But it appears the only user reauthentication is simply a valid AD account. So for example, if I set up as described in the article you posted and I place the machine in a valid AD group, if I log into the laptop with a local user account I am still able to gain access to the wireless network because the machine authenticated.
    Thursday, March 26, 2015 4:17 PM
  • Hi,

    Then you may consider my suggestion about SSO.

    Best Regards,
    Eve Wang


    Friday, March 27, 2015 9:16 AM
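The two replies above point at the same configuration: an 802.1X wireless profile with "User or Computer authentication" (computer authentication before logon, user authentication after) plus pre-logon single sign-on, so the user's domain credentials are sent to NPS during logon and the logon script runs over an already-authenticated link. The script below is an added example, not code from this thread or from Microsoft; it takes a profile exported with `netsh wlan export profile`, sets `authMode` to `machineOrUser` and adds a `singleSignOn` block of type `preLogon` in the OneX section, and optionally reloads the profile. The SSID, file names and the ten-second delay are assumed placeholders; element names follow the WLAN profile and OneX schema.

```powershell
<#
  Added example (not from the thread). Patch an exported 802.1X WLAN profile so the
  supplicant does computer authentication before logon and user authentication at
  logon (pre-logon single sign-on). Run on the laptop, or feed the result into the
  Wireless Network (IEEE 802.11) Policies GPO. File names are placeholders.
#>
param(
    # Exported with: netsh wlan export profile name="CorpWiFi" folder=. key=clear
    [Parameter(Mandatory)][string]$ProfilePath,
    [string]$OutPath = [IO.Path]::ChangeExtension($ProfilePath, '.sso.xml'),
    # Seconds the logon waits for the wireless connection before giving up on SSO
    [ValidateRange(0, 120)][int]$MaxDelaySeconds = 10,
    [switch]$Apply   # also load the patched profile for all users via netsh
)

$wlanNs = 'http://www.microsoft.com/networking/WLAN/profile/v1'
$oneXNs = 'http://www.microsoft.com/networking/OneX/v1'

[xml]$doc = Get-Content -LiteralPath $ProfilePath -Raw
$nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$nsm.AddNamespace('w', $wlanNs)
$nsm.AddNamespace('x', $oneXNs)

$oneX = $doc.SelectSingleNode('/w:WLANProfile/w:MSM/w:security/x:OneX', $nsm)
if (-not $oneX) { throw "No OneX element: '$ProfilePath' is not an 802.1X profile." }
# Schema order inside OneX ends with: ... authMode, singleSignOn, EAPConfig
$eapConfig = $oneX.SelectSingleNode('x:EAPConfig', $nsm)

# Return the named child of $Parent, creating it before $Before when absent.
function Get-OrAddChild([System.Xml.XmlElement]$Parent, [string]$Name, [System.Xml.XmlNode]$Before) {
    $node = $Parent.SelectSingleNode("x:$Name", $nsm)
    if (-not $node) {
        $node = $doc.CreateElement($Name, $oneXNs)
        if ($Before) { [void]$Parent.InsertBefore($node, $Before) }
        else         { [void]$Parent.AppendChild($node) }
    }
    return $node
}

# 1. Computer authentication before logon, user authentication after logon.
#    authMode must sit before singleSignOn if that element already exists.
$existingSso = $oneX.SelectSingleNode('x:singleSignOn', $nsm)
$authModeAnchor = if ($existingSso) { $existingSso } else { $eapConfig }
(Get-OrAddChild $oneX 'authMode' $authModeAnchor).InnerText = 'machineOrUser'

# 2. Pre-logon SSO: domain credentials go to NPS as part of logon, so the
#    user-level network policy (AD group condition) is evaluated before the
#    logon script runs. Children are appended in schema order.
$sso = Get-OrAddChild $oneX 'singleSignOn' $eapConfig
foreach ($pair in @(
        @('type',                   'preLogon'),
        @('maxDelay',               "$MaxDelaySeconds"),
        @('allowAdditionalDialogs', 'false')   # no credential pop-ups during logon
    )) {
    (Get-OrAddChild $sso $pair[0] $null).InnerText = $pair[1]
}

# XmlDocument.Save resolves relative paths against .NET's directory, not the
# PowerShell location, so resolve the output path through the provider first.
$fullOut = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutPath)
$doc.Save($fullOut)
Write-Host "Patched profile written to $fullOut"

if ($Apply) {
    # Load for all users so the machine-auth connection exists before anyone logs on.
    netsh wlan add profile filename="$fullOut" user=all
}
```

The profile change only decides when the user's credentials are presented; which users are allowed is still the Windows Groups condition on the user-level NPS network policy described in the question, and the computer-level policy keeps its machine group condition. After applying, `netsh wlan show profile name="CorpWiFi"` shows the 802.1X authentication mode and SSO settings that were written, which is the quickest way to confirm the GPO or netsh import took effect.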