Radius NPS for external AD users

Question
-
hello,
I'm trying to configure a RADIUS server on Windows 2008 R2 for 802.1X to authenticate wired and wireless computers.
I have seen some documentation and it seems quite easy for users or computers that are members of a group in my AD domain.
For external users, for instance guests or consultants that I haven't registered in my AD and don't want to register because, for example, they just need an internet connection for a few hours, how can I manage this? One of my goals is to put these users in a VLAN connected to the internet.
thanks
Saturday, July 20, 2013 12:15 PM
Answers
-
Hi,
According to your description and based on my experience, maybe you can try the following workaround.
In general, guests only stay at our company for a short time and usually want to keep their computer without any new NPS update; therefore, I suggest you try to deploy NPS with MAC address authorization together with an AD FGPP policy.
AD FGPP supports defining a different password policy for specific users and global security groups, so you can set the approximate time the guest needs to access the internal network as the password expiration time of the MAC authorization account; when the guest stays in your organization beyond the password expiration time, the device will be blocked by 802.1X authorization.
Some related articles:
Fine-Grained Password Policies
http://www.windows-active-directory.com/fine-grained-password-policies-active-directory.html
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
MAC Authentication + Windows Server 2008 R2 Radius server
http://social.technet.microsoft.com/Forums/windowsserver/en-US/8130b430-9b65-4fda-90ea-71228e16abcf/mac-authentication-windows-server-2008-r2-radius-server
Third party organization related article:
How to Install and Configure Network Policy Server NPS
http://www.sysadmintutorials.com/tutorials/microsoft/windows-2008-r2/how-to-install-and-configure-network-policy-server-nps/
MAC Authentication Bypass Deployment Guide
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
Hope this helps.
Alex Lv
- Marked as answer by Alex Lv Friday, July 26, 2013 2:26 AM
Tuesday, July 23, 2013 9:03 AM
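The answer above describes the idea (a MAC-authorization account whose password expires after the guest's visit, enforced by a Fine-Grained Password Policy) but not how to provision it. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory module on a domain-joined admin host, that the switch submits the MAC as lowercase hex without separators for both username and password (the common PAP-based MAB behaviour), and the OU, group and policy names are placeholders.

```powershell
# Added example: provision a short-lived MAB guest account governed by a
# Fine-Grained Password Policy (FGPP/PSO), so the account stops authenticating
# once the agreed guest window has elapsed.
Import-Module ActiveDirectory

$GuestOU        = "OU=MAB-Guests,DC=example,DC=com"   # placeholder OU
$GuestGroupName = "MAB-Guests"                         # placeholder global group
$PolicyName     = "PSO-MAB-Guests"                     # placeholder PSO name

function ConvertTo-MabIdentity {
    # Normalise common MAC notations (00:11:22:33:44:55, 00-11-22-33-44-55,
    # 0011.2233.4455) to the 12-hex-digit lowercase form assumed to be what
    # the NAS submits; anything else is rejected rather than guessed at.
    param([Parameter(Mandatory)][string]$MacAddress)
    $hex = ($MacAddress -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($hex.Length -ne 12) { throw "Not a MAC address: $MacAddress" }
    return $hex
}

function New-MabGuestPolicy {
    # One-time setup: the guest group and the PSO applied to it. MaxPasswordAge
    # is the guest window from the answer; when it elapses the password is
    # expired and NPS rejects the account. Complexity is off and length is 12
    # because the "password" is the MAC. Reversible encryption is needed for
    # PAP-based MAB, so it is scoped to this group only, never domain-wide.
    param([Parameter(Mandatory)][timespan]$GuestWindow)
    if (-not (Get-ADGroup -Filter "Name -eq '$GuestGroupName'")) {
        New-ADGroup -Name $GuestGroupName -GroupScope Global -Path $GuestOU
    }
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
        New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
            -MaxPasswordAge $GuestWindow -MinPasswordAge ([timespan]::Zero) `
            -MinPasswordLength 12 -ComplexityEnabled $false -HistoryCount 0 `
            -ReversibleEncryptionEnabled $true `
            -LockoutThreshold 5 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00"
        Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GuestGroupName
    }
}

function New-MabGuestAccount {
    # Per-visitor step. The account is created disabled, put in the group first
    # so the PSO (including reversible storage) is in effect, and only then gets
    # its password; the MaxPasswordAge clock starts from this pwdLastSet.
    # AccountExpirationDate is a second, independent cut-off for the same window.
    param([Parameter(Mandatory)][string]$MacAddress,
          [Parameter(Mandatory)][timespan]$GuestWindow,
          [string]$Description = "MAB guest device")
    $id = ConvertTo-MabIdentity $MacAddress
    New-ADUser -Name $id -SamAccountName $id -Path $GuestOU -Description $Description `
        -AccountExpirationDate (Get-Date).Add($GuestWindow)
    Add-ADGroupMember -Identity $GuestGroupName -Members $id
    Set-ADAccountPassword -Identity $id -Reset `
        -NewPassword (ConvertTo-SecureString $id -AsPlainText -Force)
    Set-ADUser -Identity $id -CannotChangePassword $true -PasswordNeverExpires $false
    Enable-ADAccount -Identity $id
    return $id
}

# Usage: an 8-hour guest window, then one consultant laptop (constructed MAC).
$window = New-TimeSpan -Hours 8
New-MabGuestPolicy -GuestWindow $window
New-MabGuestAccount -MacAddress "00:11:22:33:44:55" -GuestWindow $window -Description "Consultant visit"
```

Two points to keep in mind when using this pattern: MAB identifies a device by an address anyone can set, not a person, so the NPS network policy that matches the MAB-Guests group should also assign the internet-only VLAN the question asks for rather than granting internal access; and because the PSO stores passwords reversibly, keep its subject list limited to this one group and check its effective precedence with Get-ADUserResultantPasswordPolicy on a test account.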
All replies
-
Thank you for your help. I'll check the documentation and give you feedback.
Wednesday, July 31, 2013 3:00 PM