NAP and Network Policy with multiple windows groups condition

  • Question

  • Hi

    I'm using a 2008 (not R2) with a Fortinet FW and Cisco switches to do 802.1x authentication, and I'm using VLAN switching based on group membership (users and workstations).

    It works almost fine when I'm using only workstation groups OR user groups, but I can't get it to work with both at the same time.

    I have 2 workstation groups: W1 and W2, and 2 user groups: U1 and U2.

    when a computer is not in W1 or W2 => switch to guest VLAN: OK

    when W1 starts up => switch to VLAN 10: OK (W2 => VLAN 20)

    when a user is not in U1 or U2 => switch to guest VLAN: OK

    when U1 logs on W1 => stay in VLAN 10

    when U2 logs on W1 => switch to guest VLAN

    What I got was I could do almost anything except the switch when U1 logs on W2 or U2 logs on W1.

    My policies look like this right now:

    1 - VLAN ADMIN if Administrator

    2 - VLAN 10 if U1

    3 - VLAN 20 if U2

    4 - VLAN 10 if W1

    5 - VLAN 20 if W2

    6 - VLAN Guest if domain user

    7 - VLAN No Access if anything else

    So I would like to modify rules 2 and 3 to either say 'AND workstation in W1' (or use a NOT and force the switch).

    When I use 2 conditions, one User Groups and one Computer Groups, in the same rule (2 or 3), it is not validated and I am forced onto rule 6: Guest VLAN.

    (This is a 'simple' view of what I'm trying to do, but right now I'm down to these 6 rules and I'm trying to make it work before going full-blown multi-VLAN!!)

    Is there a way to have more control over the conditions (use OR, AND, NOT)?

    Am I trying to do something impossible? (Maybe I need to upgrade to 2008 R2.)

    Any help is welcome :)

    Best regards,

    Christophe Niel



    Tuesday, May 24, 2011 10:19 AM

Answers

  • Hi Dude

    Now I'm only making basic assumptions, so the risk of being wrong is quite high here. Okay, I believe in other words you are trying to perform both computer and user authentication in order to allocate a specific user and machine to a particular VLAN... I don't think this is possible due to the authmode settings that Windows client machines support.

    The authmodes support only either computer authentication or user authentication but never both, in which case once the user is in U1 or U2, that's it; it's not going to try and authenticate again to see which workstation group the computer belongs to, and vice versa when the computer authenticates first.

    Check out the link below; there are some tables at the bottom of the article which explain auth mode and how it works:

    http://support.microsoft.com/kb/929847

    Hope this helps

    tech-nique ;)

    Wednesday, May 25, 2011 4:48 PM
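    An added example (not part of this thread, and not NPS code) that models why the poster's combined rule never matches. It assumes what the answer above describes: NPS evaluates network policies top to bottom and applies the first one whose conditions all hold (conditions within a policy are ANDed; only the group list inside a single Windows Groups condition is ORed), and a Windows 802.1X supplicant sends one Access-Request per identity, so a request carries either the computer account's groups or the user account's groups, never both. The group names "Domain Users" and "Domain Computers" standing in for rule 6, and the helper names, are my own.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Request:
    """One RADIUS Access-Request as NPS sees it: exactly one account
    (computer at boot, or user at logon) presents its AD group set."""
    identity: str          # "computer" or "user"
    groups: frozenset

@dataclass(frozen=True)
class Condition:
    """A Windows Groups-style condition: any listed group satisfies it (OR),
    but only if the authenticating account is of the required kind."""
    groups: frozenset
    identity: Optional[str] = None   # None = either account kind is acceptable

    def holds(self, req: Request) -> bool:
        if self.identity is not None and req.identity != self.identity:
            return False
        return bool(req.groups & self.groups)

@dataclass(frozen=True)
class Policy:
    name: str
    vlan: str
    conditions: Tuple[Condition, ...] = ()   # all must hold (AND); empty = catch-all

    def matches(self, req: Request) -> bool:
        return all(c.holds(req) for c in self.conditions)

def evaluate(policies, req: Request):
    """First-match evaluation, as NPS processes an ordered policy list."""
    for p in policies:
        if p.matches(req):
            return p.name, p.vlan
    return None

# Helpers (hypothetical names) for the three condition kinds.
def user(*g):    return Condition(frozenset(g), "user")
def machine(*g): return Condition(frozenset(g), "computer")
def either(*g):  return Condition(frozenset(g))

# The poster's seven rules, in the order given in the question.
# Rule 6 is approximated as "any domain account" (assumed group names).
ORIGINAL = (
    Policy("1 - VLAN ADMIN if Administrator", "ADMIN", (user("Administrator"),)),
    Policy("2 - VLAN 10 if U1", "10", (user("U1"),)),
    Policy("3 - VLAN 20 if U2", "20", (user("U2"),)),
    Policy("4 - VLAN 10 if W1", "10", (machine("W1"),)),
    Policy("5 - VLAN 20 if W2", "20", (machine("W2"),)),
    Policy("6 - VLAN Guest if domain user", "Guest", (either("Domain Users", "Domain Computers"),)),
    Policy("7 - VLAN No Access if anything else", "NoAccess"),
)

def with_combined_rules():
    """Rules 2 and 3 rewritten with the 'AND workstation in Wn' the poster tried."""
    rules = list(ORIGINAL)
    rules[1] = Policy("2 - VLAN 10 if U1 AND W1", "10", (user("U1"), machine("W1")))
    rules[2] = Policy("3 - VLAN 20 if U2 AND W2", "20", (user("U2"), machine("W2")))
    return tuple(rules)

def logon_sequence(policies, machine_groups, user_groups):
    """The two requests a workstation actually generates: the computer account
    at boot, then the user account at logon. Each is judged on its own."""
    boot = evaluate(policies, Request("computer", frozenset(machine_groups)))
    logon = evaluate(policies, Request("user", frozenset(user_groups)))
    return boot, logon

if __name__ == "__main__":
    # Constructed sample: a W1 workstation, then a U1 user logging on to it.
    print("original rules :", logon_sequence(ORIGINAL, {"W1", "Domain Computers"}, {"U1", "Domain Users"}))
    # With the AND rule, the user request can never satisfy the machine half,
    # so it falls through to rule 6 (Guest), exactly what the poster observed.
    print("combined rules :", logon_sequence(with_combined_rules(), {"W1", "Domain Computers"}, {"U1", "Domain Users"}))
```

    The model also shows the other half of the problem: with the original rules, U2 logging on to a W1 machine matches rule 3 and lands in VLAN 20, because the user request carries no information about which workstation group the computer was in.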

All replies

  • Thanks

    That's pretty well explained, and what I feared. Well, I don't really care, but now I can explain why it's not working and why the project manager should always consult technicians before selling something to the client :D

    Best regards,

    Christophe

    Wednesday, June 1, 2011 12:11 PM