Can NPS respect user account's restrictions?

  • Question

  • We are using NPS as a RADIUS server to authenticate wireless and wired connections.

    Some user accounts have restrictions on the logon process. We did that to restrict some users' accounts to logging on to only a few machines on the network. The setup is done through the account restriction "Log on to", where we specify only the machines the user may log on to.

    NPS is not using that list of machines, and those accounts are able to authenticate any machine in the network.

    Is there a way to set up NPS to respect the account's logon limitations? I would prefer that users who are not able to log on to a machine are also not able to authenticate that machine.


    Gilsberty
    Monday, June 6, 2011 8:02 PM

Answers

  • Hi Gilsberty,

    NPS allows you to create network policies that have conditions such as "If this user and this computer." The way this would need to work is like an ACL, if you are familiar with how these are configured. There must be a deny at the end.

    For example, say you wanted to allow User123 access to the network if they were authenticating from ComputerABC or ComputerXYZ, but no other computer. You would need to create the three following network policies:

    Policy 1, Allow Access: Condition1: User123; Condition2: ComputerABC

    Policy 2, Allow Access: Condition1: User123; Condition2: ComputerXYZ

    Policy 3, Deny Access: Condition1: User123

    The way this works is that policies are processed from top to bottom until a match is found (until the conditions are met). As soon as a match is found, access is either allowed or denied depending on the policy setting. If User123 tried to authenticate from ComputerBCD this would fail to match policies 1 and 2, but would match policy 3 and access would be denied.

    In order to allow other users to access the network, you will need a policy at the bottom that does not have a specific user condition. Just be sure that this policy is not at the top or User123 would match it and be allowed access before they had a chance to be processed by the other rules. I hope this makes sense.

    -Greg

    Friday, June 17, 2011 5:35 AM
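The following script is an added example, not code from the thread or from Microsoft: it simulates the first-match, top-to-bottom processing Greg describes, using his policy names and the User123/ComputerABC/ComputerXYZ identities from his answer. The fourth "Everyone else" policy, the `Policy`, `evaluate` and `shadowed` names, and the plain string comparison on user and machine are assumptions made for the illustration; in a real NPS configuration the user and computer conditions are expressed through conditions such as User Name, User Groups, Windows Groups and Machine Groups, and the order is set by each policy's Processing Order. The script also shows the failure mode Greg warns about (the catch-all placed at the top), and it treats "no policy matched" as a reject, which is how NPS handles a request that matches no network policy.

```python
"""Simulate NPS network-policy processing: first matching policy wins.

Added example (not from the thread). Policy names are Greg's; the
catch-all policy and all function names are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    grant: bool                    # True = Grant access, False = Deny access
    user: Optional[str] = None     # None = no user condition on this policy
    machine: Optional[str] = None  # None = no machine condition on this policy

    def matches(self, user: str, machine: str) -> bool:
        # NPS ANDs every condition on a policy: all of them must hold.
        return (self.user is None or self.user == user) and (
            self.machine is None or self.machine == machine
        )

    def covers(self, other: "Policy") -> bool:
        # True when every request that matches `other` also matches this
        # policy, so placing this policy earlier hides `other` completely.
        return (self.user is None or self.user == other.user) and (
            self.machine is None or self.machine == other.machine
        )


def evaluate(policies: List[Policy], user: str, machine: str) -> Tuple[Optional[str], bool]:
    """Walk the policies in processing order and stop at the first match.

    Returns (name of the deciding policy or None, access granted). If no
    policy matches, NPS rejects the request, so the default is a deny.
    """
    for policy in policies:
        if policy.matches(user, machine):
            return policy.name, policy.grant
    return None, False


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of policies that can never match because an earlier policy
    already matches every request they would match (the ordering bug)."""
    unreachable = []
    for index, later in enumerate(policies):
        if any(earlier.covers(later) for earlier in policies[:index]):
            unreachable.append(later.name)
    return unreachable


# Greg's three policies plus a catch-all for everyone else, in the order
# he describes: the deny for User123 sits above the catch-all.
CORRECT_ORDER = [
    Policy("Policy 1 - User123 from ComputerABC", grant=True, user="User123", machine="ComputerABC"),
    Policy("Policy 2 - User123 from ComputerXYZ", grant=True, user="User123", machine="ComputerXYZ"),
    Policy("Policy 3 - Deny User123 elsewhere", grant=False, user="User123"),
    Policy("Policy 4 - Everyone else", grant=True),
]

# The same policies with the catch-all mistakenly moved to the top.
MISORDERED = [CORRECT_ORDER[3]] + CORRECT_ORDER[:3]

# Constructed sample requests: (User-Name, connecting computer).
SAMPLE_REQUESTS = [
    ("User123", "ComputerABC"),  # allowed by Policy 1
    ("User123", "ComputerBCD"),  # must fall through to the deny
    ("User456", "ComputerBCD"),  # an unrestricted user, reaches the catch-all
]

if __name__ == "__main__":
    for label, table in (("correct order", CORRECT_ORDER), ("catch-all first", MISORDERED)):
        print(f"== {label} ==")
        for user, machine in SAMPLE_REQUESTS:
            name, ok = evaluate(table, user, machine)
            print(f"{user:8} from {machine:12} -> {'GRANT' if ok else 'DENY':5} via {name}")
        print("shadowed policies:", shadowed(table) or "none")
```

Running it shows User123 from ComputerBCD denied by Policy 3 in the correct order, but granted by the catch-all when that policy is first; `shadowed` reports the three User123 policies as unreachable in the misordered table, which is a quick check worth running over any exported policy list before trusting a deny.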

All replies

  • Hi Gilsberty,

    I don't think NPS will respect the configuration for the user account's restriction. But you can write an extension DLL for authentication to achieve the goal. You can check the user account's restriction configuration in the extension DLL and then make the decision whether the user can be authenticated or not. For more details about the extension, please have a look here: http://msdn.microsoft.com/en-us/library/bb891985(v=vs.85).aspx

    Regards

    Qunshu


    Monday, June 6, 2011 10:49 PM
  • Hello Qunshu.

    Thank you for the information.

    I read the topic about the extension DLLs. I believe this feature will not be able to implement the machine restriction because the machine being authenticated is not listed as an attribute received by the DLL (http://msdn.microsoft.com/en-us/library/bb892029(v=VS.85).aspx). I found only user attributes.

    I would prefer an NPS setup or native feature instead of writing my own DLL.


    Gilsberty
    Tuesday, June 7, 2011 7:39 PM
  • Hi Gilsberty,

    Thanks for posting here.

    You may consider setting the local security options “Access this computer from the network” and “Deny log on locally” for these hosts, and it should be more achievable by using NPS:

    Access this computer from the network

    http://technet.microsoft.com/en-us/library/cc740196(WS.10).aspx

    Deny log on locally

    http://technet.microsoft.com/en-us/library/cc728210(WS.10).aspx

    Thanks.

    Tiger Li


    Friday, June 10, 2011 6:22 AM
  • Hi Tiger Li.


    Thanks for the information, but both links are useful in a different scenario.

    I don't need to limit or deny access for the machines; I need to configure my NPS to limit a few users to being able to authorize just a specific set of machines.


    Let me explain: I have a few accounts able to log on to only a specific set of computers. For example: user account "Mark" can log on to machines ifch1, ifch2 and ifch3. This is set using the "Log on to" account property. For the logon restriction this is working perfectly. NOTE: machines ifch1, ifch2 and ifch3 must let all users log on locally (that's why the information you sent is not useful for this case).


    So "Mark" can log on locally only to ifch1, ifch2 and ifch3, and this is working perfectly. What is not working? What is wrong?


    We need NPS to respect the "Log on to" restriction. That way the account "Mark" should be able to authorize only machines ifch1, ifch2 and ifch3. Right now I can authorize any machine using the account "Mark". NOTE: I have 100% of my network protected by 802.1X, so "Mark" must be able to authorize ifch1, ifch2 and ifch3, and this account should not be able to authorize any other machine.


    Is there a way to set NPS to do it?


    Gilsberty
    Friday, June 10, 2011 2:02 PM
  • Greg.

     

    THANK YOU!

    So simple, so perfect, so nice!


    Gilsberty
    Friday, June 17, 2011 12:41 PM