IAS Server Computer Only Authentication

  • Question

  • Although NAP may not be the right forum, I didn't see one for IAS, so I figured this was the most closely related.
    Either way, here is the scenario.
    I am attempting to set up a wired 802.1x environment with PEAP TLS (being the most secure, correct me if I'm wrong).
    I have a Windows Server 2003 Enterprise which is a DC and GC.
    This same server is a Subordinate CA and has IAS installed on it.

    My Remote Access Policy #1 is as follows:
    Windows-Groups matches "DOMAIN\Domain Computers" AND
    NAS-Port-Type matches "Ethernet"
    Authentication is PEAP and Configured for Smart card or other Certificate

    The client computer (Windows XP SP2) settings under Local Area Connection, Authentication tab are :
    Enable IEEE 802.1x authentication for this network
    EAP Type: Protected EAP (PEAP)
    Authenticate as computer when computer information is available is checked off.

    The properties for PEAP are:
    Validate server certificate is selected
    Connect to these servers is selected and the name of the Sub CA is there
    Under Trusted Root Certification Authorities, the Enterprise Root CA is selected
    Authentication Method is Smart Card or Other Certificate

    The "Configure" options for Smart Card or Other Certificate are:
    Use a certificate on this computer, with Use simple certificate selection (Recommended) selected
    Validate server Certificate selected
    Connect to these servers selected with the name of the Sub CA
    and the Ent Root CA selected under Trusted Root Certification Authorities.

    It also has a valid computer certificate.

    If the client computer boots up, the IAS policy is successfully applied and the computer gets an IP and is allowed on the network. However, if the network connection is lost (i.e. the network cable is unplugged and re-plugged in), then the computer attempts to connect using "user credentials"; because there is no certificate for the user (and I don't plan on issuing certificates to users unless that is the only resolution), I get a message saying "Windows was unable to find a certificate to log you on to the network".

    I am looking to "force" the XP machine to only use the Computer Credentials/Certificate to validate against IAS. Is this possible?
    Monday, April 27, 2009 8:57 PM

Answers

  • I have successfully figured it all out.
    Again though, this is only for Windows XP SP2.
    In the registry go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
    then create 2 DWORDs:
    First one is AuthMode
    This has a value of 2
    Then create SupplicantMode
    This should have a value of 3

    Aaron, this should solve your problem.

    Now mikrowiz: your issue of wanting to force BOTH.
    AuthMode set to a value of 2 will force Machine ONLY authentication, i.e. User authentication will not be used.
    However looking at your post you could solve your problem at the IAS server by creating a policy that requires BOTH a valid computer account and user account. I can help you with that if you need it.

    Hope this helps. I'll check back soon.

    • Marked as answer by JamminBreeze Thursday, May 28, 2009 4:31 AM
    Thursday, May 28, 2009 4:30 AM
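The registry change from the accepted answer, scripted as an added example (this is not code from the original thread). It assumes PowerShell is installed on the Windows XP SP2 client and is run from an elevated session; it applies the two DWORD values the answer names and reads them back so a mismatch is visible instead of silently ignored.

```powershell
# Added example (not from the original thread): apply and verify the
# machine-only 802.1X supplicant settings the accepted answer gives for
# Windows XP SP2. Run in an elevated PowerShell session.
$Path = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'

# Values from the accepted answer: AuthMode 2 = machine-only
# authentication (user credentials are never tried); SupplicantMode 3
# as given in the answer. Both are REG_DWORD.
$Desired = @{ AuthMode = 2; SupplicantMode = 3 }

# Create the key if it does not exist yet.
if (-not (Test-Path $Path)) {
    New-Item -Path $Path -Force | Out-Null
}

foreach ($name in $Desired.Keys) {
    $current = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $Desired[$name]) {
        Write-Host "Setting $name from '$current' to $($Desired[$name])"
        Set-ItemProperty -Path $Path -Name $name -Value $Desired[$name] -Type DWord
    } else {
        Write-Host "$name already set to $current"
    }
}

# Read back and report; a MISMATCH line means the change did not apply.
$after = Get-ItemProperty -Path $Path
foreach ($name in $Desired.Keys) {
    $ok = ($after.$name -eq $Desired[$name])
    "{0,-15} expected={1} actual={2} {3}" -f $name, $Desired[$name], $after.$name,
        $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
```

The same values can be pushed to many XP clients as a .reg file or a startup script; the read-back loop is the part worth keeping, since a typo in the key path produces no error on its own.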

All replies

  • Have you made any progress with this because I think it would lead toward a resolution of the problem I'm having as well? 

    I'm looking for the same sort of thing, or at least to force machine authentication *and* user authentication.  It seems both work independently.  Machine authentication works properly pre-login, but if a user logs in on an unauthorized computer, they can still authenticate with a valid user cert post login even if there is no valid machine cert.  I want to make sure the machine cert is *always* enforced, even if there is a valid user cert on the machine.   Unfortunately it seems every trail I follow regarding this ends with a dead end.  I'm not sure how a guy is supposed to certify that both the user *and* computer are valid entities on my wireless network.  Perhaps this is a limitation with IAS?  I don't want to only rely on soft user certs to verify entry to my wireless network since they seem to be easily moved to unauthorized computers.
    Friday, May 22, 2009 3:01 PM
  • I have also run into this problem. I have deployed a Wireless LAN in which I am using PEAP MS CHAP v2 to authenticate the computer pre-login. When a user logs in, those credentials are used instead. How do I force computer only authentication? I do not want non domain devices (iPhones, laptops, etc.) to be able to gain access to this WLAN. Thanks, Aaron
    Saturday, May 23, 2009 6:22 PM
  • Unfortunately, I've tried a policy that requires both user and computer and it doesn't seem to work.  That sure would seem to be the logically easy way to do it if it were supported, but I think it would require yet a different AuthMode that requires both user and computer certs post login.  If I use an IAS or NPS policy that requires both, then authentication fails because with the AuthMode at Computer Only, it tries to present the user certificate for authentication at login, but the authmode is expecting a computer certificate.

    The only headway I've made was with a blog post somewhere that said to enable the Dial-In permissions on the user's account, and then put the MAC of the computer in the calling station ID.  That works, but it is supposedly a regular expression that should be able to handle multiple values, but I couldn't get that to work and I have some users who need to be able to have permission to use wireless from multiple computers.  I did find I could get multiple MAC addresses in that field using ADSIEdit, but that is too messy and will get overwritten if the user is ever edited in ADUC.

    For now I'm using Computer Only authentication because this is the only thing that ensures that only my certificated domain computers are the ones accessing the wireless, and at that point the users have to authenticate anyway.  The only hole left is that a domain user who I don't want to have access to wireless, or even a local user account, would still have access.

    CBHS_Aaron - With regards to your question.  The only way I've found to make sure that nobody uses unauthorized devices is to use *Computer Only* authentication with machine certificates, not user certificates.  Using user certificates I was easily able to export a cert from the store of one machine to the store of another (even non-domain) and authenticate with that valid user certificate.  Granted it would take a user that is smarter than the average bear, but it works.

    Thursday, May 28, 2009 3:31 PM
  • Mikrowiz,
    A couple of questions.
    When you check the event log, assuming you are logging events, what information is being passed on the failure?
    It should dictate in the event log why the user/computer is being denied.
    Also in IAS, in your policy, click "edit profile" and go to the Advanced tab.
    Under Advanced, click Add..., then look for/select Ignore-User-Dialin-Properties and set the Value to "true".
    Let me know how that goes and what the event log says.

    Monday, June 1, 2009 6:42 PM
  • Hello Jammin Breeze,

    I realize that this post is more than a year old, but I thought I would take a shot as I have the same need as mikrowiz and have yet to find a solution. I would like to find a way to enforce both machine and user authentication. We need user authentication to provide dynamic VLAN assignment, and machine authentication to keep user owned non-domain devices from manually entering the wireless network settings into their client and being able to authenticate with their domain credentials.

    Tuesday, June 8, 2010 3:24 PM