authenticating clients in radius server wirelessly...

  • Question

  • Hi Experts....

    I'm facing a difficult situation in my company... As a system admin, I want that when an employee with a laptop is connected using a wired medium, it should authenticate with AD, and when he wants to connect over wifi, he should also be authenticated with AD.

    Is it possible to implement this?

    Thank You...

    Thursday, May 22, 2014 7:26 PM

Answers

  • Yes - clients could use 802.1x to authenticate to AD either via Wireless LAN access points or via switches (given APs and switches support 802.1x).

    This page is probably a good starting point, with links to various resources for 802.1x wired and wireless networking:

    Wired and Wireless Networking with 802.1X Authentication

    In a nutshell, you need a RADIUS server (NPS in a Microsoft / AD environment and in this forum, I guess), and the APs and switches are configured as clients to this RADIUS server.

    802.1x can use different authentication options, most common are EAP-TLS and PEAP-MS-CHAPv2. In both cases the NPS server has a server certificate, thus the authentication channel is protected. Clients authenticate either using certificates (you need a PKI to distribute those) or username (machine name) and password (PEAP).

    Client settings (such as: authenticate as a computer, user, or both) are distributed via group policies.

    At the RADIUS server, policies are configured that (e.g.) determine which groups of users or computers are allowed to use these networks. There could be different policies for wired and wireless LANs.

    Elke

    (Edit - clarification, just to be sure: I was assuming here... also because this is the network access protection forum... that logon to AD should be a requirement to connect to the network. Of course you could have an open or MAC-'protected' WLAN and unprotected switch ports and users would still need to logon to AD to access resources on the network.)

    • Proposed as answer by Steven_Lee0510 Tuesday, June 3, 2014 1:21 AM
    • Marked as answer by Steven_Lee0510 Tuesday, June 3, 2014 1:36 AM
    • Edited by Elke Stangl Saturday, July 26, 2014 3:45 PM: Just noticed I wrote PEAP-TLS - actually PEAP-MS-CHAPv2 is the common variant.
    Thursday, May 22, 2014 9:47 PM
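As an added example (not code from the thread or from Microsoft), the "APs and switches are configured as clients to this RADIUS server" step from the answer above, done in PowerShell on the NPS server: every switch and access point is registered with its own randomly generated shared secret. Device names and addresses are constructed placeholders.

```powershell
# Added example: register switches and APs as RADIUS clients on an NPS server.
# Run on the NPS server itself; the 'NPS' module ships with the NPS role.
Import-Module NPS

# Constructed inventory (placeholders): replace with your own switches / APs.
# Kind is informational here; NPS network policies can tell wired from wireless
# requests via the NAS-Port-Type condition (Ethernet vs. Wireless - IEEE 802.11).
$radiusClients = @(
    @{ Name = 'sw-floor1'; Address = '10.0.1.2';  Kind = 'wired'    },
    @{ Name = 'sw-floor2'; Address = '10.0.1.3';  Kind = 'wired'    },
    @{ Name = 'ap-lobby';  Address = '10.0.2.10'; Kind = 'wireless' }
)

# One random shared secret per device, so a compromised switch or AP does not
# expose the secret used by every other network access server.
function New-RadiusSharedSecret {
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RNGCryptoServiceProvider]::new()
    $out = [System.Text.StringBuilder]::new()
    $buf = [byte[]]::new(1)
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        # Reject bytes >= 248 so that 'byte mod 62' is unbiased (248 = 4 * 62).
        if ($buf[0] -lt 248) { [void]$out.Append($alphabet[$buf[0] % 62]) }
    }
    $out.ToString()
}

$secrets = @{}
foreach ($c in $radiusClients) {
    $secret = New-RadiusSharedSecret
    # AuthAttributeRequired makes NPS insist on the Message-Authenticator
    # attribute, which protects Access-Request packets against spoofing.
    New-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $secret `
        -AuthAttributeRequired $true | Out-Null
    $secrets[$c.Name] = $secret   # needed once to configure the device side
}

# Verify what NPS now knows about; secrets are not readable back, by design.
Get-NpsRadiusClient | Where-Object { $_.Name -in $radiusClients.Name } |
    Select-Object Name, Address, Enabled, AuthAttributeRequired

# Hand each secret to the matching switch/AP configuration, then discard $secrets.
$secrets
```

The printed secrets exist only in this session; enter them on each device and do not store them in plaintext.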