Radius Server - Denying non-domain computers with a valid user account

Gonzox77

2005-09-09, 2:49 am

Hi everyone

I am currently running 802.1x with PEAP, which is working great. All my
users and workstations connect without any issue to the wireless network.
But I figured out that if I use my laptop that is not part of the domain
and try to connect to the wireless, I can, by simply telling it not to use my
currently logged-in account information and letting me specify the login
account information myself. At this point it lets me connect to the
wireless signal. Is there a way in the Radius policy or in Windows to not
allow this? Is there a way to only allow users to connect that are
logged into a computer with a valid domain account?

Thanks for any help in advance.

Gonzox77

Ian Campbell

2005-09-09, 5:54 pm

Hi Gonzo,

Regretfully, I don't have an answer for you, but I will be watching here
very closely. I posted the same question last week, but have not received
any relevant responses as of yet. Hopefully we'll get some information soon.
Good luck,

Ian

"Gonzox77" <Lginet@sbcglobal.net> wrote in message
news:396b34ad5a7019b241069958aa5fd1a1@localhost.talkaboutsoftware.com...
> Hi everyone
>
> I am currently running 802.1x with PEAP, which is working great. All my
> users and workstations connect without any issue to the wireless network.
> But I figured out that if I use my laptop that is not part of the domain
> and try to connect to the wireless, I can, by simply telling it not to use my
> currently logged-in account information and letting me specify the login
> account information myself. At this point it lets me connect to the
> wireless signal. Is there a way in the Radius policy or in Windows to not
> allow this? Is there a way to only allow users to connect that are
> logged into a computer with a valid domain account?
>
> Thanks for any help in advance.
>
> Gonzox77
>



Thomas K

2005-09-09, 5:54 pm

NO, because the dot1x login process (PEAP) is not tied to the NT login
process.

But why don't you do the following:
- activate machine auth on all computers using AUTHMODE=2
- create a new group in AD, put all machine accounts in that group
- in the IAS policy, match that group to grant access, else deny access

T

"Gonzox77" <Lginet@sbcglobal.net> wrote in message
news:396b34ad5a7019b241069958aa5fd1a1@localhost.talkaboutsoftware.com...
> Hi everyone
>
> I am currently running 802.1x with PEAP, which is working great. All my
> users and workstations connect without any issue to the wireless network.
> But I figured out that if I use my laptop that is not part of the domain
> and try to connect to the wireless, I can, by simply telling it not to use my
> currently logged-in account information and letting me specify the login
> account information myself. At this point it lets me connect to the
> wireless signal. Is there a way in the Radius policy or in Windows to not
> allow this? Is there a way to only allow users to connect that are
> logged into a computer with a valid domain account?
>
> Thanks for any help in advance.
>
> Gonzox77
>



Gonzox77

2005-09-09, 5:54 pm

Hi Thomas K,

Thanks for your idea. I am not sure what you mean by the first line:

- activate machine auth on all computers using AUTHMODE=2

Is there a KB article or website you can post a link to?

Thanks

Luis

Eric J.

2005-09-12, 6:13 pm

Hi Luis,

The AUTHMODE is a DWORD you have to create in your registry.

Open Regedit and then go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global

and create a DWORD called "AuthMode" with the value of 2.

Then the client authenticates with the machine cert only.

greetz
Eric
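As an added example (not code from the thread or from any of its posters), this is how Thomas K's first two steps, with the AuthMode value Eric describes, would be scripted today in PowerShell. It assumes the registry part runs elevated on the client, that the ActiveDirectory module (RSAT) is available for the group part, and that the group name and OU distinguished names are placeholders to adjust; the IAS policy step has no scripting equivalent and is only noted in a comment.

```powershell
# Added example; not from the thread. Placeholders: group name and OU paths.

# --- Step 1 (Thomas K / Eric J.): force computer-only 802.1X authentication ---
$Key = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
# AuthMode 2 = computer authentication only; the supplicant never offers
# user credentials, so a user-only logon from a non-domain machine fails.
New-ItemProperty -Path $Key -Name 'AuthMode' -PropertyType DWord -Value 2 -Force | Out-Null
$current = (Get-ItemProperty -Path $Key -Name 'AuthMode').AuthMode
if ($current -ne 2) { throw "AuthMode is $current, expected 2" }

# --- Step 2: collect the domain's computer accounts in a dedicated group ---
Import-Module ActiveDirectory
$GroupName = 'Wireless-DomainMachines'                 # placeholder
$GroupOU   = 'OU=Groups,DC=example,DC=com'             # placeholder
$ClientOU  = 'OU=Workstations,DC=example,DC=com'       # placeholder
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}
# Only enabled computer accounts under the client OU; narrow the filter as needed
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $ClientOU
Add-ADGroupMember -Identity $GroupName -Members $computers

# --- Step 3: done in the IAS console, not scriptable here ---
# Remote access policy: condition "Windows-Groups matches EXAMPLE\Wireless-DomainMachines",
# permission Grant; the default policy below it denies everything else.
```

With AuthMode 2 the identity presented to IAS is the computer account (host/name.domain), not a user, so any existing policy conditions that matched user groups must be re-pointed at the machine group or they will stop matching.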

Thomas K

2005-09-12, 6:13 pm

Exactly. The client will do machine auth only (with a cert if EAP-TLS, or with the machine
password if PEAP-MSCHAPv2).

T

"Eric J." <bt_hirosaito@gmx.de> wrote in message
news:1126519006.008565.266780@g44g2000cwa.googlegroups.com...
> Hi Luis,
>
> The AUTHMODE is a DWORD you have to create in your registry.
>
> Open Regedit and then go to:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
>
> and create a DWORD called "AuthMode" with the value of 2.
>
> Then the client authenticates with the machine cert only.
>
> greetz
> Eric
>



Gonzox77

2005-09-12, 6:13 pm

Thank you guys, this has helped me out a lot. The reg hack works great and I
can no longer log on using only a valid user account; the machine
authentication works great.

thanks again

Gonzox77
