Re: SSID restriction

From: Sam Salhi [MSFT] (samers_at_online.microsoft.com)
Date: 11/19/04


Date: Fri, 19 Nov 2004 01:48:08 -0800

Sorry, but I didn't quite understand what you're asking here, can you
elaborate?

-- 
      =============================================
  This posting is provided "AS IS" with no warranties, and confers no rights
Join us on Nov 29th 1:00 to 2:00 PM PST, for an online webchat on "Using and 
troubleshooting RADIUS using IAS"
This chat will help you resolve all of your RADIUS/IAS issues. You can ask 
about RADIUS, IAS, 802.1x, Active directory configuration and Certificate 
services, related to IAS and RADIUS
Follow this link to join the chat
http://www.microsoft.com/communities/chats/default.mspx#04_Nov29_IAS_RADIUS
      =============================================
"Thomas K" <thomas@kuborn.be> wrote in message 
news:cnilj8$253$1@pop-news.nl.colt.net...
> Hello Sam,
>
> I think it would if the user cannot bypass it.
> What are the requirements for it?
>
> T
>
> "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
> news:eQ8eGVYzEHA.1188@tk2msftngp13.phx.gbl...
>> Well, you can have a group policy that will define that the user is to
>> connect to a specific SSID. Would this help?
>>
>>
>>
>> "Thomas K" <thomas@kuborn.be> wrote in message
>> news:cnhvbi$pg5$1@pop-news.nl.colt.net...
>> >I Know ...
>> >
>> > Could WZCSVC somehow be modified to not attempt to reauthenticate ?
>> >
>> > Cheers,
>> >
>> > T
>> >
>> > "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
>> > news:%23v1oyoUzEHA.1652@TK2MSFTNGP11.phx.gbl...
>> >> Thanks for the explanation
>> >> Unfortunately, SSID is not something that is sent to the RADIUS server
>> >> (IAS or otherwise) so there is no way to distinguish users based on the
>> >> SSID they're trying to connect to
>> >>
>> >>
>> >>
>> >> "Thomas K" <thomas@kuborn.be> wrote in message
>> >> news:419c55eb$0$31956$ba620e4c@news.skynet.be...
>> >> > Suppose user "userTK" is allowed access in SSID "ssidTK" only. Suppose
>> >> > I have an IAS access policy called "policyTK" that sends back the
>> >> > radius attribute "ssid=ssidTK"
>> >> > If I create a group called "groupTK" & make userTK a member of it,
>> >> > then when userTK tries to connect to ssidTK, IAS matches the request
>> >> > with the groupTK, links that to the policy policyTK & all works fine
>> >> > because the AP gets the radius attribute ssid=ssidTK which is what
>> >> > userTK requested ...
>> >> >
>> >> > If userTK then tries to connect to ssidBLAHBLAH, IAS will still match
>> >> > userTK to the groupTK & link that to the policyTK. So IAS will send an
>> >> > access/accept but userTK won't be allowed to associate because:
>> >> > - AP gets ssid=ssidTK from IAS
>> >> > - userTK requests ssidBLAHBLAH
>> >> >
>> >> > So AFAIK it would not work?
>> >> >
>> >> > What do you think?
>> >> >
>> >> > Cheers,
>> >> >
>> >> > T
>> >> >
>> >> >
>> >> >
>> >> > "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
>> >> > news:ebbDC1RzEHA.3236@TK2MSFTNGP15.phx.gbl...
>> >> >> I guess the best approach in this case is to create a little windows
>> >> >> group. Join that user/Computer to that windows group and have the
>> >> >> policy matched based on that. If the user is in that group, he will
>> >> >> match that policy and the right SSID is sent back to the AP
>> >> >> If it doesn't match, IAS will continue trying to match other policies.
>> >> >> If it doesn't match any policy the user is rejected and therefore is
>> >> >> disconnected
>> >> >>
>> >> >> Would this address this issue?
>> >> >>
>> >> >>
>> >> >>
>> >> >> "Thomas K" <thomas@kuborn.be> wrote in message
>> >> >> news:419bacdc$0$31932$ba620e4c@news.skynet.be...
>> >> >>> Hello Sam,
>> >> >>>
>> >> >>> The client is authenticated successfully so IAS sends back an accept
>> >> >>> message. However, the AP denies access to the wireless client based
>> >> >>> on:
>> >> >>> - ssid requested by the wireless client
>> >> >>> - allowed ssid as provided by IAS based on matched access policy.
>> >> >>>
>> >> >>> What I want to do is enforce a mapping between computer/user &
>> >> >>> ssids...
>> >> >>>
>> >> >>> Rgds,
>> >> >>>
>> >> >>> T
>> >> >>>
>> >> >>> "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
>> >> >>> news:Ouu4frMzEHA.3588@TK2MSFTNGP14.phx.gbl...
>> >> >>>> The way the client was designed, it will back off IF it gets a
>> >> >>>> positive Reject. If not it will continue to retry (because it
>> >> >>>> doesn't know why it wouldn't authenticate, it would assume it roamed
>> >> >>>> away, or something like that)
>> >> >>>> To Fix your issue below, make sure that you define your policies in
>> >> >>>> a way that it will issue a reject instead of a restriction
>> >> >>>>
>> >> >>>> Explaining your setup a little bit more might allow us to help you
>> >> >>>> architect a better policy
>> >> >>>>
>> >> >>>>
>> >> >>>> "Thomas K" <thomas@kuborn.be> wrote in message
>> >> >>>> news:cnfvm5$8mm$1@pop-news.nl.colt.net...
>> >> >>>>> Dear all,
>> >> >>>>>
>> >> >>>>> I've implemented SSID restriction with IAS & Cisco Access Points &
>> >> >>>>> it works just fine.
>> >> >>>>> However, I have a problem when the computer/user is not allowed to
>> >> >>>>> associate because the requested SSID is not listed in the Cisco
>> >> >>>>> av/pair "ssid=<ssid1>,<ssid2>, ..." that IAS sends to the Cisco
>> >> >>>>> Access Point. It is just right that the computer/user is not allowed
>> >> >>>>> to associate in such a situation; however, what is not right is that
>> >> >>>>> the wireless computer/user keeps retrying for ever, consuming network
>> >> >>>>> bandwidth & IAS CPU processing (for TLS amongst others)...
>> >> >>>>>
>> >> >>>>> Anyone can help?
>> >> >>>>>
>> >> >>>>> Cheers,
>> >> >>>>>
>> >> >>>>> T
>> >> >>>>>
>> >> >>>>>
> 
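
Added example (not part of the original thread or of any poster's message): a small Python model of the behaviour the thread describes, where the RADIUS server accepts based on group membership alone, the AP enforces the returned `ssid=` list, and the client retries unless it sees an explicit reject. The function names, the group table and the retry cap are hypothetical and constructed for the illustration.

```python
# Added illustration: models the behaviour described in the thread.
# All names and the retry cap are hypothetical/constructed for the demo.

GROUPS = {"userTK": {"groupTK"}}                  # constructed membership
POLICIES = [("policyTK", "groupTK", ["ssidTK"])]  # ordered: first match wins

def ias_decide(user):
    """RADIUS decision. The requested SSID is deliberately not an input:
    in the thread it is stated that the server does not receive it."""
    for _name, group, ssids in POLICIES:
        if group in GROUPS.get(user, set()):
            return "Access-Accept", "ssid=" + ",".join(ssids)
    return "Access-Reject", None  # no policy matched

def ap_check(requested_ssid, decision, avpair):
    """AP-side enforcement of the returned ssid= list."""
    if decision == "Access-Reject":
        return "rejected"
    allowed = [s.strip() for s in avpair.split("=", 1)[1].split(",")]
    return "associated" if requested_ssid in allowed else "denied-by-ap"

def client_session(user, requested_ssid, max_tries=5):
    """Client backs off only on an explicit reject; otherwise it retries.
    Returns (final outcome, number of full authentications performed)."""
    auths = 0
    outcome = None
    for _ in range(max_tries):
        decision, avpair = ias_decide(user)
        auths += 1  # each attempt costs the server a full authentication
        outcome = ap_check(requested_ssid, decision, avpair)
        if outcome in ("associated", "rejected"):
            break
    return outcome, auths

if __name__ == "__main__":
    for user, ssid in [("userTK", "ssidTK"), ("userTK", "ssidBLAHBLAH"),
                       ("userX", "ssidTK")]:
        print(user, ssid, client_session(user, ssid))
```

The middle case is the one the thread is about: every attempt is accepted by the server and then refused at the AP, so the authentication count grows until the constructed cap stops the loop.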

