Re: PEAP (MSCHAPV2) - Confusion over User vs. Computer Authentication



"Kurt" <anonymous@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:176f01c54f59$7f79cea0$a401280a@xxxxxxx:

> Hi,
>
> We have set up a W2K IAS server which is able to
> authenticate WLAN clients via Cisco 1200 APs. So far this
> is working ok.
>
> I was asked to verify that both the machine AND the user
> are being authenticated. I did the following to see if I
> could verify this.
>
> Logged in from a laptop which is definitely an AD domain
> member with a known-good domain user acct. This worked
> fine.
>
> Logged in from another laptop which is NOT part of the AD
> domain, but with a valid user acct. which IS in the
> domain. This also worked fine. (not good)
>
> I may be confused on this, but I thought I had heard
> somewhere that you could configure IAS to ENFORCE the rule
> that the user had to not only have valid domain
> credentials, but also be logging in from a machine that is
> in the domain as well.
>
> Is this true? If so, what should my IAS remote access
> policy look like to enforce machine and user login?
>
> Thanks!
>

As Thomas says, it is not currently possible to chain authentication
(computer and user) at this point in time. It is possible that this might
be available with PEAP v2, but that is not clear yet.

If you deploy EAP-TLS without smart cards you can prevent non-domain member
computers from connecting. You just have to deploy your PKI in such a way
that the user cert that your CA issues goes only to machines that are
domain members. It probably would also be useful to deploy certs in such a
way that the private keys cannot be exported.

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.