Restricting users to AD domain computers

Bryce Mackintosh brycedrm at gmail.com
Thu Oct 11 13:55:13 CEST 2012 

On 11 October 2012 11:45, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 11/10/12 11:03, Bryce Mackintosh wrote:
>
>> Hi,
>>
>> I'm currently using FreeRadius to control access to our wifi network
>> with PEAP-TLS, and authenticating users against their AD accounts. I now
>> need to somehow additionally restrict the users wifi access to only the
>> machines that are joined to the Windows domain, and not phones, ipads,
>> etc, and do this in a reasonably secure fashion.
>>
>
> Can you be more specific here?
>
> Do you want to authenticate *first* the computer and *then* the user via
> 802.1x? If so, that could be tricky - Windows doesn't support >1 auth
> inside the PEAP tunnel.
>
>
In the ideal world it would be nice to authenticate both the machine and
the user, but it does seem you can only do one or the other. We've
considered filtering by MAC address, but that would be an admin headache,
plus they can be easily spoofed. Could also filter by hostname, but then
again that's easy to spoof.

Okay, ignoring how I currently have things setup, how would other people go
about controlling the users and devices on a wifi network by means of
802.1x, freeradius using AD for authentication and Win XP Pro SP3
clients. I'd have thought that this was a fairly common requirement in the
enterprise world, so I'm surprised there's not an obvious solution, or am I
missing something? At the moment it looks like we'll have to abandon 802.1x
and go back to WPA2-PSK.


>
>
>> There are a couple of hundred laptops involved, so I'd like to avoid
>> having to do much in the way of client-side configuration, but I suspect
>> that client certificates may be the only answer.
>>
>
> How do you think they may be "the answer"? IIRC you can't use client certs
> with PEAP in windows.
>

Doh! I'd forgotten that!


> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/**
> list/users.html <http://www.freeradius.org/list/users.html>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20121011/d9759fd7/attachment-0001.html>

More information about the Freeradius-Users mailing list