7 Replies Latest reply on Sep 26, 2013 6:52 AM by nick Branched from an earlier discussion.

    Re: Android on vWLAN

    kennethfernandes Employee

      You could consider performing and enforcing computer/machine authentication before user authentication and, if a device has not performed computer authentication before user authentication, put it into a role with intermediate or perhaps just internet access. For example, you could have 3 roles: Domain Computer, Full Corporate Access, and Guest. A machine that belongs to the domain would successfully complete machine authentication before the user logs in and be placed in the Domain Computer role, assuming your RADIUS policy allows domain computers and the computer is configured to perform machine authentication and user authentication. The Domain Computer role would typically be tightened down to only allow the specific traffic to the domain controllers necessary to log in, run login scripts, map printers, map drives, run group policy, etc. To get domain computers into the Domain Computer role, configure mapping RADIUS-802.1X attributes under Radius-802.1X to say if USER-NAME starts with host then role is Domain Computer, as machine authentication uses host/machine name (host/computer.domain) as the username and the computer's domain machine account password as the password. The user now hits Ctrl+Alt+Delete and logs in using their user credentials. You configure the Full Corporate Access role to enforce machine authentication with a prerequisite role of Domain Computer, a machine auth memory interval of at least 2 days, and a failed machine authentication role of Guest. This means that the user must have come from the Domain Computer role, successfully performed machine authentication, and be on a computer that belongs to the domain in order to get into the Full Corporate Access role.

      If the user has not come from the Domain Computer role, did not successfully perform machine authentication, and is not on a computer that belongs to the domain, they are likely on an Android, iPhone, iPad, etc. and, instead of getting put into the Full Corporate Access role, they will be put into the failed machine authentication role, which could be set up with intermediate access, the Guest role in this example.
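      The three-role flow Ken describes, as an added example that is not from the thread or from vWLAN itself: a small Python model that replays 802.1X successes for one station and applies the same rules (User-Name starting with host/ means machine auth, Full Corporate Access requires the Domain Computer prerequisite role plus a machine auth within the 2-day memory interval, everything else falls to Guest). The role names come from the post; the Station class, function names, MAC and timestamps are my own constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# "machine auth memory interval of at least 2 days" from the thread
MACHINE_AUTH_MEMORY = timedelta(days=2)

DOMAIN_COMPUTER = "Domain Computer"      # prerequisite role
FULL_ACCESS = "Full Corporate Access"    # role that enforces machine auth
FAILED_MACHINE_AUTH_ROLE = "Guest"       # where non-domain devices (Android, iPhone...) land


@dataclass
class Station:
    """Per-client state the controller would keep (hypothetical shape)."""
    mac: str
    role: str = "Unassigned"
    last_machine_auth: Optional[datetime] = None


def assign_role(station: Station, user_name: str, now: datetime) -> str:
    """Apply the thread's rules to one successful 802.1X authentication."""
    # Machine auth sends host/computer.domain as User-Name, so the
    # 'USER-NAME starts with host' match puts the client in Domain Computer.
    if user_name.lower().startswith("host/"):
        station.last_machine_auth = now
        station.role = DOMAIN_COMPUTER
        return station.role
    # A user logon: only honour it if the station came from the prerequisite
    # role and its remembered machine auth is still inside the memory interval.
    recent = (station.last_machine_auth is not None
              and now - station.last_machine_auth <= MACHINE_AUTH_MEMORY)
    if station.role == DOMAIN_COMPUTER and recent:
        station.role = FULL_ACCESS
    else:
        station.role = FAILED_MACHINE_AUTH_ROLE
    return station.role


def walk(events: List[Tuple[str, float]]) -> List[str]:
    """Replay (user_name, hours_since_start) events for one station; return the roles assigned."""
    station = Station(mac="00:11:22:33:44:55")          # constructed MAC
    start = datetime(2013, 9, 1, 8, 0)                   # constructed start time
    return [assign_role(station, name, start + timedelta(hours=h)) for name, h in events]


if __name__ == "__main__":
    print(walk([("host/PC1.corp.example", 0), ("alice", 1)]))   # domain PC then user logon
    print(walk([("alice", 0)]))                                 # phone: no machine auth first
```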

        • Re: Android on vWLAN
          redd77 New Member

          I'll give that a try and see what I can come up with.

          Thanks

            • Re: Android on vWLAN
              kennethfernandes Employee

              I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily as well as award points to the users that helped you.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

              Thanks,

              Ken

                • Re: Android on vWLAN
                  redd77 New Member

                  Sorry it has taken me so long to get back to this.  I have set up computer authentication using my external RADIUS server and that is working.  Thanks!  I have one more question.  Is it possible to assign a role in vWLAN to a computer that is part of a group?  For example, if a computer authenticates using computer only and is in the HR-Computer group in AD, I would like to assign it to the HR role in vWLAN.  I've tried using the memberOf attribute but that doesn't seem to be working.  Is this even possible?  I've looked through the list of RADIUS attributes and don't see one that would allow this.

                  Thanks

                  Shawn

                    • Re: Android on vWLAN
                      kennethfernandes Employee

                      Typically you would have multiple policies in the RADIUS server and then assign a RADIUS attribute such as Filter-Id with a value identifying the users allowed in the policy. For example, you could have 1 policy in RADIUS that says allow the students. You could assign the Filter-Id RADIUS attribute of students to that policy, then in the vWLAN match if Filter-Id = student then role is student. You could then have another RADIUS policy for teachers and so on with separate Filter-Ids.
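                      The policy-to-role mapping above, as an added example that is not from the thread or from vWLAN: a small Python parser that pulls Filter-Id (RADIUS attribute type 11, RFC 2865) out of a constructed Access-Accept and maps it to a role, which is a quick way to confirm what your RADIUS server really returns for a given policy before relying on the controller's match rule. The policy table (including an HR-Computer entry for Shawn's case), the role names and the function names are my own assumptions; the packets are built inside the block with a zeroed authenticator.

```python
import struct
from typing import List, Optional, Tuple

# RADIUS codes and attribute type from RFC 2865
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
FILTER_ID = 11
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)

# Constructed policy table: the Filter-Id value each RADIUS policy returns -> vWLAN role
FILTER_ID_TO_ROLE = {"students": "Student", "teachers": "Teacher", "HR-Computer": "HR"}
DEFAULT_ROLE = "Guest"  # assumed role when the Accept carries no recognised Filter-Id


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the type/length/value attributes that follow the RADIUS header."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def role_from_reply(packet: bytes) -> Optional[str]:
    """Return the role an Access-Accept maps to, or None when access was not granted."""
    if not packet or packet[0] != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attributes(packet):
        if atype == FILTER_ID:
            return FILTER_ID_TO_ROLE.get(value.decode("ascii", "replace"), DEFAULT_ROLE)
    return DEFAULT_ROLE


def build_reply(code: int, filter_id: Optional[str] = None, ident: int = 1) -> bytes:
    """Constructed server reply; authenticator is zeroed, so this is for parsing only."""
    attrs = b""
    if filter_id is not None:
        value = filter_id.encode("ascii")
        attrs = bytes([FILTER_ID, 2 + len(value)]) + value
    body = bytes(16) + attrs
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body
```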

                • Re: Android on vWLAN
                  mbm2708 New Member

                  Hi,

                  I am looking to do machine authentication with an external RADIUS server.

                  I know how to do user auth and machine auth.

                  How can I do only machine auth?

                  Thank you,

                  Matheus

                    • Re: Android on vWLAN
                      nick Employee

                      mbm2708

                      You would need to have the vWLAN settings configured exactly the same as described above, except you would need to change one setting.  Since you are wanting to use Machine authentication only, you would want to modify the Domain Computer Role to allow clients that get authenticated to this role to have access to other things besides the domain controller.  Once this Role is edited appropriately, you would then need to edit the devices to send ONLY machine authentication and NOT their user credentials.  For Windows 7 machines, you would simply need to specify the Authentication mode (Properties of the SSID > Security Tab > Advanced Settings > 802.1x Settings > Computer Authentication):

                      [Screenshot: machineauth.jpg]

                      For Windows XP Machines, you will need to edit the registry keys provided the machines are running Service Pack 3.  The instructions to enable this can be found on Microsoft's Support Forums: How to enable computer-only authentication for an 802.1X-based network in Windows Vista, in Windows Server 2008, and in Windows XP Service Pack 3.