Authenticate wireless users and computers via RADIUS server

Hello,

I got a requirement to configure a RADIUS server to authenticate 2 HP wireless controllers. Finally I have set up the RADIUS server and applied a network policy and a connection request policy. Users are authenticated fine with the RADIUS server, but my entire requirement could not be achieved.

My main requirement was that only domain users can connect to the wireless, and IPs should be released only to domain-joined computers. The detailed requirement is given below:

1. Authenticate and authorize only domain users

2. Authenticate and authorize only domain joined computers

Is it possible to achieve both of these conditions? If so, what is the procedure?

Dilshan


September 22nd, 2014 1:43pm

Hi Dilshan,

Maybe we can authenticate and authorize the domain users and domain joined computers by configuring conditions on the network policy.

To configure the conditions to a Network Policy, please follow the steps below.

1. In the NPS console, expand Policies, click Network Policies.

2. In the details pane, double-click the network policy to which you want to add a condition, and then click the Conditions tab.

3. Click Add, in the Select condition dialog box, double-click Windows Groups.

4. In the Windows Group dialog box, click Add Groups, click Advanced, click Find Now.

5. In the Search results, select Domain Users, click OK, click OK.

Then add Domain Computers using the same steps above, and click OK.

Note: Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

Best Regards,

Tina

September 23rd, 2014 1:05pm

I agree with Tina - you need to use Windows Groups and add both machine and user groups in one entry.

I would like to add that this is not really 'two-factor' authentication (as this question has come up in these forums often). NPS does not check if there is an authentication by a machine account and then by a user account for each 'connection'. User and machine groups are OR-connected (an AND connection could not work, as a user or machine cannot be in both groups).

For example, if a client is configured for user authentication only, it would be sufficient to enter only user credentials. By default, after startup the machine first tries to authenticate and then the user account.

I suppose this is not a problem for machines under your control, as you configure the client's authentication behavior via Group Policies. But it might be an issue with 'guest' devices.

Elke

September 23rd, 2014 8:47pm
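The following is an added example, not code from this thread and not NPS itself. It is a small Python model of how a network policy built the way Tina describes (one 'Windows Groups' condition listing both Domain Users and Domain Computers) decides each RADIUS Access-Request, and it reproduces Elke's caveat: the groups are OR-connected and every request is judged on its own, so a domain user's credentials typed into a personal phone still match, while an AND over the two groups would match nobody. The directory contents, account names, policy name and MAC addresses are constructed sample data.

```python
"""Toy model of NPS 'Windows Groups' condition evaluation (added example).
Not NPS code; all principals, groups and MAC addresses are constructed."""

from dataclasses import dataclass

# Constructed sample directory: principal -> groups it belongs to.
# Machine authentication presents the computer account as host/<fqdn>.
DIRECTORY = {
    "CORP\\alice": {"Domain Users"},
    "CORP\\bob": {"Domain Users"},
    "host/pc01.corp.example": {"Domain Computers"},
    "CORP\\visitor": set(),  # account that is in neither group
}


@dataclass(frozen=True)
class AccessRequest:
    user_name: str        # RADIUS User-Name as NPS sees it after EAP
    calling_station: str  # Calling-Station-Id (client MAC), to tell devices apart


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    windows_groups: frozenset  # groups listed in one 'Windows Groups' condition


# The policy the thread builds: Domain Users and Domain Computers in one entry.
POLICY = NetworkPolicy("Secure Wireless",
                       frozenset({"Domain Users", "Domain Computers"}))


def groups_of(user_name):
    return DIRECTORY.get(user_name, set())


def matches_any_group(policy, request):
    """What NPS does: the condition matches if the principal is in ANY listed group."""
    return bool(groups_of(request.user_name) & policy.windows_groups)


def matches_all_groups(policy, request):
    """What an AND would require: membership in EVERY listed group.
    No user or computer account is in both groups, so this never matches."""
    return policy.windows_groups <= groups_of(request.user_name)


def evaluate(policy, request):
    """Decision for one Access-Request. No state carries over from an earlier
    machine authentication to a later user authentication."""
    return "Access-Accept" if matches_any_group(policy, request) else "Access-Reject"


def evaluate_session(policy, requests):
    """Requests from one client over time (machine auth at boot, user auth at
    logon). Each one is evaluated independently of the others."""
    return [evaluate(policy, r) for r in requests]


DOMAIN_LAPTOP = "00:11:22:33:44:55"   # constructed MAC of a domain-joined laptop
PERSONAL_PHONE = "66:77:88:99:aa:bb"  # constructed MAC of a personal phone

if __name__ == "__main__":
    # Boot-time machine auth from the domain laptop, then alice's user auth.
    laptop = [AccessRequest("host/pc01.corp.example", DOMAIN_LAPTOP),
              AccessRequest("CORP\\alice", DOMAIN_LAPTOP)]
    print("domain laptop:", evaluate_session(POLICY, laptop))
    # The same user credentials typed into a personal phone also pass.
    print("personal phone:", evaluate(POLICY, AccessRequest("CORP\\alice", PERSONAL_PHONE)))
    # An account outside both groups is rejected.
    print("visitor:", evaluate(POLICY, AccessRequest("CORP\\visitor", PERSONAL_PHONE)))
    # AND semantics would reject everyone, including the domain laptop.
    print("AND would accept the laptop?", any(matches_all_groups(POLICY, r) for r in laptop))
```

The phone case is the one to watch: the policy condition has no view of the device, only of the authenticating principal, so restricting wireless to domain-joined hardware has to come from the client side (what the supplicant is allowed to do, pushed by Group Policy) rather than from the group list alone.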

I have almost the same issue.

I don't want the clients to enter their credentials on their smartphones/tablets and get access to the network. I want them to be able to authenticate only from devices in the domain.

Am I understanding correctly that the only solution is machine authentication?

Is there no way to authenticate their machines first AND later the user identity to get access?

May 12th, 2015 2:24pm

You can have user authentication after machine authentication, but the combination of both is not enforced. You cannot prevent somebody from logging on as a user only.
May 13th, 2015 2:38am
