IAS Server
Ok.... Right now, here is what I have:
- One location
- One Win2003 SMB (does everything, DC, file server, etc.)
- Two access points
- One enterprise-class router
- Two classes of computers: Company-owned computers which I have endpoint security on, so I "trust" them more, and personal computers of employees which I obviously do not put endpoint security on and don't "trust" as much, but they need pseudo-LAN access.
What I would like to do is:
- Have IAS authenticate for BOTH types of computers (all users are in AD)
- Somehow differentiate between the two so, at the router/AP level, I can restrict the "external" network from allowing LAN access EXCEPT the printers (since they need to print to work)
- I don't want to use a PSK in either of the two unless coupled with PEAP, too easy and it creates a bad standard with the employees that they can just "give out" the code to the network
Hiccups:
- It doesn't appear IAS can differentiate in any way, shape or form, between SSIDs unless I used double access points and identified each one by their Client-side IP, which is a waste of money and I can't do right now.
- If I just allow both groups in, what is to stop them from just authenticating against the "true" internal network? Nothing... Which then they could do and they have access to everything.
- I can't find a way to use a PSK AND IAS authentication on my router/AP... that would solve it OR have IAS send back a request if the computer isn't in the "RADIUS Group" for a PSK, which would stop them and I would never give it to them.
THANKS
November 16th, 2011 7:25am