Discussions

WLAN using IAS

Tags:
+
0 Votes
Locked

WLAN using IAS

davix500
I posted this under questions but hoping forums is a better place for it.

Task:

I was asked to roll out a wireless solution that will only allow specified computers and/or users access to network.

Example: Laptop A is allowed on WLAN, Laptop B is not; Jill is allowed on WLAN but Bill is not. Jill can get on WLAN only on Laptop A, Bill cannot get onto WLAN on either Laptop A or B. (simple enough?)


Solution 1: (prefered)

After some research I like the solution offered by Microsoft; "Securing Wireless LANs with PEAP and Passwords". It uses IAS and certificate servers, certificate is assigned to IAS but not to individual machines and users. Simple easy to manage but not having issues with getting results I want (see Problem below).

Solution 2:(do able but I no likey...)

I am familiar with the other option; "Securing Wireless LANs with Certificate Services" but prefer the previous one. Have tested this and it works but individual computer and user cert's seem like overkill.


Problem:

Everything is working as expected using the first solution (sooo pretty...ooohhhh!) but I cannot lock out individual machines. Using the IAS access policies I setup a policy (listed 1st) to deny all computers in a particular security group. In the System Event Viewer I see the access denail entry when the laptop is sitting on the login prompt (the entry in the log is Event ID: 2, Access Denied....cool that is what I want). I then enter a username and password that has permission to login (i.e. Jill from above) and miraculously it logs in (Event ID: 1, Access Granted to user...blah, blah, blah).

I understand why this happens;"Microsoft Windows? XP authenticates both the user and the
computer independently. When computer first starts up, it uses its domain account and password to authenticate to the WLAN.....
"When a user logs on to the computer, the same authentication and authorization process is repeated, but this time with the user's name and password. The user?s session replaces the computer WLAN session; this means that the two are not active simultaneously. It also means that an unauthorized user cannot use an authorized computer to access the WLAN."


Question (finally):

Not the last line (....unauthorized user cannot use an authorized computer...), does anyone know how to stop an authorized user from using an unauthorized computer?
  • +
    0 Votes
    sirkozz

    Set up a MAC ACL on AP's denying access except for allowed MAC's.
    This way only those computers in the ACL will be able to associate with WLAN. And only on those machines will a user be to authenticate to access the network.

  • +
    0 Votes
    sirkozz

    Set up a MAC ACL on AP's denying access except for allowed MAC's.
    This way only those computers in the ACL will be able to associate with WLAN. And only on those machines will a user be to authenticate to access the network.