In a Microsoft/Cisco PEAP 802.11 implementation, it seems that the Microsoft RADIUS authentication is a fall-through process and uses both evaluated criteria:
- MS authentication and group membership of the user
- Domain membership of the machine, its group membership and a certificate
I actually asked Microsoft about this, and your interpretation is correct. When you do PEAP, it will simply return a RADIUS Accept or Reject based on whether your account is valid. There is no way to set the Microsoft RADIUS to require that the machine has authenticated prior to the user authenticating (or that they are authenticating from a valid machine).
Their reply is below:
If you are using password-based authentication (EAP-PEAP), we do not have the ability to prevent users from using non-domain machines. For this protection, we must use certificate-based authentication (EAP-TLS or PEAP-EAP-TLS), and we also need to create a user or machine certificate template which does not allow the private key to be exported to other machines, and last, use AutoEnrollment to distribute the certificates to the end users and their machines.
The above really doesn't guarantee that the machine is authenticated; it is just saying that there is no way the user could authenticate with a certificate if the certificate can only be on the user's machine (i.e. non-exportable).
This was first published in October 2006
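The mitigation quoted in the answer above depends on the private key of the EAP-TLS client certificate actually being non-exportable on the endpoint. The following PowerShell script is an added example (it is not part of the original Q&A and is not Microsoft's code) that inventories the certificates a Windows supplicant could present for EAP-TLS or PEAP-EAP-TLS and reports, per certificate, whether its private key is marked exportable and which template issued it. The function names `Get-PrivateKeyExportability` and `Test-EapClientCertificates` are hypothetical; the script assumes Windows PowerShell 5.1 or later on a domain-joined Windows machine with keys held in CAPI or CNG.

```powershell
# Added example, not from the original answer or from Microsoft.
# Assumes Windows PowerShell 5.1+ on Windows; keys in CAPI (RSACryptoServiceProvider) or CNG (RSACng).
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth, required by the Windows EAP-TLS supplicant
$TemplateOids     = @('1.3.6.1.4.1.311.20.2',   # Certificate Template Name (v1 templates)
                      '1.3.6.1.4.1.311.21.7')   # Certificate Template Information (v2+ templates)

function Get-PrivateKeyExportability {
    # Hypothetical helper: classify the private key bound to $Cert by its export policy.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return 'no private key' }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return 'non-RSA key (not checked)' }

        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: the export policy flags on the underlying CngKey decide whether it can leave the machine.
            $policy = $rsa.Key.ExportPolicy
            if ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport) { return 'EXPORTABLE (plaintext)' }
            if ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport)          { return 'EXPORTABLE (encrypted)' }
            return 'not exportable'
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CAPI key: the key container records whether it was created exportable.
            if ($rsa.CspKeyContainerInfo.Exportable) { return 'EXPORTABLE' }
            return 'not exportable'
        }
        return 'unknown key provider'
    } catch {
        # Typically access denied: machine keys need an elevated session to inspect.
        return "error: $($_.Exception.Message)"
    }
}

function Test-EapClientCertificates {
    # Hypothetical helper: list every client-authentication certificate with a private key
    # in the machine and user personal stores, with its issuing template and key exportability.
    param([string[]]$Stores = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'))

    foreach ($store in $Stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object {
                $_.HasPrivateKey -and
                ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
            } |
            ForEach-Object {
                $tmpl = $_.Extensions | Where-Object { $_.Oid.Value -in $TemplateOids } | Select-Object -First 1
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    Template   = if ($tmpl) { $tmpl.Format($false) } else { '(no template extension)' }
                    PrivateKey = Get-PrivateKeyExportability -Cert $_
                }
            }
    }
}

# Usage: run elevated so machine keys can be opened, then flag anything exportable.
Test-EapClientCertificates | Sort-Object Store, Subject | Format-Table -AutoSize
Test-EapClientCertificates | Where-Object { $_.PrivateKey -like 'EXPORTABLE*' } |
    ForEach-Object { Write-Warning "Exportable EAP key: $($_.Subject) [$($_.Thumbprint)] from template $($_.Template)" }
```

Run this in an elevated session, since the machine store's private keys cannot be opened otherwise. A certificate flagged `EXPORTABLE` can be copied, along with its key, to a non-domain machine and still pass EAP-TLS, which is exactly what the non-exportable template setting in Microsoft's reply is meant to prevent; the script confirms the result on a given endpoint, but the control itself is the template's private-key export setting at enrollment time.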