In a Microsoft/Cisco PEAP 802.11 implementation it seems that the Microsoft RADIUS authentication is a fall-through process and uses both evaluated criteria:
- MS authentication and group membership of the user
- Domain membership of the machine, its group membership and a certificate
I actually asked Microsoft on this and your interpretation is correct. When you do PEAP, it will simply return a RADIUS Accept or Reject based on if your account is valid. There is no way to set the Microsoft RADIUS to require that the machine has authenticated prior to the user authenticating (or that they are authenticating from a valid machine).
Their reply is below:
If you are using password-based authentication (EAP-PEAP), we do not have the ability to prevent users from using non-domain machines. For this protection, we must use certificates-based authentication (EAP-TLS or PEAP-EAP-TLS), and we also need to create a user or machine certificate template which does not allow the private key to be exported to other machines, and last, use AutoEnrollment to distribute the certificates to the end users and their machines.
The above really doesn't guarantee that the machine is authenticated; it is just saying that there is no way the user could authenticate with a certificate if the certificate can only be on the user's machine (i.e. non exportable).
Dig deeper on Wireless LAN Implementation
Related Q&A from Retired expert - Mike Puglia
Our expert, Mike Puglia, gives us a synopsis on WLAN APs and their rates compared to client data rates.continue reading
In this response, our WLAN expert, Mike Puglia, answers "How many wireless devices can connect to an 802.11b access point if the maximum capacity ...continue reading
In this Q&A, Mike Puglia explains how to link PKI and PMK infrastructures.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.