Q

Microsoft RADIUS authentication

Read this Q&A to see how Microsoft RADIUS authentication works in a Microsoft/Cisco PEAP 802.11 implementation, and whether the RADIUS server can be made to require both machine and user authentication.

In a Microsoft/Cisco PEAP 802.11 implementation, it seems that the Microsoft RADIUS authentication is a fall-through process and uses both evaluated criteria:

  1. MS authentication and group membership of the user
  2. Domain membership of the machine, its group membership and a certificate

This seems to be an OR condition as evaluated by the RADIUS server, so that an authenticated user can get on the network without the certificate and without the machine being a domain member. There doesn't seem to be a way in Microsoft's RADIUS implementation to make item 1 and item 2 a condition requiring both items rather than an OR condition requiring only the first of the two. This is a problem because we are trying to make sure that both the machine and the user are known, registered domain and group members. Am I missing something here?

I actually asked Microsoft about this, and your interpretation is correct. When you do PEAP, it will simply return a RADIUS Accept or Reject based on whether your account is valid. There is no way to set the Microsoft RADIUS to require that the machine has authenticated prior to the user authenticating (or that they are authenticating from a valid machine).

Their reply is below:

If you are using password-based authentication (EAP-PEAP), we do not have the ability to prevent users from using non-domain machines. For this protection, we must use certificate-based authentication (EAP-TLS or PEAP-EAP-TLS), and we also need to create a user or machine certificate template which does not allow the private key to be exported to other machines, and last, use AutoEnrollment to distribute the certificates to the end users and their machines.

The above really doesn't guarantee that the machine is authenticated; it is just saying that there is no way the user could authenticate with a certificate if the certificate can only be on the user's machine (i.e., non-exportable).
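The answer above (and Microsoft's reply) describes a stateless policy: every RADIUS Access-Request is judged on its own, so a user authentication succeeds whether or not the computer account ever authenticated from that client. The following Python model is an added example, not part of the original Q&A and not Microsoft NPS/IAS code. It places that stateless evaluation next to the stateful "machine first, then user" gate the questioner is asking for, implemented the way some other RADIUS servers do it: a cache of accepted machine authentications keyed by the client's Calling-Station-Id (wireless MAC), which Cisco ACS/ISE expose as Machine Access Restriction. The account names, group names, MAC addresses, `host/` identity convention for computer accounts and the 8-hour cache lifetime are all constructed for the example.

```python
"""Stateless vs. machine-then-user RADIUS evaluation (constructed example)."""
from dataclasses import dataclass

MACHINE_AUTH_TTL = 8 * 3600  # seconds a machine authentication stays usable (assumed value)

# Constructed sample directory: which accounts exist and which groups they hold.
VALID_USERS = {"CORP\\alice": {"Wireless-Users"}, "CORP\\bob": set()}
VALID_MACHINES = {"host/laptop01.corp.example": {"Wireless-Computers"}}


@dataclass
class AccessRequest:
    user_name: str            # RADIUS User-Name (the EAP identity)
    calling_station_id: str   # client MAC as the access point reports it
    password_ok: bool         # outcome of the inner credential check (given as input here)
    timestamp: float          # time the request arrived (seconds)


def is_machine_identity(user_name: str) -> bool:
    # Windows computer accounts authenticate as host/<fqdn>; users as DOMAIN\user.
    return user_name.startswith("host/")


def normalize_mac(mac: str) -> str:
    # Access points format Calling-Station-Id differently (00-11-22..., 00:11:22..., 0011.2233...).
    return "".join(c for c in mac if c.isalnum()).upper()


class MachineAuthCache:
    """Remembers when each client MAC last completed a machine authentication."""

    def __init__(self):
        self.entries = {}

    def record(self, mac: str, when: float) -> None:
        self.entries[normalize_mac(mac)] = when

    def has_recent(self, mac: str, now: float) -> bool:
        seen = self.entries.get(normalize_mac(mac))
        return seen is not None and now - seen <= MACHINE_AUTH_TTL


def evaluate_stateless(req: AccessRequest) -> str:
    """Model of the behaviour the answer describes: Accept iff the presented
    account is valid and in the required group. Machine and user requests are
    never related to each other."""
    if not req.password_ok:
        return "Reject"
    if is_machine_identity(req.user_name):
        groups = VALID_MACHINES.get(req.user_name)
        return "Accept" if groups and "Wireless-Computers" in groups else "Reject"
    groups = VALID_USERS.get(req.user_name)
    return "Accept" if groups and "Wireless-Users" in groups else "Reject"


def evaluate_with_mar(req: AccessRequest, cache: MachineAuthCache) -> str:
    """Machine-then-user gating: a user Accept additionally requires a recent
    machine Accept from the same Calling-Station-Id."""
    verdict = evaluate_stateless(req)
    if verdict != "Accept":
        return verdict
    if is_machine_identity(req.user_name):
        cache.record(req.calling_station_id, req.timestamp)
        return "Accept"
    if not cache.has_recent(req.calling_station_id, req.timestamp):
        return "Reject"  # valid user, but no known machine authenticated from this client
    return "Accept"


def run_scenario() -> dict:
    """Constructed requests evaluated both ways: {label: (stateless, with MAR)}."""
    t0 = 1_000_000.0
    cache = MachineAuthCache()
    results = {}

    def both(label, req):
        results[label] = (evaluate_stateless(req), evaluate_with_mar(req, cache))

    # 1. Valid user, correct password, from a laptop that is not domain-joined.
    both("unjoined_alice", AccessRequest("CORP\\alice", "00-11-22-33-44-55", True, t0))
    # 2. Domain-joined laptop: the computer account authenticates at boot ...
    both("joined_machine", AccessRequest("host/laptop01.corp.example", "aa:bb:cc:dd:ee:ff", True, t0 + 30))
    # ... and the user then logs on from the same MAC (reported in another format).
    both("joined_alice", AccessRequest("CORP\\alice", "AA-BB-CC-DD-EE-FF", True, t0 + 90))
    # 3. Same laptop a day later with no fresh machine authentication.
    both("stale_alice", AccessRequest("CORP\\alice", "AA-BB-CC-DD-EE-FF", True, t0 + 90 + 24 * 3600))
    # 4. An account outside the required group is rejected either way.
    both("joined_bob", AccessRequest("CORP\\bob", "AA-BB-CC-DD-EE-FF", True, t0 + 120))
    return results


if __name__ == "__main__":
    for label, (stateless, mar) in run_scenario().items():
        print(f"{label:15} stateless={stateless:7} machine-then-user={mar}")
```

Scenario 1 is the case the questioner is worried about: the stateless server accepts a valid user from an unjoined laptop, the gated version does not. Two caveats apply to any such MAC-keyed gate. The binding is only as strong as Calling-Station-Id, which a client can spoof and which the server has to normalise across access-point formats. And Windows does not necessarily redo machine authentication while a user is already logged on, so a cache entry can expire under a legitimate user (scenario 3) and produce spurious rejects. That is why Microsoft's advice, to bind the identity to a non-exportable certificate with EAP-TLS, is the more robust fix.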

This was first published in October 2006
