Microsoft RADIUS authentication

In a Microsoft/Cisco PEAP 802.11 implementation it seems that the Microsoft RADIUS authentication is a fall-through process and uses both evaluated criteria:

  1. MS authentication and group membership of the user
  2. Domain membership of the machine, its group membership and a certificate

This seems to be an OR condition as evaluated by the RADIUS server, so that an authenticated user can get on the network without the cert and the machine being a domain member. There doesn't seem to be a way in Microsoft's RADIUS implementation to make item 1 and item 2 a condition requiring both items rather than an OR condition requiring only the first of the two. This is a problem because we are trying to make sure that both the machine and the user are known registered domain and group members. Am I missing something here?


I actually asked Microsoft about this and your interpretation is correct. When you do PEAP, it will simply return a RADIUS Accept or Reject based on whether your account is valid. There is no way to set the Microsoft RADIUS to require that the machine has authenticated prior to the user authenticating (or that they are authenticating from a valid machine).

Their reply is below:

If you are using password-based authentication (EAP-PEAP), we do not have the ability to prevent users from using non-domain machines. For this protection, we must use certificate-based authentication (EAP-TLS or PEAP-EAP-TLS), and we also need to create a user or machine certificate template which does not allow the private key to be exported to other machines, and last, use AutoEnrollment to distribute the certificates to the end users and their machines.

The above really doesn't guarantee that the machine is authenticated; it is just saying that there is no way the user could authenticate with a certificate if the certificate can only be on the user's machine (i.e. non-exportable).
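Since the RADIUS server cannot enforce "machine authenticated, then user authenticated" as one condition, the practical fallback is to detect the gap after the fact: correlate accepted user logons with a preceding accepted machine logon from the same calling station (client MAC). The example below is an added illustration, not code from the original answer or from Microsoft; the record layout is a constructed simplification rather than the real IAS/NPS log format, and it assumes that Windows machine authentication presents its identity as `host/<fqdn>`.

```python
from datetime import datetime, timedelta

# Constructed sample records in a simplified RADIUS accounting-like shape
# (NOT the real IAS/NPS log format): one dict per authentication outcome.
SAMPLE_RECORDS = [
    {"time": "2006-10-02 08:00:05", "user": "host/ws01.corp.example",
     "mac": "00-11-22-33-44-55", "result": "Accept"},
    {"time": "2006-10-02 08:00:40", "user": "CORP\\alice",
     "mac": "00-11-22-33-44-55", "result": "Accept"},
    {"time": "2006-10-02 08:05:10", "user": "CORP\\bob",
     "mac": "AA-BB-CC-DD-EE-FF", "result": "Accept"},   # no prior machine auth
    {"time": "2006-10-02 08:06:00", "user": "CORP\\carol",
     "mac": "00-11-22-33-44-55", "result": "Reject"},   # rejected, ignored
]

def is_machine_identity(user):
    # Assumption: Windows computer authentication uses the host/<fqdn> identity.
    return user.lower().startswith("host/")

def parse(records):
    # Attach a datetime to each record and order them chronologically.
    out = [{**r, "ts": datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")}
           for r in records]
    return sorted(out, key=lambda r: r["ts"])

def user_auths_without_machine_auth(records, window=timedelta(hours=8)):
    """Return accepted user logons (user, mac, time) whose calling station
    had no accepted machine authentication within `window` beforehand."""
    last_machine_ok = {}   # mac -> timestamp of most recent accepted host/ auth
    findings = []
    for r in parse(records):
        if r["result"] != "Accept":
            continue
        if is_machine_identity(r["user"]):
            last_machine_ok[r["mac"]] = r["ts"]
            continue
        seen = last_machine_ok.get(r["mac"])
        if seen is None or r["ts"] - seen > window:
            findings.append((r["user"], r["mac"], r["time"]))
    return findings

if __name__ == "__main__":
    for user, mac, when in user_auths_without_machine_auth(SAMPLE_RECORDS):
        print(f"{when}: {user} authenticated from {mac} without a prior machine auth")
```

This only flags the condition the answer says RADIUS cannot enforce; it does not block the session, and a station that spoofs a domain-joined machine's MAC would not be caught by MAC correlation alone.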

This was first published in October 2006