There are 2 different scenarios:
1 - If a computer is out of the domain, as soon as I try to connect to the
wireless network a username and password are requested. But when I put in a
domain user account it doesn't log in, and I've found out why. For some reason
the connection defaults to "computer authentication", and since the login I'm
using is a user and not a computer account, login fails. To be able to
connect, I have to create the wireless connection manually and disable
"validate server certificate" (since this is not a domain computer, it doesn't
have any certificate), and I have to go into advanced options and select "user
or computer" or just simply "user" on the "specify authentication mode" option.
This way it works.
2 - Now for domain computers, what happens is, since the "authentication
mode" option defaults to computer auth, the computer can log on even before
the user logs on, which is fine, but it completely ignores the domain users
policy on IAS. If I had a specific group of users who I'd want to connect to the
wireless network, it would be ignored since the computer is a domain computer
and is already authenticated.
Is this supposed to be like this?
Thank you so much.
"Anthony [MVP]" wrote:
> Syn,
> When is authentication happening?
> At Startup the computer will authenticate. It makes no difference who logs
> on afterwards.
> At Logon the user will authenticate. It makes no difference what the
> computer is.
> Anthony,
> http://www.airdesk.com
>
>
>
> "SynEngium" <> wrote in message
> news 82050D8-A871-4D81-8686-...
> > Hi.
> > I have set up an IAS server for wireless authentication with these
> > policies:
> >
> > 1) NAS-Port-Type matches "Wireless - Other OR Wireless - IEEE 802.11"
> > 2) Windows-Group matches "domain\Domain Users;domain\Domain Computers"
> >
> > using PEAP-MS-CHAP-V2.
> >
> > But I have 2 problems:
> >
> > 1 - A computer that is part of the domain but logged on with a local
> > computer account can still connect to the wireless network.
> > 2 - A computer that is not on the domain can't connect even when providing
> > the right domain credentials (which also gives me the problem of trying to
> > connect a Windows Mobile device, since it's not part of the domain).
> >
> > Can someone please tell me what I am doing wrong?
> >
> > Thank you
> >