Hi all,

I've just started working with the 802.1x authentication and it's
brilliant.

The scenario I'm looking into implementing is to enable the 802.1x
authentication for specific domain accounts on a number of mobile
computers.

The laptop computers contain a number of accounts, some being domain
and local accounts. I'd like the 802.1x authentication to be enabled
only when the user logs into his domain account (which obviously will
be locally cached).

If the user logs into the local user account, 802.1x should be
disabled.

Can this be done using group policies or any other 3rd party tool ?

Any feedback/suggestions are highly appreciated.

Thank you.

Re: IEEE 802.1x for Domain user accounts only by Shenan

Shenan
Mon May 21 14:40:10 CDT 2007

Chris P wrote:
> I've just started working with the 802.1x authentication and it's
> brilliant.
>
> The scenario I'm looking into implementing is to enable the 802.1x
> authentication for specific domain accounts on a number of mobile
> computers.
>
> The laptop computers contain a number of accounts, some being domain
> and local accounts. I'd like the 802.1x authentication to be enabled
> only when the user logs into his domain account (which obviously
> will be locally cached).
>
> If the user logs into the local user account, 802.1x should be
> disabled.
>
> Can this be done using group policies or any other 3rd party tool ?
>
> Any feedback/suggestions are highly appreciated.

For background on Chris' 'issues' - see this thread:
http://groups.google.com/group/microsoft.public.security/browse_thread/thread/1686b5fb33d797bd/c3edb2cd278764a8?lnk=st&q=&rnum=1#c3edb2cd278764a8

It looks like the hole is the same - just moved over a few feet.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html



Re: IEEE 802.1x for Domain user accounts only by S

S
Tue May 22 03:52:16 CDT 2007

Chris,

What you want to do is done via RADIUS policy. Microsoft IAS won't be able
to authorise local accounts, so only domain accounts can be used.

I trust we made it clear to you that you won't prevent using the local
account while connected to the corporate network.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Chris P" <chris@firewall.cx> wrote in message
news:1179772182.880176.121870@u36g2000prd.googlegroups.com...
> Hi all,
>
> I've just started working with the 802.1x authentication and it's
> brilliant.
>
> The scenario I'm looking into implementing is to enable the 802.1x
> authentication for specific domain accounts on a number of mobile
> computers.
>
> The laptop computers contain a number of accounts, some being domain
> and local accounts. I'd like the 802.1x authentication to be enabled
> only when the user logs into his domain account (which obviously will
> be locally cached).
>
> If the user logs into the local user account, 802.1x should be
> disabled.
>
> Can this be done using group policies or any other 3rd party tool ?
>
> Any feedback/suggestions are highly appreciated.
>
> Thank you.
>
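The RADIUS-side view of what Slav describes, as an added example that is not part of this thread: a small parser that reads IAS authentication log lines and reports, per user, how many 802.1x attempts were accepted or rejected, and which user names are not prefixed with the expected domain. It assumes the IAS "database-compatible" comma-separated log format, where the first seven fields are ComputerName, ServiceName, Record-Date, Record-Time, Packet-Type, User-Name and Fully-Qualified-Distinguished-Name; the field positions are an assumption of this example, and the sample lines and the domain name CORP are constructed.

```python
"""Summarise IEEE 802.1x outcomes from IAS (RADIUS) log lines.

Added example, not code from the thread. Assumes the IAS
database-compatible log layout: field 5 is the RADIUS Packet-Type,
field 6 is User-Name, field 7 is the fully qualified name IAS resolved
(empty when the account was not found in the domain). Sample data below
is constructed.
"""
import csv
from collections import defaultdict

# RADIUS packet type codes as they appear in the Packet-Type field.
ACCESS_REQUEST = "1"
ACCESS_ACCEPT = "2"
ACCESS_REJECT = "3"

# Constructed sample: a domain user accepted, a local-style user name
# (no domain prefix, no resolved domain name) rejected, and an
# accounting record (type 4) that must be ignored.
SAMPLE_LOG = """\
IAS01,IAS,05/22/2007,09:15:01,1,CORP\\jsmith,CORP\\jsmith,00-11-22-33-44-55,00-AA-BB-CC-DD-EE
IAS01,IAS,05/22/2007,09:15:01,2,CORP\\jsmith,CORP\\jsmith,00-11-22-33-44-55,00-AA-BB-CC-DD-EE
IAS01,IAS,05/22/2007,09:16:40,1,localadmin,,00-11-22-33-44-55,00-AA-BB-CC-DD-EF
IAS01,IAS,05/22/2007,09:16:40,3,localadmin,,00-11-22-33-44-55,00-AA-BB-CC-DD-EF
IAS01,IAS,05/22/2007,09:17:02,4,CORP\\jsmith,CORP\\jsmith,00-11-22-33-44-55,00-AA-BB-CC-DD-EE
"""


def parse_records(text):
    """Yield one dict per log line; lines with too few fields are skipped."""
    for row in csv.reader(text.splitlines()):
        if len(row) < 9:
            continue
        yield {
            "host": row[0],
            "date": row[2],
            "time": row[3],
            "type": row[4],
            "user": row[5],
            "fqdn": row[6],       # empty when IAS could not resolve the account
            "called": row[7],     # switch port identity (Called-Station-ID)
            "calling": row[8],    # supplicant MAC (Calling-Station-ID)
        }


def summarise(text, expected_domain):
    """Return (per-user accept/reject counts, sorted non-domain user names).

    Only Access-Accept and Access-Reject are outcomes; requests,
    challenges and accounting records are ignored.
    """
    counts = defaultdict(lambda: {"accept": 0, "reject": 0})
    non_domain = set()
    prefix = expected_domain.upper() + "\\"
    for rec in parse_records(text):
        if rec["type"] == ACCESS_ACCEPT:
            counts[rec["user"]]["accept"] += 1
        elif rec["type"] == ACCESS_REJECT:
            counts[rec["user"]]["reject"] += 1
        else:
            continue
        if not rec["user"].upper().startswith(prefix):
            non_domain.add(rec["user"])
    return dict(counts), sorted(non_domain)


if __name__ == "__main__":
    totals, odd_names = summarise(SAMPLE_LOG, "CORP")
    for user, c in totals.items():
        print(f"{user}: {c['accept']} accepted, {c['reject']} rejected")
    print("user names without the CORP\\ prefix:", odd_names)
```

Usernames in UPN form (user@domain) are counted but also reported as non-domain by this check, since it only recognises the DOMAIN\user prefix; extend the prefix test if your supplicants send UPNs.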



Re: IEEE 802.1x for Domain user accounts only by Chris

Chris
Tue May 22 05:30:02 CDT 2007

Pidgorny,

I've already set up a test Windows 2003 server (AD installed) with
Microsoft IAS, to which my Cisco Catalyst switch talks in order to
authenticate users connecting to its ports, and it works fine.

As soon as I connect a Windows XP laptop, I'm asked for a user name
and password regardless of whether I've entered a local account (on the
laptop) or a cached domain account. By simply entering the user name
and password set in the AD for that particular user, I can access the
network.

If I can 'disable' the 802.1x protocol authentication on the network
card, for all local accounts, I've solved my problem because when the
user logs into the local laptop account, he won't have 802.1x enabled
and therefore is unable to access the network.

Do you know if this can be done through group policy or third party
software ?

Thank you.


Re: IEEE 802.1x for Domain user accounts only by S

S
Tue May 22 05:53:19 CDT 2007

G'day:

"Chris P" <chris@firewall.cx> wrote in message
news:1179829802.495545.80430@z28g2000prd.googlegroups.com...
> Pidgorny,

Either Slav or Mr. Pidgorny, please :)

> I've already set up a test Windows 2003 server (AD installed) with
> Microsoft IAS, to which my Cisco Catalyst switch talks in order to
> authenticate users connecting to its ports, and it works fine.
>
> As soon as I connect a Windows XP laptop, I'm asked for a user name
> and password regardless of whether I've entered a local account (on the
> laptop) or a cached domain account. By simply entering the user name
> and password set in the AD for that particular user, I can access the
> network.

Make sure "Automatically use my Windows logon name and password (and domain
if any)." is checked in the EAP MS-CHAP properties. That will avoid the user name
and password prompt.

> If I can 'disable' the 802.1x protocol authentication on the network
> card, for all local accounts, I've solved my problem because when the
> user logs into the local laptop account, he won't have 802.1x enabled
> and therefore is unable to access the network.
>
> Do you know if this can be done through group policy or third party
> software ?

1. You cannot set properties of a network connection on a per-user basis.
2. Before Vista, you can manage 802.1x for wired connections only with the
GUI - no scriptable commands, registry settings or GPOs.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *