Requiring Machine *AND* User Certificates with NPS for Wireless Access

I've searched high and low on this question, and found several people asking the same question, but the trails always lead to dead ends. Can somebody help me out here? I have NPS running on Windows Server 2008 Standard. I have a root CA issuing user and machine certificates to Windows XP SP3 clients. I want to ensure that not only is an authorized *user* the only one connecting to my wireless access points, but also that the authorized user is most assuredly on an authorized *machine*.

I've tried setting NPS up a few different ways, and none of them accomplishes this. 

1) Configure a Network Policy that requires group membership in a group that contains all of the users and computers. This results in the computer being authorized, all login scripts and policies being processed, and the user being successfully authenticated. That's nice, but it will also allow connection to the wireless access point if the user logs in with cached credentials on a machine that does *not* have a valid machine certificate.

2) Configure a Network Policy that requires group membership in two separate groups: one that has all of the computers, and one that has all of the users. This doesn't work at all, and just keeps prompting for which certificate to use, presumably because after the user logs in it is trying to validate the user and machine groups using the user certificate.

3) Configured a Wireless access GPO that uses User Reauthentication as the Authmode and a single group that contains both users and computers.  This behaves like scenario 1, letting the user authenticate to the WAP even if there is no valid machine cert.

4) Configured a Wireless access GPO that uses Computer Only as the Authmode. This one at least let me validate the machine while the user was logged in, but obviously doesn't check that the user has a valid certificate, so it could be used with a local account or any unauthorized user.

Does anybody know how to accomplish this?! It doesn't seem too much to ask that *both* the user *and* machine certificates are required all the time, but as it is, it seems I can only require a machine cert prior to login (which is fine), but then once a user is logged in I can only validate the user *or* machine certificates. After/during login I want to continue to ensure that the machine certificate is valid.

Any ideas?
