802.1X and Guest

I currently carry out tests on 802.1x. I tested via peap and eap-tls.
However I would like to know how to make to authenticate computers which do
not belong to the field. For the moment the only solution that I found, it
is to give a login/password to the person while passing by peap and decochant
the box "to use login Windows...". But this solution annoys me because
because one cannot change the login. After I followed this article, but I do
not find it complete or I did not include/understand, especially with
dimensions radius
http://www.microsoft.com/technet/pro...4fb1014a4.mspx

Your solution depends on your exact need. I've had good luck with issuing
machine and user certs to machines that aren't members of the domain. As
long as the proper credentials are presented, the user or computer is
granted access.

is it always the same user logging in on the workgroup computers? Is the
real problem maybe that you have multiple users logging in via the same user
profile?

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



"Cyril" <(E-Mail Removed)> wrote in message
news:5862A2C1-CA66-44F5-AC2A-(E-Mail Removed)...
>I currently carry out tests on 802.1x. I tested via peap and eap-tls.
> However I would like to know how to make to authenticate computers which
> do
> not belong to the field. For the moment the only solution that I found,
> it
> is to give a login/password to the person while passing by peap and
> decochant
> the box "to use login Windows...". But this solution annoys me because
> because one cannot change the login. After I followed this article, but I
> do
> not find it complete or I did not include/understand, especially with
> dimensions radius.
> http://www.microsoft.com/technet/pro...4fb1014a4.mspx
>

Thank you for your answer.
However I do not understand the finality of your question. I can give very
well a different account for each counted invited, but I would have a great
number of account. However according to the article, the computer will not
send any identifier and thus the server radius to take the invited account
(?).
If not I found another solution, I work on a switch HP, and thus via the
VLAN and the mode Open VLAN, I can isolate not authenticated on a VLAN.
Thank you

"Mark Gamache" wrote:

> Your solution depends on your exact need. I've had good luck with issuing
> machine and user certs to machines that aren't members of the domain. As
> long as the proper credentials are presented, the user or computer is
> granted access.
>
> is it always the same user logging in on the workgroup computers? Is the
> real problem maybe that you have multiple users logging in via the same user
> profile?
>
> --
> Mark Gamache
> Certified Security Solutions
> http://www.css-security.com
>
>
>
> "Cyril" <(E-Mail Removed)> wrote in message
> news:5862A2C1-CA66-44F5-AC2A-(E-Mail Removed)...
> >I currently carry out tests on 802.1x. I tested via peap and eap-tls.
> > However I would like to know how to make to authenticate computers which
> > do
> > not belong to the field. For the moment the only solution that I found,
> > it
> > is to give a login/password to the person while passing by peap and
> > decochant
> > the box "to use login Windows...". But this solution annoys me because
> > because one cannot change the login. After I followed this article, but I
> > do
> > not find it complete or I did not include/understand, especially with
> > dimensions radius.
> > http://www.microsoft.com/technet/pro...4fb1014a4.mspx
> >
>
>
>

I think you are asking about computer only authentication.
http://www.microsoft.com/technet/pro...4ed8e7492.mspx

You can alter the registry so that only the computer is authenticated and
the user stays on the network in the computers security context. You will
still need to get one computer certificate on each PC. You will have to get
the computer certificate in the context of a valid domain computer account.
I believe the easiest way is likely to be via the CA web interface.

I hope that helps.

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



"Cyril" <(E-Mail Removed)> wrote in message
news:7062BCD9-9AB6-4031-A886-(E-Mail Removed)...
> Thank you for your answer.
> However I do not understand the finality of your question. I can give
> very
> well a different account for each counted invited, but I would have a
> great
> number of account. However according to the article, the computer will
> not
> send any identifier and thus the server radius to take the invited account
> (?).
> If not I found another solution, I work on a switch HP, and thus via the
> VLAN and the mode Open VLAN, I can isolate not authenticated on a VLAN.
> Thank you
>
> "Mark Gamache" wrote:
>
>> Your solution depends on your exact need. I've had good luck with
>> issuing
>> machine and user certs to machines that aren't members of the domain. As
>> long as the proper credentials are presented, the user or computer is
>> granted access.
>>
>> is it always the same user logging in on the workgroup computers? Is the
>> real problem maybe that you have multiple users logging in via the same
>> user
>> profile?
>>
>> --
>> Mark Gamache
>> Certified Security Solutions
>> http://www.css-security.com
>>
>>
>>
>> "Cyril" <(E-Mail Removed)> wrote in message
>> news:5862A2C1-CA66-44F5-AC2A-(E-Mail Removed)...
>> >I currently carry out tests on 802.1x. I tested via peap and eap-tls.
>> > However I would like to know how to make to authenticate computers
>> > which
>> > do
>> > not belong to the field. For the moment the only solution that I
>> > found,
>> > it
>> > is to give a login/password to the person while passing by peap and
>> > decochant
>> > the box "to use login Windows...". But this solution annoys me because
>> > because one cannot change the login. After I followed this article,
>> > but I
>> > do
>> > not find it complete or I did not include/understand, especially with
>> > dimensions radius.
>> > http://www.microsoft.com/technet/pro...4fb1014a4.mspx
>> >
>>
>>
>>