Hello, I need some help with wireless security...
I am trying to design a strong security model for my company.
Proposed Wireless Network:
WPA2 - AES encryption
PEAP using MS-CHAP-V2 (no certs, except on IAS server)
802.1x authentication via a Windows Server 2003 IAS (against the AD)
Using Cisco 4402 wireless switches
Within IAS, I have created a policy that authenticates users and
computers based on this phrase:
NAS-Port-Type matches "Wireless - Other OR Wireless - IEEE 802.11" AND
Windows-Groups matches "domain\Domain Users;domain\Domain Computers"
Looking at the IAS log, the policy correctly rejects or denies
Machines and Users whether they are a part of these groups or not.
I'm hoping to authenticate the machine at boot up (which is working
fine) but also authenticate the username AND machine name when the
user logs in.
With these current settings, if a user logs in to any PC (even one
from home) they fail the machine authentication but if they use their
correct domain username and password, they are allowed on the wireless
network. Ideally, I would like to see the IAS server check the
username and machine at the same time during user authentication
preventing this issue.
Can this be done???
|
Similar Threads
Linear Mode
