RB <(E-Mail Removed)> wrote in
news:16792973-1DF4-48A6-9437-(E-Mail Removed):
> I am trying to set up 'Port based authentication' via 802.1X with
> cisco 4500 switch and policies defined on IAS.
> I am not able to set "Remote Access Policy" to authenticate
> domain\user connecting from domain\computer only.
> When domain\computer is connected to the LAN it should be a member of VLAN1,
> and when domain\user is logged on to the domain it should be a member of
> VLAN2.
>
> If I have 'RA Policy' which contains for example
> .. AND
> Windows-Groups matches "domain\domain users" AND
> Windows-Groups matches "domain\domain computers"
>
> this policy will never be applied. When the computer starts, it is
> authenticated only as a member of "domain\domain computers" (it is not a
> member of "domain\domain users"), and when domain\user logs on, only user
> authentication runs (the user is not a member of "domain\domain computers").
>
> I want to set this policy to disable connecting with a domain\user account
> on a non-domain computer.
>
> any idea?
>
> thx
>
> RB
Hi there --
I queried the product team on this and received the following response:
"Unfortunately, this cannot be accomplished. The shortcoming however is
with the current authentication methods, not with IAS. There are no RADIUS
servers that provide quite this capability. As far as IAS is concerned, we
treat the below (remote access policy) statement as an OR rather than an
AND. When an authentication attempt is being passed to the RADIUS server
for validation, it can only be a user authentication OR a machine
authentication, it can't be both at the same time.
Also, with IAS we do not keep any system state information, so we don't
track whether a particular machine has authenticated prior to a user
attempt."
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
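As an added illustration (not code from the thread, from IAS, or from Microsoft), the following Python model evaluates Windows-Groups conditions the way a stateless RADIUS policy engine sees them: one request carries one identity's groups. It shows why the combined user-AND-computer policy from the original post never matches either the machine attempt or the user attempt, while two separate policies assign VLAN1 and VLAN2. All identities, group names and VLAN ids are constructed assumptions.

```python
"""Constructed model of per-request policy evaluation (not IAS code).
Each 802.1X attempt reaches the RADIUS server as either a machine identity
or a user identity, and the server keeps no state between attempts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One authentication attempt: the identity and the groups it resolves to."""
    identity: str
    groups: frozenset


@dataclass(frozen=True)
class Policy:
    name: str
    required_groups: frozenset  # every listed group must match (AND)
    vlan: int


def policy_matches(policy: Policy, request: Request) -> bool:
    # All required groups must be present in this single request's group set.
    return policy.required_groups <= request.groups


def evaluate(policies, request: Request):
    """Return the VLAN of the first matching policy, or None when no policy
    matches (the access request is rejected)."""
    for policy in policies:
        if policy_matches(policy, request):
            return policy.vlan
    return None


# Constructed group names and requests: machine auth at boot, user auth at logon.
DOMAIN_USERS = "domain\\domain users"
DOMAIN_COMPUTERS = "domain\\domain computers"
MACHINE_REQ = Request("host/pc01.domain.example", frozenset({DOMAIN_COMPUTERS}))
USER_REQ = Request("domain\\user", frozenset({DOMAIN_USERS}))

# The policy from the original post: both groups required in one condition list.
COMBINED = [Policy("users AND computers", frozenset({DOMAIN_USERS, DOMAIN_COMPUTERS}), vlan=2)]

# One policy per identity type, each granting its own VLAN.
SPLIT = [
    Policy("computers", frozenset({DOMAIN_COMPUTERS}), vlan=1),
    Policy("users", frozenset({DOMAIN_USERS}), vlan=2),
]


def outcomes(policies) -> dict:
    """VLAN assigned (or None) for the machine attempt and the user attempt."""
    return {"machine": evaluate(policies, MACHINE_REQ), "user": evaluate(policies, USER_REQ)}
```

Because the engine evaluates each request in isolation, no single-request condition can express "this user on a domain-joined computer"; correlating the two attempts would require state the server does not keep.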