Remote Access with Multiple Groups

I work in a hospital that has a Win2003 domain. We also have a wireless
network using 802.1x, WPA with Cisco AP's. We use IAS as our remote access
server.

We have two groups of wireless workstations, one group of medical stations
and another of admin stations. We want medical personnel to be able to use
either medical or admin workstations but we want admin personnel to be able
to use only admin wireless workstations.

At first I set up mulitple groups. One group consisting of computers and
another of users. Then in the remote access policy I stipulated that to gain
access the connection had to come from the right computer group and right
user group. Sounds OK but it does not work. If I include a group that has
only computers in it the wireless connection always fails. No problem if I
only have groups with users.

How can associate a specific user group with specific computer group when
using remote access for wireless connections??

"Redleg6" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I work in a hospital that has a Win2003 domain. We also have a wireless
>network using 802.1x, WPA with Cisco AP's. We use IAS as our remote access
>server.

Why IAS? Why not just have them as Domain Members and forget it?

> We have two groups of wireless workstations, one group of medical
> stations and another of admin stations. We want medical personnel to be
> able to use either medical or admin workstations but we want admin
> personnel to be able to use only admin wireless workstations.
>
> At first I set up mulitple groups. One group consisting of computers and
> another of users. Then in the remote access policy I stipulated that to
> gain access the connection had to come from the right computer group and
> right user group. Sounds OK but it does not work. If I include a group
> that has only computers in it the wireless connection always fails. No
> problem if I only have groups with users.

This really is not "remote access".
The wirless portion of the network is not a "different network". A WAP
does not create a "network",...it just replaces the physical "patch cables"
with a Radio Signal. It is effectively just a Switch without wires on the
Host side,...but is still wired on the "backbone" side.

1. Let the machines connect to the WAP using WPA with a Key,.....without an
kind of "user authentication.

2. The machines need to be Domain Members

3. In "Active Directory Users and Computers" go to the properties of each
"Administration Personnel" account involved in this and set a "list" of
machines they are allowed to connect from [Yes, it's a hassle],...you can't
do it with Groups. The users need to log into the machines with Domain
Level User Accounts,....not Local User Accounts. Active Directory will then
evaluate if the user is allowed to log in with that particular workstation.
Remove all local user accounts from these machines except for any that
really have to be there.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/l...chNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/l...chNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/p...s/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------

We need IAS to handle the remote connections from the wireless workstations.


"Phillip Windell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "Redleg6" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>I work in a hospital that has a Win2003 domain. We also have a wireless
>>network using 802.1x, WPA with Cisco AP's. We use IAS as our remote access
>>server.
>
> Why IAS? Why not just have them as Domain Members and forget it?
>
>> We have two groups of wireless workstations, one group of medical
>> stations and another of admin stations. We want medical personnel to be
>> able to use either medical or admin workstations but we want admin
>> personnel to be able to use only admin wireless workstations.
>>
>> At first I set up mulitple groups. One group consisting of computers and
>> another of users. Then in the remote access policy I stipulated that to
>> gain access the connection had to come from the right computer group and
>> right user group. Sounds OK but it does not work. If I include a group
>> that has only computers in it the wireless connection always fails. No
>> problem if I only have groups with users.
>
> This really is not "remote access".
> The wirless portion of the network is not a "different network". A WAP
> does not create a "network",...it just replaces the physical "patch
> cables" with a Radio Signal. It is effectively just a Switch without
> wires on the Host side,...but is still wired on the "backbone" side.
>
> 1. Let the machines connect to the WAP using WPA with a Key,.....without
> an kind of "user authentication.
>
> 2. The machines need to be Domain Members
>
> 3. In "Active Directory Users and Computers" go to the properties of each
> "Administration Personnel" account involved in this and set a "list" of
> machines they are allowed to connect from [Yes, it's a hassle],...you
> can't do it with Groups. The users need to log into the machines with
> Domain Level User Accounts,....not Local User Accounts. Active Directory
> will then evaluate if the user is allowed to log in with that particular
> workstation. Remove all local user accounts from these machines except for
> any that really have to be there.
>
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
> Technet Library
> ISA2004
> http://technet.microsoft.com/en-us/l...chNet.10).aspx
> ISA2006
> http://technet.microsoft.com/en-us/l...chNet.10).aspx
>
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/IS...cessRules.html
>
> Troubleshooting Client Authentication on Access Rules in ISA Server 2004
> http://download.microsoft.com/downlo...7/ts_rules.doc
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/p...s/default.mspx
>
> Microsoft ISA Server Partners: Partner Hardware Solutions
> http://www.microsoft.com/forefront/e...epartners.mspx
> -----------------------------------------------------
>

"Redleg6" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We need IAS to handle the remote connections from the wireless
> workstations.

There is nothing remote here. The WAPs are connected to your local
LAN,..therefore any machine that uses them is local. The WAP serves the
same function as a LAN Switch but without the wires.

To control who can log into what machines as you describe you want to
do,...the machines need to be Domain Members and the users need to log in
with Domain Accounts. Those Domain Accounts need to have the list of
"approved" machines added to the Account Properties. Being "wired" -vs-
"wireless" is totally irrelevant to this aspect of what you are asking.

All the "security" on the WAP serves one purpose,...it protects the Radio
Signal,...that's it. Some high-end Wired Switches have a "comparable"
function with their Port Access Control (802.x? I forget..). But with the
wireless using WPA with a WPA Key, in my opinion, is perfectly
sufficient,...someone would have to drag me a long way kicking and screaming
over broken glass to get me to feel that there was any need for using IAS
with user authentication just to establish authorized contact with a "Radio
Signal" instead of just using WPA with an encryption Key.
I know some would disagree with me,..fine,..there always are,...but that is
my recommendation and I feel pretty strong about it.

I realize that medical facilities make heavy use of wireless due to the
convenience of mobility and not having to run cable (and then moving the
cables everytime something is remodeled or moved). But all the wireless
does is replace "wires" with a "radio signal", it is not creating a new
network, it is not a separate network, and it is not "remote".

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

I disagree with you. WPA with a static key is not sufficient security.
Enterprise level wireless with dynamic keying gives us the security we need.


"Phillip Windell" <(E-Mail Removed)> wrote in message
news:eJ%(E-Mail Removed)...
> "Redleg6" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> We need IAS to handle the remote connections from the wireless
>> workstations.
>
> There is nothing remote here. The WAPs are connected to your local
> LAN,..therefore any machine that uses them is local. The WAP serves the
> same function as a LAN Switch but without the wires.
>
> To control who can log into what machines as you describe you want to
> do,...the machines need to be Domain Members and the users need to log in
> with Domain Accounts. Those Domain Accounts need to have the list of
> "approved" machines added to the Account Properties. Being "wired" -vs-
> "wireless" is totally irrelevant to this aspect of what you are asking.
>
> All the "security" on the WAP serves one purpose,...it protects the Radio
> Signal,...that's it. Some high-end Wired Switches have a "comparable"
> function with their Port Access Control (802.x? I forget..). But with
> the wireless using WPA with a WPA Key, in my opinion, is perfectly
> sufficient,...someone would have to drag me a long way kicking and
> screaming over broken glass to get me to feel that there was any need for
> using IAS with user authentication just to establish authorized contact
> with a "Radio Signal" instead of just using WPA with an encryption Key.
> I know some would disagree with me,..fine,..there always are,...but that
> is my recommendation and I feel pretty strong about it.
>
> I realize that medical facilities make heavy use of wireless due to the
> convenience of mobility and not having to run cable (and then moving the
> cables everytime something is remodeled or moved). But all the wireless
> does is replace "wires" with a "radio signal", it is not creating a new
> network, it is not a separate network, and it is not "remote".
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
>

"Redleg6" <(E-Mail Removed)> wrote in message
news:u13UcV$(E-Mail Removed)...
>I disagree with you. WPA with a static key is not sufficient security.
> Enterprise level wireless with dynamic keying gives us the security we
> need.

In the end it doesn't matter here. Your question/goal really has nothing to
do with wired -vs- wireless or any wireless security techniques.

To control who can log into what machines as you describe you want to
do,...the machines need to be Domain Members and the users need to log in
with Domain Accounts. Those Domain Accounts need to have the list of
"approved" machines added to the Account Properties. Active Directory will
then
evaluate if the user is allowed to log in with that particular workstation.
Remove all local user accounts from these machines except for any that
really have to be there.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------