Limit Wireless access to only Domain Computers - Enterprise auth with Windows NPS

SOLVED
JordanCNolan
Here to help

I have my SSID "Secured-Company" set up with Enterprise using my RADIUS server. I have NPS set up with the following:

  1. Connection Request Policy
    • NAS Port Type = Wireless - IEEE 802.11 OR Wireless Other
  2. Network Policy
    • NAS Port Type = Wireless - IEEE 802.11 OR Wireless Other
    • Windows Groups = Domain Computers OR Domain Users

I deployed a GPO to all my domain-joined computers with the settings needed to connect to "Secured-Company". When it is at the logon, the computer is able to connect to the SSID and I can still remote manage it. When the user logs in, they remain connected as long as it is a Domain account. A local account causes the access to the SSID to be denied.

The issue is with the Network Policy condition "Windows Groups = Domain Computers OR Domain Users".  Someone can still bring in their home laptop and use their credentials to connect to my secured "Secured-Company" SSID.  Is there a way to configure this so ONLY Domain Users with Domain Joined computers can connect?

I tried to set the Network Policy to just "Windows Groups = Domain Computers", which allowed the computer to connect at boot up, but when the user logs in, they lose connection.

Accepted Solutions
KarstenI
Head in the Cloud

Re: Limit Wireless access to only Domain Computers - Enterprise auth with Windows NPS

How did you configure the Supplicant through the GPO? It should be mode "Computer Authentication" to only authenticate the machine and not the user.

JordanCNolan
Here to help

Re: Limit Wireless access to only Domain Computers - Enterprise auth with Windows NPS

Excellent.  That worked.
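
To confirm that a client actually received the computer-only setting described in the accepted solution, the wireless profile can be exported (for example with `netsh wlan export profile`) and its 802.1X `authMode` element inspected. The following is an added example, not part of the original thread; the function name `Get-WlanAuthMode` is hypothetical and the profile XML is a constructed, trimmed sample with the EAP settings omitted.

```powershell
# Constructed sample: a trimmed WLAN profile in the format written by
# "netsh wlan export profile". EAP configuration is omitted for brevity.
$sampleProfile = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Secured-Company</name>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

# Hypothetical helper: reports the 802.1X authentication mode of one profile.
function Get-WlanAuthMode {
    param([Parameter(Mandatory)][string]$ProfileXml)

    $doc = [xml]$ProfileXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $ns.AddNamespace('x', 'http://www.microsoft.com/networking/OneX/v1')

    $name = $doc.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText
    $node = $doc.SelectSingleNode('//w:security/x:OneX/x:authMode', $ns)
    # Report an absent element as such instead of guessing a default.
    $mode = if ($node) { $node.InnerText } else { '(not set)' }

    [pscustomobject]@{
        Profile      = $name
        AuthMode     = $mode
        # 'machine' means only the computer account authenticates, so a
        # user logon does not trigger a second, user-credential 802.1X auth.
        ComputerOnly = ($mode -eq 'machine')
    }
}

# The sample uses machineOrUser, so ComputerOnly is reported as False.
Get-WlanAuthMode -ProfileXml $sampleProfile
```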
