Limit Wireless access to only Domain Computers - Enterprise auth with Windows NPS

Solved
JordanCNolan
Here to help

I have my SSID "Secured-Company" set up with Enterprise using my RADIUS server. I have NPS set up with the following:

  1. Connection Request Policy
    • NAS Port Type = Wireless - IEEE 802.11 OR Wireless Other
  2. Network Policy
    • NAS Port Type = Wireless - IEEE 802.11 OR Wireless Other
    • Windows Groups = Domain Computers OR Domain Users

I deployed a GPO to all my domain joined computers with the settings needed to connect to "Secured-Company". When it is at the logon screen, the computer is able to connect to the SSID and I can still remote manage it. When the user logs in, they remain connected as long as it is a Domain account. A local account causes the access to the SSID to be denied.

The issue is with the Network Policy condition "Windows Groups = Domain Computers OR Domain Users". Someone can still bring in their home laptop and use their credentials to connect to my secured "Secured-Company" SSID. Is there a way to configure this so ONLY Domain Users with Domain Joined computers can connect?

I tried to set the Network Policy to just "Windows Groups = Domain Computers", which allowed the computer to connect at boot up, but when the user logs in, they lose connection.

1 Accepted Solution
KarstenI
Kind of a big deal
Kind of a big deal

How did you configure the Supplicant through the GPO? It should be mode "Computer Authentication" to only authenticate the machine and not the user.


5 Replies
KarstenI
Kind of a big deal
Kind of a big deal

How did you configure the Supplicant through the GPO? It should be mode "Computer Authentication" to only authenticate the machine and not the user.
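
An added example (not code from the thread or from any of its participants) that audits what the GPO actually delivered to a client: it exports the "Secured-Company" profile with netsh, reads the 802.1X `authMode` from the OneX section of the profile XML, and flags anything other than `machine`, the setting the accepted answer recommends. It assumes it is run as an administrator on a domain-joined Windows client that received the GPO; the SSID name comes from the thread, everything else (paths, variable names) is this example's own.

```powershell
# Added example, not from the original thread. Audit the deployed Wi-Fi profile
# for "Secured-Company" and confirm its 802.1X authMode is "machine", i.e. only
# the computer account authenticates, so the NPS "Domain Computers" policy is
# all that is needed and a user login does not switch the session to user auth.
# Assumptions: run elevated on a domain-joined client that received the GPO.

$ProfileName = 'Secured-Company'          # SSID name taken from the thread
$ExportDir   = Join-Path $env:TEMP 'wlan-audit'   # scratch folder (assumed)
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Export the profile XML; netsh names the file after the interface and SSID,
# so match on the SSID rather than guessing the exact file name.
netsh wlan export profile name="$ProfileName" folder="$ExportDir" | Out-Null

$xmlFile = Get-ChildItem -Path $ExportDir -Filter '*.xml' |
    Where-Object { $_.Name -like "*$ProfileName*" } |
    Select-Object -First 1
if (-not $xmlFile) { throw "Profile '$ProfileName' is not present on this machine." }

[xml]$wlanProfile = Get-Content -Path $xmlFile.FullName

# The WLAN profile and the OneX (802.1X) settings live in separate XML
# namespaces, so resolve them explicitly instead of using bare element names.
$ns = New-Object System.Xml.XmlNamespaceManager($wlanProfile.NameTable)
$ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
$ns.AddNamespace('o', 'http://www.microsoft.com/networking/OneX/v1')

$authNode     = $wlanProfile.SelectSingleNode('//w:authEncryption/w:authentication', $ns)
$authModeNode = $wlanProfile.SelectSingleNode('//o:OneX/o:authMode', $ns)

$auth = if ($authNode) { $authNode.InnerText } else { 'unknown' }

# When <authMode> is omitted, Windows uses machineOrUser: machine credentials
# at the logon screen, then the logged-on user's credentials. That is exactly
# the behaviour the original poster observed.
$effectiveMode = if ($authModeNode) { $authModeNode.InnerText } else { 'machineOrUser (default)' }

[pscustomobject]@{
    Profile        = $ProfileName
    Authentication = $auth
    AuthMode       = $effectiveMode
    MachineOnly    = ($effectiveMode -eq 'machine')
}

# Personal (PSK/SAE) or open profiles never reach NPS at all.
if ($auth -match 'PSK|SAE|open') {
    Write-Warning "Profile '$ProfileName' uses '$auth', not an Enterprise (802.1X) authentication type."
}
if ($effectiveMode -ne 'machine') {
    Write-Warning "authMode is '$effectiveMode'; set the GPO to 'Computer authentication' so only the machine account is used."
}
```

In the Group Policy editor the corresponding setting is under Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies, on the profile's Security tab under Advanced, where "Specify authentication mode" should be set to "Computer authentication". Running the audit on a freshly joined client after `gpupdate /force` is a quick way to confirm the policy applied before trusting the NPS "Domain Computers" condition alone.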

JordanCNolan
Here to help

Excellent. That worked.

plee
New here

Hi, would you mind sharing your configuration? I'd like to set up the same thing to allow employees to authenticate and connect to the wireless with their AD account but only from domain joined devices.

KarstenI
Kind of a big deal
Kind of a big deal

This is a completely different thing and not possible with NPS. To reliably enforce that users can authenticate only from domain machines you need TEAP and NPS is not capable of that.

plee
New here

Thank you for the clarification. That has been my finding as well with NPS and I thought OP found the solution.
