Unifi APs connect clients based on Machine account in AD
-
@Dashrender said:
Why? It's absolutely NO different than what you are doing today (assuming you're using PSK).
What company uses PSK? That's the least secure thing you can do.
-
@Dashrender said:
The advantage to setting up WPA-Enterprise with machine accounts is that anyone with a machine that's joined to the domain can simply select the SSID in question and join, no username/password required. NPS authenticates them and they are in.
No user/password is required with the NPS using user accounts. It does SSO when you set it up properly.
-
@thecreativeone91 said:
@Dashrender said:
Why? It's absolutely NO different than what you are doing today (assuming you're using PSK).
What company uses PSK? That's the least secure thing you can do.
I guess I do the least secure thing you can do. But I don't give the password out. If I don't type it in, you don't get on my network.
Yes I'm trying to change that now with my new Unifi setup (which I realize has nothing to do with changing, it's just I'm choosing to change this now).
-
@thecreativeone91 said:
@Dashrender said:
The advantage to setting up WPA-Enterprise with machine accounts is that anyone with a machine that's joined to the domain can simply select the SSID in question and join, no username/password required. NPS authenticates them and they are in.
No user/password is required with the NPS using user accounts. It does SSO when you set it up properly.
Against Windows Clients.
-
@Dashrender said:
@thecreativeone91 said:
@Dashrender said:
The advantage to setting up WPA-Enterprise with machine accounts is that anyone with a machine that's joined to the domain can simply select the SSID in question and join, no username/password required. NPS authenticates them and they are in.
No user/password is required with the NPS using user accounts. It does SSO when you set it up properly.
Against Windows Clients.
Yes, so? If you are using NPS for machine authentication it is going to be Windows clients too. You'll have to do a lot of manual config for anything else. If you use user it will just prompt for user/password, and make them accept the NPS's cert.
-
If I want to connect your iPhone or my Windows Phone or Android phone - it won't be automatic, it will require me to type in a username/password.
I'm not sure what you mean by make them accept the NPS's Cert?
I'm assuming you're pushing out a self signed cert to your windows clients via GP, do your non windows clients have to have the NPS's cert in order to authenticate?
-
@Dashrender said:
I'm assuming you're pushing out a self signed cert to your windows clients via GP, do your non windows clients have to have the NPS's cert in order to authenticate?
If you're using user based you just need to install the Cert of the NPS on to the phone, iOS will prompt you to do this. Machine based you can't do it like that.
-
I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.
For private devices, this isn't an issue as we don't allow personal devices on the network.
-
@Dashrender said:
I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.
For private devices, this isn't an issue as we don't allow personal devices on the network.
If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.
-
@coliver said:
@Dashrender said:
I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.
For private devices, this isn't an issue as we don't allow personal devices on the network.
If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.
NPS doesn't re-authenticate it. It's just that it passes the credentials to the 802.1X authentication first, to the NPS server, logs in, then will SSO to log in on the computer using the same credentials. NPS isn't involved in that part of the configuration; you enable it via a GPO.
-
@thecreativeone91 said:
@coliver said:
@Dashrender said:
I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.
For private devices, this isn't an issue as we don't allow personal devices on the network.
If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.
NPS doesn't re-authenticate it. It's just that it passes the credentials to the 802.1X authentication first, to the NPS server, logs in, then will SSO to log in on the computer using the same credentials. NPS isn't involved in that part of the configuration; you enable it via a GPO.
I don't understand - can you explain it another way?
What coliver seems to be saying is that there is double authentication, but unless you're moving the client (laptop) to another VLAN based on the user who is logging in, I don't understand why you would authenticate the user after the machine has already authenticated.
-
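As an added example (my own, not code from the thread, Ubiquiti or Microsoft), here is a PowerShell script that takes an already exported Windows WLAN profile and switches its 802.1X settings between the two modes discussed above: machine authentication, or user authentication with pre-logon single sign-on as enabled by GPO; the userBasedVirtualLan flag is the setting behind the per-user VLAN question. The profile name, SSID and file paths are assumed placeholders.

```powershell
# Added example, not from the thread: rewrite an exported Windows WLAN profile
# for either machine authentication or user authentication with pre-logon SSO.
# Assumes a working WPA2-Enterprise/PEAP profile was exported first with
#   netsh wlan export profile name="CorpWiFi" folder=C:\Temp key=clear
# (profile name, SSID and paths here are placeholders).
param(
    [string]$ProfileXml = 'C:\Temp\Wi-Fi-CorpWiFi.xml',
    [ValidateSet('machine', 'userSso')][string]$Mode = 'machine'
)
$oneXNs = 'http://www.microsoft.com/networking/OneX/v1'
[xml]$doc = Get-Content -Path $ProfileXml -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
$ns.AddNamespace('o', $oneXNs)
$oneX = $doc.SelectSingleNode('//w:MSM/w:security/o:OneX', $ns)
if (-not $oneX) { throw 'No OneX element: this is not an 802.1X profile' }
$eapConfig = $oneX.SelectSingleNode('o:EAPConfig', $ns)
$authMode  = $oneX.SelectSingleNode('o:authMode', $ns)
if (-not $authMode) {
    # authMode is optional in exports (default machineOrUser); create it
    $authMode = $doc.CreateElement('authMode', $oneXNs)
    [void]$oneX.InsertBefore($authMode, $eapConfig)
}
# Start from a clean state: drop any existing SSO block
$sso = $oneX.SelectSingleNode('o:singleSignOn', $ns)
if ($sso) { [void]$oneX.RemoveChild($sso) }
if ($Mode -eq 'machine') {
    # Computer account does 802.1X; works at the logon screen, Windows-only
    $authMode.InnerText = 'machine'
} else {
    # User credentials do 802.1X, then the same credentials log the user on
    $authMode.InnerText = 'user'
    $sso = $doc.CreateElement('singleSignOn', $oneXNs)
    foreach ($pair in @(
        @('type', 'preLogon'),                 # authenticate before logon completes
        @('maxDelay', '10'),                   # seconds to wait for connectivity
        @('allowAdditionalDialogs', 'false'),
        @('userBasedVirtualLan', 'false'))) {  # true only if NPS moves the user to a different VLAN
        $el = $doc.CreateElement($pair[0], $oneXNs)
        $el.InnerText = $pair[1]
        [void]$sso.AppendChild($el)
    }
    # Schema order: singleSignOn sits after authMode and before EAPConfig
    [void]$oneX.InsertAfter($sso, $authMode)
}
$out = [System.IO.Path]::ChangeExtension($ProfileXml, ".$Mode.xml")
$doc.Save($out)
# Install for all users so the SSID is available at the logon screen
netsh wlan add profile filename="$out" user=all
```

Run it once per mode on a test machine and compare the two generated XML files; the only differences should be the authMode value and the presence of the singleSignOn block.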
@Dashrender said:
@thecreativeone91 said:
@coliver said:
@Dashrender said:
I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.
For private devices, this isn't an issue as we don't allow personal devices on the network.
If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.
NPS doesn't re-authenticate it. It's just that it passes the credentials to the 802.1X authentication first, to the NPS server, logs in, then will SSO to log in on the computer using the same credentials. NPS isn't involved in that part of the configuration; you enable it via a GPO.
I don't understand - can you explain it another way?
What coliver seems to be saying is that there is double authentication, but unless you're moving the client (laptop) to another VLAN based on the user who is logging in, I don't understand why you would authenticate the user after the machine has already authenticated.
He's talking about if you are using User Based Authentication.
-
You're losing me here.
@coliver said:
If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.
@thecreativeone91 said:
He's talking about if you are using User Based Authentication.
Are you saying that MS now supports WiFi association and logon during the logon process? This would be like the old VPN pre-authentication check box you could add with specific VPN clients if it's true - though there would need to be some sort of prompt to choose the correct SSID.
-
@Dashrender said:
@thecreativeone91 said:
@coliver said:
@Dashrender said:
I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.
For private devices, this isn't an issue as we don't allow personal devices on the network.
If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.
NPS doesn't re-authenticate it. It's just that it passes the credentials to the 802.1X authentication first, to the NPS server, logs in, then will SSO to log in on the computer using the same credentials. NPS isn't involved in that part of the configuration; you enable it via a GPO.
I don't understand - can you explain it another way?
What coliver seems to be saying is that there is double authentication, but unless you're moving the client (laptop) to another VLAN based on the user who is logging in, I don't understand why you would authenticate the user after the machine has already authenticated.
He was having some major technical issues this morning following discussions and getting very confused. Might have been just making this stuff up like he was on the other threads.