Unifi APs connect clients based on Machine account in AD
-
@thecreativeone91 said:
@MattSpeller said:
I'm really ignorant of how all this works, but isn't that not a great idea from a security standpoint? (you don't know if a legit user has the machine or not)
I usually do user; you can configure it to allow authentication against the wireless before signing in to Windows, so even a person who's never logged in before can log in to the laptop over wireless. It's no more of a risk than a wired network, I suppose, unless the laptop gets stolen and taken off the property and they get into the local computer admin account; then yes, it would be a big risk. User allows them to log in from non-domain devices though, so each has risks.
-
@Dashrender said:
@thecreativeone91 said:
@Dashrender said:
An associate of mine has his current Aruba network setup to authenticate his users by their machine account in AD instead of user accounts. Can the same be done for Unifi APs?
The AP just connects to RADIUS. The machine account stuff has to do with how you configure NPS for the WPA2 Enterprise authentication. You need to generate machine certificates as well, and push the NPS cert out to clients via GP.
If you want to go as far as using Certs... you shouldn't have to. My friend does not with his Aruba, for example.
NPS requires the use of a CA to issue Certs; that's how it works. He might not know it, but it does issue them.
-
@MattSpeller said:
I'm really ignorant of how all this works, but isn't that not a great idea from a security standpoint? (you don't know if a legit user has the machine or not)
Why? It's absolutely NO different than what you are doing today (assuming you're using PSK).
Today, you, the Admin, set up the PSK for the WiFi, then give the device to the user. Assuming that whoever has the laptop knows a Windows account on your network, they can now log into the machine and have access to WiFi.
The advantage to setting up WPA-Enterprise with machine accounts is that anyone with a machine that's joined to the domain can simply select the SSID in question and join, no username/password required. NPS authenticates them and they are in.
-
@thecreativeone91 said:
@thecreativeone91 said:
@MattSpeller said:
I'm really ignorant of how all this works, but isn't that not a great idea from a security standpoint? (you don't know if a legit user has the machine or not)
I usually do user; you can configure it to allow authentication against the wireless before signing in to Windows, so even a person who's never logged in before can log in to the laptop over wireless. It's no more of a risk than a wired network, I suppose, unless the laptop gets stolen and taken off the property and they get into the local computer admin account; then yes, it would be a big risk. User allows them to log in from non-domain devices though, so each has risks.
Exactly - If you want to stop users from using their own personal devices on that SSID, you'd need to install Machine Certs and authenticate against both a machine cert and a Username/Password.
-
@Dashrender said:
Why? It's absolutely NO different than what you are doing today (assuming you're using PSK).
What company uses PSK? That's the least secure thing you can do.
-
@Dashrender said:
The advantage to setting up WPA-Enterprise with machine accounts is that anyone with a machine that's joined to the domain can simply select the SSID in question and join, no username/password required. NPS authenticates them and they are in.
No user/password is required with the NPS using user accounts. It does SSO when you set it up properly.
-
@thecreativeone91 said:
@Dashrender said:
Why? It's absolutely NO different than what you are doing today (assuming you're using PSK).
What company uses PSK? That's the least secure thing you can do.
I guess I do the least secure thing you can do. But I don't give the password out. If I don't type it in, you don't get on my network.
Yes I'm trying to change that now with my new Unifi setup (which I realize has nothing to do with changing, it's just I'm choosing to change this now).
-
@thecreativeone91 said:
@Dashrender said:
The advantage to setting up WPA-Enterprise with machine accounts is that anyone with a machine that's joined to the domain can simply select the SSID in question and join, no username/password required. NPS authenticates them and they are in.
No user/password is required with the NPS using user accounts. It does SSO when you set it up properly.
Against Windows Clients.
-
@Dashrender said:
@thecreativeone91 said:
@Dashrender said:
The advantage to setting up WPA-Enterprise with machine accounts is that anyone with a machine that's joined to the domain can simply select the SSID in question and join, no username/password required. NPS authenticates them and they are in.
No user/password is required with the NPS using user accounts. It does SSO when you set it up properly.
Against Windows Clients.
Yes, so? If you are using NPS for machine authentication, it is going to be Windows clients too. You'll have to do a lot of manual config for anything else. If you use user, it will just prompt for user/password and make them accept the NPS's cert.
-
If I want to connect your iPhone or my Windows Phone or Android phone - it won't be automatic, it will require me to type in a username/password.
I'm not sure what you mean by make them accept the NPS's Cert?
I'm assuming you're pushing out a self signed cert to your windows clients via GP, do your non windows clients have to have the NPS's cert in order to authenticate?
-
@Dashrender said:
I'm assuming you're pushing out a self signed cert to your windows clients via GP, do your non windows clients have to have the NPS's cert in order to authenticate?
If you're using user based you just need to install the cert of the NPS onto the phone; iOS will prompt you to do this. Machine-based you can't do it like that.
-
I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.
For private devices, this isn't an issue as we don't allow personal devices on the network.
-
@Dashrender said:
I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.
For private devices, this isn't an issue as we don't allow personal devices on the network.
If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.
-
@coliver said:
@Dashrender said:
I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.
For private devices, this isn't an issue as we don't allow personal devices on the network.
If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.
NPS doesn't re-authenticate it. It's just that it passes the credentials to the 802.1X authentication first, to the NPS server, logs in, then will SSO to log in on the computer using the same credentials. NPS isn't involved in that part of the configuration; you enable it via a GPO.
-
@thecreativeone91 said:
@coliver said:
@Dashrender said:
I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.
For private devices, this isn't an issue as we don't allow personal devices on the network.
If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.
NPS doesn't re-authenticate it. It's just that it passes the credentials to the 802.1X authentication first, to the NPS server, logs in, then will SSO to log in on the computer using the same credentials. NPS isn't involved in that part of the configuration; you enable it via a GPO.
I don't understand - can you explain it another way?
What coliver seems to be saying is that there is double authentication, but unless you're moving the client (laptop) to another VLAN based on the user who is logging in, I don't understand why you would authenticate the user after the machine has already authenticated.
-
@Dashrender said:
@thecreativeone91 said:
@coliver said:
@Dashrender said:
I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.
For private devices, this isn't an issue as we don't allow personal devices on the network.
If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.
NPS doesn't re-authenticate it. It's just that it passes the credentials to the 802.1X authentication first, to the NPS server, logs in, then will SSO to log in on the computer using the same credentials. NPS isn't involved in that part of the configuration; you enable it via a GPO.
I don't understand - can you explain it another way?
What coliver seems to be saying is that there is double authentication, but unless you're moving the client (laptop) to another VLAN based on the user who is logging in, I don't understand why you would authenticate the user after the machine has already authenticated.
He's talking about if you are using User Based Authentication.
-
You're losing me here.
@coliver said:
If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.
@thecreativeone91 said:
He's talking about if you are using User Based Authentication.
Are you saying that MS now supports WiFi association and logon during the logon process? This would be like the old VPN pre-authentication check box you could add with specific VPN clients if it's true - though there would need to be some sort of prompt to choose the correct SSID.
-
@Dashrender said:
@thecreativeone91 said:
@coliver said:
@Dashrender said:
I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.
For private devices, this isn't an issue as we don't allow personal devices on the network.
If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.
NPS doesn't re-authenticate it. It's just that it passes the credentials to the 802.1X authentication first, to the NPS server, logs in, then will SSO to log in on the computer using the same credentials. NPS isn't involved in that part of the configuration; you enable it via a GPO.
I don't understand - can you explain it another way?
What coliver seems to be saying is that there is double authentication, but unless you're moving the client (laptop) to another VLAN based on the user who is logging in, I don't understand why you would authenticate the user after the machine has already authenticated.
He was having some major technical issues this morning following discussions and getting very confused. Might have been just making this stuff up too, like he was on the other threads.