
    Unifi APs connect clients based on Machine account in AD

    • ?
      A Former User @Dashrender
      last edited by A Former User

      @Dashrender said:

      @thecreativeone91 said:

      @Dashrender said:

      The advantage to setting up WPA-Enterprise with machine accounts is that anyone with a machine that's joined to the domain can simply select the SSID in question and join, no username/password required. NPA authenticates them and they are in.

      No user/password is required with the NPS using user accounts. It does SSO when you set it up properly.

      Against Windows Clients.

      Yes, so? If you are using NPS for Machine authentication, it is going to be Windows clients too. You'll have to do a lot of manual config for anything else. If you use user, it will just prompt for user/password, and make them accept the NPS's Cert.

      • DashrenderD
        Dashrender
        last edited by

        If I want to connect your iPhone or my Windows Phone or Android phone - it won't be automatic, it will require me to type in a username/password.

        I'm not sure what you mean by make them accept the NPS's Cert?
        I'm assuming you're pushing out a self-signed cert to your Windows clients via GP; do your non-Windows clients have to have the NPS's cert in order to authenticate?

        • ?
          A Former User @Dashrender
          last edited by

          @Dashrender said:

          I'm assuming you're pushing out a self-signed cert to your Windows clients via GP; do your non-Windows clients have to have the NPS's cert in order to authenticate?

          If you're using user-based, you just need to install the Cert of the NPS onto the phone; iOS will prompt you to do this. Machine-based, you can't do it like that.

          • DashrenderD
            Dashrender
            last edited by

            I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.

            For private devices, this isn't an issue as we don't allow personal devices on the network.

            • coliverC
              coliver @Dashrender
              last edited by

              @Dashrender said:

              I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.

              For private devices, this isn't an issue as we don't allow personal devices on the network.

              If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.

              • ?
                A Former User @coliver
                last edited by

                @coliver said:

                @Dashrender said:

                I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.

                For private devices, this isn't an issue as we don't allow personal devices on the network.

                If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.

                NPS doesn't re-authenticate it. It's just that it passes the credentials to the 802.1x authentication first to the NPS server, logs in, then will do SSO to log in on the computer, using the same credentials. NPS isn't involved in that part of the configuration; you enable it via a GPO.

                • DashrenderD
                  Dashrender @A Former User
                  last edited by

                  @thecreativeone91 said:

                  @coliver said:

                  @Dashrender said:

                  I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.

                  For private devices, this isn't an issue as we don't allow personal devices on the network.

                  If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.

                  NPS doesn't re-authenticate it. It's just that it passes the credentials to the 802.1x authentication first to the NPS server, logs in, then will do SSO to log in on the computer, using the same credentials. NPS isn't involved in that part of the configuration; you enable it via a GPO.

                  I don't understand - can you explain it another way?

                  What coliver seems to be saying is that there is double authentication, but unless you're moving the client (laptop) to another VLAN based on the user who is logging in, I don't understand why you would authenticate the user after the machine has already authenticated.

                  • ?
                    A Former User @Dashrender
                    last edited by

                    @Dashrender said:

                    @thecreativeone91 said:

                    @coliver said:

                    @Dashrender said:

                    I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.

                    For private devices, this isn't an issue as we don't allow personal devices on the network.

                    If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.

                    NPS doesn't re-authenticate it. It's just that it passes the credentials to the 802.1x authentication first to the NPS server, logs in, then will do SSO to log in on the computer, using the same credentials. NPS isn't involved in that part of the configuration; you enable it via a GPO.

                    I don't understand - can you explain it another way?

                    What coliver seems to be saying is that there is double authentication, but unless you're moving the client (laptop) to another VLAN based on the user who is logging in, I don't understand why you would authenticate the user after the machine has already authenticated.

                    He's talking about if you are using User Based Authentication.

                    • DashrenderD
                      Dashrender
                      last edited by

                      You're losing me here.

                      @coliver said:

                      If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.

                      @thecreativeone91 said:

                      He's talking about if you are using User Based Authentication.

                      Are you saying that MS now supports WiFi association and logon during the logon process? This would be like the old VPN pre-authentication check box you could add with specific VPN clients if it's true - though there would need to be some sort of prompt to choose the correct SSID.

                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said:

                        @thecreativeone91 said:

                        @coliver said:

                        @Dashrender said:

                        I need the machines that I control to be attached to the WiFi pre-logon. This allows anyone with a domain account to log onto the machine.

                        For private devices, this isn't an issue as we don't allow personal devices on the network.

                        If I remember correctly NPS allows pre-authentication for domain devices and then "re-authenticates" when the user logs in.

                        NPS doesn't re-authenticate it. It's just that it passes the credentials to the 802.1x authentication first to the NPS server, logs in, then will do SSO to log in on the computer, using the same credentials. NPS isn't involved in that part of the configuration; you enable it via a GPO.

                        I don't understand - can you explain it another way?

                        What coliver seems to be saying is that there is double authentication, but unless you're moving the client (laptop) to another VLAN based on the user who is logging in, I don't understand why you would authenticate the user after the machine has already authenticated.

                        He was having some major technical issues this morning following discussions and getting very confused. Might have been just making this stuff up too, like he was on the other threads.
