Hello folks,
another question slightly related to my other problem here: WPA2-EAP: get logged on user
I want to do machine and user authentication against a Windows NPS server.
I can only get one of them to work. Either I deploy machine certificates to all trusted devices and they can all log on to my network using this certificate. With this approach I can keep all BYOD devices out.
Or I can use user authentication, which has the benefit that I can put users into different networks, say SalesTeam and Engineering. This has the drawback that a user can use his credentials to log in from any device (iPhone & stuff) and get into the respective network.
I know that Aruba has some feature or hack that can do both. First step is to send a machine auth, and if this succeeds the MAC is stored in a “trusted cache”. When the user puts in his login credentials (Windows logon screen), Windows does a user auth. If this succeeds, Aruba checks if this user auth comes from a trusted MAC and then puts the user in its respective VLAN.
Is something like this possible with a) NPS alone (afaik not) or b) is there a way to build something similar on RouterOS? Maybe by using scripting and building my own little cache/dynamic firewall?
I don’t understand why Microsoft doesn’t have a built-in way of doing this. Am I the only one who needs to verify that only trusted machines get on the net and that the users need to be further firewalled based on their user group? Or am I doing something completely wrong?
Regards,
Christian
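To make the Aruba-style two-stage flow described in the post concrete, here is an added example (not Aruba, NPS or RouterOS code) that models the trusted-MAC cache as a small policy engine: a successful machine auth records the MAC with a TTL, and a later user auth only receives the group VLAN if its MAC is in that cache. The group-to-VLAN map, the quarantine VLAN, the TTL and the sample MACs are assumed values constructed for the example.

```python
# Added example: trusted-MAC cache gating user-auth VLAN assignment.
# Machine auth success -> cache MAC (with TTL); user auth -> group VLAN only if MAC trusted.
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed group-to-VLAN mapping; names and numbers are constructed for the example.
GROUP_VLANS = {"SalesTeam": 20, "Engineering": 30}
QUARANTINE_VLAN = 99          # where untrusted devices with valid user creds land
TRUST_TTL = 8 * 3600          # seconds a machine-auth result stays valid (assumed)


@dataclass
class TrustedCache:
    entries: Dict[str, float] = field(default_factory=dict)  # MAC -> expiry time

    def record_machine_auth(self, mac: str, now: float) -> None:
        self.entries[mac.lower()] = now + TRUST_TTL

    def is_trusted(self, mac: str, now: float) -> bool:
        expiry = self.entries.get(mac.lower())
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[mac.lower()]   # expired: device must re-auth as a machine
            return False
        return True


def decide_vlan(cache: TrustedCache, mac: str, group: str, now: float) -> Optional[int]:
    """VLAN for a successful user auth; None means reject (unknown group)."""
    vlan = GROUP_VLANS.get(group)
    if vlan is None:
        return None
    return vlan if cache.is_trusted(mac, now) else QUARANTINE_VLAN


def run_scenario() -> tuple:
    """Constructed sequence: a managed laptop and a personal phone using the same user."""
    cache = TrustedCache()
    laptop, phone = "AA:BB:CC:00:11:22", "DE:AD:BE:EF:00:01"
    cache.record_machine_auth(laptop, now=0.0)            # laptop passed cert auth at boot
    at_logon = decide_vlan(cache, laptop, "Engineering", now=60.0)       # trusted -> 30
    from_phone = decide_vlan(cache, phone, "Engineering", now=70.0)      # BYOD -> 99
    after_ttl = decide_vlan(cache, laptop, "Engineering", now=TRUST_TTL + 1.0)  # expired -> 99
    return at_logon, from_phone, after_ttl
```

The quarantine fallback is the point: the same user credential yields a different network depending on whether the device itself proved its identity first.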