2

Trying to configure RADIUS for a college network, and have run into the following frustration:

I can't set an "AND" condition for group membership of authenticated objects in the network policy rules, e.g. I'm trying to create an NPS rule that says, essentially, "IF user is a member of [list of user groups] AND is authenticating from a computer in [wireless computer group] THEN allow access."

This does not work

The screenshot above is the rule I am having trouble with. It does not work as written. The rule underneath it, which is identical in every aspect except the conditions rule, does work.

This does work

I've tried changing the non-working rule to define each set of groups as "Windows group" rather than specifically as machine and user groups, with no change.

With the "faulty" rule enabled and the working one disabled, any attempt to log in with a valid account from a machine that is in the wireless computers group gives a 6273 audit event in the Windows event log: Reason code 66 - "the user attempted to use an authentication method that is not enabled on the matching network policy". Disabling the "faulty" rule, enabling the other rule and logging in with the same account and computer works just fine.

Rob Moir

2 Answers

3

Under the Conditions tab, rather than adding all groups into one condition rule, add a group to each rule/line. Basically, add a user group, then click Add and do it again, so that you'll have a list of "user groups" under the Condition column. When you add all groups into one condition line they default to OR.

Bret Fisher
  • Thanks Bret - I want several users groups in an "OR" statement together, and combine that with an "AND" - e.g. what I'm trying to say is "Allow users from any of the following groups AND who are using a computer in the following group" – Rob Moir Jun 06 '11 at 13:32
  • Your rules in the picture above do exactly what you just described. Are you trying to use NPS to allow computers on Wireless using 802.1x? If so you will have troubles trying to force computer AND user auth. I believe you'll need to choose one or the other. Windows will auth as computer when no user is logged in, and will auth as the user when someone is logged in... but not both at the same time. http://support.microsoft.com/kb/929847/en-us – Bret Fisher Jun 06 '11 at 14:55
  • You're absolutely right Bret. That is what we're trying to do and from that kbase article it won't work. How annoying. Thanks for your time! – Rob Moir Jun 06 '11 at 17:29
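The question reports the rejects only as "a 6273 audit event ... Reason code 66", and Bret's comment hinges on whether each 802.1X attempt is presented to NPS as a user or as a computer identity. The script below is an added example, not code from the thread or from Microsoft: it parses NPS Event ID 6273 ("Network Policy Server denied access to a user") from the Security log and tallies rejects by matched network policy, reason code and identity type. The EventData field names (SubjectUserName, CallingStationID, NASIdentifier, AuthenticationType, EAPType, NetworkPolicyName, ReasonCode, Reason) are the names NPS writes into 6273; the user/machine heuristic and the two sample events are my assumptions and constructed data, so the script also runs offline without a live log.

```powershell
# Added example, not part of the original thread: triage NPS "access denied"
# audit events (Security log, Event ID 6273) to see which network policy
# matched, the reason code, and whether the rejected identity was a user or
# a computer account. Field names are the EventData names NPS writes into
# 6273; the two sample events at the bottom are constructed, not real logs.

function ConvertFrom-Nps6273 {
    param([Parameter(Mandatory)][xml[]]$EventXml)

    foreach ($x in $EventXml) {
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Heuristic (assumption): computer authentication shows up as
        # DOMAIN\NAME$ or host/fqdn in the account name, user authentication
        # as DOMAIN\user or a UPN.
        $subject   = [string]$data['SubjectUserName']
        $isMachine = ($subject -like '*$') -or ($subject -like 'host/*')
        $time      = [System.Xml.XmlConvert]::ToDateTime($x.Event.System.TimeCreated.SystemTime, [System.Xml.XmlDateTimeSerializationMode]::Utc)

        [pscustomobject]@{
            Time           = $time
            IdentityType   = $(if ($isMachine) { 'Machine' } else { 'User' })
            Subject        = $subject
            CallingStation = $data['CallingStationID']
            NasIdentifier  = $data['NASIdentifier']
            AuthType       = $data['AuthenticationType']
            EapType        = $data['EAPType']
            Policy         = $data['NetworkPolicyName']
            ReasonCode     = [int]$data['ReasonCode']
            Reason         = $data['Reason']
        }
    }
}

function Get-Nps6273Summary {
    # Counts rejects per (policy, reason code, identity type). A policy that
    # rejects both identity types with the same reason code, from the same
    # calling station, is a sign the policy itself can never be satisfied.
    param([Parameter(Mandatory)][object[]]$Parsed)
    $Parsed |
        Group-Object Policy, ReasonCode, IdentityType |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# --- Live use: run elevated on the NPS server (the Security log is protected)
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 500
# Get-Nps6273Summary -Parsed (ConvertFrom-Nps6273 -EventXml ($live | ForEach-Object { [xml]$_.ToXml() }))

# --- Constructed sample events (not real log data): one user attempt and one
# --- computer attempt from the same wireless client, both hitting reason 66.
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID><TimeCreated SystemTime="2011-06-06T12:10:00.0000000Z" /></System>
  <EventData>
    <Data Name="SubjectUserName">COLLEGE\jsmith</Data>
    <Data Name="CallingStationID">00-11-22-33-44-55</Data>
    <Data Name="NASIdentifier">wlc-01</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">Microsoft: Secured password (EAP-MSCHAP v2)</Data>
    <Data Name="NetworkPolicyName">Wireless - users AND wireless computers</Data>
    <Data Name="ReasonCode">66</Data>
    <Data Name="Reason">The user attempted to use an authentication method that is not enabled on the matching network policy.</Data>
  </EventData>
</Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID><TimeCreated SystemTime="2011-06-06T12:12:00.0000000Z" /></System>
  <EventData>
    <Data Name="SubjectUserName">host/lab-pc-07.college.example</Data>
    <Data Name="CallingStationID">00-11-22-33-44-55</Data>
    <Data Name="NASIdentifier">wlc-01</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">Microsoft: Secured password (EAP-MSCHAP v2)</Data>
    <Data Name="NetworkPolicyName">Wireless - users AND wireless computers</Data>
    <Data Name="ReasonCode">66</Data>
    <Data Name="Reason">The user attempted to use an authentication method that is not enabled on the matching network policy.</Data>
  </EventData>
</Event>
'@
)

$parsed = ConvertFrom-Nps6273 -EventXml ($sampleEvents | ForEach-Object { [xml]$_ })
$parsed | Format-Table Time, IdentityType, Subject, Policy, ReasonCode -AutoSize
Get-Nps6273Summary -Parsed $parsed
```

On a real server, compare the Subject column against the group conditions in the matched policy: each 6273 carries a single identity, so if the policy requires membership in both a user group and a computer group, every attempt will show up here with one of the two conditions necessarily unmet, whichever identity type the client presented.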
1

What you are describing sounds like bonded authentication. This means that a user cannot successfully authenticate via 802.1x unless they have a valid machine session first. If this is what you need to accomplish, it is normally enforced on the WLC as opposed to RADIUS, in my experience.

keith