Cisco Aironet 2700 - Sending "Computer-Name" as "User-Name" to NPS server

I have some Cisco Aironet 2700s running autonomous. I am trying to authenticate both the computer account and user account against AD before allowing a connection, using a 2008 R2 NPS server acting as a RADIUS server.

The problem seems to be that the APs are sending both the computer names and the usernames to the NPS server as a username.

For example here's what I pulled from the NPS log:
A computer name:  <Fully-Qualifed-User-Name data_type="1">HHH.COM\PC-LAP$</Fully-Qualifed-User-Name>
And a username: <Fully-Qualifed-User-Name data_type="1">HHH.COM\SomeUser</Fully-Qualifed-User-Name>

Here's my NPS config:
NPS-Config.jpg

And the config file from one of my APs:
ConfigFile-EE.txt

I've also attached screenshots from the access point if that helps.

My plan is to have two policies, first the one shown above, and then a second one that only checks the machine group in case no user is logged in.

Any help is appreciated.

Thanks.
2700-EncryptMgr.jpg
2700-ServerMgr.jpg
2700-ServerMgr-Global.jpg
2700-SSIDMgr.jpg
2700-Wireless-Summary.jpg
tiinettechAsked:

Craig BeckCommented:
It won't work that way.

The machine can be configured to send the computer credentials only, or the user credentials only, or the computer credentials THEN the user credentials, but not the computer credentials AND the user credentials simultaneously.

To add to that, your policy condition requires all 3 conditions to be true or it won't be matched. This means you're never going to get a match against that policy.

You would need two policies; one to authenticate computers and another policy to authenticate users, or use the same policy and set the "Windows Groups" condition (instead of machine and user groups) to be "Domain Computers" OR "Domain Users".

The key thing to remember is that each line-item in the condition is using the AND operator, while each variable on each line is an OR.
Craig BeckCommented:
I can't edit my first comment, but to clarify, your plan is correct.  One policy for user authentication and another below that for computer authentication if no user is logged in.
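To make the matching rules above concrete (conditions ANDed across lines, values ORed within a line, policies tried top to bottom), here is an added Python model that is not from the thread or from NPS itself. It parses constructed log lines shaped like the question's excerpt, treats a trailing "$" as a computer account, and uses hypothetical group names and memberships; the simplified assumption is that one RADIUS request carries one identity, so a Machine Groups line can only be satisfied by a computer account and a User Groups line only by a user account.

```python
import re

# Constructed sample lines in the shape of the NPS log excerpt quoted in the question.
SAMPLE_LOG = [
    '<Fully-Qualifed-User-Name data_type="1">HHH.COM\\PC-LAP$</Fully-Qualifed-User-Name>',
    '<Fully-Qualifed-User-Name data_type="1">HHH.COM\\SomeUser</Fully-Qualifed-User-Name>',
]
# Hypothetical AD group membership (assumed for this example, not from the thread).
GROUP_MEMBERS = {
    "Domain Computers": {"PC-LAP$"}, "Domain Users": {"SomeUser"},
    "Wifi-Computers": {"PC-LAP$"}, "Wifi-Users": {"SomeUser"},
}
NAME_RE = re.compile(r"<Fully-Qualifed-User-Name[^>]*>([^\\<]+)\\([^<]+)</Fully-Qualifed-User-Name>")

def parse_request(line):
    """Pull DOMAIN\\account out of one log line; a trailing '$' marks a computer account."""
    m = NAME_RE.search(line)
    if not m:
        raise ValueError("no Fully-Qualifed-User-Name element in line")
    domain, account = m.group(1), m.group(2)
    return {"domain": domain, "account": account,
            "kind": "computer" if account.endswith("$") else "user"}

def in_any_group(account, groups):
    """Values on one condition line are ORed: membership in any listed group is enough."""
    return any(account in GROUP_MEMBERS.get(g, set()) for g in groups)

def policy_matches(policy, req):
    """Condition lines are ANDed; the first line that fails rejects the whole policy."""
    for cond, values in policy["conditions"]:
        if cond == "Machine Groups":
            ok = req["kind"] == "computer" and in_any_group(req["account"], values)
        elif cond == "User Groups":
            ok = req["kind"] == "user" and in_any_group(req["account"], values)
        elif cond == "Windows Groups":
            ok = in_any_group(req["account"], values)
        else:
            raise ValueError(f"unsupported condition {cond}")
        if not ok:
            return False
    return True

def evaluate(policies, req):
    """Network policies are tried top to bottom; the first match wins, else no policy applies."""
    for p in policies:
        if policy_matches(p, req):
            return p["name"]
    return None

# The single combined policy: both group lines must hold, so no single request can match it.
COMBINED = {"name": "Wifi-Both", "conditions": [
    ("Machine Groups", ["Wifi-Computers"]), ("User Groups", ["Wifi-Users"])]}
# The two-policy layout from the thread: user policy first, computer policy below it.
TWO_POLICIES = [
    {"name": "Wifi-Users", "conditions": [("User Groups", ["Wifi-Users"])]},
    {"name": "Wifi-Computers", "conditions": [("Machine Groups", ["Wifi-Computers"])]},
]
```

Running `evaluate` over the two parsed sample lines shows the combined policy never matching either request, while the two-policy list routes the computer account to the second policy and the user account to the first.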
tiinettechAuthor Commented:
Question though: setting a policy to "Domain Computers" OR "Domain Users" would allow any device to connect as long as they had a valid domain username and password.
tiinettechAuthor Commented:
Can I accomplish what I want in combination with certificates somehow?
Craig BeckCommented:
If you want this...
I am trying to authenticate both the computer account and user account against AD, before allowing a connection using a 2008 R2 NPS server acting as a RADIUS server.
...then no.

As I say, you have to do one or the other. The reason for this is that Microsoft doesn't support something called EAP-Chaining, which would require the computer and the user to authenticate first before access is granted. This means you have to live with simply authenticating the computer first and letting it get network access, then re-authenticating the user account upon login.

There are pros and cons with this though. Many argue that, if the computer is authenticated, why authenticate the user at the network level if AD is already doing that at the computer level. Unless you're imposing extra network-level restrictions, such as putting users in different security groups into different VLANs for example, there's not much point in doing network-level user auth.

What is your reason for wanting to do user auth?
tiinettechAuthor Commented:
I'm trying to impose a standard for all our locations worldwide. The two-level authentication is more of a concern when we deploy to China. They've had their Wifi cracked before, which makes me want to pump as much security into our Wifi security as I can.

But at the same time not making it complicated or cumbersome to maintain on the IT side or for the user to connect.
Craig BeckCommented:
I'd just go with computer authentication then.  EAP-TLS (not TTLS) is secure as long as you use your own internal CA to issue the NPS and computer certificates, and you enable the 'Validate server certificate' option.

The settings can be configured using GPO.

Configure your WLAN to use WPA2/AES.

Seth SimmonsSr. Systems AdministratorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.