Discussion:
Computer Account Attribute for RAS policy Condition
Loren
2008-07-10 16:30:05 UTC
Hello -

I'm trying to authenticate wireless users by their computer account instead
of their user account. Is there a way to add a computer account group
attribute (just like the Windows-Group attribute) so that it is one of the
policy conditions? Does a computer account group attribute even exist?

Thanks in advance!
James McIllece [MS]
2008-07-10 19:17:09 UTC
Hi Loren --

All you need to do is create your groups in AD Users and Computers, and
then add the computers to the group; then when you create a remote access
policy you can configure it to grant or deny access to members of the group
you created. That's all there is to it.

James McIllece [MS]
Loren
2008-07-11 16:29:54 UTC
Hi James -

Thanks for your input, I appreciate it.

I did create a security group and added the computer accounts to the group
and unfortunately that doesn't seem to work for me. However, I did add the
relevant user accounts to the group as well and bingo that worked. Although
both user and computer accounts are in the group I'd like to only use the
computer accounts. Currently the policy conditions are set as follows:

NAS-Port Type matches "Wireless - IEEE 802.11 OR Wireless - Other" AND
Windows-Groups matches domain\Wireless Laptops.

I also tried taking the user accounts out of the group and removed the
NAS-Port policy condition out of the policy leaving just the Windows-Group
and that doesn't work either.

Anyway, I'm sure I'm making this harder than it needs to be, perhaps there's
something obvious that I am missing?

Thanks again!
S. Pidgorny <MVP>
2008-07-17 13:06:51 UTC
If you only want to use computer authentication, you need to change the
AuthMode value on the clients - or any user logon will terminate computer
connection:

http://support.microsoft.com/kb/929847

(XP has a registry value of the same name.)

Also make sure you look in the system logs on IAS to see if connection
attempts from computers are there, and what the result is.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
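As an added example (not from the thread or from Microsoft), the following PowerShell script checks the two things raised above: whether the group behind the Windows-Groups condition actually contains only computer accounts, and what the client's AuthMode value is. It assumes the ActiveDirectory module (RSAT) is installed, uses 'Wireless Laptops' as a placeholder group name, and takes the registry path from KB 929847 rather than from the thread.

```powershell
# Added example, not part of the original thread.
# Part 1 runs on a domain-joined admin box with the ActiveDirectory module;
# part 2 runs on the (XP-era) wireless client itself.
param(
    [string]$GroupName = 'Wireless Laptops'   # placeholder for domain\Wireless Laptops
)

Import-Module ActiveDirectory

# 1. Group audit. The Windows-Groups condition is evaluated against whichever
#    account authenticated. If user accounts are also members, a user logon
#    satisfies the condition just as well as the computer account does.
$members   = Get-ADGroupMember -Identity $GroupName -Recursive
$computers = @($members | Where-Object { $_.objectClass -eq 'computer' })
$users     = @($members | Where-Object { $_.objectClass -eq 'user' })

"Group '$GroupName': $($computers.Count) computer account(s), $($users.Count) user account(s)"
foreach ($c in $computers) { "  computer: $($c.SamAccountName)" }   # computer SAM names end in '$'
if ($users.Count -gt 0) {
    "User accounts present; they will also match the Windows-Groups condition:"
    foreach ($u in $users) { "  user: $($u.SamAccountName)" }
}

# 2. Client-side check. Registry path is an assumption taken from KB 929847
#    (the XP registry value the post refers to); verify the value meanings
#    against that article before changing anything.
$eapolKey = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$authMode = (Get-ItemProperty -Path $eapolKey -Name AuthMode -ErrorAction SilentlyContinue).AuthMode
if ($null -eq $authMode) {
    "AuthMode is not set on this client; default behaviour applies (see KB 929847)."
} else {
    "AuthMode = $authMode (see KB 929847 for which value means computer-only authentication)"
}
```

Run part 1 before touching the policy: if the user count is non-zero, the policy cannot distinguish a user logon from a computer logon by group membership alone.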