802.1x wireless security question

Hello, I need some help with wireless security...

I am trying to design a strong security model for my company.

Proposed wireless network: WPA2 with AES encryption, PEAP using MS-CHAPv2 (no certs, except on the IAS server)

802.1X authentication via a Windows Server 2003 IAS server (against AD), using Cisco 4402 wireless switches

Within IAS, I have created a policy that authenticates users and computers based on this phrase:

NAS-Port-Type matches "Wireless - Other OR Wireless - IEEE 802.11" AND Windows-Groups matches "domain\\Domain Users;domain\\Domain Computers"

Looking at the IAS log, the policy correctly accepts or denies machines and users depending on whether they are a part of these groups or not. I'm hoping to authenticate the machine at boot-up (which is working fine) but also authenticate the username AND the machine name when the user logs in.

With these current settings, if a user logs in to any PC (even one from home), they fail the machine authentication, but if they use their correct domain username and password, they are allowed on the wireless network. Ideally, I would like to see the IAS server check the username and machine at the same time during user authentication, preventing this issue.

Can this be done?

david_klusas
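To make the behaviour described in the question concrete, here is an added example (not from the original post or from IAS itself) that models how a RADIUS server evaluates each 802.1X access request on its own against the two quoted policy conditions. The attribute names follow the post; the evaluation semantics (every request judged independently, the group condition satisfied by membership in any listed group) and the sample requests are assumptions constructed for illustration.

```python
# Added example: a minimal model of per-request policy evaluation, not IAS code.
# Assumption: IAS evaluates each RADIUS Access-Request independently, so the
# later user authentication carries no memory of the earlier machine result.

WIRELESS_PORT_TYPES = {"Wireless - Other", "Wireless - IEEE 802.11"}
ALLOWED_GROUPS = {"domain\\Domain Users", "domain\\Domain Computers"}


def policy_matches(request):
    """True when one access request satisfies BOTH policy conditions."""
    port_ok = request["NAS-Port-Type"] in WIRELESS_PORT_TYPES
    # "matches" on a semicolon-separated group list means ANY listed group.
    group_ok = bool(set(request["Windows-Groups"]) & ALLOWED_GROUPS)
    return port_ok and group_ok


def evaluate_session(requests):
    """Evaluate each request on its own; return (identity, decision) pairs.
    Nothing here links a machine request to a later user request."""
    return [(r["User-Name"], "Accept" if policy_matches(r) else "Reject")
            for r in requests]


# Constructed sample requests mirroring the scenario in the post:
# 1. a domain PC authenticates at boot with its computer account
# 2. a home laptop tries machine auth and is not in any domain group
# 3. the same user then supplies valid domain credentials on that laptop
SAMPLE = [
    {"User-Name": "host/corp-pc1.domain.local",
     "NAS-Port-Type": "Wireless - IEEE 802.11",
     "Windows-Groups": ["domain\\Domain Computers"]},
    {"User-Name": "host/home-laptop",
     "NAS-Port-Type": "Wireless - IEEE 802.11",
     "Windows-Groups": []},
    {"User-Name": "domain\\jsmith",
     "NAS-Port-Type": "Wireless - IEEE 802.11",
     "Windows-Groups": ["domain\\Domain Users"]},
]


def home_pc_user_gets_on(requests=SAMPLE):
    """True if the user credential request is accepted even though the
    preceding machine request from the same device was rejected."""
    decisions = dict(evaluate_session(requests))
    return (decisions["host/home-laptop"] == "Reject"
            and decisions["domain\\jsmith"] == "Accept")


if __name__ == "__main__":
    for identity, decision in evaluate_session(SAMPLE):
        print(f"{identity:30} -> {decision}")
```

Running it shows the third request accepted on its own, which is exactly the gap the question describes: the user request contains the user's groups but no attribute tying it to the earlier (failed) machine authentication, so no condition in this policy can check both at once.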
