windowswindows2008

Working"DERIVATIONROLE"forDOMAINandPERSONALworkstationwithoutCPPMJan14-TutorialGoals:-SeparatingDOMAINandPERSONALWORKSTATION-DerivedroleforDOMAINusergroup/division-DerivedroleforPERSONALusergroup/divisionThisguideisforthosewhowanttoseparateDOMAINandPERSONALworkstationintheirnetworkwithoutClearPass.
Althoughtheresultisalmostthesame,butit'snotabullet-proofconfiguration.
Inmostcase,separationofDOMAINandPERSONALcanbeachievedbyusing"EnforceMachineAuthentication"in802.
1XAuthconfig.
OnDOMAINworkstationthatpassedbothmachineanduserauthentication,itcanhavederivedroleasstatedonServerGroup,butnotforPERSONALworkstationwhichonlyusing"userauthentication".
Forthissetup,Iamusing:-NPS(Windows2008)-ArubaController3600OS6.
3.
0.
2-AP105-1DomainLaptop-1PersonalLaptopSettingupController:-Basicsetup-RadiusforDomain-RadiusforPERSONAL-SERVERGROUPWhenyouconfigurewindowsEAP-MSCHAP2wirelesspropertywith"Automaticallyusewindowslogon",itwillloginusingformat:DOMAIN\USERNAME.
Inthiscase,myDOMAINisMITRA.
-AAAProfile(Basicconfigfor802.
1X)-802.
1XProfile(pleaseignorethename)-APGROUP,SSID(Basicconfigfor802.
1X)SettingupNPSPolicy:-Basicsetup-PolicyforDOMAIN-IT-PolicyforPERSONAL-IT-Don'tforgettocreateuseraccountoncontrollerthathasexactmatchwiththevalueoffilter-idoneachNPSPolicy.
-Createasmanypoliciesasyouneed,refertoyourownCompany'susergroup.
SettingupDOMAINworkstation:-ConnecttotheSSID-Bydefault,windowswilluseyourLOGINcredentialtoconnect.
OradmincanpushtheconfigfromGroupPolicy-Userconnectedtothenetworkwithdomain-role-Eventviewerlog(copied)NetworkPolicyServergrantedfullaccesstoauserbecausethehostmetthedefinedhealthpolicy.
User:SecurityID:MITRASOLUSI\yopianus.
lingaAccountName:MITRASOLUSI\yopianus.
lingaAccountDomain:MITRASOLUSIFullyQualifiedAccountName:mitrasolusi.
co.
vu/Users/YopianusLingaClientMachine:SecurityID:NULLSIDAccountName:-FullyQualifiedAccountName:-OS-Version:-CalledStationIdentifier:CallingStationIdentifier:NAS:NASIPv4Address:172.
16.
0.
254NASIPv6Address:-NASIdentifier:10NASPort-Type:Wireless-IEEE802.
11NASPort:0RADIUSClient:ClientFriendlyName:ArubaControllerClientIPAddress:172.
16.
0.
254AuthenticationDetails:ConnectionRequestPolicyName:1X-EMPLOYEENetworkPolicyName:DOMAIN-ITAuthenticationProvider:WindowsAuthenticationServer:ARUBALABS-SRV01.
mitrasolusi.
co.
vuAuthenticationType:MS-CHAPv2EAPType:-AccountSessionIdentifier:-QuarantineInformation:Result:FullAccessExtended-Result:-SessionIdentifier:-HelpURL:-SystemHealthValidatorResult(s):--Formanualconfig:SettingupPERSONALworkstation:-ConnecttotheSSID-Loginusingusernameandpassword-Userconnectedtothenetworkwithpersonal-role-EventViewerLog(Copied)NetworkPolicyServergrantedfullaccesstoauserbecausethehostmetthedefinedhealthpolicy.
User:SecurityID:MITRASOLUSI\yopianus.
lingaAccountName:yopianus.
lingaAccountDomain:MITRASOLUSIFullyQualifiedAccountName:mitrasolusi.
co.
vu/Users/YopianusLingaClientMachine:SecurityID:NULLSIDAccountName:-FullyQualifiedAccountName:-OS-Version:-CalledStationIdentifier:CallingStationIdentifier:000000000000NAS:NASIPv4Address:172.
16.
0.
254NASIPv6Address:-NASIdentifier:11NASPort-Type:Wireless-IEEE802.
11NASPort:0RADIUSClient:ClientFriendlyName:ArubaControllerClientIPAddress:172.
16.
0.
254AuthenticationDetails:ConnectionRequestPolicyName:1X-EMPLOYEENetworkPolicyName:PERSONAL-ITAuthenticationProvider:WindowsAuthenticationServer:ARUBALABS-SRV01.
mitrasolusi.
co.
vuAuthenticationType:MS-CHAPv2EAPType:-AccountSessionIdentifier:-QuarantineInformation:Result:FullAccessExtended-Result:-SessionIdentifier:-HelpURL:-SystemHealthValidatorResult(s):-AsIsaidearlier,thissetupisnotbullet-proof.
Whenpersonaluserloginwithformat:DOMAIN\USERNAME,theywillgetdomainrole.
Thereareno"workaround"forthishole.
(notwithoutCPPM:D)CheersYopianusLingaSeniorEngineer/ACMP