Restrict non-domain-joined computers from connecting to company wireless

  • Question

  • Dear Team,

    Currently we are planning to perform some changes on the NPS server and the wireless profile settings on Windows clients.

    1. Change the wireless authentication method from user/computer auth to computer auth only.

    2. Add one condition "domain name\domain computers" to the NPS policy so that only domain-joined computers are able to connect to our wireless.

    For step one, we use GP to deploy this setting to all domain PCs. It will take some time, as I am not sure how many computers will take this setting into effect.

    For step two, since the NPS policy allows any authentication to pass for now, shall we add the condition "domain name\domain computers" before the current one? For example:

    1_Policy: only allow domain-joined computers "domain name\domain computers".

    2_Policy: allow any authentication

    I suspect that if the authentication for 1_Policy fails, because maybe the GP doesn't take effect in time, it may use user auth as well, and then it will try 2_Policy and pass the authentication afterwards.

    Well, that's what we will do to restrict non-domain-joined computers from connecting to our company wireless. Please kindly let me know if it is correct or if you have any better suggestions.

    Thanks for your advice in advance.

    Regards,

    Steven

    September 2, 2018 13:42
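
Step one of the plan above depends on how many clients have actually picked up the new wireless profile. The following check is an added example and not code from the thread: it exports a client's wireless profile and reads the 802.1X `authMode` of its OneX settings (`machine`, `user`, `machineOrUser`), then runs the same check across a list of PCs over WinRM. The profile name `CorpWiFi` and the computer names are assumptions, and it assumes `netsh wlan export profile` can export the profile on the client.

```powershell
# Added example, not from the thread. Checks which 802.1X credential mode a
# Windows client's wireless profile actually uses after the GPO change.
# Assumptions: the profile name 'CorpWiFi' and the computer names are made up,
# and 'netsh wlan export profile' can export the profile on the client.

function Get-WlanAuthMode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ProfileName
    )

    # Export the profile to a fresh temp folder; netsh chooses the file name itself.
    $dir = New-Item -ItemType Directory -Path (Join-Path $env:TEMP ([guid]::NewGuid().ToString()))
    try {
        $null = netsh wlan export profile "name=$ProfileName" "folder=$($dir.FullName)"
        if ($LASTEXITCODE -ne 0) {
            throw "netsh could not export profile '$ProfileName' (exit code $LASTEXITCODE)"
        }
        $file = Get-ChildItem -Path $dir.FullName -Filter '*.xml' | Select-Object -First 1
        if (-not $file) { throw "No profile XML was written for '$ProfileName'" }

        [xml] $xml = Get-Content -Path $file.FullName -Raw

        # The 802.1X settings live in the OneX element under MSM/security.
        # PowerShell's XML adapter ignores namespaces for dot navigation.
        $oneX = $xml.WLANProfile.MSM.security.OneX
        if (-not $oneX) {
            $mode = 'none (profile is not 802.1X)'
        } elseif ($oneX.authMode) {
            $mode = $oneX.authMode
        } else {
            # authMode is optional in the OneX schema; when it is absent the client
            # behaves as machineOrUser, which is the state the GPO is meant to remove.
            $mode = 'machineOrUser (authMode absent, schema default)'
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Profile      = $ProfileName
            AuthMode     = $mode
            MachineOnly  = ($mode -eq 'machine')
        }
    }
    finally {
        Remove-Item -Path $dir.FullName -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Local check on this client.
Get-WlanAuthMode -ProfileName 'CorpWiFi'

# Fleet check: run the same function on a list of domain PCs over WinRM and
# count how many still allow user authentication. Computer names are made up.
$targets = 'PC-001', 'PC-002', 'PC-003'
$results = Invoke-Command -ComputerName $targets -ScriptBlock ${function:Get-WlanAuthMode} `
                          -ArgumentList 'CorpWiFi' -ErrorAction Continue
$results | Format-Table ComputerName, AuthMode, MachineOnly -AutoSize
'{0} of {1} clients are machine-only' -f @($results | Where-Object MachineOnly).Count, @($results).Count
```

Clients that report `machineOrUser` (explicitly or by the schema default) will still present a user credential when a user logs on, which is exactly the case the NPS policy order has to handle while the GPO is still rolling out.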

Answer

  • Hi,

    Thanks for your reply.

    When multiple network policies are configured in NPS, they are an ordered set of rules. NPS checks each connection request against the first rule in the list, then the second, and so on, until a match is found.

    It means that connections are allowed as long as one policy is met.

    Best regards,

    Travis


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by Syisme, September 14, 2018 1:39
    September 12, 2018 8:47
    Moderator
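
To make the first-match behaviour concrete, here is an added example (not code from the thread or from NPS itself) that models how NPS walks its ordered list of network policies: every condition of a policy must match, the first matching policy's access permission decides, and a request that matches no policy is rejected. It is applied to the two policies Steven lists, 01_Policy (Client Friendly Name `Wireless*` + Windows Group `Domain Computers`) and 02_Policy (`Wireless*` + `Specified Users Group`). The domain name `CORP`, the RADIUS client friendly names and the sample requests are made up.

```powershell
# Added example, not from the thread. A small model of how NPS evaluates its
# ordered list of network policies, applied to Steven's 01_Policy/02_Policy.
# Domain name 'CORP', RADIUS client friendly names and requests are made up.

function Test-NpsPolicyMatch {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] $Request
    )
    # All conditions of a policy must match (logical AND).
    # Client Friendly Name is a wildcard pattern on the RADIUS client (the AP or
    # controller). Windows Groups is checked against the groups of whichever
    # identity authenticated: the computer account for computer authentication,
    # the user account for user authentication.
    if ($Policy.ClientFriendlyName -and
        -not ($Request.ClientFriendlyName -like $Policy.ClientFriendlyName)) { return $false }
    if ($Policy.WindowsGroup -and
        -not ($Request.Groups -contains $Policy.WindowsGroup)) { return $false }
    return $true
}

function Get-NpsDecision {
    param(
        [Parameter(Mandatory)] [object[]] $Policies,   # already in processing order
        [Parameter(Mandatory)] $Request
    )
    foreach ($policy in $Policies) {
        if (Test-NpsPolicyMatch -Policy $policy -Request $Request) {
            # The first matching policy wins: its access permission (Grant or Deny)
            # decides and the remaining policies are never evaluated.
            return [pscustomobject]@{ Request = $Request.Name; Policy = $policy.Name; Access = $policy.Access }
        }
    }
    # No policy matched at all: NPS rejects the request.
    return [pscustomobject]@{ Request = $Request.Name; Policy = '(none)'; Access = 'Deny' }
}

$policies = @(
    [pscustomobject]@{ Name = '01_Policy'; ClientFriendlyName = 'Wireless*'; WindowsGroup = 'CORP\Domain Computers';      Access = 'Grant' }
    [pscustomobject]@{ Name = '02_Policy'; ClientFriendlyName = 'Wireless*'; WindowsGroup = 'CORP\Specified Users Group'; Access = 'Grant' }
)

$requests = @(
    # Domain-joined laptop, computer authentication: identity is the machine account.
    [pscustomobject]@{ Name = 'domain laptop, computer auth'; ClientFriendlyName = 'Wireless-AP-01'
                       Groups = @('CORP\Domain Computers') }
    # Personal Mac, user authentication with a user who is in the specified group:
    # 01_Policy does not match, 02_Policy does, so the non-domain machine is admitted.
    [pscustomobject]@{ Name = 'personal Mac, user auth (in group)'; ClientFriendlyName = 'Wireless-AP-02'
                       Groups = @('CORP\Domain Users', 'CORP\Specified Users Group') }
    # Personal laptop, user authentication with an ordinary domain user: nothing matches.
    [pscustomobject]@{ Name = 'personal laptop, user auth (not in group)'; ClientFriendlyName = 'Wireless-AP-02'
                       Groups = @('CORP\Domain Users') }
    # The same domain laptop arriving through a VPN gateway: Client Friendly Name fails.
    [pscustomobject]@{ Name = 'domain laptop via VPN client'; ClientFriendlyName = 'VPN-GW-01'
                       Groups = @('CORP\Domain Computers') }
)

$requests | ForEach-Object { Get-NpsDecision -Policies $policies -Request $_ } | Format-Table -AutoSize
```

Running it gives 01_Policy/Grant for the domain laptop, 02_Policy/Grant for the personal Mac, and (none)/Deny for the other two. The second row is the practical answer to Steven's follow-up: a policy that matches on a user group admits whichever device presents that user's credential, so 02_Policy only keeps non-domain devices out if the user accounts in `Specified Users Group` are never used from them.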

All replies

  • Hi,

    Thanks for your question.

    Your method is OK. I will provide another method for you to choose from.

    • create a group in ADUC and add the domain computers to the group. Because all domain computers are in the Computers container, it is easy to select the members of the group.
    • add one condition "Machine Groups" to the NPS policy to only allow the members of the group.

    Best regards,

    Travis



    September 3, 2018 8:33
    Moderator
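
The group approach above has one maintenance point worth building in: a computer joined to the domain later is automatically a member of Domain Computers (its default primary group) but not of a custom group, so the group has to be refreshed. The following is an added example, not code from the thread, that creates the group with the ActiveDirectory module, adds the enabled computer accounts from a container, and reports how many were missing so it can be re-run on a schedule. The group name `Wireless-Computers` and the search base `CN=Computers,DC=corp,DC=example` are assumptions. The Machine Groups condition that references the group is still set in the NPS console (or with `netsh nps`); the NPS PowerShell module does not cover network policies.

```powershell
# Added example, not from the thread. Builds the group Travis describes with the
# ActiveDirectory module and adds computers that are not yet members, so it can
# be re-run after new machines join. Group name and container path are made up.

Import-Module ActiveDirectory

$GroupName  = 'Wireless-Computers'                  # assumed name
$SearchBase = 'CN=Computers,DC=corp,DC=example'     # assumed container; use the OU(s) your computers live in

function Sync-WirelessComputerGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $SearchBase
    )

    # Create the security group once; later runs reuse it.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                             -Description 'Computers allowed on corporate wireless (NPS Machine Groups condition)' `
                             -PassThru
    }

    # Enabled computer accounts in the container, minus those already in the group.
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase | Where-Object Enabled
    $members   = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty DistinguishedName
    $missing   = @($computers | Where-Object { $members -notcontains $_.DistinguishedName })

    if ($missing.Count -gt 0) {
        # Add-ADGroupMember accepts the ADComputer objects directly.
        Add-ADGroupMember -Identity $group -Members $missing
    }

    [pscustomobject]@{
        Group        = $group.Name
        InContainer  = @($computers).Count
        AddedNow     = $missing.Count
        TotalMembers = @(Get-ADGroupMember -Identity $group).Count
    }
}

Sync-WirelessComputerGroup -GroupName $GroupName -SearchBase $SearchBase
```

Two caveats for production use: computers that live in other OUs need additional search bases, and `Get-ADGroupMember` stops at the server's group-member size limit (5000 by default), so a very large fleet is better enumerated through the `member` attribute of the group.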
  • Well! I have been told that a couple of the computers are on non-Windows platforms, like Mac Pro. Shall we make this kind of computer a member of Domain Computers so that it can also pass the NPS authentication by the condition "domain name\domain computers"? Thanks.

    Regards,

    Steven

    September 4, 2018 1:54
  • Hi,

    A non-Windows computer like a Mac can be a member of a domain, but I'm not sure whether the policy works.

    If the policy doesn't work, I recommend that you create specific domain users for non-Windows computers.

    Best regards,

    Travis



    September 4, 2018 8:12
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Travis



    September 7, 2018 9:12
    Moderator
  • Thanks Travis, we have applied the NPS policies and I would like to confirm some more things.

    1. 01_Policy

    -- Client Friendly Name: Wireless*

    -- Windows Group: xxxx\Domain Computers

    2. 02_Policy

    -- Client Friendly Name: Wireless*

    -- Windows Group: xxxx\Specified Users Group

    Will it work if the client is unable to pass 01_Policy and then meets the requirements of 02_Policy? Thanks.

    Regards,

    Steven

    September 12, 2018 5:04