Old 08-25-2008, 02:42 PM
Default Re: Remote Access with Multiple Groups


"Redleg6" wrote in message
news:OizkUOWBJHA.3828@TK2MSFTNGP06.phx.gbl...
>I work in a hospital that has a Win2003 domain. We also have a wireless
>network using 802.1x, WPA with Cisco AP's. We use IAS as our remote access
>server.


Why IAS? Why not just have them as Domain Members and forget it?

> We have two groups of wireless workstations, one group of medical
> stations and another of admin stations. We want medical personnel to be
> able to use either medical or admin workstations but we want admin
> personnel to be able to use only admin wireless workstations.
>
> At first I set up multiple groups. One group consisting of computers and
> another of users. Then in the remote access policy I stipulated that to
> gain access the connection had to come from the right computer group and
> right user group. Sounds OK but it does not work. If I include a group
> that has only computers in it the wireless connection always fails. No
> problem if I only have groups with users.


This really is not "remote access".
The wireless portion of the network is not a "different network". A WAP
does not create a "network",...it just replaces the physical "patch cables"
with a Radio Signal. It is effectively just a Switch without wires on the
Host side,...but is still wired on the "backbone" side.

1. Let the machines connect to the WAP using WPA with a Key,.....without any
kind of "user authentication".

2. The machines need to be Domain Members

3. In "Active Directory Users and Computers" go to the properties of each
"Administration Personnel" account involved in this and set a "list" of
machines they are allowed to connect from [Yes, it's a hassle],...you can't
do it with Groups. The users need to log into the machines with Domain
Level User Accounts,....not Local User Accounts. Active Directory will then
evaluate if the user is allowed to log in with that particular workstation.
Remove all local user accounts from these machines except for any that
really have to be there.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/l...chNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/l...chNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/p...s/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------
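Step 3 of the reply above is the per-user "Log On To" workstation list, which is the userWorkstations (LogonWorkstations) attribute on the user object. Maintaining it by hand in Active Directory Users and Computers is the hassle the reply mentions; the script below is an added example (not from the original post or from Microsoft) that fills the list for every member of an admin user group from the computers in an admin workstation OU. It assumes the ActiveDirectory PowerShell module (shipped with RSAT / Windows Server 2008 R2 and later, so newer than the 2003 domain in the question), and the group name and OU path are hypothetical placeholders.

```powershell
# Added example, not part of the original post: set the "Log On To" list
# (LogonWorkstations attribute) for admin users so they can only log on
# to admin wireless workstations. Medical users get no restriction.
# Assumes the ActiveDirectory module; group and OU names are placeholders.
Import-Module ActiveDirectory

$adminGroup = 'Admin Personnel'                                        # hypothetical user group
$adminPcsOU = 'OU=Admin Wireless,OU=Workstations,DC=example,DC=com'    # hypothetical OU

# Collect the NetBIOS names of the admin wireless workstations.
$adminPcs = Get-ADComputer -Filter * -SearchBase $adminPcsOU |
            Select-Object -ExpandProperty Name

# The attribute is one comma-separated string, not a multi-valued list.
$logonList = ($adminPcs -join ',')

# Apply the restriction to every (nested) user member of the admin group.
# Set-ADUser -LogonWorkstations replaces the whole list each time.
Get-ADGroupMember -Identity $adminGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Set-ADUser -Identity $_.DistinguishedName -LogonWorkstations $logonList
    }

# Verify what each admin user is now restricted to.
Get-ADGroupMember -Identity $adminGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName -Properties LogonWorkstations
    } |
    Select-Object SamAccountName, LogonWorkstations
```

Two points worth keeping in mind when using this approach. The domain controller enforces the list only for domain account logons, which is why the reply insists on domain accounts rather than local ones; a local account on the workstation is never checked against it. And because the script writes the complete list on every run, re-run it whenever an admin workstation is added to or removed from the OU, rather than editing individual users by hand.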

