Remote Access with Multiple Groups - Wireless


Thread: Remote Access with Multiple Groups

  1. Remote Access with Multiple Groups

    I work in a hospital that has a Win2003 domain. We also have a wireless
    network using 802.1x, WPA with Cisco AP's. We use IAS as our remote access
    server.

    We have two groups of wireless workstations, one group of medical stations
    and another of admin stations. We want medical personnel to be able to use
    either medical or admin workstations but we want admin personnel to be able
    to use only admin wireless workstations.

    At first I set up multiple groups. One group consisting of computers and
    another of users. Then in the remote access policy I stipulated that to gain
    access the connection had to come from the right computer group and right
    user group. Sounds OK but it does not work. If I include a group that has
    only computers in it the wireless connection always fails. No problem if I
    only have groups with users.

    How can I associate a specific user group with a specific computer group when
    using remote access for wireless connections?




  2. Re: Remote Access with Multiple Groups


    "Redleg6" wrote in message
    news:OizkUOWBJHA.3828@TK2MSFTNGP06.phx.gbl...
    >I work in a hospital that has a Win2003 domain. We also have a wireless
    >network using 802.1x, WPA with Cisco AP's. We use IAS as our remote access
    >server.


    Why IAS? Why not just have them as Domain Members and forget it?

    > We have two groups of wireless workstations, one group of medical
    > stations and another of admin stations. We want medical personnel to be
    > able to use either medical or admin workstations but we want admin
    > personnel to be able to use only admin wireless workstations.
    >
    > At first I set up multiple groups. One group consisting of computers and
    > another of users. Then in the remote access policy I stipulated that to
    > gain access the connection had to come from the right computer group and
    > right user group. Sounds OK but it does not work. If I include a group
    > that has only computers in it the wireless connection always fails. No
    > problem if I only have groups with users.


    This really is not "remote access".
    The wireless portion of the network is not a "different network". A WAP
    does not create a "network",...it just replaces the physical "patch cables"
    with a Radio Signal. It is effectively just a Switch without wires on the
    Host side,...but is still wired on the "backbone" side.

    1. Let the machines connect to the WAP using WPA with a Key,.....without any
    kind of "user authentication".

    2. The machines need to be Domain Members

    3. In "Active Directory Users and Computers" go to the properties of each
    "Administration Personnel" account involved in this and set a "list" of
    machines they are allowed to connect from [Yes, it's a hassle],...you can't
    do it with Groups. The users need to log into the machines with Domain
    Level User Accounts,....not Local User Accounts. Active Directory will then
    evaluate if the user is allowed to log in with that particular workstation.
    Remove all local user accounts from these machines except for any that
    really have to be there.


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Technet Library
    ISA2004
    http://technet.microsoft.com/en-us/l...chNet.10).aspx
    ISA2006
    http://technet.microsoft.com/en-us/l...chNet.10).aspx

    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/IS...cessRules.html

    Troubleshooting Client Authentication on Access Rules in ISA Server 2004
    http://download.microsoft.com/downlo...7/ts_rules.doc

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/p...s/default.mspx

    Microsoft ISA Server Partners: Partner Hardware Solutions
    http://www.microsoft.com/forefront/e...epartners.mspx
    -----------------------------------------------------
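    The two mechanisms discussed so far, modelled as an added example (this is
    not code from either poster, and the group, host, user and policy names are
    made up): a RADIUS policy evaluator in the style of IAS remote access
    policies, and the Active Directory "Log On To" workstation list. The point
    the model makes explicit is that an 802.1X supplicant sends machine
    authentication and user authentication as separate Access-Requests, each
    carrying a single identity, so one policy whose conditions require both a
    computer group and a user group can never be satisfied, which is the
    failure described in the first post. Two policies, one per identity type,
    plus the per-account workstation list handle the medical/admin split.

```python
"""Toy model of the two mechanisms discussed in this thread: an IAS-style
remote access policy evaluation for 802.1X, and the Active Directory
'Log On To' workstation restriction. Added example; all names are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One RADIUS Access-Request. An 802.1X supplicant presents exactly one
    identity per request: the computer account during machine authentication
    or the user account during user authentication, never both at once."""
    identity: str        # e.g. 'MED-WS01$' (computer) or 'drsmith' (user)
    groups: frozenset    # group memberships of that single identity


@dataclass
class Policy:
    """A remote access policy. Each entry in `conditions` is one
    Windows-Groups condition; conditions are ANDed, and the group names
    listed inside one condition are ORed."""
    name: str
    conditions: list
    grant: bool = True


def matches(policy, request):
    return all(any(g in request.groups for g in cond) for cond in policy.conditions)


def evaluate(policies, request):
    """Policies are tried in order; the first whose conditions all match
    decides. A request that matches no policy is rejected."""
    for policy in policies:
        if matches(policy, request):
            return ('accept' if policy.grant else 'reject', policy.name)
    return ('reject', None)


# Constructed directory data (hypothetical hosts, users and groups).
COMPUTER_GROUPS = {
    'MED-WS01$': frozenset({'Medical Workstations', 'Domain Computers'}),
    'ADM-WS01$': frozenset({'Admin Workstations', 'Domain Computers'}),
}
USER_GROUPS = {
    'drsmith': frozenset({'Medical Staff', 'Domain Users'}),
    'jclerk': frozenset({'Admin Staff', 'Domain Users'}),
}

# The original poster's attempt: one policy that requires membership in a
# computer group AND a user group. No single identity satisfies both.
BROKEN = [
    Policy('Wireless', [['Medical Workstations', 'Admin Workstations'],
                        ['Medical Staff', 'Admin Staff']]),
]

# One policy per identity type, so machine auth and user auth each match.
WORKING = [
    Policy('Wireless machines', [['Medical Workstations', 'Admin Workstations']]),
    Policy('Wireless users', [['Medical Staff', 'Admin Staff']]),
]

# AD 'Log On To' lists (userWorkstations attribute). Empty means any
# workstation. This is the per-account list described in the reply above;
# it is enforced at domain logon, not by the RADIUS server.
LOGON_WORKSTATIONS = {
    'drsmith': (),                        # medical staff: any workstation
    'jclerk': ('ADM-WS01', 'ADM-WS02'),   # admin staff: admin workstations only
}


def machine_request(computer):
    return Request(computer, COMPUTER_GROUPS[computer])


def user_request(user):
    return Request(user, USER_GROUPS[user])


def logon_allowed(user, workstation):
    allowed = LOGON_WORKSTATIONS.get(user, ())
    return not allowed or workstation.upper() in {w.upper() for w in allowed}


def session(policies, computer, user):
    """Machine auth when the workstation boots, then user auth and the
    AD workstation check when the user logs on (simplified ordering)."""
    machine, _ = evaluate(policies, machine_request(computer))
    user_auth, _ = evaluate(policies, user_request(user))
    return machine, user_auth, logon_allowed(user, computer.rstrip('$'))


if __name__ == '__main__':
    print('OP policy, machine auth :', evaluate(BROKEN, machine_request('MED-WS01$')))
    print('OP policy, user auth    :', evaluate(BROKEN, user_request('drsmith')))
    for comp, usr in [('MED-WS01$', 'drsmith'), ('ADM-WS01$', 'drsmith'),
                      ('ADM-WS01$', 'jclerk'), ('MED-WS01$', 'jclerk')]:
        print(f'{usr:8} on {comp:10}:', session(WORKING, comp, usr))
```

    Running it shows the original single policy rejecting both the machine
    request and the user request, while the split policies accept both and the
    workstation list is what finally keeps the admin account off the medical
    workstation. The model is deliberately minimal: real IAS also evaluates
    profile settings and EAP type, and the Log On To list is keyed on NetBIOS
    names, which is why the `$` is stripped before the comparison.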



  3. Re: Remote Access with Multiple Groups

    We need IAS to handle the remote connections from the wireless workstations.


    "Phillip Windell" wrote in message
    news:ukmXgKuBJHA.1892@TK2MSFTNGP04.phx.gbl...
    >
    > "Redleg6" wrote in message
    > news:OizkUOWBJHA.3828@TK2MSFTNGP06.phx.gbl...
    >>I work in a hospital that has a Win2003 domain. We also have a wireless
    >>network using 802.1x, WPA with Cisco AP's. We use IAS as our remote access
    >>server.

    >
    > Why IAS? Why not just have them as Domain Members and forget it?
    >
    >> We have two groups of wireless workstations, one group of medical
    >> stations and another of admin stations. We want medical personnel to be
    >> able to use either medical or admin workstations but we want admin
    >> personnel to be able to use only admin wireless workstations.
    >>
    >> At first I set up multiple groups. One group consisting of computers and
    >> another of users. Then in the remote access policy I stipulated that to
    >> gain access the connection had to come from the right computer group and
    >> right user group. Sounds OK but it does not work. If I include a group
    >> that has only computers in it the wireless connection always fails. No
    >> problem if I only have groups with users.

    >
    > This really is not "remote access".
    > The wireless portion of the network is not a "different network". A WAP
    > does not create a "network",...it just replaces the physical "patch
    > cables" with a Radio Signal. It is effectively just a Switch without
    > wires on the Host side,...but is still wired on the "backbone" side.
    >
    > 1. Let the machines connect to the WAP using WPA with a Key,.....without
    > any kind of "user authentication".
    >
    > 2. The machines need to be Domain Members
    >
    > 3. In "Active Directory Users and Computers" go to the properties of each
    > "Administration Personnel" account involved in this and set a "list" of
    > machines they are allowed to connect from [Yes, it's a hassle],...you
    > can't do it with Groups. The users need to log into the machines with
    > Domain Level User Accounts,....not Local User Accounts. Active Directory
    > will then evaluate if the user is allowed to log in with that particular
    > workstation. Remove all local user accounts from these machines except for
    > any that really have to be there.
    >
    >
    > --
    > Phillip Windell
    > www.wandtv.com




  4. Re: Remote Access with Multiple Groups

    "Redleg6" wrote in message
    news:eTKof56BJHA.1632@TK2MSFTNGP06.phx.gbl...
    > We need IAS to handle the remote connections from the wireless
    > workstations.


    There is nothing remote here. The WAPs are connected to your local
    LAN,..therefore any machine that uses them is local. The WAP serves the
    same function as a LAN Switch but without the wires.

    To control who can log into what machines as you describe you want to
    do,...the machines need to be Domain Members and the users need to log in
    with Domain Accounts. Those Domain Accounts need to have the list of
    "approved" machines added to the Account Properties. Being "wired" -vs-
    "wireless" is totally irrelevant to this aspect of what you are asking.

    All the "security" on the WAP serves one purpose,...it protects the Radio
    Signal,...that's it. Some high-end Wired Switches have a "comparable"
    function with their Port Access Control (802.x? I forget..). But with the
    wireless using WPA with a WPA Key, in my opinion, is perfectly
    sufficient,...someone would have to drag me a long way kicking and screaming
    over broken glass to get me to feel that there was any need for using IAS
    with user authentication just to establish authorized contact with a "Radio
    Signal" instead of just using WPA with an encryption Key.
    I know some would disagree with me,..fine,..there always are,...but that is
    my recommendation and I feel pretty strong about it.

    I realize that medical facilities make heavy use of wireless due to the
    convenience of mobility and not having to run cable (and then moving the
    cables every time something is remodeled or moved). But all the wireless
    does is replace "wires" with a "radio signal", it is not creating a new
    network, it is not a separate network, and it is not "remote".

    --
    Phillip Windell
    www.wandtv.com




  5. Re: Remote Access with Multiple Groups

    I disagree with you. WPA with a static key is not sufficient security.
    Enterprise level wireless with dynamic keying gives us the security we need.


    "Phillip Windell" wrote in message
    news:eJ%23LqG8BJHA.2264@TK2MSFTNGP06.phx.gbl...
    > "Redleg6" wrote in message
    > news:eTKof56BJHA.1632@TK2MSFTNGP06.phx.gbl...
    >> We need IAS to handle the remote connections from the wireless
    >> workstations.

    >
    > There is nothing remote here. The WAPs are connected to your local
    > LAN,..therefore any machine that uses them is local. The WAP serves the
    > same function as a LAN Switch but without the wires.
    >
    > To control who can log into what machines as you describe you want to
    > do,...the machines need to be Domain Members and the users need to log in
    > with Domain Accounts. Those Domain Accounts need to have the list of
    > "approved" machines added to the Account Properties. Being "wired" -vs-
    > "wireless" is totally irrelevant to this aspect of what you are asking.
    >
    > All the "security" on the WAP serves one purpose,...it protects the Radio
    > Signal,...that's it. Some high-end Wired Switches have a "comparable"
    > function with their Port Access Control (802.x? I forget..). But with
    > the wireless using WPA with a WPA Key, in my opinion, is perfectly
    > sufficient,...someone would have to drag me a long way kicking and
    > screaming over broken glass to get me to feel that there was any need for
    > using IAS with user authentication just to establish authorized contact
    > with a "Radio Signal" instead of just using WPA with an encryption Key.
    > I know some would disagree with me,..fine,..there always are,...but that
    > is my recommendation and I feel pretty strong about it.
    >
    > I realize that medical facilities make heavy use of wireless due to the
    > convenience of mobility and not having to run cable (and then moving the
    > cables every time something is remodeled or moved). But all the wireless
    > does is replace "wires" with a "radio signal", it is not creating a new
    > network, it is not a separate network, and it is not "remote".
    >
    > --
    > Phillip Windell
    > www.wandtv.com




  6. Re: Remote Access with Multiple Groups

    "Redleg6" wrote in message
    news:u13UcV$BJHA.5196@TK2MSFTNGP04.phx.gbl...
    >I disagree with you. WPA with a static key is not sufficient security.
    > Enterprise level wireless with dynamic keying gives us the security we
    > need.


    In the end it doesn't matter here. Your question/goal really has nothing to
    do with wired -vs- wireless or any wireless security techniques.

    To control who can log into what machines as you describe you want to
    do,...the machines need to be Domain Members and the users need to log in
    with Domain Accounts. Those Domain Accounts need to have the list of
    "approved" machines added to the Account Properties. Active Directory will
    then evaluate if the user is allowed to log in with that particular
    workstation. Remove all local user accounts from these machines except for
    any that really have to be there.

    --
    Phillip Windell
    www.wandtv.com



