Jeff Powell
Guest

Posted: Fri Nov 11, 2005 9:50 pm
Post subject: RADIUS server on W2k3

I'm trying to set up security for my RADIUS server on W2k3. Basically what
I want to do is use RADIUS for authenticating a wireless user, but I don't
want them to be able to actually log in anywhere, either locally or via
Terminal Services. I have a captive portal which prompts the user for a
username and password. It then goes and checks with the RADIUS server, and
if it is authenticated, the user is let through our portal and can access the
Internet. This works fine. The problem is that I have created a "No Logon
Users" group in AD, and for that group I have enabled the "Deny log on
locally," "Deny log on as a service," "Deny log on as a batch job," "Deny
access to this computer from the network," and "Deny log on through Terminal
Services" policies. NTLM authentication will authenticate the user even if
he is a member of this group. For example, our proxy server is configured
to use NTLM or basic authentication. A member of the "No Logon Users" group
will be authenticated successfully, as intended.

However, a member of this group will not be authenticated by the Windows
RADIUS server. It gives an "Invalid username or password" error in the log.

So basically, it boils down to this: How can I allow a user to successfully
authenticate via RADIUS, while still preventing them from logging into a
computer on the domain?
Jeff
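One check that helps when diagnosing a situation like the one in the post is to see exactly which "Deny ..." user rights a group actually carries, rather than relying on what the GPO editor shows. The script below is an added example (not from the original post or from Microsoft) that parses the `[Privilege Rights]` section of a `secedit /export /cfg <file>` dump and lists every deny policy a given group SID appears under. The sample export, the domain SID for the "No Logon Users" group, and the `blocks_radius_auth` helper name are all constructed for the demo; the link between "Deny access to this computer from the network" and the RADIUS failure is what the post itself reports.

```python
"""Audit which 'Deny ...' user rights a group carries in a secedit export.

Added example, not code from the original post. It parses the
[Privilege Rights] section that `secedit /export /cfg <file>` writes and
reports every deny-right a given group SID is listed under. The sample
export and the domain SID below are constructed for the demo.
"""

# Privilege constants as they appear in a secedit export, mapped to the
# policy names shown in the Local Security Policy MMC.
DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "Deny log on locally",
    "SeDenyServiceLogonRight": "Deny log on as a service",
    "SeDenyBatchLogonRight": "Deny log on as a batch job",
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
    "SeDenyRemoteInteractiveLogonRight": "Deny log on through Terminal Services",
}

# Constructed sample export. Real exports are typically UTF-16 encoded;
# decode them to str before handing them to the parser.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyBatchLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed SID standing in for the "No Logon Users" group; in practice
# resolve the group's SID from the domain.
NO_LOGON_USERS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"


def parse_privilege_rights(text):
    """Return {privilege: [sid, ...]} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[Privilege Rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Entries are '*SID' (or a bare account name), comma separated.
        sids = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        rights[name.strip()] = sids
    return rights


def deny_rights_for(text, sid):
    """List the human-readable deny policies that apply to `sid`."""
    rights = parse_privilege_rights(text)
    return [DENY_RIGHTS[p] for p in DENY_RIGHTS if sid in rights.get(p, [])]


def blocks_radius_auth(text, sid):
    """True if `sid` is denied network logon, the right the original post
    reports as also causing the Windows RADIUS server to reject the user."""
    return sid in parse_privilege_rights(text).get("SeDenyNetworkLogonRight", [])


if __name__ == "__main__":
    for policy in deny_rights_for(SAMPLE_EXPORT, NO_LOGON_USERS_SID):
        print("applies:", policy)
    if blocks_radius_auth(SAMPLE_EXPORT, NO_LOGON_USERS_SID):
        print("note: network logon is denied; expect RADIUS authentication to fail")
```

To run this against a real server, export the effective policy with `secedit /export /cfg policy.inf`, read the file with the UTF-16 codec, and pass the resulting string together with the group's SID. Seeing `SeDenyNetworkLogonRight` in the output is the quickest way to confirm that the network-logon denial, not a bad password, is what the RADIUS log is really complaining about.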