
Radius 802.1x authentication with computer AND users.


Hi !

I don't know if what I'm trying to do is possible so please excuse me if this sounds silly :)

I have a Cisco Wireless LAN manager where I've configured 2 different SSIDs: COMPANY and COMPANY_mobiles.

What I want is to create a policy to restrict access to the COMPANY SSID to only my company laptops with authenticated users (both groups exist in the AD).

Therefore I created a new policy with the following conditions:

- NAS Port Type : Wireless

- Client IPv4 Address : <my cisco ip>

- Called Station ID : ^AA:BB:CC:DD:EE:FF:COMPANY$

- Users Groups : EUROPE\MY_USER_GROUP

- Machine Groups : EUROPE\Domain Computers

 

When trying to connect a notebook on Windows 7 to that COMPANY SSID, I'm being rejected with the following error:

User:
    Security ID:            EUROPE\HOSTNAME$
    Account Name:            host/HOSTNAME.my.server.com
    Account Domain:            EUROPE
    Fully Qualified Account Name:    EUROPE\HOSTNAME$

Authentication Details:
    Connection Request Policy Name:    Secure Wireless Connections
    Network Policy Name:        Connections to other access servers
    Authentication Provider:        Windows
    Authentication Server:       My.radius.server.com
    Authentication Type:        EAP
    EAP Type:            -
    Account Session Identifier:        -
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            65
    Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.

 

It therefore seems that it doesn't match my network policy and falls back to the default one.

If I remove the user rule and leave the computer rule: Connection OK

If I remove the computer rule and leave the user rule: Connection OK

But if I put both, I can't connect :s

 

Can someone help me with this issue?

 

Thanks a lot !

Geoffrey
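The three observations in the post (both conditions fail, either one alone works) follow from how NPS evaluates a network policy: every condition on the policy must hold for the request to match, and with PEAP a machine authentication and a user authentication are two separate RADIUS requests, each carrying a single identity (the computer account `host/HOSTNAME...` in the log above, or the user account). A request that presents only the computer account can never satisfy a User Groups condition, and a request that presents only the user account can never satisfy a Machine Groups condition, so the policy is skipped and the request falls through to the default "Connections to other access servers" policy, which produces the Reason Code 65 rejection. The Python model below is an added example, not NPS code and not from the original post; it assumes the group names, SSID and Called-Station-Id pattern from the post, a placeholder WLC address `192.0.2.10`, and a constructed user account `EUROPE\jdoe`.

```python
"""Toy model of NPS network-policy matching (constructed example, not NPS code).

Modelled rules:
  * policies are tried in order; the first one whose conditions ALL hold wins;
  * one RADIUS access request carries ONE identity: either the computer
    account (machine authentication) or the user account (user authentication);
  * a User Groups condition can only be satisfied by a user identity, and a
    Machine Groups condition only by a computer identity;
  * if no custom policy matches, the catch-all default policy applies.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import re


@dataclass(frozen=True)
class AccessRequest:
    identity: str            # e.g. "EUROPE\\HOSTNAME$" or "EUROPE\\jdoe"
    is_machine: bool         # True for a computer-account (host/...) authentication
    groups: frozenset        # AD groups the authenticating identity belongs to
    nas_port_type: str
    client_ip: str
    called_station_id: str   # "<AP MAC>:<SSID>" as in the poster's pattern (constructed)


@dataclass(frozen=True)
class Policy:
    name: str
    grant: bool
    nas_port_type: Optional[str] = None
    client_ip: Optional[str] = None
    called_station_id: Optional[str] = None   # regular expression, as in NPS
    user_groups: frozenset = frozenset()
    machine_groups: frozenset = frozenset()

    def matches(self, req: AccessRequest) -> bool:
        """All configured conditions must hold (NPS ANDs them)."""
        checks = []
        if self.nas_port_type is not None:
            checks.append(req.nas_port_type == self.nas_port_type)
        if self.client_ip is not None:
            checks.append(req.client_ip == self.client_ip)
        if self.called_station_id is not None:
            checks.append(re.search(self.called_station_id, req.called_station_id) is not None)
        if self.user_groups:
            # Only a user identity can be a member of a user group.
            checks.append((not req.is_machine) and bool(self.user_groups & req.groups))
        if self.machine_groups:
            # Only a computer identity can be a member of a machine group.
            checks.append(req.is_machine and bool(self.machine_groups & req.groups))
        return all(checks)


DEFAULT_POLICY = Policy(name="Connections to other access servers", grant=False)


def evaluate(policies, req: AccessRequest) -> Tuple[str, bool]:
    """Return (policy name, access granted) for the first matching policy."""
    for policy in list(policies) + [DEFAULT_POLICY]:
        if policy.matches(req):
            return policy.name, policy.grant
    raise AssertionError("unreachable: the default policy has no conditions")


# Constructed requests mirroring the two authentications a domain laptop performs.
WLC_IP = "192.0.2.10"   # placeholder for <my cisco ip>
MACHINE_AUTH = AccessRequest("EUROPE\\HOSTNAME$", True, frozenset({"EUROPE\\Domain Computers"}),
                             "Wireless", WLC_IP, "AA:BB:CC:DD:EE:FF:COMPANY")
USER_AUTH = AccessRequest("EUROPE\\jdoe", False, frozenset({"EUROPE\\MY_USER_GROUP"}),
                          "Wireless", WLC_IP, "AA:BB:CC:DD:EE:FF:COMPANY")


def company_policy(user_groups=(), machine_groups=()) -> Policy:
    """The poster's COMPANY policy, with the two group conditions switchable."""
    return Policy(name="COMPANY wireless", grant=True, nas_port_type="Wireless",
                  client_ip=WLC_IP, called_station_id=r"^AA:BB:CC:DD:EE:FF:COMPANY$",
                  user_groups=frozenset(user_groups), machine_groups=frozenset(machine_groups))


def run_scenarios():
    """Evaluate both authentications against the three policy variants from the post."""
    variants = {
        "both conditions": company_policy(["EUROPE\\MY_USER_GROUP"], ["EUROPE\\Domain Computers"]),
        "machine only": company_policy(machine_groups=["EUROPE\\Domain Computers"]),
        "user only": company_policy(user_groups=["EUROPE\\MY_USER_GROUP"]),
    }
    return {name: {"machine auth": evaluate([p], MACHINE_AUTH),
                   "user auth": evaluate([p], USER_AUTH)}
            for name, p in variants.items()}


if __name__ == "__main__":
    for variant, results in run_scenarios().items():
        for auth, (policy, granted) in results.items():
            verdict = "Access-Accept" if granted else "Access-Reject"
            print(f"{variant:16s} {auth:13s} -> {policy!r}, {verdict}")
```

Running it shows the "both conditions" variant sending both the machine and the user authentication to the default policy, while each single-condition variant admits the authentication it was written for. The model deliberately stops at what the post's event log supports; it does not model any mechanism for tying the two authentications together.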

