Windows Radius Concurrent login


Jason Scott

Feb 7, 2017, 1:56:20 AM
to techies-for-schools
Hi

We are using 802.1x PEAP to authenticate our staff wireless clients from a Windows 2012 R2 NAP server. My question is: how do I limit concurrent logins into the wireless system using the Windows NAP server?

--
Jason Scott
IT Manager
021 367 663
MCSA





Alistair Baird

Feb 7, 2017, 2:15:17 AM
to techies-f...@googlegroups.com
You might find that limiting, as staff use their phones, tablets and their laptop concurrently.
--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-schools+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--
Alistair Baird
IT Manager
St Peters College 
p 06 354 4198
m 021 482 937

Jason Scott

Feb 7, 2017, 2:28:12 AM
to techies-for-schools
Hi

I have heard that there is a way of controlling the number of concurrent logins. My aim was to have the number of concurrent logins for students limited to 2 and possibly limit teacher concurrent logins to something like 4.


Tim Harper

Feb 7, 2017, 2:49:49 AM
to techies-f...@googlegroups.com
I never found a nice native way to do this so wrote my own scripts that run at login / log off time to limit the number of network logins.

This is of course different to joining the wifi network and we manage that separately via Ruckus which has some nice features here.  Ruckus authenticates devices using the Windows server and is capable of limiting wifi connections.  We limit to 4 devices by memory.  I'd have to dig out the details.  If you want those please log a query here:  http://query.connectedlearning.org.nz  (it is free!)


regards,

Tim Harper


Phone 03 443 5167 (messages cannot be left on this number)
Mobile 027 443 1236

t...@mtaspiring.school.nz
www.mtaspiring.school.nz

Simon - OBHS

Feb 7, 2017, 6:00:13 PM
to Techies for schools
I'm assuming you mean NPS server?

It is possible to limit but by MAC address filtering. I had done this in the past.
I wanted to limit the number of devices a student could connect to the network and also wanted to stop another student using their credentials on someone else's device, say to allow more than their allocation or if they had been banned, etc.

In order to do this I created my own registration portal that would record the MAC address of their device against their AD account, and the NPS policy would have to match their credentials with the requesting MAC address in order to be granted authentication. For the most part it worked really well, but we have since moved on and not worried too much about that level of control. We now use Linewize, which does what we want it to do for now.

In your NPS policy add a condition for "Calling Station ID" with this regular expression: (([0-9a-f]{1,2}-){5}([0-9a-f]{1,2}))

Their MAC address(es) need to be in the verify caller ID field on the Dial-In tab of AD.


What stumped me originally for a long time was how do you add multiple MAC addresses.

Turns out that the field is actually a list field, but the Dial-In properties just uses a text box.

Using ADSI Edit you can actually list/edit all MAC addresses individually.




My registration portal just invoked a PowerShell script to add or remove the MAC address from the student.

Example PowerShell script:

    Set-ADUser $Username -Add @{msNPCallingStationID="00-00-00-00-00-00";msNPSavedCallingStationID="00-00-00-00-00-00"}

I always added to both the main field and the 'saved' version as well (can't remember why).

Also, that snippet was from my user creation script as you need to have a fake/blank MAC address in the field else the NPS policy seems to just ignore the rule if the field is blank.


Hope this helps or is what you're after.

Hit me up if you need more info.
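
The add/remove step described in the post above, as an added example (not the poster's portal script): it goes one step further and enforces a per-user device cap before writing the MAC to both attributes. The function names, `$MaxDevices`, the sample username and MAC, and the assumption that the access points report Calling-Station-ID as lowercase hyphen-separated hex are all illustrative.

```powershell
# Added example: helper names, $MaxDevices and sample values are assumptions.
Import-Module ActiveDirectory

$Placeholder = '00-00-00-00-00-00'   # dummy entry from the post; keeps the field non-blank

function ConvertTo-CallingStationId {
    param([Parameter(Mandatory)][string]$Mac)
    # Strip separators, then rebuild as lowercase hex pairs joined by hyphens.
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Not a MAC address: $Mac" }
    ($hex -split '(..)' | Where-Object { $_ }) -join '-'
}

function Register-DeviceMac {
    param(
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$Mac,
        [int]$MaxDevices = 2          # e.g. 2 for students, 4 for teachers
    )
    $id   = ConvertTo-CallingStationId $Mac
    $user = Get-ADUser -Identity $Username -Properties msNPCallingStationID
    # Count real devices only; the placeholder does not use up a slot.
    $current = @($user.msNPCallingStationID | Where-Object { $_ -and $_ -ne $Placeholder })
    if ($current -contains $id) { return "already registered" }
    if ($current.Count -ge $MaxDevices) { throw "$Username already has $($current.Count) devices" }
    # Write both attributes, as the post does.
    Set-ADUser -Identity $Username -Add @{
        msNPCallingStationID      = $id
        msNPSavedCallingStationID = $id
    }
    "registered $id"
}

function Unregister-DeviceMac {
    param([Parameter(Mandatory)][string]$Username, [Parameter(Mandatory)][string]$Mac)
    $id = ConvertTo-CallingStationId $Mac
    if ($id -eq $Placeholder) { throw "Refusing to remove the placeholder entry" }
    Set-ADUser -Identity $Username -Remove @{
        msNPCallingStationID      = $id
        msNPSavedCallingStationID = $id
    }
}

# Usage (constructed values):
# Register-DeviceMac -Username 'jbloggs' -Mac 'AA:BB:CC:11:22:33' -MaxDevices 2
```

Calling-Station-ID is the MAC address the client presents, and a client can change it, so this caps device count for ordinary use rather than binding credentials to hardware. Devices that randomise their Wi-Fi MAC per network will need that feature turned off for the SSID before they are registered.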