Trying to configure RADIUS for a college network, and have run into the following frustration:
I can't set an "AND" condition for group membership of authenticated objects in the network policy rules, e.g. I'm trying to create a NPS rule that says, essentially "IF user is a member of [list of user groups] And is authenticating from a computer in [wireless computer group] then allow access.
The screenshot above is the rule I am having trouble with. It does not work as written. The rule underneath it, which is identical in every aspect except the conditions rule, does work.
I've tried changing the non-working rule to define each set of groups as "Windows group" rather than specifically as machine and user groups, with no change.
With the "faulty" rule enabled and the working one disabled, any attempt to login with a valid account from a machine that is in the wireless computers group gives a 6273 audit event in the windows event log: Reason code 66 - "the user attempted to use an authentication method that is not enabled on the matching network policy". Disabling the "faulty" rule, enabling the other rule and logging in with the same account and computer works just fine.
Under conditions tab, rather then adding all groups into one condition rule, add a group to each rule/line. Basically add a user group, then click add do it again, where you'll have a list of "user groups" under condition column. When you add all groups into one condition line they default to OR.
what you are describing sounds like bonded authentication. this means that a user can not succesfully authenticate via 802.1x unless they have a valid machine session first. If this is what you need to accomplish it is normally enforced on the WLC as oppossed to Radius in my experience.