<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Wired Dot1x and forcing machine auth on windows in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/wired-dot1x-and-forcing-machine-auth-on-windows/m-p/336051#M432809</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Right, you need AuthMode = 2.&lt;/P&gt;&lt;P&gt;If only allowing domain members onto the network is the primary goal, then you may also want to consider:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;* The Machine Access Restriction feature on ACS (what you referred to before as a cache, but it does help for mitigation of this threat).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;* Denying dial-in permissions on user accounts (but this may break other things you may be using for remote access).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Example: If someone brought in their PC from home with virtually any supplicant on it, they're on the network as long as their NT credentials check out (whether machine-auth fails or not, b/c remember they can configure their own supplicant).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 27 Jan 2005 14:11:40 GMT</pubDate>
    <dc:creator>jafrazie</dc:creator>
    <dc:date>2005-01-27T14:11:40Z</dc:date>
    <item>
      <title>Wired Dot1x and forcing machine auth on windows</title>
      <link>https://community.cisco.com/t5/network-access-control/wired-dot1x-and-forcing-machine-auth-on-windows/m-p/336049#M432807</link>
      <description>&lt;P&gt;I've got wired dot1x authentication working OK. The ACS server backs off to a Windows domain, so machine-level authentication works fine. However, I can't see a way of forcing Windows to only ever do machine authentication. Has anyone else looked at this? I could enable the option on the ACS server to require a previous machine auth before it accepts a user auth, but it can only cache this for a limited amount of time. The only way to get a machine auth is for there not to be a user logged on at the time. If we accept user auth then any user can bring their own machine onto the network, but this is what we want to stop; we want to only allow bank standard (i.e. domain member) machines on the network.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;cheers&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Mike&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 20:59:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wired-dot1x-and-forcing-machine-auth-on-windows/m-p/336049#M432807</guid>
      <dc:creator>mweavind</dc:creator>
      <dc:date>2019-03-10T20:59:13Z</dc:date>
    </item>
    <item>
      <title>Re: Wired Dot1x and forcing machine auth on windows</title>
      <link>https://community.cisco.com/t5/network-access-control/wired-dot1x-and-forcing-machine-auth-on-windows/m-p/336050#M432808</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wificomp.mspx#EEAA" target="_blank"&gt;http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wificomp.mspx#EEAA&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Search for AuthMode - Registry Settings&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 27 Jan 2005 07:19:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wired-dot1x-and-forcing-machine-auth-on-windows/m-p/336050#M432808</guid>
      <dc:creator>Florian Sontheim</dc:creator>
      <dc:date>2005-01-27T07:19:12Z</dc:date>
    </item>
    <item>
      <title>Re: Wired Dot1x and forcing machine auth on windows</title>
      <link>https://community.cisco.com/t5/network-access-control/wired-dot1x-and-forcing-machine-auth-on-windows/m-p/336051#M432809</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Right, you need AuthMode = 2.&lt;/P&gt;&lt;P&gt;If only allowing domain members onto the network is the primary goal, then you may also want to consider:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;* The Machine Access Restriction feature on ACS (what you referred to before as a cache, but it does help for mitigation of this threat).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;* Denying dial-in permissions on user accounts (but this may break other things you may be using for remote access).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Example: If someone brought in their PC from home with virtually any supplicant on it, they're on the network as long as their NT credentials check out (whether machine-auth fails or not, b/c remember they can configure their own supplicant).&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 27 Jan 2005 14:11:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/wired-dot1x-and-forcing-machine-auth-on-windows/m-p/336051#M432809</guid>
      <dc:creator>jafrazie</dc:creator>
      <dc:date>2005-01-27T14:11:40Z</dc:date>
    </item>
  </channel>
</rss>