topic Wireless and Wired Network enforce user authentication with ACS in Network Access Control

Wireless and Wired Network enforce user authentication with ACS after computer authentication

ivan.martin — Mon, 11 Mar 2019 03:55:54 GMT

Hi my name is Ivan, i have an issue of control access in the wired and wireless network

Is possible to enforce computer authentication + user authentication with the ACS 5.3 after the computer authentication?

I have a network 802.1x eap peap to authenticate user and computer in the wired and wireless network.

The ACS has two policies to authenticate computers and users. We have 3 cases:

Case 1

When the user configures 802.1X SSID parameter specifying user or computer authentication, ACS successfully validated the computer and the user's account. This works very well

Case 2

When the user configures 802.1X SSID parameter specifying single user authentication, the ACS validates the computer prior to and after the user credential. This works fine.

Case 3

But when the user configures the SSID 802.1X parameters, specifying the computer authentication, ACS successfully validated only the computer, not the user account. When the computer was authenticated, the computer access to internet.

Need in the third case, the ACS validates both the computer and the user, when the user specifies the computer authentication and after the authentication of the computer

The case 1 and 2 works very good in the wireless and wired network.

Is possible to do it in the ACS?-

Wireless and Wired Network enforce user authentication with ACS

Scott Fella — Wed, 25 Sep 2013 02:51:16 GMT

I put something together a while ago and its in this thread. You have to use MARS and have two policies defined.

https://supportforums.cisco.com/message/3525141#3525141

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Wireless and Wired Network enforce user authentication with ACS

kcnajaf — Wed, 25 Sep 2013 02:55:50 GMT

Hi Ivan,

Not sure if you have gone through this link.

https://supportforums.cisco.com/thread/2123696

I think your issue is detailed in there.

Regards

Najaf

Please rate when applicable or helpful !!!

Wireless and Wired Network enforce user authentication with ACS

ivan.martin — Wed, 25 Sep 2013 02:56:46 GMT

Hi Scott

Thanks for your answer. MAR is enabled, I set the aging time in one month. but I need to enforce authentication of user after the authentication of the computer in the ACS 5.3

Is possible to do it?

Thanks

Wireless and Wired Network enforce user authentication with ACS

ivan.martin — Wed, 25 Sep 2013 03:02:04 GMT

Hi Najaf KC

Thanks for your answer. In the link say:

Jan 18, 2012 6:29 AM

Hi All;

Finally cisco TAC confirmed that there is no way that we can enforce user authentication with ACS.

1. when authenticate as computer option is selected on the laptop , and machine authentication on the ACS enabled.

what happens the laptop goes through machine authentication and it gains access, the customer wants to get prompted for a username and password if no user name or not correct username.pass provided then he wants to deny access.

ANS : With MAR we can enforce machine authentication, however in the ACS it is not possible to enforce user authentication, only machine authentication.

So you can't enforce the user auth to be the one who decides if the client is going to gain access or not after machine auth succeeds.

Thanks & Regards

Sreejith R

Exists any paper, pdf or link where explain this issue in the ACS?.

Thanks for your advice.

Wireless and Wired Network enforce user authentication with ACS

Jatin Katyal — Wed, 25 Sep 2013 03:14:18 GMT

Ivan,

In ACS 5.3, you can do machine authentication followed by a user authentication.

https://supportforums.cisco.com/docs/DOC-21825

~BR
Jatin Katyal

**Do rate helpful posts**

Wireless and Wired Network enforce user authentication with ACS

ivan.martin — Wed, 25 Sep 2013 03:58:14 GMT

Thanks Jatin Katyal

I see the link but according TAC is not possible to force the second authentication in the acs v5.3

Is this true?. Exist any paper or pdf where explain it?

Regards

Ivan

Wireless and Wired Network enforce user authentication with ACS

Jatin Katyal — Wed, 25 Sep 2013 04:04:19 GMT

that's not true.

Please check the below listed link:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase.html#wp1014866

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1171007

~BR
Jatin Katyal

**Do rate helpful posts**

Wireless and Wired Network enforce user authentication with ACS

Jatin Katyal — Thu, 26 Sep 2013 04:51:36 GMT

Did that help you understanding the machine and user authentication (MAR) concept with ACS 5.x?

~BR
Jatin Katyal

**Do rate helpful posts**

Wireless and Wired Network enforce user authentication with ACS

ivan.martin — Thu, 26 Sep 2013 16:22:02 GMT

Hola Jatin buen dia, para coincidir con el detalle del problema lo detallo en español.

El problema es el siguiente:

El usuario configura su tarjeta de red inalambrica para utilizar autenticacion de solo computadora.

Cuando el usuario realiza esto, la computadora envia su credencial de laptop del dominio, y el acs observa el call station id de la computadora del dominio, busca en su base de datos externa la cual es el Directorio Activo, y dado que esta coincide como objeto del dominio, se autentica a la red inalambrica.

Pero el acs en ningun momento pide la autenticacion de usuario, o el prompt de autenticacion de usuario, porque la computadora ya se autentico y autorizo como objeto del dominio.

Lo que se desea es que cualesquier configuracion que el usuario realize en la tarjeta de red inalambrica para que la autenticacion sea como computadora, usuario o computadora o solo usuario, el acs siempre valide autentique la computadora y la cuenta de usuario.

Que la politica de autenticacion sea un estamente Y y no un O. Cuando el usuario configura su tarjeta de red inalambrica como usuario o computadora, el acs si ejecuta la politica de autentica para usuario y computadora porque exige al usuario validar en primer lugar la computadora.

Nuestro problema es el descrito lineas abajo Politica de Autenticacion de Computadora + Usuario, siempre el ACS debe pedir el prompt de autenticacion para usuario, asi el atributo sea de solo computadora del lado del cliente.

Saludos.

Ivan

Wireless and Wired Network enforce user authentication with ACS

Jatin Katyal — Mon, 30 Sep 2013 23:51:01 GMT

Could you please post the same thing in english ?

~BR
Jatin Katyal

**Do rate helpful posts**

Wireless and Wired Network enforce user authentication with ACS

ivan.martin — Tue, 01 Oct 2013 04:41:59 GMT

Hi Jatin, the post in english

Jatin Hi good day, to match the detail of the problem as I detail in Spanish.

The problem is as follows:

The user configure his wireless network card to use computer-only authentication.

When the user does this, the computer sends the domain credential laptop, and look at the call station acs id domain computer, looking at its external database which is the Active Directory, and since this is the same as domain object, it authenticates the wireless network.

But the acs at any time ask for user authentication, or user authentication prompt because the computer already authenticate and authorize as domain object.

What is desired is that any settings that the user Realize the wireless network card for the authentication either as computer user or single-user computer, provided validate acs authenticate the computer and user account.

Let be an authentication policy and not a estamente And O. When the user configures your wireless network card as a user or computer, acs policy by running the user authenticates to computer because it requires the user to validate the computer first.

Our problem is the lines described below Computer Policy + User Authentication, ACS always should ask for user authentication prompt, so the attribute is the only client-side computer.

Greetings.

Ivan

Jatin Hi good day, to match the detail of the problem as I detail in Spanish.

The problem is as follows:

You configure your wireless network card to use computer-only authentication.

When the user does this, the computer sends the domain credential laptop, and look at the call station acs id domain computer, looking at its external database which is the Active Directory, and since this is the same as domain object, it authenticates the wireless network.

But the acs at any time ask for user authentication, or user authentication prompt because the computer already authenticate and authorize as domain object.

What is desired is that any settings that the user Realize the wireless network card for the authentication either as computer user or single-user computer, provided validate acs authenticate the computer and user account.

Let be an authentication policy and not a estamente And O. When the user configures your wireless network card as a user or computer, acs policy by running the user authenticates to computer because it requires the user to validate the computer first.

Our problem is the lines described abive Computer Policy + User Authentication, ACS always should ask for user authentication prompt, so the attribute is the only client-side computer.

Greetings.

Ivan