topic Re: PEAP with computer authentication in Wireless

PEAP with computer authentication

remco.gussen — Sat, 03 Jul 2021 21:47:30 GMT

I was wondering if it is posible to use computer authentication as well as user authentication with PEAP ? I need to make a design with a WLC and ACS. The ACS checks the correct Active Directory global group for user authentication. I also want to check the membership of a client computer in the Active Directort. Computer not member of domain, no access to WLAN. Is this posible ?

Another question, is it posible to do a trace (after three weeks) to find out witch user was connected to the wireless network, based on the ip address ?

GR.

Remco

Re: PEAP with computer authentication

Jagdeep Gambhir — Wed, 17 Oct 2007 14:16:32 GMT

Hi Remco,

Yes that is very much possible. Please check this link,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

On ACS --->ext db-->group mapping ---> default---> you need to set 'all other combinations should be mapped to No access acs group.

This will deny user/computer access if it is not a part of any defined group.

For tracing user you can set up radius accounting , that will let you know who/when logged in.

Regards,

~JG

Please rate helpful posts

Re: PEAP with computer authentication

jorge.s — Wed, 17 Oct 2007 15:28:01 GMT

could you explain how you turn on the radius accounting on the AP?

Re: PEAP with computer authentication

Jagdeep Gambhir — Wed, 17 Oct 2007 16:04:35 GMT

Here is the link,

http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/configuration/guide/s34radi.html#wp1035086

Please rate helpful posts

Regards,

~JG

Re: PEAP with computer authentication

remco.gussen — Wed, 17 Oct 2007 18:43:31 GMT

Hi JG

Thank you for the reply.

In the manual / link: Permit Machine Authentication... Is this mandatory or optional ? In ACS you can map a group to an external (AD) database. In AD you create a global group with usernames. You can link this group to the ACS group. Right now these are just users. Or do i need to put the computer accounts in the same glabal group ? Or nest theme ? Can you do a logical AND operation to map a ACS group ? If member of AD group "wireless users" AND if member of AD group "wireless computers", then map to ACS group and access is permitted....

Hope this is a clear description...

Regards

Remco

Re: PEAP with computer authentication

Jagdeep Gambhir — Thu, 18 Oct 2007 19:28:22 GMT

Remco,

Machine authentication is optional.

When machine authentication is enabled, the authentications occur in this order:

When starting a computer,

* Machine authentication-ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows user database. If you use Active Directory and the matching computer account in Active Directory has the same credentials, the computer gains access to Windows domain services.

* User domain authentication-If machine authentication succeeded, the windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user credentials are authenticated by using cached credentials that the local operating system retains. When a user is authenticated by cached credentials instead of the domain, the computer does not enforce domain policies, such as running login scripts that the domain dictates.

* You can also have only user authentication without machine authentication. It only gives problem in case of first time user that is not yet registered once on the AD. So with machine authentication you have network connection to AD, and therefore first time user have no problem. In addition without machine authentication (no access to AD during user

In machine authentication AD and machine will generate its own password (you don't know it) and username = machinename, for the dot1x authentication. So after boot up the machine will do dot1x with this machine credetial. As soon you type CTRL-ALT-DEL user login will start.

Hope that helps

Regards,

~JG

Please rate helpful posts

Re: PEAP with computer authentication

remco.gussen — Fri, 19 Oct 2007 07:54:25 GMT

Thanks JG

Problem is that the customer wants to check if the computer is member of the company.. If not, than it is a guest and just "guest" = internet access.

After check computer = company property, then further authentication...

GR.

Remco

Re: PEAP with computer authentication

Premdeep Banga — Sat, 20 Oct 2007 16:44:52 GMT

If you want that user authentication should only proceed when a machine has been determined to be valid machine.

OR If I say, do not allow a user to get into network, until and unless his/her machine is a valid machine on domain.

If that is what you are looking for, the go for MAR (Machine Access Restriction) on ACS.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/UsrDb.html#wp354105

It is under External User Databases > Database Configuration > ..Windows...

Regards,

Prem

Re: PEAP with computer authentication

remco.gussen — Sun, 21 Oct 2007 10:38:48 GMT

Hi Prem

It looks like the solution to my "problem".

I'm going to test this and hope the results are ok.

Thanks for your help !

Regards

Remco

Re: PEAP with computer authentication

erikszewczyk — Mon, 22 Oct 2007 14:49:26 GMT

FYI with Windows XP and earlier (I'm told this is fixed in Vista but havent had a chance to confirm) windows boxes will stop working with machine authentication when the machine password expires (by default every 30 days).

They are unable to reset their password because they cant get on the network, and they cant get on the network because their password has expired...

Just FYI for your testing and for machines that are infrequently network connected.

Erik

Re: PEAP with computer authentication

remco.gussen — Mon, 29 Oct 2007 07:59:49 GMT

I have another question about PEAP in Vista / XP:

In the network profile, under PEAP settings, you can select: "Validate Server Certificate". Then you have to select the correct Root Certificate.

If you DON'T select the "Validate Server Certificate" setting (and the root certificate is installed on the computer), everything works fine too.

Why is this setting ? It seems that it is not requiered to select it..

Gr.

Remco

Re: PEAP with computer authentication

erikszewczyk — Mon, 29 Oct 2007 15:52:59 GMT

It's not required to use this setting in order to connect; however if you do not use it clients do not validate the identity of your authentication servers and you leave yourself open to man in the middle attacks.

In production you should pretty much always have this setting turned on.

Re: PEAP with computer authentication

remco.gussen — Mon, 29 Oct 2007 15:59:18 GMT

I don't understand that. Can you explain that to me ?

Re: PEAP with computer authentication

erikszewczyk — Mon, 29 Oct 2007 16:17:23 GMT

If you have that setting enabled than prior to sending secured credentials a client will validate a server's identity using certificates.

Having this setting on will help to mitigate a potential attacker's ability to put in their own RADIUS server posing as yours.

Re: PEAP with computer authentication

remco.gussen — Mon, 29 Oct 2007 19:48:09 GMT

Ok, I understand that. You mean that there is no secure channel if this option is not enabled ?

What is the function of the certificate that must be in the store ? Keying material for the AES / TKIP encryption ?

If the option is not enabled, you are not using PEAP, isn't it ? How do you call it what you are using now ?

Gr.

Remco

Re: PEAP with computer authentication

erikszewczyk — Mon, 29 Oct 2007 19:58:07 GMT

I know that as the TLS channel is established the server sends the certificate to the client so that the client can confirm the identity of the server. My assumption would be that the TLS channel still gets established, but the client is just unable to confirm the identity of the server.

So without validating the certificate chain it's basically the equivilent to using self-signed HTTPS (a secure channel to a suspect target).

Some more information about PEAP with MSCHAP v2 here:

http://technet.microsoft.com/en-us/library/bb878077.aspx

Erik

EDIT: And keying for AES/TKIP doesnt happen at the RADIUS server at all (that is between the AP and client), so this setting would have no bearing.

Re: PEAP with computer authentication

remco.gussen — Fri, 02 Nov 2007 13:26:14 GMT

I can see the option "machine access restriction". But where can i configure the machines that are allowed ? Can I link it to a Windows Group ?

Re: PEAP with computer authentication

jafrazie — Fri, 02 Nov 2007 13:42:36 GMT

The allowed machines are built dynamically based on machine authentications.

Re: PEAP with computer authentication

remco.gussen — Fri, 02 Nov 2007 13:44:39 GMT

But than I can still bring my home laptop and log in. Isn't it ?

Re: PEAP with computer authentication

jorge.s — Wed, 28 Nov 2007 11:58:39 GMT

I've configured machine authentication, but everytime I try, I get Authen Failed:

Authen failed host/PAL3556.eu.ten Default Group 0040.96b0.f3c7 External DB user invalid or bad password .. .. 356 10.61.160.101 taxxx056 .. .. .. .. .. .. xxx0101 .. .. .. No 25 MS-PEAP (Default) .. .. .. .. .. .. .. .. .. .. .. .. .. ..