topic Machine Authentication with IAS (2003 Server) in Wireless

Machine Authentication with IAS (2003 Server)

ittichai_a — Sun, 04 Jul 2021 07:10:03 GMT

Hi all

I have the problem with machine authentication, our customer using Wireless Controller 2500 Series and need implement machine authentication on IAS server. So, as my understand is our controller may not change anything with configuration but we may configure IAS for support machine authentication, correct? but my question is how to? and is it work ?

Thanks

Machine Authentication with IAS (2003 Server)

Richard Atkin — Mon, 03 Jun 2013 09:55:45 GMT

Hi, that's correct, the only changes you need are in IAS / AD.

Depending if you're doing Machine and User authentication, or Machine-only authentication, the answer differs slightly.

For Machine and User, all you need to do us update IAS to permit members of the "Domain Computers" or "Domain Users" security groups. This will allow any AD-Registered User or Computer to authenticate. You can of course use different, more restrictrictive, Groups should you wish.

If you're doing Machine-only authentication, you'll need to configure IAS to only accept accounts that are a member of the "Domain Computers" group, and then using your Active Directory Domain Security Policy, you have to configure your Clients to perform "Machine Only" authentication. If you have Win7 Clients you can also configure this manually via the WLAN settings under the Security > Advanced Settings > 802.1X Settings > "Specify authentication mode: Computer Authentication" option.

Rich

Machine Authentication with IAS (2003 Server)

ittichai_a — Mon, 03 Jun 2013 10:02:50 GMT

Hi Richard

Thanks with your answer. So, I may ask you more question as if our client using XP, is it possible to support machine authentication?. As my understand we using compurter or user for authentication then, i must configure Domain Computer and Domain User, correct? One thing if our client are in sub folder such as Wireless Staff, So, in my group policy must add Domain computer and Wireless Staff or Domain computer, Domain User, Wireless Staff ? which on to add in group policy?

Thanks

Machine Authentication with IAS (2003 Server)

Jatin Katyal — Mon, 03 Jun 2013 10:03:23 GMT

In addition to what Rich suggested, machine authentication would appear as host/machine-name in the logs so if want you may add another condition where you may use username starts with host/ . really unsure if you have this attribute or condition in IAS remote access policy.

Also, in order to configure end-points to initiate only machine authentication, if you are using Windows XP SP2,

you've to do reg hack and in case of windows xp sp3 or vista, you need to create XML profile.

Jatin Katyal
- Do rate helpful posts -

Machine Authentication with IAS (2003 Server)

ittichai_a — Mon, 03 Jun 2013 10:10:02 GMT

Hi Jatin

I may not understand clearly so, can you explain me in deep? coz as i understand that we can do machine authentication with IAS ( Cisco Infra ) also. But I may not sure i am lose anything on IAS. T_T

Thanks

Machine Authentication with IAS (2003 Server)

Jatin Katyal — Mon, 03 Jun 2013 10:18:56 GMT

Which part is not clear, so that we can only talk about that feature/section?

I'll be away for an hour but will reply back soon.

Jatin Katyal
- Do rate helpful posts -

Machine Authentication with IAS (2003 Server)

Richard Atkin — Mon, 03 Jun 2013 10:22:03 GMT

Hi Ittichai,

I agree with Jatin, can you be more specific about what you want to know?

Failing that, if you're unfamiliar with IAS and configuring it for WLAN stuff, you might do well to start here;

http://technet.microsoft.com/en-us/library/cc756924%28v=ws.10%29.aspx

Richard

Machine Authentication with IAS (2003 Server)

ittichai_a — Mon, 03 Jun 2013 10:26:30 GMT

Hi All

I would like to say Thanks with your help so, i need to know the configuration and the idea for machine authentication

I may explain what I am understand with Machine authentication on IAS

We need to configure Group Policy on IAS ( Domain User and Computer) if we have computer authentication and user authentication. So, on the controller i do not need to do any thing except 802.1x configure. On the client, my client have join the domain and using PEAP authentication(Window XP). Normally it should pass machine and user authentication, correct? (Not concern about certificate)

Thanks

Re: Machine Authentication with IAS (2003 Server)

Scott Fella — Mon, 03 Jun 2013 11:31:56 GMT

On the WLC you do nothing. It's configured as 802.1x as any EAP authentication method. On IAS, you policy points to the Computer Group and since your using Windows XP, you need to change a registry value to 2 to perform machine authentication. By default, Windows XP doesn't send machine authentication. Windows 7 is different.

http://support.microsoft.com/kb/929847

To set the value of the AuthMode registry entry for Windows XP SP3 wireless connections, follow these steps:
Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
Double-click AuthMode, type the authentication mode in the Value box, and then click OK.
Exit Registry Editor.
Restart the computer.
The AuthMode registry entry is only valid for Windows XP SP3 wireless network connections. The following table lists the authentications mode for each value of the AuthMode registry entry.
Value Authentication mode
0 Use the default Windows XP authentication
1 Always perform user authentication when a user logs on
2 Perform computer authentication only

Sent from Cisco Technical Support iPhone App

Re: Machine Authentication with IAS (2003 Server)

ittichai_a — Mon, 03 Jun 2013 11:40:30 GMT

Hi Scott

Can I using Computer Authentication + User Authentication in the same time? from value 0-2 i do not see the message computer + user authentication together. Can it be ?

Thanks

Re: Machine Authentication with IAS (2003 Server)

Scott Fella — Mon, 03 Jun 2013 11:42:00 GMT

No... You can't even use that on windows 7 as it is user or computer not user and computer. It's one or the other.

Sent from Cisco Technical Support iPhone App

Re: Machine Authentication with IAS (2003 Server)

Scott Fella — Mon, 03 Jun 2013 11:43:24 GMT

It's how the windows operating system is designed. There is nothing you can do on the WLC or the IAS server to change that.

Sent from Cisco Technical Support iPhone App

Re: Machine Authentication with IAS (2003 Server)

ittichai_a — Mon, 03 Jun 2013 12:29:25 GMT

Hi Scott and Everyone

Thanks with your support

So, in the design from the customer, they need block private notebook via using machine authentication method otherwise using the username/password on the AD. In this senario can it be ?

Thanks

Re: Machine Authentication with IAS (2003 Server)

Scott Fella — Mon, 03 Jun 2013 12:33:07 GMT

You only can pick one. You either do machine authentication which will only allow domain computers or you use PEAP with username and password, but you can't control if personal devices connect. The only other option is to look at Cisco ISE which can profile devices but that will cost money. In your senerio, you have only two choices since you are using IAS.

Sent from Cisco Technical Support iPhone App

Re: Machine Authentication with IAS (2003 Server)

ittichai_a — Mon, 03 Jun 2013 12:44:40 GMT

Hi Scott

I am clear that is bad new for us because our customer told me that aruba can do this in the same system. It seem like aruba have feature firewall and policy to do something that will check machine authentication and username/password. If it is not match the policy it will reject the client.

T_T

THanks

Machine Authentication with IAS (2003 Server)

Jatin Katyal — Mon, 03 Jun 2013 13:10:20 GMT

We can perform machine and user authentication in sequence.

I know how to configure conditions on ACS 4.x, 5.x and ISE 1.x and they are well capable of checking both the authentications ( Machine and User). This feature is called MAR

In case you wish to study more about this feature.

Machine access restriction ( Machine and user authentication)

http://tools.cisco.com/squish/58323

The User or computer authentication actually sends a wrong message with windows 7 network settings. I've seen this working in so many deployments. This actually works with Windows XP and 7 both.

Anyways, just my 2 cents…

Jatin Katyal
- Do rate helpful posts -

Re: Machine Authentication with IAS (2003 Server)

Scott Fella — Mon, 03 Jun 2013 13:13:05 GMT

Yeah but that's using MARs and then you have to deal with the timeouts. I've tested that and really didn't like the outcome:)

Sent from Cisco Technical Support iPhone App

Re: Machine Authentication with IAS (2003 Server)

Scott Fella — Mon, 03 Jun 2013 13:15:04 GMT

Well that's Aruba and again, what they are doing is depending on the machine to get logged on first and then they cache that just like ACS would do and then the windows machine sends the user credentials after that. You have IAS.... Your limited to what you can do and what the client sends. By the way, they are probably also talking about using ClearPass not IAS.

Sent from Cisco Technical Support iPhone App

Re: Machine Authentication with IAS (2003 Server)

Jatin Katyal — Mon, 03 Jun 2013 13:17:58 GMT

This is a very common feature we work with. With Cisco radius server, it work like charm. If we have all the certificates in place with required configuration, we won't face any issues. I never configured this feature on IAS however, I can dig into later today and can try.

Jatin Katyal
- Do rate helpful posts -

Re: Machine Authentication with IAS (2003 Server)

Richard Atkin — Mon, 03 Jun 2013 13:36:12 GMT

Could always look at EAP-Chaining which allows you to use Machine Auth and User Auth at the same time, but it also requires a Cisco RADIUS Server and the Cisco AnyConnect Agent on the Client?...