topic peap authententication in Wireless

peap authententication

Network Pro — Sun, 04 Jul 2021 03:18:18 GMT

Hi,

what does Enable PEAP machine authentication mean on the ACS server ?

we are having a training center where we use certificates for any laptop (domain laptops) to join our wireless network. just wondering is there any possiblitly for any laptop (not on domain) to join without having the certificates ? say for example any android or iphone, is it possible to join the wireless network without having hte certificates ?

Thanks

peap authententication

Network Pro — Mon, 13 Jun 2011 09:03:50 GMT

any thoughts on the above ?

peap authententication

Dennis Kline — Mon, 13 Jun 2011 20:09:07 GMT

Sorry, I can't speak for ACS as that's outside my knowledge base...

but certificates are optional on PEAP.... so my answer would be "yes", a PEAP client without a certificate would be able to authenticate to the network...

Perhaps that is what the ACS option is for - to force using a certificate.. again, just a guess on my part

peap authententication

andrew.brazier — Tue, 14 Jun 2011 14:36:02 GMT

One way round this is to enable Machiine Access Restrictions. This will prevent any device that does not have a Windows Domain machine account (non-domain laptops, iPhones, iPads, etc) from authenticating even if it has a valid certificate and user credentials. You can enable this under the External Databases, Windows User Database Configuration. It's a tick box in the Windows EAP Settings section.

peap authententication

Network Pro — Tue, 14 Jun 2011 15:53:49 GMT

Thanks for the replies...

so could you please let me know how can i use a non domain device to join the wireless network without a certificate?

@andrew.brazier - i was told this option for not allowing iphones or ipads to join the network by using Machine Access Restictions - can you please let me know more about this feature and how it works

so in theory i would like to know how to join a non domain laptop to a wireless netowrk without certificates and how to prevent this as well (using MAR)

Thanks

peap authententication

Devashree Chakrabarti — Tue, 21 Jun 2011 06:58:26 GMT

" Peap machine authentication " - it means that ACS will authenticate those machine [host machines], which are a part of domain. The Iphone or Ipads cannot be a part of domain, therefore, they do not fall under machine-authentication.

If peap machine authentication is enabled on ACS server, then no non-domain laptop can access network.

For better security of wireless network, both machine and certificate authentication is enabled on ACS server.

Let me know if it helps.

thanks

Devashree

peap authententication

Network Pro — Tue, 21 Jun 2011 09:41:58 GMT

Thanks for your reply..

so if i enable peap machine authentication, are you saying no non domain laptops can access the network even if it has the certificates?

in short, i would like to know what is peap authentication and will it work on non domain laptops with or without certifcates ? and what is MAR and how does it work

sorry just being confused with this?

Thanks

peap authententication

andrew.brazier — Tue, 21 Jun 2011 12:54:47 GMT

If you enable PEAP authentication non-domain PCs can authenticate to the network provided they have the correct root cert installed (if you buy a cert from most providers this shouldn't be a problem).

Enabling MAR will prevent PCs that are not domain members from authenticating to the network, period.

peap authententication

Network Pro — Tue, 21 Jun 2011 13:17:36 GMT

thanks for the explanation...

Could you please also expain how to implement MARS. i know there is an option on the ACS to check this. do you have to do anything other than this ? and what meant by aging time that is specified with MAR..

peap authententication

andrew.brazier — Tue, 21 Jun 2011 14:00:22 GMT

External User Database, Database Configuration, Windows Database, Configure. Scroll down to Windows EAP settings and check the "Enable machine access restrictions".

It looks like I was slightly incorrect when I said a machine that is blocked by MAR has no access, if the user credentials are valid but the machine would be blocked by MAR then access can be granted by using the Group Map.... drop down to select an ACS group. The access the user then gets is controlled by the access permissions of that group so you should be able to make it pretty granular ad have it so an authenticated user on an authenticated machine = full access, authenticated user on an MAR-blocked machine = limited access.

It is also possible to create machine accounts in Windows AD for machines that don't normally have one such as Apple MACs, this then allows them to pass the MAR check.

From the ACS help system:

Aging time (hours)—The number of hours that Cisco Secure ACS caches a successful machine authentication. For as long as successful machine authentication is retained in the cache, the machine access restrictions feature can use it to determine whether to limit a user to the group specified in the group mapping list, below.
Group map for successful user authentication without machine authentication—When the machine access restrictions feature is enabled, this list specifies the user group whose authorizations are applied to an EAP-TLS or Microsoft PEAP user who passes authentication but uses a computer that failed machine authentication.

peap authententication

Network Pro — Tue, 21 Jun 2011 14:13:49 GMT

thanks for the reply