10-10-2010 09:30 PM - edited 02-21-2020 10:25 AM
Hi,
I have ACS 5.2, Cisco 4507 switches and AD domain environment.
Planning on performing only machine authentication and not user authentication.
I have the following type of devices:
1. Windows XP SP3 and higher on the AD Domain
2. Devices to be installed with third-party supplicants, as they natively don't
support 802.1x.
If I ignore device type 2, and only consider device type 1, am I able to simply configure
802.1x for authentication based on machine against AD, without having to use any
certificates at all?
Taking device type 2 into account, given the devices are not on the domain and I don't
want to manually enter details into ACS, will I need to use a certificate for authentication?
Thanks
10-11-2010 06:53 AM
Hi,
Answering inline:
> If I ignore device type 2, and only consider device type 1, am I able to simply configure
> 802.1x for authentication based on machine against AD, without having to use any
> certificates at all?
[Ans] Yes, you can use PEAP which does not require certificate on the user, but the traffic is still encrypted.
Windows XP default supplicant has the option to "Use machine credentials...". If you check that box the PC will do machine authentication and send the machine credentials in the format host\machine.domain.
> Taking device type 2 into account, given the devices are not on the domain and I don't
> want to manually enter details into ACS, will I need to use a certificate for authentication?
[Ans] Well, if you want to do machine authentication, you need to create the machine entries in some database... can you please clarify exactly how you want to authenticate the type 2 devices.
Thanks,
Tiago
10-19-2010 11:04 PM
Hi Tiago,
Thanks for your reply. Some more questions.
>If I ignore device type 2, and only consider device type 1, am I able to simply configure
>802.1x for authentication based on machine against AD, without having to use any
>certificates at all?
>[Ans] Yes, you can use PEAP which does not require certificate on the user, but the traffic is still encrypted.
>Windows XP default supplicant has the option to "Use machine credentials...". If you check that box the PC will do machine authentication and send the machine credentials in the format host\machine.domain.
Using PEAP, wouldn't I need a certificate installed on the ACS? Or can it work without any certificate at all?
>Taking device type 2 into account, given the devices are not on the domain and I don't
>want to manually enter details into ACS, will I need to use a certificate for authentication?
>[Ans] Well, if you want to do machine authentication, you need to create the machine entries in some database... can you please clarify exactly how you want to authenticate the type 2 devices.
I was thinking, for devices that are not on the domain, to load a certificate on the machine.
If I were to have both type 1 and 2 devices, would it be possible to have domain devices authenticated using machine authentication against AD and the non-domain devices authenticated using a certificate installed on each device?
Thanks
10-19-2010 11:59 PM
Hi,
> Using PEAP, wouldn't I need a certificate installed on the ACS? Or can it work without any certificate at all?
[ANS] Yes, you always need a certificate on the ACS, but it can be a self-signed certificate that you can create with 2 clicks on the ACS itself. On the client machines you only have to make sure that you have the supplicant configured to not "Validate server certificate", so that you do not have any further complication with certs.
> I was thinking, for devices that are not on the domain, to load a certificate on the machine.
> If I were to have both type 1 and 2 devices, would it be possible to have domain devices authenticated using machine authentication against AD and the non-domain devices authenticated using a certificate installed on each device?
[ANS] Yes, you can. Non-domain devices could be authenticated simply by trusting the CA that issued the device certificate. Imagine you have CA "JEDI" issuing the devices' certs. You can configure the ACS to validate authentications only by trusting CA "JEDI". When a device tries to connect, it will send the certificate; the ACS simply checks the CA that issued the cert and, if it is trusted, it will accept the authentication.
In this scenario, you will need to use an authentication method which uses client certs for authentication, like EAP-TLS.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
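The CA-trust decision Tiago describes for the EAP-TLS case, reproduced with openssl as an added example (this is not code from the thread or from ACS). The CA names "JEDI" and "OTHER-CA", the device CNs and the throwaway keys are all constructed here; the script needs only a POSIX shell and the openssl CLI.

```shell
#!/bin/sh
# Added example: emulate the trust check an 802.1x/EAP-TLS server makes on a
# device certificate. Accept only certs that chain to the trusted CA "JEDI".
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA (1-day validity, constructed for this demo).
make_ca() {  # make_ca <ca-name>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a device certificate signed by the named CA.
issue_device_cert() {  # issue_device_cert <ca-name> <device-cn>
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# The server-side decision: does the presented cert chain to the trusted CA?
# Prints ACCEPT or REJECT; nothing else about the device is consulted, which is
# exactly why the issuing CA must be the only one the server trusts.
verify_device_cert() {  # verify_device_cert <trusted-ca-name> <device-cn>
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ACCEPT
  else
    echo REJECT
  fi
}

make_ca JEDI
make_ca OTHER-CA                    # a CA the server does NOT trust
issue_device_cert JEDI device01     # legitimately enrolled device
issue_device_cert OTHER-CA device02 # valid cert, wrong issuer

verify_device_cert JEDI device01    # ACCEPT
verify_device_cert JEDI device02    # REJECT
```

The client-side mirror of this check is the supplicant's "Validate server certificate" option: with it unchecked, as suggested above for the PEAP case, the client performs no equivalent verification of the ACS certificate, so the trade-off for simplicity is that the client cannot tell the real ACS from any other RADIUS server presenting a certificate.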