02-25-2005 08:07 AM - edited 03-10-2019 02:02 PM
In the process of deploying 802.1x on wired LAN. What is the difference between machine authentication and user authentication? Thanks in advance.
02-25-2005 02:55 PM
This should help:
<http://www.cisco.com/application/pdf/en/us/guest/netsol/ns75/c685/ccmigration_09186a0080259020.pdf>
For Microsoft's supplicant, you see this as "Authenticate as computer when computer information is available"
03-01-2005 07:20 AM
If I need to use both user and machine authentication, do I have to use EAP-TLS? So EAP-PEAP only uses user authentication? Thanks.
03-01-2005 08:27 AM
Assuming we're talking the Native Supplicant avail in the OS from MSFT, then you can only do EAP-TLS or PEAP for machine-auth. Also, whatever you do for machine-auth, you also need for user-auth.
03-01-2005 08:59 AM
Thanks. Yes. I am using the Native Supplicant from MSFT. So is there any difference between using TLS or PEAP? I would like to decide which one I should implement.
03-01-2005 10:26 AM
There are differences between PEAP and TLS, probably outside of the scope of this post. Want to discuss it here?
The most notable need or difference for TLS is the use of certificates. You'd need one for the machine, and one for every user that logs into your machine. Per PEAP, you should need no client-side certs, assuming network trust is a given.
Hope this helps,
03-02-2005 07:56 AM
If I need to prevent guest users and domain users with their own laptop from getting access to our LAN, I would like to set it up so that domain users can only log on using known devices. What would you recommend?
Do I need to use both machine and user authentication? Thanks.
03-02-2005 11:42 AM
OK, so assuming we're still talking the MSFT supplicant, you have some options:
1) Use EAP-TLS and mark any certs deployed to your corporate-owned assets as non-exportable. This solves the issue by brute force. You don't exactly need machine-authentication to do this. You may need machine-auth for other reasons (as I believe we've discussed here).
2) If PEAP is in use, use the machine-auth and the Machine-Access-Restriction feature in ACS. What this does is a coupling of the notions of machine-auth as a preceding policy decision for user-auth. Example: It is technically possible that anyone with a valid NT account may be able to 802.1x-authenticate from "any" machine. But with the machine-access-restriction feature, they will only be able to do so if ACS has also authenticated a valid machine-auth session prior to the login attempt.
3) Use a NAR in ACS. A NAR is a Network Access Restriction. If for example, you have a database of all the MAC Addresses you have (or an OID wildcard) you can configure further checking of a MAC address from an otherwise valid 802.1x authentication attempt. This effectively tells ACS to only allow authentication attempts from MAC Addresses it knows about.
Hope this helps.
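Added illustration of options 2 and 3 from the reply above (not code from the thread or from ACS): a constructed policy model in which a user-auth is only accepted when the MAC is in a known-asset database (the NAR check) and a successful machine-auth was recently seen from that same endpoint (the MAR check). The aging window, field names and MAC addresses are assumptions made up for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the two ACS checks described in the reply above:
# MAR (user-auth only after a recent machine-auth from the same endpoint)
# and a MAC-based NAR (only known corporate MACs may authenticate).
# Field names and the aging window are assumptions, not ACS configuration.

@dataclass
class PolicyState:
    mar_window: int = 3600                        # seconds a machine-auth stays valid (assumed)
    known_macs: set = field(default_factory=set)  # NAR: MAC addresses of corporate assets
    machine_auth_at: dict = field(default_factory=dict)  # mac -> time of last machine-auth

def norm_mac(mac):
    """Normalise MAC notation (aa:bb.., AA-BB.., aabb.ccdd..) to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def record_machine_auth(state, mac, now):
    """Called when the machine account (host/...) authenticated successfully."""
    state.machine_auth_at[norm_mac(mac)] = now

def nar_allows(state, mac):
    return norm_mac(mac) in state.known_macs

def mar_allows(state, mac, now):
    t = state.machine_auth_at.get(norm_mac(mac))
    return t is not None and 0 <= now - t <= state.mar_window

def decide_user_auth(state, user, mac, now, credentials_ok):
    """Policy decision for a user-auth attempt; returns (allowed, reason)."""
    if not credentials_ok:
        return False, f"{user}: credentials rejected"
    if not nar_allows(state, mac):
        return False, f"{user}: NAR denied, MAC {mac} is not a known asset"
    if not mar_allows(state, mac, now):
        return False, f"{user}: MAR denied, no recent machine-auth from {mac}"
    return True, f"{user}: allowed"

def run_scenario():
    """Constructed scenario: one corporate laptop, one personal laptop with a domain account."""
    state = PolicyState(known_macs={norm_mac("00:11:22:33:44:55")})
    # Corporate laptop boots at t=0 and machine-auths before anyone logs on.
    record_machine_auth(state, "00:11:22:33:44:55", now=0)
    return [
        decide_user_auth(state, "alice", "00:11:22:33:44:55", now=120, credentials_ok=True),
        # Same valid domain user, but from a personal laptop: the NAR stops it.
        decide_user_auth(state, "alice", "66:77:88:99:aa:bb", now=130, credentials_ok=True),
        # Corporate laptop, but the machine-auth has aged out of the MAR window.
        decide_user_auth(state, "alice", "00:11:22:33:44:55", now=5000, credentials_ok=True),
    ]
```

The third case shows the operational caveat of MAR: a machine that has been up longer than the aging window without re-authenticating will have its users denied until the host re-runs machine-auth.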
02-02-2007 07:39 AM
Are there any limitations in using the ACS appliance ver4 and remote agent when trying to use PEAP machine authentication?