03-10-2015 01:37 PM - edited 03-10-2019 10:32 PM
I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
I'd rather not have to deploy user and machine certificates.
All I want to do is allow access to the wireless network only if the device and the user are in AD.
It's such a simple scenario that I must be missing something.
Any suggestions are welcome. Thanks in advance for your comments.
Lucas
03-10-2015 04:05 PM
It is possible to authenticate both user and machine, you can verify the computer account against an Active Directory (one method).
This document should help (Machine Authentication):
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/user/guide/acsuserguide/eap_pap_phase.html#28901
03-10-2015 04:17 PM
In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as the RADIUS backend. The last time I looked in the ACS release notes was 5.4, and it didn't have EAP-Chaining support.
Using the built-in Windows supplicant will only authenticate the user or the machine at any one time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed). What most people miss when they say this will work fine with the Windows supplicant and ACS is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine; this is mainly due to the shortcomings of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.
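As an added illustration of the MAR behaviour described in this reply (this is constructed example code, not from the thread and not Cisco ACS/ISE logic), the model below shows how a RADIUS server correlates an earlier machine authentication with a later user authentication purely by Calling-Station-Id, and the two ways that correlation fails. The aging time and MAC addresses are made up.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Constructed model of MAR (Machine Access Restrictions) correlation.
# Assumption: the server keys its cache on the client MAC carried in the
# RADIUS Calling-Station-Id attribute and expires entries after an aging time.

@dataclass
class MarCache:
    aging: timedelta = timedelta(hours=8)
    # client MAC -> time of the last successful machine (host/...) authentication
    machines: Dict[str, datetime] = field(default_factory=dict)

    def machine_auth(self, mac: str, at: datetime) -> None:
        """Record a successful machine PEAP-MSCHAPv2 authentication."""
        self.machines[mac.lower()] = at

    def user_auth(self, mac: str, at: datetime) -> Tuple[bool, str]:
        """Decide a user authentication whose AD credentials already validated.

        The only link between the two authentications is the MAC address;
        nothing cryptographic ties the user session to the machine session,
        which is the shortcoming the reply above refers to.
        """
        seen = self.machines.get(mac.lower())
        if seen is None:
            return False, "no machine authentication on record for this MAC"
        if at - seen > self.aging:
            return False, "machine authentication aged out"
        return True, "user authenticated from a machine-authenticated MAC"

def demo() -> Dict[str, Tuple[bool, str]]:
    """Run three constructed scenarios against a fresh MAR cache."""
    cache = MarCache(aging=timedelta(hours=8))
    t0 = datetime(2015, 3, 10, 8, 0)
    laptop = "00:11:22:33:44:55"   # constructed MAC of a domain-joined client
    cache.machine_auth(laptop, t0)  # machine logged on at 08:00
    return {
        # user logs on an hour later: accepted, MAR entry still fresh
        "same_day": cache.user_auth(laptop, t0 + timedelta(hours=1)),
        # user logs on after the aging window: denied even though the
        # machine is legitimately in AD (the common MAR operational drawback)
        "aged_out": cache.user_auth(laptop, t0 + timedelta(hours=9)),
        # device with no machine auth on record: denied
        "unknown": cache.user_auth("66:77:88:99:aa:bb", t0 + timedelta(hours=1)),
    }
```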
03-24-2015 02:51 PM
Thanks for your reply. I believe that you are correct and the EAP-Chaining is the solution.
Do you know what the "Enable machine authentication" check box does under "End User Authentication Settings" on the first tab of the Active Directory External Identity Store?
I would expect it to enforce machine authentication but this not the case.
03-24-2015 05:24 PM
I assume this is the way to enable the MAR feature.
03-24-2015 09:45 PM
The MAR feature has its own tab with an Enable Machine Access Restrictions check box, which makes me wonder what the other check box is for.
03-25-2015 09:39 AM
Maybe it will only authenticate users in AD if that is not checked? It's been a long time since I worked with ACS 5.x and AD.
03-25-2015 09:43 AM
03-25-2015 11:49 PM
You will need to add the AD groups you need from External Identity Stores --> AD --> Directory Groups to authenticate against.
05-12-2015 11:49 AM
So the only way to achieve user AND machine authentication is to use Cisco ISE?
It can't be implemented with Microsoft NPS?
05-12-2015 12:03 PM
The only reliable method, I would say, is EAP-Chaining, which is not supported by NPS and probably won't be, since NPS is going to be discontinued.
05-12-2015 12:28 PM
I'm not familiar with Microsoft NPS.
Based on this ISE deployment guide: http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2014/CVD-CampusDot1XDesignGuide-AUG14.pdf
for user and machine authentication, you need:
On page 112:“You have deployed both machine certificates and user certificates to Microsoft Windows workstations. However, only one of the certificates is used for authentication—the user certificate when a user is logged in and the machine certificate when one isn’t. EAP Chaining allows you to authenticate using both certificates by using the Cisco AnyConnect Secure Mobility Client 3.1.”