I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. I was testing and everything was going fine until I did some failure testing.
My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
Note: In my Identity Store Sequence, I did enable the option:
For Attribute Retrieval only:
If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
but this only seems to work for internal identity stores (at least based on my testing).
Under my Access Policy Identity tab, I configured the following Advanced features:
And that didn't do anything either.
Any ideas? Thanks in advance.
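As an added example (not from the thread or from Cisco), a small Python audit that scans ACS "Steps" records for the fail-open pattern shown above: an AD machine lookup that reports "Machine not found" in a record that still ends in a RADIUS Access-Accept. The step messages are copied from the log in the post; the second sample record and its step codes are constructed for the example.

```python
import re
from typing import Iterable

# Step messages as they appear in the ACS 5.3 log quoted in the thread.
MACHINE_NOT_FOUND = "Machine not found in Active Directory"
ACCESS_ACCEPT = "Returned RADIUS Access-Accept"
# A step line is a 5-digit code followed by its message.
STEP_RE = re.compile(r"^\s*(?P<code>\d{5})\s+(?P<msg>.+?)\s*$")


def parse_steps(block: str) -> list[tuple[str, str]]:
    """Split one authentication record's Steps section into (code, message) pairs.
    Lines with no step code (e.g. 'Evaluating Identity Policy') get code ''."""
    steps = []
    for line in block.strip().splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group("code"), m.group("msg")))
        elif line.strip():
            steps.append(("", line.strip()))
    return steps


def accepted_despite_missing_machine(steps: list[tuple[str, str]]) -> bool:
    """True when AD reported the machine missing but the record still ended
    in Access-Accept: the fail-open behaviour described in the post."""
    msgs = [msg for _, msg in steps]
    return MACHINE_NOT_FOUND in msgs and ACCESS_ACCEPT in msgs


def audit(records: Iterable[str]) -> list[int]:
    """Return the indexes of records that fail open."""
    return [i for i, rec in enumerate(records)
            if accepted_despite_missing_machine(parse_steps(rec))]


# Record 0 is taken from the thread's log. Record 1 is constructed: same lookup
# failure, but the authorization policy denies access (the wanted outcome).
SAMPLE_RECORDS = [
    """Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
24433 Looking up machine/host in Active Directory
24437 Machine not found in Active Directory
12506 EAP-TLS authentication succeeded
Evaluating Authorization Policy
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept""",
    """Evaluating Identity Policy
24437 Machine not found in Active Directory
12506 EAP-TLS authentication succeeded
Evaluating Authorization Policy
15016 Selected Authorization Profile - DenyAccess
11003 Returned RADIUS Access-Reject""",
]

if __name__ == "__main__":
    print("fail-open records:", audit(SAMPLE_RECORDS))  # [0]
```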
In the authorization policy you can see that the default rule has been matched. However, it looks like the default rule result is to permit access. If you change this to "DenyAccess" I think you may get the desired result.
Currently, I only have the default rule configured in the authorization policy, which is to allow access. If I make that a deny all, then everything will be denied. (I tested that just as a sanity test.) Can I add a rule in my authorization policy to deny access if the machine is not found in AD?
You can try the following. Define an attribute to be retrieved from Active Directory that exists for all objects. When defining the attribute it can be given a default value. Assign a default value that will never be returned for a real machine entry (e.g. "DEFAULTVALUE") and give it a "Policy Condition Name".
Then you can make a rule in the authorization policy such as:
If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"
Why are there no Authorization Profiles with Deny Access?
I am having the same problem where the default rule of permit access is being hit thus allowing everyone to login as long as their username is in AD.
What did you do to deny access for the default Authorization Profile...
You can't create a new authorization profile with deny access, but when you select an authorization profile as the result of an authorization policy you should see an option there to select a DenyAccess profile. You do not see the DenyAccess profile in the list of authorization profiles.
My mistake. You have to click on the Select button to see the list of profiles. I have already been tricked by that Select button before; you would think I would have learned my lesson. When you go to policy elements and auth profiles you only see Permit Access and not the deny, so I was thinking my setup was broken.
Thanks for the help.