ACS 5.3, EAP-TLS Machine Authentication with Active Directory

pblume
Level 1

I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. I was testing and everything was going fine until I did some failure testing.

My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.

Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.

Evaluating Identity Policy

15006 Matched Default Rule

22037 Authentication Passed

22023 Proceed to attribute retrieval

24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com

24437 Machine not found in Active Directory

22016 Identity sequence completed iterating the IDStores

Evaluating Group Mapping Policy

12506 EAP-TLS authentication succeeded

11503 Prepared EAP-Success

Evaluating Exception Authorization Policy

15042 No rule was matched

Evaluating Authorization Policy

15006 Matched Default Rule

15016 Selected Authorization Profile - Permit Access

22065 Max sessions policy passed

22064 New accounting session created in Session cache

11002 Returned RADIUS Access-Accept

I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?

Note: In my Identity Store Sequence, I did enable the option:

For Attribute Retrieval only:
If internal user/host not found or disabled then exit sequence and treat as "User Not Found"

but this only seems to work for internal identity stores (at least based on my testing)

Under my Access Policy Identity tab, I configured the following Advanced features:

If authentication failed
If user not found
If process failed

And that didn't do anything either.

Any ideas? Thanks in advance.

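The log above is exactly the pattern a detection would look for: step 24437 (Machine not found in Active Directory) followed in the same authentication by step 11002 (Returned RADIUS Access-Accept). The following is an added example, not code from the original post or from Cisco: it parses a pasted ACS "Steps" report and flags every machine that was accepted despite the AD lookup failing. The step codes are the ones quoted in the post; the record format (one record per authentication, records separated by a blank line, each step line starting with its five-digit code) and the second, healthy record with the host `LAB-PC-02.example.test` are constructed assumptions for the example.

```python
import re

# ACS step codes quoted from the log in the post above.
MACHINE_LOOKUP = "24433"     # Looking up machine/host in Active Directory - <host>
MACHINE_NOT_FOUND = "24437"  # Machine not found in Active Directory
ACCESS_ACCEPT = "11002"      # Returned RADIUS Access-Accept

STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")
LOOKUP_RE = re.compile(r"Looking up machine/host in Active Directory - (\S+)")

# Constructed sample: the record from the post, then a healthy record for a
# machine that still exists in AD. Blank lines separate records (an assumption
# of this example; the post's log has a blank line after every step instead).
SAMPLE_LOG = """\
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept

Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-02.example.test
22016 Identity sequence completed iterating the IDStores
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
"""


def parse_records(text):
    """Split a pasted 'Steps' report into one record per authentication.

    Lines without a leading five-digit code ('Evaluating Identity Policy'
    and the like) carry no step and are skipped. The host name is taken from
    the 24433 lookup line.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current is not None:
                records.append(current)
                current = None
            continue
        m = STEP_RE.match(line)
        if not m:
            continue
        code, message = m.groups()
        if current is None:
            current = {"host": None, "codes": []}
        current["codes"].append(code)
        if code == MACHINE_LOOKUP:
            lm = LOOKUP_RE.search(message)
            if lm:
                current["host"] = lm.group(1)
    if current is not None:
        records.append(current)
    return records


def flag_unverified_accepts(records):
    """Hosts granted Access-Accept even though AD reported the machine as
    missing, which is exactly the condition the post describes."""
    return [
        r["host"]
        for r in records
        if MACHINE_NOT_FOUND in r["codes"] and ACCESS_ACCEPT in r["codes"]
    ]


if __name__ == "__main__":
    for host in flag_unverified_accepts(parse_records(SAMPLE_LOG)):
        print("accepted without an AD computer object:", host)
```

Run against the sample, only `LAB-PC-PB.VITS.attcst.sbc.com` is reported; the second record has no 24437 step and passes. The check is deliberately narrow (a 24437 and an 11002 in the same record) so it does not fire on machines that were found, or on lookups that failed and were correctly rejected.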
6 Replies

jrabinow
Level 7

In the authorization policy you can see that the default rule has been matched. However, looks like the default rule result is to permit access. If you change this to "DenyAccess" I think you may get the desired result.

Currently, I only have the default rule configured in the authorization policy, which is to allow access. If I make that a deny all, then everything will be denied. (I tested that just as a sanity test.) Can I add a rule in my authorization policy to deny access if the machine is not found in AD?

You can try the following. Define an attribute to be retrieved from Active Directory that exists for all objects. When defining the attribute, it can be given a default value. Assign a default value that will never be returned for a real machine entry (e.g. "DEFAULTVALUE") and give it a "Policy Condition Name".

Then you can make a rule in the authorization policy such as

If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

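To make the reasoning in the reply above concrete, here is an added example that is not part of the thread and not Cisco's code. It models the ACS 5.x flow the log shows: EAP-TLS passes on the certificate alone, Active Directory is consulted only for attribute retrieval, and a missing computer object does not stop the identity sequence, so the authorization policy is the first place a "machine not found" result can be turned into a deny. The directory contents, the attribute name `objectClass`, the condition name `AD-objectClass` and the rule representation are all constructed stand-ins for the ACS configuration, not its API.

```python
# Models the ACS 5.x policy flow from the thread. The AD stand-in, the
# attribute chosen, and the rule syntax are assumptions of this example.

DEFAULT_VALUE = "DEFAULTVALUE"            # default configured on the retrieved attribute
PERMIT, DENY = "PermitAccess", "DenyAccess"

# Constructed AD stand-in: host -> attributes every computer object carries.
# A deleted computer is simply absent from this dictionary.
AD_COMPUTERS = {
    "LAB-PC-PB.VITS.attcst.sbc.com": {"objectClass": "computer"},
}


def retrieve_attribute(host, attr="objectClass", default=DEFAULT_VALUE):
    """Attribute retrieval against the identity store.

    As in the reply above, a missing machine does not fail the identity
    sequence (step 24437 is informational); the attribute simply takes its
    configured default value, which is what the authorization rule keys on.
    """
    entry = AD_COMPUTERS.get(host)
    return entry.get(attr, default) if entry else default


def evaluate_authorization(rules, attrs):
    """First-match evaluation of an ordered rule list. The last rule is the
    catch-all default, mirroring 'Matched Default Rule' in the log."""
    for name, condition, result in rules:
        if condition(attrs):
            return name, result
    raise RuntimeError("authorization policy must end with a default rule")


def authorize(host, rules):
    """Authorization for a machine whose EAP-TLS exchange already succeeded
    (step 12506); only the authorization policy can still deny it."""
    attrs = {"AD-objectClass": retrieve_attribute(host)}
    return evaluate_authorization(rules, attrs)


# Policy from the original post: only the default rule, result PermitAccess.
ORIGINAL_POLICY = [
    ("Default", lambda a: True, PERMIT),
]

# Policy with the rule suggested in the reply above:
# If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess".
HARDENED_POLICY = [
    ("Machine-Not-In-AD", lambda a: a["AD-objectClass"] == DEFAULT_VALUE, DENY),
    ("Default", lambda a: True, PERMIT),
]


if __name__ == "__main__":
    for policy_name, policy in (("original", ORIGINAL_POLICY), ("hardened", HARDENED_POLICY)):
        for host in ("LAB-PC-PB.VITS.attcst.sbc.com", "DELETED-PC.example.test"):
            rule, result = authorize(host, policy)
            print(f"{policy_name:8} {host:32} -> {result} (rule: {rule})")
```

With the original policy the deleted machine still gets PermitAccess through the default rule, which is the behaviour in the posted log; with the extra rule it is denied while the machine that still has a computer object falls through to the default rule and is permitted. Two practical caveats when applying this: pick an attribute that really is populated on every computer object, otherwise legitimate machines will match the deny rule, and remember that this rule is a compensating control only. The laptop's certificate remained valid after the computer account was deleted (EAP-TLS succeeded in the log), so the certificate should also be revoked and the server should be checking revocation.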
dpatzold1979
Level 1

Why are there no Authorization Profiles with Deny Access?

I am having the same problem where the default rule of permit access is being hit, thus allowing everyone to log in as long as their username is in AD.
What did you do to deny access for the default Authorization Profile?

You can't create a new authorization profile with deny access, but when you select an authorization profile as the result of an authorization policy you should see an option there to select a DenyAccess profile. You do not see the DenyAccess profile in the list of authorization profiles.

My mistake. You have to click on the Select button to see the list of profiles. I have already been tricked by that Select button before; you would think I would have learned my lesson. When you go to Policy Elements and Authorization Profiles you only see Permit Access and not the Deny, so I was thinking my setup was broken.

Thanks for the help.
