11-18-2010 07:47 AM - edited 03-10-2019 05:35 PM
We are building a new wireless network complete with a new ACS 5.2 appliance and new LAN controllers with WCS. We want to create an encrypted/secured SSID that ONLY machines managed by us can access the LAN with. We are looking for the best solution with the least amount of complexity. After several discussions in-house, we are looking to use PEAP authentication (currently testing with a self-signed cert), then create an access policy in ACS to validate the machine is a member of Active Directory. Unfortunately I cannot find the way to validate the machine's membership. I'm not sure if I am missing something, or if this is even possible. If anyone has any suggestions to make this happen, or a better way to handle this, I'd appreciate the assistance.
11-18-2010 09:48 AM
What you need is machine authentication. The machine will first authenticate with its credentials (AD account) and then the user will authenticate too. This option is available under the Windows client.
Then you can also set the ACS to only allow a user to authenticate if the machine has been authenticated before.
You have to enable machine auth on the ACS server (Users and Identity Stores --> External Identity Stores --> Active Directory, check the Enable Machine Authentication box).
Also, under Access Policies --> Access Services, on the Allowed Protocols tab, you enable the "Process Host Lookup" option.
Create an access policy, enable PEAP-MSCHAPv2/Process Host Lookup, define conditions by using Identity Group and Was Machine Authenticated, which looks like:
1) if Identity group in machine group, then permit access
2) if Identity group in user group and Was Machine Authenticated, then permit access
3) default deny access
More details in discussions like https://supportforums.cisco.com/thread/2014145
Hope this helps.
Nicolas
===
Don't forget to rate answers that you find useful
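To make the three-rule policy above concrete, here is a small added model of how ACS evaluates it; this is illustrative code written for this thread, not Cisco's implementation or anything from the linked discussion. It assumes a "Was Machine Authenticated" state keyed by the endpoint's calling station (MAC address), a group lookup that an AD identity store would back in practice, and constructed sample machine and user accounts.

```python
"""Model of the three-rule ACS authorization policy from the answer:
rule 1 permits a machine identity in the machine group and records the endpoint,
rule 2 permits a user in the user group only if that endpoint's machine already
authenticated, and rule 3 denies everything else."""
from dataclasses import dataclass, field
from typing import Set, Tuple

# Constructed sample data standing in for AD-backed identity groups (assumption).
MACHINE_GROUP = {"host/LAPTOP-01.corp.example", "host/LAPTOP-02.corp.example"}
USER_GROUP = {"CORP\\alice", "CORP\\bob"}


@dataclass
class AuthRequest:
    identity: str          # user name, or host/... machine name sent by the supplicant
    calling_station: str   # endpoint MAC address; the key for "Was Machine Authenticated"
    is_host_lookup: bool   # True when the request carries the machine identity


@dataclass
class PolicyEngine:
    machine_group: Set[str]
    user_group: Set[str]
    # Hypothetical cache of endpoints whose machine identity has authenticated.
    machine_authenticated: Set[str] = field(default_factory=set)

    def was_machine_authenticated(self, req: AuthRequest) -> bool:
        return req.calling_station in self.machine_authenticated

    def evaluate(self, req: AuthRequest) -> Tuple[str, str]:
        # Rule 1: identity group in machine group -> permit, remember the endpoint.
        if req.is_host_lookup and req.identity in self.machine_group:
            self.machine_authenticated.add(req.calling_station)
            return "permit", "rule1-machine"
        # Rule 2: identity group in user group AND Was Machine Authenticated -> permit.
        if (not req.is_host_lookup and req.identity in self.user_group
                and self.was_machine_authenticated(req)):
            return "permit", "rule2-user-on-managed-machine"
        # Rule 3: default deny.
        return "deny", "default"


def scenario() -> dict:
    """Run the common cases: managed laptop, valid user on an unmanaged device,
    and an unknown machine identity. Returns the decision for each case."""
    engine = PolicyEngine(MACHINE_GROUP, USER_GROUP)
    managed = "00:11:22:33:44:55"   # constructed MAC of a domain-joined laptop
    byod = "66:77:88:99:aa:bb"      # constructed MAC of a personal device
    results = {}
    # Corporate laptop: machine auth at boot, then the user logs on.
    results["machine_managed"] = engine.evaluate(
        AuthRequest("host/LAPTOP-01.corp.example", managed, True))
    results["user_managed"] = engine.evaluate(AuthRequest("CORP\\alice", managed, False))
    # Valid domain user on an unmanaged device: no machine auth preceded the user auth.
    results["user_byod"] = engine.evaluate(AuthRequest("CORP\\alice", byod, False))
    # Machine identity not in the managed group (not joined, or in another domain).
    results["machine_unknown"] = engine.evaluate(
        AuthRequest("host/ROGUE.corp.example", byod, True))
    return results


if __name__ == "__main__":
    for case, decision in scenario().items():
        print(f"{case}: {decision}")
```

The point the model makes is the one the thread turns on: without the "Was Machine Authenticated" condition in rule 2, a valid AD user on any device would be permitted, so the SSID would not be restricted to managed machines.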
11-19-2010 11:17 AM
Thanks Nicolas,
The Was Machine Authenticated flag was my issue. The rest was already in place.
Thank you
12-20-2010 07:36 AM
I also set this up for a customer. Their AD had 3 separate forests that were set to trust each other. I could enumerate groups from all three forests in the select group section (not using groups yet, just checking I could see them).
However, only machines that are in the configured "Active Directory Domain Name" and one of the other two will authenticate. If a machine belongs to the third domain, an error 24485 "Machine authentication against Active Directory has failed because of wrong password" appears.
I didn't realise machines could have the wrong password, but even so can anyone explain what is happening here?
12-20-2010 07:55 AM
The domain connection to the machine was stale; the machine was re-joined to the domain and it worked as normal.
01-22-2012 10:09 AM
Check this Doc
Tips to make Machine Authentication Work - PEAP Authentication - https://supportforums.cisco.com/docs/DOC-21825
Thanks.