ACS5 / ISE: PEAP authentication - first machine then user

Johannes Luther
Level 4

Hi board,

I have a simple question regarding AAA with ISE or ACS5 and PEAP.

As we all know, the big disadvantage of PEAP is that you cannot prevent non-company property from authenticating to the network.

Example:

Windows Domain - PEAP machine and user authentication. During Windows GINA, the machine account is used - after login, the user account is used.

If I bring my own iPad to the company, I just have to enable WLAN, enter my Domain credentials and voila! I'm in!

Some companies want to restrict the network only for company equipment.

So a simple solution to this is EAP-TLS, but we all know that some guys don't want to build up a full-blown PKI...

So here's the question:

Is it possible to enforce an authentication order in ISE or ACS?

If an authentication request for a certain client MAC address (Calling-Station-ID) comes in, then this identity has to authenticate with a machine account first (prefix "host\"), and only after the machine authentication has succeeded is the user authentication allowed.

If someone wants to log in with a user account, this should not be possible if there was no prior machine authentication.

So is this possible with ACS or ISE?

Thanks in advance!


3 Replies

Tarik Admani
VIP Alumni (Accepted Solution)

Johannes,

You can prevent iPads from connecting by enforcing a machine authentication check in the user authentication policy.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html#wp1116684

You can also leverage the profiling feature in ISE to reject the Apple devices from accessing the network.

Thanks,

Tarik Admani
*Please rate helpful posts*

Johannes Luther

This is exactly what I've been searching for!

Thank you!

One more thing... this is not available for ACS, right?

Profiling is not, but machine authentication with machine access restrictions is.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1254965

Tarik Admani
*Please rate helpful posts*
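To make the mechanism behind both answers concrete, here is an added illustration (not Cisco's code and not how ISE or ACS implement it internally) of the machine-access-restriction idea: a successful machine authentication records the client's Calling-Station-Id in a cache, and a later user authentication from that MAC is accepted only while the cached entry is younger than an aging window. The events, MACs and identities below are constructed sample data; the aging window of six hours is an assumed value, not a Cisco default.

```python
from datetime import datetime, timedelta

# Constructed sample of authentication attempts as an ISE/ACS server would see
# them: timestamp, Calling-Station-Id (client MAC), EAP identity and whether the
# credential check against the domain succeeded. Made up for this example.
SAMPLE_EVENTS = [
    ("2024-01-01 08:00:00", "00-11-22-33-44-55", "host/LAPTOP01.corp.example", True),
    ("2024-01-01 08:00:30", "00-11-22-33-44-55", "CORP\\jluther", True),
    ("2024-01-01 08:05:00", "AA-BB-CC-DD-EE-FF", "CORP\\jluther", True),   # BYOD tablet
    ("2024-01-01 08:10:00", "66-77-88-99-AA-BB", "host/LAPTOP02.corp.example", False),
    ("2024-01-01 08:10:20", "66-77-88-99-AA-BB", "CORP\\someone", True),
    ("2024-01-02 09:00:00", "00-11-22-33-44-55", "CORP\\jluther", True),   # next day
]

# Machine accounts present themselves as host/<fqdn> in the EAP identity
# (the "host\" prefix in the question is the same thing written the other way).
MACHINE_PREFIX = "host/"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_machine_identity(identity):
    return identity.lower().startswith(MACHINE_PREFIX)


def evaluate(events, aging=timedelta(hours=6)):
    """Replay auth events in order and decide each one under a MAR-style rule.

    Returns a list of (identity, mac, result, reason) tuples.
    """
    mar_cache = {}  # MAC -> time of the last successful machine authentication
    decisions = []
    for ts_str, mac, identity, creds_ok in events:
        ts = parse_ts(ts_str)
        mac = mac.upper()
        if is_machine_identity(identity):
            if creds_ok:
                mar_cache[mac] = ts
                decisions.append((identity, mac, "ACCEPT", "machine auth ok, MAC cached"))
            else:
                decisions.append((identity, mac, "REJECT", "machine credentials failed"))
            continue
        # User authentication: valid credentials alone are not enough.
        if not creds_ok:
            decisions.append((identity, mac, "REJECT", "user credentials failed"))
            continue
        cached = mar_cache.get(mac)
        if cached is None:
            decisions.append((identity, mac, "REJECT", "no prior machine auth for this MAC"))
        elif ts - cached > aging:
            decisions.append((identity, mac, "REJECT", "machine auth older than aging window"))
        else:
            decisions.append((identity, mac, "ACCEPT", "user auth ok, machine auth verified"))
    return decisions


def results_only(decisions):
    return [d[2] for d in decisions]


if __name__ == "__main__":
    for identity, mac, result, reason in evaluate(SAMPLE_EVENTS):
        print(f"{result:6} {mac} {identity:28} {reason}")
```

Replaying the sample shows the behaviour the thread is after: the domain laptop is accepted for both phases, the same user's valid credentials from an unknown MAC are rejected, a failed machine authentication never unlocks the following user authentication, and the next-day logon from the laptop is rejected again because the cached entry has aged out. The aging window is therefore an operational trade-off: long enough that a rebooted workstation can log on without a fresh machine authentication every time, short enough that a cached MAC does not stay trusted for longer than needed. Note also that the check is keyed on the MAC address the machine presented, so it controls the endpoint rather than the person.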
