on ACS5.2 how can we bind the user authentication and machine authentication together

txing
Level 1

For our wireless, we enabled machine authentication, but we want to bind machine authentication and user authentication together, which means they need to meet both requirements to access the wireless. How can we do this? Right now it looks like as soon as the machine is authenticated, it can access the network, no user authentication needed.

Thanks

6 Replies

Nicolas Darchis
Cisco Employee

You need to provide a dummy vlan with the machine authentication (so that no access is granted) or a vlan with restricted access.

Then for the user auth, you can set a condition "was machine authenticated" in the service policy on ACS. If you don't have it, click "customize" at the bottom right of your authorization menu. It then only validates the user auth if the same guy was machine authenticated before.

Thanks for your reply. If I configure the ACS 5.2 like you said, will that mean the users can't get all the login scripts, domain policy and network mapping to work over the wireless network? Because the guest VLAN can't talk to AD, is this correct?

Thanks

It depends. You can give a vlan that has only access to AD, so the PC will be able to get GPOs and scripts but not access to the rest of the network.

Hi Nicolas

What would a rule set for such a MAR authentication / authorization look like, something like this?

Authentication

Rule 1: Permit Access for MSCHAPv2 AND all AD Groups (user and machine)

Authorization

Rule 1: Permit Access for MSCHAPv2 AND Was-Machine-Authenticated = FALSE AND only computer AD Group

--> this rule should "perform" the machine authentication

Rule 2: Permit Access for MSCHAPv2 AND Was-Machine-Authenticated = TRUE AND only user AD Groups

Would that work for such a scenario, or am I missing something?

And what about EAP-TLS, in the ACS 5.x user guide it is stated:

"When the user authenticates with either PEAP or EAP-FAST against AD external ID store then ACS performs an additional action. It searches the cache for the user's Calling-Station-Id. If it is found then Was-Machine-Authenticated attribute is set to true on the session context, otherwise set to false."

Does this mean that with EAP-TLS the Was-Machine-Authenticated attribute does not work? We would like to do the same with first machine and then user certificates, but only user certificates on corporate laptops should be allowed.

Thanks in advance and best regards

Dominic

Yes. For the "only computer" rule, you can either use the AD attribute that says whether it's a person or computer account (I don't remember which one off the top of my head) or detect whether the RADIUS username starts with host/*, which is the definition of a computer authentication.

For EAP-TLS, I have to say I'm not sure how the flag is set.
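To make the rule ordering discussed in this thread concrete, here is an added example (not Cisco's code or anything from the ACS product) that models the MAR flow: a host/ account authenticating caches its Calling-Station-Id, a later user session on the same MAC gets Was-Machine-Authenticated set from that cache, and the two authorization rules are evaluated in order with a default deny. The AD group names, VLAN labels and the treatment of EAP-TLS as not populating the flag are assumptions taken from the quoted user guide text, not confirmed behaviour.

```python
"""Simplified model of ACS machine access restriction (MAR) rule evaluation.

Added example, not Cisco's code. Group names and VLAN labels are constructed.
"""
from dataclasses import dataclass, field

MACHINE_GROUP = "Domain Computers"   # assumed AD group holding computer accounts
USER_GROUP = "Domain Users"          # assumed AD group holding user accounts
# Per the quoted ACS user guide text, only these methods trigger the cache lookup.
# Treating EAP-TLS as never setting the flag is an assumption, not confirmed here.
METHODS_WITH_MAR_LOOKUP = ("PEAP", "EAP-FAST")


@dataclass
class Request:
    username: str             # RADIUS User-Name, e.g. "host/laptop01" or "alice"
    calling_station_id: str   # client MAC address as sent by the WLC
    ad_groups: set
    eap_method: str = "PEAP"


@dataclass
class AcsMar:
    # Calling-Station-Ids of machines that completed machine authentication
    machine_cache: set = field(default_factory=set)

    def authorize(self, req: Request) -> str:
        # Rule 1: computer account -> remember the MAC, grant only the restricted VLAN
        # (Nicolas' "dummy vlan" so machine auth alone gives no real access)
        if req.username.startswith("host/") and MACHINE_GROUP in req.ad_groups:
            self.machine_cache.add(req.calling_station_id)
            return "PermitAccess:vlan=restricted"

        # Set Was-Machine-Authenticated from the cache for the user session
        was_machine_authenticated = (
            req.eap_method in METHODS_WITH_MAR_LOOKUP
            and req.calling_station_id in self.machine_cache
        )

        # Rule 2: domain user on a machine that authenticated earlier -> full access
        if was_machine_authenticated and USER_GROUP in req.ad_groups:
            return "PermitAccess:vlan=corporate"

        # Default rule: a domain user on an unknown (non-corporate) laptop is denied
        return "DenyAccess"


if __name__ == "__main__":
    acs = AcsMar()
    print(acs.authorize(Request("host/laptop01", "00:11:22:33:44:55", {MACHINE_GROUP})))
    print(acs.authorize(Request("alice", "00:11:22:33:44:55", {USER_GROUP})))
    print(acs.authorize(Request("alice", "66:77:88:99:aa:bb", {USER_GROUP})))
```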

Just as a help for others, I first tested with PEAP and it worked well - only AD users on AD computers were able to log in to the SSID, as desired.

Attached you find the ACS 5.3 configuration for PEAP with the "Was-Machine-Authenticated" attribute.

Access Policy - Identity:

Access Policy - Authorization:

Best regards

Dominic