07-19-2011 08:32 AM - edited 03-10-2019 06:14 PM
For our wireless, we enabled machine authentication, but we want to bind the machine authentication and user authentication together, which means they need to meet both requirements to access the wireless. How can we do this? Right now it looks like as soon as the machine is authenticated, it can access the network; no user authentication is needed.
Thanks
07-19-2011 10:04 AM
You need to provide a dummy vlan with the machine authentication (so that no access is granted) or a vlan with restricted access.
Then for the user auth, you can set a condition "was machine authenticated" in the service policy on ACS. If you don't have it, click "customize" at the bottom right of your authorization menu. It then only validates the user auth if the same guy was machine authenticated before.
07-19-2011 10:11 AM
Thanks for your reply. If I configure the ACS 5.2 as you said, will that mean the users can't get all the login scripts, domain policy and network mapping to work over the wireless network? Because the guest VLAN can't talk to AD, is this correct?
Thanks
07-20-2011 12:24 AM
It depends. You can give a vlan that has only access to AD, so the PC will be able to get GPOs and scripts but not access to the rest of the network.
03-05-2012 11:46 PM
Hi Nicolas
How would a rule set for such a MAR authentication/authorization look? Something like this?
Authentication
Rule 1: Permit Access for MSCHAPv2 AND all AD Groups (user and machine)
Authorization
Rule 1: Permit Access for MSCHAPv2 AND Was-Machine-Authenticated = FALSE AND only computer AD Group
--> this rule should "perform" the machine authentication
Rule 2: Permit Access for MSCHAPv2 AND Was-Machine-Authenticated = TRUE AND only user AD Groups
Would that work for such a scenario, or am I missing something?
And what about EAP-TLS? In the ACS 5.x user guide it is stated:
"When the user authenticates with either PEAP or EAP-FAST, against AD external ID store then ACS performs an additional action. It searches the cache for the user's Calling-Station-Id. If it is found then Was-Machine-Authenticated attribute is set to true on the session context, otherwise set to false."
Does this mean that with EAP-TLS the Was-Machine-Authenticated attribute does not work? We would like to do the same with first machine and then user certificates, but only user certificates on corporate laptops should be allowed.
Thanks in advance and best regards
Dominic
03-06-2012 08:08 AM
Yes. For the "only computer", you can either use the AD attribute that says if it's a Person or Computer account (don't remember which one off the top of my head) or detect if the RADIUS username starts with host/*, which is the definition of a computer authentication.
For EAP-TLS, I have to say I'm not sure how the flag is set.
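As an added illustration (not from this thread or from Cisco), the small Python model below simulates the MAR flow the two posts above describe: a cache keyed on the RADIUS Calling-Station-Id (the client MAC) is filled by a successful host/ machine authentication, and a later user authentication from the same MAC sees Was-Machine-Authenticated = TRUE. Class names, group names and VLAN names are assumptions for illustration, not the ACS configuration model.

```python
# Added example: toy model of ACS-style Machine Access Restriction (MAR).
# Rule 1 and Rule 2 follow the authorization rule set posted in the thread;
# the host/ prefix test follows the reply above. Names are constructed.
from dataclasses import dataclass, field

COMPUTER_GROUP = "Domain Computers"   # constructed AD group names
USER_GROUP = "Domain Users"
VLAN_CORP = "corp"                     # full access after user auth
VLAN_RESTRICTED = "ad-only"            # limited VLAN for machine-only sessions
PROTOCOL = "PEAP-MSCHAPv2"             # the only protocol the rules match


@dataclass
class Request:
    username: str               # "host/PC1" for a machine auth, "alice" for a user auth
    calling_station_id: str     # client MAC as sent in Calling-Station-Id
    ad_groups: set
    protocol: str = PROTOCOL


@dataclass
class MarEngine:
    # MACs that completed a machine authentication (the MAR cache)
    mar_cache: set = field(default_factory=set)

    @staticmethod
    def is_machine(req):
        # Computer accounts authenticate with a host/<name> username
        return req.username.lower().startswith("host/")

    def authorize(self, req):
        """Return the VLAN to grant, or None when no rule matches (reject)."""
        if req.protocol != PROTOCOL:
            return None
        # Was-Machine-Authenticated: is this MAC already in the cache?
        was_machine_authenticated = req.calling_station_id in self.mar_cache
        # Rule 1: machine auth, computer group only -> restricted VLAN, record MAC
        if (self.is_machine(req) and COMPUTER_GROUP in req.ad_groups
                and not was_machine_authenticated):
            self.mar_cache.add(req.calling_station_id)
            return VLAN_RESTRICTED
        # Rule 2: user auth from a MAC that machine-authenticated first -> corp VLAN
        if (not self.is_machine(req) and USER_GROUP in req.ad_groups
                and was_machine_authenticated):
            return VLAN_CORP
        # A user auth from a MAC with no prior machine auth falls through here
        return None
```

A user logging in from a machine that never machine-authenticated gets no match, which is the binding the original question asks for.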
03-12-2012 06:34 AM
Just as a help for others, I first tested with PEAP and it worked well: only AD users on AD computers were able to log in to the SSID, as desired.
Attached you will find the ACS 5.3 configuration for PEAP with the "Was-Machine-Authenticated" attribute.
Access Policy - Identity:
Access Policy - Authorization:
Best regards
Dominic