Solved: Re: PEAP strong machine authentication

ngtransge · ‎08-05-2012

Hello there,

I have some questions regarding PEAP authentication. Specifically how Machine Authentication works and how it is secured. It seems that if I have enabled Machine Authentication in my network, every wane who knows PC domain name can access network, is it true ?

Here is what I mean “ Machine Authentication allows your PC to connect to the network by authenticating as "Computer" before a legitimate user logs in. This allows a machine to obtain group policies just like it was connected to a wired network and this is a unique feature of the Windows Client.”

I get this from http://www.techrepublic.com/article/ultimate-wireless-security-guide-manual-peap-deployment-for-windows-wireless-client/6148574.

So I was looking on ACS logs and it seems that PC just sent it’s domain name to ACS, and it authenticates computer by its name.After this computer have access to network.

So could you please tell me how can I implement strong machine authentication without going EAP-TLS way ?

Tarik Admani · ‎08-05-2012

Please see your answers in line:

I have some questions regarding PEAP authentication. Specifically how Machine Authentication works and how it is secured. It seems that if I have enabled Machine Authentication in my network, every wane who knows PC domain name can access network, is it true?

This is not true, there is much more to machine authentication then just knowing your domain name. For machine authentication to occur, a computer must be joined to the domain using an admin account. The machine credentials are aquired dynamically (they are not set by any administrator or user) through kerberos and with default settings usually change every 30 days.

Here is what I mean “ Machine Authentication allows your PC to connect to the network by authenticating as "Computer" before a legitimate user logs in. This allows a machine to obtain group policies just like it was connected to a wired network and this is a unique feature of the Windows Client.”

Yes the main purpose of machine authentication to allow machine GPO to execute and give the computer network access during the bootup process. When a user authenticates, the supplicant will not allow any traffic flow until it receives an eap-success for the user transaction.

I get this from http://www.techrepublic.com/article/ultimate-wireless-security-guide-manual-peap-deployment-for-windows-wireless-client/6148574.

So I was looking on ACS logs and it seems that PC just sent it’s domain name to ACS, and it authenticates computer by its name.After this computer have access to network.

The machine should have sent its computer credentials not the domain name (format is computername.domain.com).

So could you please tell me how can I implement strong machine authentication without going EAP-TLS way ?

Machine authentication via PEAP is usually the easiest way to authenticate machines to the network. It uses mschapv2 which is a hashing algorithm used between the client and the domain without sending the password.

One more thing about using Machine Access Restrictions. The cisco anyconnect client is going to support eap-chaining in an upcoming release, this a feature that will allow you to set the order of eap authentication when a workstation joins the network. So you will have the ability to fire a machine authentication request followed by user authentication referenced in this article - https://supportforums.cisco.com/thread/2150542

Tarik Admani
*Please rate helpful posts*

View solution in original post

Scott Fella · ‎08-05-2012

Well the main thing you have to understand is that in a windows 7 device, you can authenticate either user OR computer, not both. This is why you only see machine names in ACS. Now you can enable in ACS MAR. I wouldn't recommend this though, but that's my opinion. This will check if the machine was authenticated and them use user authentication. However, this doesn't check all the time, so any other user can log in using their ad account as long as the MAR timer has not expired. But if a user is on and the MAR timer expires, well authentication will fail and the machine will have to be rebooted and machine auth has to take place. MAR also does not work if the user uses both wired and wireless.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

ngtransge · ‎08-05-2012

Hello Scott,

Is machine authentication mandatory for Windows 7 PC to operate successfully in network ? And is it true what I say in first post, that if somebody not authorized knows PC domain name it could potentially use it and authenticate ?

And if I correctly understand MAR checks if currently authenticated user have authenticated machine ? not authenticated machine have authenticated user ? What I mean is when machine is authenticated with domain name I can log into machine with local username(not from AD which is external identity store for ACS), and I have full network access, even when I have MAR enabled.

Thank you for help..

Tarik Admani · ‎08-05-2012

Please see your answers in line:

I have some questions regarding PEAP authentication. Specifically how Machine Authentication works and how it is secured. It seems that if I have enabled Machine Authentication in my network, every wane who knows PC domain name can access network, is it true?

This is not true, there is much more to machine authentication then just knowing your domain name. For machine authentication to occur, a computer must be joined to the domain using an admin account. The machine credentials are aquired dynamically (they are not set by any administrator or user) through kerberos and with default settings usually change every 30 days.

Here is what I mean “ Machine Authentication allows your PC to connect to the network by authenticating as "Computer" before a legitimate user logs in. This allows a machine to obtain group policies just like it was connected to a wired network and this is a unique feature of the Windows Client.”

Yes the main purpose of machine authentication to allow machine GPO to execute and give the computer network access during the bootup process. When a user authenticates, the supplicant will not allow any traffic flow until it receives an eap-success for the user transaction.

I get this from http://www.techrepublic.com/article/ultimate-wireless-security-guide-manual-peap-deployment-for-windows-wireless-client/6148574.

So I was looking on ACS logs and it seems that PC just sent it’s domain name to ACS, and it authenticates computer by its name.After this computer have access to network.

The machine should have sent its computer credentials not the domain name (format is computername.domain.com).

So could you please tell me how can I implement strong machine authentication without going EAP-TLS way ?

Machine authentication via PEAP is usually the easiest way to authenticate machines to the network. It uses mschapv2 which is a hashing algorithm used between the client and the domain without sending the password.

One more thing about using Machine Access Restrictions. The cisco anyconnect client is going to support eap-chaining in an upcoming release, this a feature that will allow you to set the order of eap authentication when a workstation joins the network. So you will have the ability to fire a machine authentication request followed by user authentication referenced in this article - https://supportforums.cisco.com/thread/2150542

Tarik Admani
*Please rate helpful posts*