Question regarding Active Directory attributes and ACS 5.2

For authentication to our wireless, our ACS server checks to make sure a node is a member of a specific computer group.  When we disable the computer account, the ACS server continues to pass authentication despite the account being disabled. This is not the only thing that is checked; we also check for a valid certificate that has been issued from our CA.  Regardless, if the computer account is disabled I would like for the ACS server to fail the authentication.  Is there a way to map a computer account attribute to a RADIUS attribute?  Or simply configure the ACS server to check for a flag on the AD attribute?

Specifically, here is what we see in the steps section for a machine whose account has been disabled:

24475  The user's or host's account is disabled; setting the IdentityAccessRestricted flag to true.

I'd like for it to see that flag "true" and fail the authentication, but it does not.  Any suggestions?

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

8 Replies

Yudong Wu
Level 7

I think you just need to enable machine authentication. When it is enabled, ACS will check AD to see if the computer account is valid.

That's what I thought also, but apparently not.  I have it enabled already.  I'm assuming that all it does is check to make sure there is an account and allows you to check it against group membership.

Thanks for the reply.


what kind of wireless authentication are you using? PEAP, EAP or something else? Did you enable machine authentication on the wireless client as well?

We are using EAP-TLS for the certificate.  We use the Cisco Mobility Client and the NAM module on the client.  Machine authentication is enabled on the NAM module.  To be honest, I'm not sure how the client is passing along the machine's domain credentials.


Ok, I have not played with NAM yet. But if it is EAP-TLS, both sides must have the certificate. Per your first post, you have checked the certificate already.

Basically, I think you need to find out if the issue is on the client side or the ACS side. You should check your ACS authentication log to see if you see a machine authentication request. When doing machine authentication, the username looks like "host/PC_name". If you don't see this, you might need to check the log on NAM. If you do see this, you need to check your ACS and AD.

By the way, here is an old example for EAP-TLS with machine authentication. It's old, but the principle should be the same.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

The IdentityAccessRestricted attribute referenced in the steps is an additional attribute that can be used in authorization conditions.

It is set to true if access to the account is disabled, outside of the permitted time for access, etc.

This gives flexibility when AD attributes are retrieved to be used in authorization conditions and will allow the request to be denied if the flag is set.

To do this, add a new condition in the authorization policy:

If (AD1->IdentityAccessRestricted) == TRUE, select the Deny Access authorization profile as the result.
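
As an added illustration (not from the original post, and not Cisco's code), here is a small Python model of a first-match authorization policy. It shows why a policy built only on computer-group membership plus a valid certificate still permits a disabled account, and how the Deny rule described in this answer closes that gap. The attribute names, rule names, group DN and sample hosts are constructed assumptions; the internal evaluation logic of ACS 5.2 is not public, and only the ACCOUNTDISABLE bit of userAccountControl is modelled, not the time-of-day restrictions the flag also covers.

```python
"""Model of a first-match authorization policy handling a disabled computer
account.  Added illustration only: names and sample data are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Bit 0x2 of userAccountControl is the documented AD ACCOUNTDISABLE flag.
UF_ACCOUNTDISABLE = 0x0002
# Bit 0x1000 marks a computer (workstation trust) account.
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000


@dataclass
class ADComputer:
    """Constructed stand-in for the AD attributes retrieved for a host."""
    sam_account_name: str
    user_account_control: int
    member_of: List[str]


def identity_access_restricted(acct: ADComputer) -> bool:
    """Mirror of the flag from step 24475: true when the account is disabled.
    Assumption: only the disabled bit is modelled here."""
    return bool(acct.user_account_control & UF_ACCOUNTDISABLE)


def build_attributes(acct: ADComputer, cert_valid: bool) -> Dict[str, object]:
    """Assemble the attribute dictionary the policy rules are evaluated against."""
    return {
        "AD1:ExternalGroups": set(acct.member_of),
        "AD1:IdentityAccessRestricted": identity_access_restricted(acct),
        "Certificate:Valid": cert_valid,
    }


@dataclass
class Rule:
    name: str
    condition: Callable[[Dict[str, object]], bool]
    result: str  # "PermitAccess" or "DenyAccess"


def evaluate(rules: List[Rule], attrs: Dict[str, object],
             default: str = "DenyAccess") -> str:
    """First-match evaluation: the first rule whose condition holds decides."""
    for rule in rules:
        if rule.condition(attrs):
            return rule.result
    return default


# Constructed group DN standing in for the wireless computer group.
WIRELESS_GROUP = "CN=Wireless-Computers,OU=Groups,DC=example,DC=local"

# Policy as described in the question: group membership plus a valid certificate.
ORIGINAL_RULES = [
    Rule("Wireless-Hosts",
         lambda a: WIRELESS_GROUP in a["AD1:ExternalGroups"]
         and a["Certificate:Valid"] is True,
         "PermitAccess"),
]

# Policy with the deny rule from the accepted answer placed BEFORE the permit
# rule, so first-match reaches it for restricted accounts.
DENY_RESTRICTED = Rule("Deny-Restricted",
                       lambda a: a["AD1:IdentityAccessRestricted"] is True,
                       "DenyAccess")
FIXED_RULES = [DENY_RESTRICTED] + ORIGINAL_RULES


def authorize(rules: List[Rule], acct: ADComputer, cert_valid: bool = True) -> str:
    """Run one host through the given rule set and return the profile chosen."""
    return evaluate(rules, build_attributes(acct, cert_valid))


# Constructed sample hosts: same group, same certificate, one of them disabled.
ENABLED_HOST = ADComputer("LAPTOP01$", UF_WORKSTATION_TRUST_ACCOUNT, [WIRELESS_GROUP])
DISABLED_HOST = ADComputer("LAPTOP02$",
                           UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE,
                           [WIRELESS_GROUP])

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for host in (ENABLED_HOST, DISABLED_HOST):
            print(f"{label:8} {host.sam_account_name}: {authorize(rules, host)}")
```

Rule order is the practical caveat: appending the Deny rule after the existing Permit rule leaves the disabled host permitted, because the Permit rule already matched. The deny condition has to sit above the permit in the policy table.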

Could you please clarify this?

In ACS 5.2, if the computer account is disabled or does not exist in AD, will machine authentication fail directly, or do we have to add the condition you mentioned to deny the machine authentication?

@jrabinow - This is the answer I was looking for, Thanks!
