Wired Dot1x and forcing machine auth on Windows

mweavind
Level 1

I've got wired dot1x authentication working OK. The ACS server backs off to a Windows domain, so machine-level authentication works fine. However, I can't see a way of forcing Windows to only ever do machine authentication. Has anyone else looked at this? I could enable the option on the ACS server to require a previous machine auth before it accepts a user auth, but it can only cache this for a limited amount of time. The only way to get a machine auth is for there not to be a user logged on at the time. If we accept user auth, then any user can bring their own machine onto the network, but this is what we want to stop: we only want to allow bank-standard (i.e. domain member) machines on the network.

cheers

Mike

2 Replies

Right, you need AuthMode = 2.

If only allowing domain members onto the network is the primary goal, then you may also want to consider:

* The Machine Access Restriction feature on ACS (what you referred to before as a cache, but it does help to mitigate this threat).

* Denying dial-in permissions on user accounts (but this may break other things you may be using for remote access).

Example: if someone brought in their PC from home with virtually any supplicant on it, they're on the network as long as their NT credentials check out (whether machine auth fails or not, because remember they can configure their own supplicant).
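The reply above names the setting ("AuthMode = 2") but not where it lives or how to confirm it. The following PowerShell is an added example, not code from the thread or from Cisco, that writes the value and checks it. It assumes the legacy EAPOL supplicant registry key used by Windows XP / Server 2003 (HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global), and, going one step beyond the thread, it also assumes that on Windows Vista and later the equivalent control is the <authMode> element of the wired (LAN) profile that "netsh lan export profile" writes out. Neither location is stated on the page.

```powershell
# Added example (not from the original thread): pin the Windows wired 802.1X
# supplicant to machine authentication only, i.e. the "AuthMode = 2" the reply names.
# Assumptions, none of which the thread states:
#   - Windows XP / Server 2003 keep the value under the EAPOL key below;
#   - Windows Vista and later express the same choice as <authMode> in the
#     exported wired profile XML ('machine' being the machine-only setting).
# Run from an elevated PowerShell session.

$EapolKey    = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$MachineOnly = 2   # 2 = machine authentication only; other values allow user credentials

function Set-Dot1xMachineOnly {
    # Create the key if it does not exist yet, then write AuthMode as a REG_DWORD.
    if (-not (Test-Path -Path $EapolKey)) {
        New-Item -Path $EapolKey -Force | Out-Null
    }
    New-ItemProperty -Path $EapolKey -Name 'AuthMode' -PropertyType DWord `
        -Value $MachineOnly -Force | Out-Null
}

function Test-Dot1xMachineOnly {
    # $true only when the value is present AND equals 2; a missing value means
    # the supplicant is still free to fall back to the logged-on user's credentials.
    $props = Get-ItemProperty -Path $EapolKey -Name 'AuthMode' -ErrorAction SilentlyContinue
    return (($null -ne $props) -and ($props.AuthMode -eq $MachineOnly))
}

function Get-WiredProfileAuthModes {
    # Vista and later only: export every wired profile and read its OneX <authMode>.
    # Anything other than 'machine' lets a logged-on user's credentials reach the
    # RADIUS server, which is exactly the path the question wants closed.
    if ([Environment]::OSVersion.Version.Major -lt 6) {
        Write-Warning 'netsh lan is not available before Windows Vista; skipping profile check.'
        return
    }
    $dir = Join-Path -Path $env:TEMP -ChildPath ('lanprofiles-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        netsh lan export profile folder="$dir" | Out-Null
        Get-ChildItem -Path $dir -Filter '*.xml' | ForEach-Object {
            $xml  = [xml](Get-Content -Path $_.FullName)
            # local-name() lookup so the OneX namespace prefix does not matter.
            $node = $xml.SelectSingleNode("//*[local-name()='authMode']")
            $mode = if ($node) { $node.InnerText } else { '(no OneX block: 802.1X not configured)' }
            [pscustomobject]@{ Profile = $_.BaseName; AuthMode = $mode; MachineOnly = ($mode -eq 'machine') }
        }
    }
    finally {
        Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Set-Dot1xMachineOnly
if (-not (Test-Dot1xMachineOnly)) {
    throw 'AuthMode was not written; check that the session is elevated.'
}
Write-Host "AuthMode = $MachineOnly is set; the supplicant applies it after a restart or reboot."
Get-WiredProfileAuthModes | Format-Table -AutoSize
```

This only constrains supplicants the bank manages. As the reply points out, a user who brings their own PC controls their own supplicant, so the client-side setting has to be paired with the ACS-side controls listed above (Machine Access Restriction, or denying dial-in permission on user accounts) if the goal is to keep non-domain machines off the wire.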