Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1609
Views
0
Helpful
10
Replies

peap authententication

Go to solution
Network Pro
Level 1
Level 1

‎06-10-2011 08:15 AM - edited ‎07-03-2021 08:18 PM

Hi,

what does Enable PEAP machine authentication mean on the ACS server ?

we are having a training center where we use certificates for any laptop (domain laptops) to join our wireless network. just wondering  is there any possiblitly for any laptop (not on domain) to join without having the certificates ? say for example any android or iphone, is it possible to join the wireless network without having hte certificates ?

Thanks

Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Devashree Chakrabarti
Level 1
Level 1
In response to Network Pro

‎06-20-2011 11:58 PM

" Peap machine authentication " - it means that ACS will authenticate those machine [host machines], which are a part of domain. The Iphone or Ipads cannot be a part of domain, therefore, they do not fall under machine-authentication.

If peap machine authentication is enabled on ACS server, then no non-domain laptop can access network.

For better security of wireless network, both machine and certificate authentication is enabled on ACS server.

Let me know if it helps.

thanks

Devashree

View solution in original post

0 Helpful

Go to solution
andrew.brazier
Level 4
Level 4
In response to Network Pro

‎06-21-2011 05:54 AM

If you enable PEAP authentication non-domain PCs can authenticate to the network provided they have the correct root cert installed (if you buy a cert from most providers this shouldn't be a problem).

Enabling MAR will prevent PCs that are not domain members from authenticating to the network, period.

View solution in original post

0 Helpful

Go to solution
andrew.brazier
Level 4
Level 4
In response to Network Pro

‎06-21-2011 07:00 AM

External User Database, Database Configuration, Windows Database, Configure. Scroll down to Windows EAP settings and check the "Enable machine access restrictions".

It looks like I was slightly incorrect when I said a machine that is blocked by MAR has no access, if the user credentials are valid but the machine would be blocked by MAR then access can be granted by using the Group Map.... drop down to select an ACS group. The access the user then gets is controlled by the access permissions of that group so you should be able to make it pretty granular ad have it so an authenticated user on an authenticated machine = full access, authenticated user on an MAR-blocked machine = limited access.

It is also possible to create machine accounts in Windows AD for machines that don't normally have one such as Apple MACs, this then allows them to pass the MAR check.

From the ACS help system:

  • Aging time (hours)—The number of hours that Cisco Secure ACS  caches a successful machine authentication. For as long as successful  machine authentication is retained in the cache, the machine access  restrictions feature can use it to determine whether to limit a user to  the group specified in the group mapping list, below.
  • Group map for successful user authentication without machine authentication—When  the machine access restrictions feature is enabled, this list specifies  the user group whose authorizations are applied to an EAP-TLS or  Microsoft PEAP user who passes authentication but uses a computer that  failed machine authentication.

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Network Pro
Level 1
Level 1

‎06-13-2011 02:03 AM

any thoughts on the above ?

0 Helpful

Go to solution
Dennis Kline
Level 1
Level 1
In response to Network Pro

‎06-13-2011 01:09 PM

Sorry, I can't speak for ACS as that's outside my knowledge base...

but certificates are optional on PEAP.... so my answer would be "yes", a PEAP client without a certificate would be able to authenticate to the network...

Perhaps that is what the ACS option is for - to force using a certificate.. again, just a guess on my part

.....dennis.kline@yahoo.com...(It takes an Act of God to fade a wireless path, but any fool with a backhoe can cut fiber)
0 Helpful

Go to solution
andrew.brazier
Level 4
Level 4

‎06-14-2011 07:36 AM

One way round this is to enable Machiine Access Restrictions. This will prevent any device that does not have a Windows Domain machine account (non-domain laptops, iPhones, iPads, etc) from authenticating even if it has a valid certificate and user credentials. You can enable this under the External Databases, Windows User Database Configuration. It's a tick box in the Windows EAP Settings section.

0 Helpful

Go to solution
Network Pro
Level 1
Level 1
In response to andrew.brazier

‎06-14-2011 08:53 AM

Thanks for the replies...

so could you please let me know how can i use a non domain device to join the wireless network without a certificate?

@andrew.brazier - i was told this option for not allowing iphones or ipads to join the network by using Machine Access Restictions - can you please let me know more about this feature and how it works

so in theory i would like to know how to join a non domain laptop to a wireless netowrk without certificates and how to prevent this as well (using MAR)

Thanks

0 Helpful

Go to solution
Devashree Chakrabarti
Level 1
Level 1
In response to Network Pro

‎06-20-2011 11:58 PM

" Peap machine authentication " - it means that ACS will authenticate those machine [host machines], which are a part of domain. The Iphone or Ipads cannot be a part of domain, therefore, they do not fall under machine-authentication.

If peap machine authentication is enabled on ACS server, then no non-domain laptop can access network.

For better security of wireless network, both machine and certificate authentication is enabled on ACS server.

Let me know if it helps.

thanks

Devashree

0 Helpful

Go to solution
Network Pro
Level 1
Level 1
In response to Devashree Chakrabarti

‎06-21-2011 02:41 AM

Thanks for your reply..

so if i enable peap machine authentication, are you saying no non domain laptops can access the network even if it has the certificates?

in short, i would like to know what is peap authentication and will it work on non domain laptops with or without certifcates ? and what is MAR and how does it work

sorry just being confused with this?

Thanks

0 Helpful

Go to solution
andrew.brazier
Level 4
Level 4
In response to Network Pro

‎06-21-2011 05:54 AM

If you enable PEAP authentication non-domain PCs can authenticate to the network provided they have the correct root cert installed (if you buy a cert from most providers this shouldn't be a problem).

Enabling MAR will prevent PCs that are not domain members from authenticating to the network, period.

0 Helpful

Go to solution
Network Pro
Level 1
Level 1

‎06-21-2011 06:17 AM

thanks for the explanation...

Could you please also expain how to implement MARS. i know there is an option on the ACS to check this. do you have to do anything other than this ? and what meant by aging time that is specified with MAR..

0 Helpful

Go to solution
andrew.brazier
Level 4
Level 4
In response to Network Pro

‎06-21-2011 07:00 AM

External User Database, Database Configuration, Windows Database, Configure. Scroll down to Windows EAP settings and check the "Enable machine access restrictions".

It looks like I was slightly incorrect when I said a machine that is blocked by MAR has no access, if the user credentials are valid but the machine would be blocked by MAR then access can be granted by using the Group Map.... drop down to select an ACS group. The access the user then gets is controlled by the access permissions of that group so you should be able to make it pretty granular ad have it so an authenticated user on an authenticated machine = full access, authenticated user on an MAR-blocked machine = limited access.

It is also possible to create machine accounts in Windows AD for machines that don't normally have one such as Apple MACs, this then allows them to pass the MAR check.

From the ACS help system:

  • Aging time (hours)—The number of hours that Cisco Secure ACS  caches a successful machine authentication. For as long as successful  machine authentication is retained in the cache, the machine access  restrictions feature can use it to determine whether to limit a user to  the group specified in the group mapping list, below.
  • Group map for successful user authentication without machine authentication—When  the machine access restrictions feature is enabled, this list specifies  the user group whose authorizations are applied to an EAP-TLS or  Microsoft PEAP user who passes authentication but uses a computer that  failed machine authentication.
0 Helpful

Go to solution
Network Pro
Level 1
Level 1
In response to andrew.brazier

‎06-21-2011 07:13 AM

thanks for the reply

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card