ACS, WCS, PEAP, Machine Authentication

beausoleilb1
Level 1

We are building a new wireless network complete with a new ACS 5.2 appliance and new LAN controllers with WCS.  We want to create an encrypted/secured SSID that ONLY machines managed by us can access the LAN with.  We are looking for the best solution with the least amount of complexity.  After several discussions in-house, we are looking to use PEAP authentication (currently testing with a self-signed cert), then create an access policy in ACS to validate the machine is a member of Active Directory.  Unfortunately I cannot find the way to validate the machine's membership.  I'm not sure if I am missing something, or if this is even possible.  If anyone has any suggestions to make this happen, or a better way to handle this, I'd appreciate the assistance. 

Accepted Solution

Nicolas Darchis
Cisco Employee

What you need is machine authentication. The machine will first authenticate with its credentials (AD account) and then the user will authenticate too. This option is available under the Windows client.

Then you can also set the ACS to only allow a user to authenticate if the machine has been authenticated before.

You have to enable machine auth on the ACS server (Users and Identity Stores --> External Identity Stores --> Active Directory, check the Enable Machine Authentication box).

Also, under Access Policies --> Access Services, on the Allowed Protocols tab, you enable the "Process Host Lookup" option.

Create an access policy, enable PEAP-MSCHAPv2/Process Host Lookup, define conditions by using Identity Group and Was Machine Authenticated, which looks like:

     1) if Identity group in machine group, then permit access

     2) if Identity group in user group and Was Machine Authenticated, then permit access

     3) default deny access

More details in discussions like https://supportforums.cisco.com/thread/2014145

Hope this helps.

Nicolas

===

Don't forget to rate answers that you find useful


5 Replies


Thanks Nicolas,

The Was Machine Authenticated flag was my issue.  The rest was already in place. 

Thank you

I also set this up for a customer. Their AD had 3 separate forests that were set to trust each other. I could enumerate groups from all three forests in the select group section (not using groups yet, just checking I could see them).

However, only machines that are in the configured "Active Directory Domain Name" and one of the other two will authenticate. If a machine belongs to the third domain, I get error 24485: Machine authentication against Active Directory has failed because of wrong password.

I didn't realise machines could have the wrong password, but even so can anyone explain what is happening here?

reload in 25 years

The domain connection to the machine was stale; the machine was re-joined to the domain and it worked as normal.

reload in 25 years

Vinay Sharma
Level 7

Check this Doc

Tips to make Machine Authentication Work - PEAP Authentication - https://supportforums.cisco.com/docs/DOC-21825

Thanks.

Thanks & Regards