EAP-TLS machine authorization using ACS 5.2

bhatatrans
Level 1

Dear all,

I have been struggling with this for a couple of days now and I think there must be something I'm not quite understanding.

We are trying to deploy a new Wifi infrastructure using windows wireless clients, Motorola APs (with RFS switches) and using a Cisco ACS 5.2 appliance as our Radius server.

In trying to get EAP-TLS to work, I can get clients to connect if no real authorization is used, but when I try to validate if the machine name in the client certificate belongs to a particular AD group, the authorization fails.  I don't see how to get the ACS to use the Radius "Username" it receives through the certificate to authorize the machine.  The value in the Radius username attribute is the name of the machine.  I would like the ACS to check to see if this machine name belongs to a particular group in the Windows AD.

We started with PEAP-MSCHAPv2, but security wanted machine authorization, so we thought EAP-TLS was the only way to get this. Now I'm no longer sure.

I would love it if someone can guide me in getting the ACS to validate if the machine belongs to a certain group in the Active Directory using either

1) EAP-TLS

2) PEAP-MSCHAPv2


Thanks!

1 Accepted Solution

Hello.

Just checking something here:

In your policy, under Identity, do you have AD1 (or some Identity Store Sequences with AD1 in it) listed as Identity Source?

10 Replies

Jatin Katyal
Cisco Employee

Hi Anita,

I'm assuming that you only want to do machine authentication against one specific group on the AD.


If that is the case then you need to use two customized attributes in the access-policy.


1.] AD1: External Groups : Domain Computers

2.] System Username starts from : host/


The above two attributes can be added by going to Access-policy >> authorization >> bottom right corner >> customize >> move both the attributes to the right side and click submit.


After that enter the above suggested values.


Before you perform above task, please ensure we have fine connection with AD, I mean when you fetch the directory groups from the AD section it should work.


Please feel free to contact me for further queries.


Rgds, Jatin



Do rate helpful posts-


~Jatin

Thanks for the fast response.

I already had the AD1 external groups configured, but I was trying to figure out how to do 2). Unfortunately, it is still not working. I cannot get the ACS to properly query the AD with the proper information. When I look at the ACS logs, I do not see the AD groups that belong to the particular computer in the Authentication details > Other Details section, so I don't think the query is functioning correctly. I will try to further debug this using the CLI.

By any chance do you know if we can perform both machine AND user authentication using PEAP-MSCHAPv2 with the ACS?

Hi Anita,


Yes, that can be done very easily.



You will need to have only one authorization rule created, where we should have an attribute selected "was machine authenticated" equals TRUE, then assign authorization policy: permit (whatever we have created).

This feature will ensure that the user machine has been authenticated before the user is authenticated.

Apart from that you should have "Machine authentication and MAR" enabled under the AD settings.
Users and Identity Stores >  ... >  External Identity Stores >  Active Directory >General Tab.

Once you are done then you've to reboot the host/machine to get this checked. You can check the machine authentication attempt and user authentication attempt under the Monitoring and reports >> favorites >> radius authentication today.


Rgds, Jatin



Do rate helpful posts-

~Jatin

Hello,

I ran debug-adclient while trying to authenticate a machine using EAP-TLS and it seems like the ACS does not even try to query the AD for attributes. I don't know why this is happening. What I have configured in my authentication rule is:

1) Authentication Method: match x509_PKI (I know this works because it passes with just this checked)

2) AD1: ExternalGroups: contains any and the list of groups

3) System:UserName: starts with host/

Can you see why the ACS does not even try to query the AD?  I know the ACS can because when MSCHAP is allowed, I see all the queries being done properly with the attributes being returned to the ACS.

Secondly, if I do configure machine authentication with MSCHAPv2 when using user authentication as well, does the machine authentication only happen at boot?

Thanks!

Yes. In order to initiate machine authentication, you must reboot the machine/computer/laptop (recommended).


Microsoft PEAP clients may also initiate machine authentication whenever a user logs off. This feature prepares the network connection for the next user login. Microsoft PEAP clients may also initiate machine authentication when a user shuts down or restarts the computer rather than just logging off.


Rgds, Jatin



Do rate helpful posts-

~Jatin

Thanks for clearing up machine authentication using PEAP.  I didn't know we could also authenticate at each login.  Is this only for Windows 7 or will it work for Windows XP SP3 clients as well?

I have opened up a TAC with Cisco for my TLS authentication issue.  I will post what I find out.

Thanks for your help.

Anita

Well, reboot is required for all kind of OS and supplicants to initiate machine authentication.


However, in Windows XP SP3, the wired network connection settings are defined as a separate service from the wireless network connection service. In this new service, all the wired network connection profile information is stored in XML files. Therefore, the AuthMode and Supplicant Mode registry entries are no longer used in Windows XP SP3. The settings that these registry keys define must now be added directly to the profile.

The default value for the supplicant mode in Windows XP SP3 for a client that uses a wired network connection is 3. In this setting value, the client sends an Extensible Authentication Protocol over LAN (EAPOL)-Start message for each change in user context.

The default value for the authentication mode in Windows XP SP3 for a client that uses a wired network connection is 1.


You cannot connect to an 802.1X wired network after you upgrade to Windows XP Service Pack 3
http://support.microsoft.com/kb/953650

Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3
http://support.microsoft.com/kb/949984/


Rgds, Jatin


Do rate helpful posts-

~Jatin

I think I may have found the issue.  It looks like the ACS cannot properly query the AD using Computer names.

In Users and Identity Stores >External Identity Stores > Active Directory > Directory Attributes, I can search attributes of any user, but all computer names I enter return no values when I click on Select...  I verified the account we are using for querying the AD and it has the permissions to read and query the entire Active Directory.  Do you know why this may be happening?

Anita

Hello.

Just checking something here:

In your policy, under Identity, do you have AD1 (or some Identity Store Sequences with AD1 in it) listed as Identity Source?

Yes, you were absolutely right. I was wondering how to make the connection between Identity and authority. I had chosen CN Username. Thanks.

Anita
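The two-condition rule Jatin describes (System:UserName starts with host/ AND AD1:ExternalGroups contains the computer group) and the accepted answer's point that the group lookup only happens when AD1 is the Identity Source, modelled in a small added example. This is illustrative code written for this page, not ACS code; the group table, hostnames and the identity-source names are constructed, and the host/FQDN to COMPUTERNAME$ mapping is the standard AD computer-account convention.

```python
"""Added example: how an ACS-style machine authorization rule for an EAP-TLS
request behaves depending on the identity source the policy selected."""
from typing import Optional, Set

# Constructed sample directory: sAMAccountName -> group memberships.
AD_GROUPS = {
    "PC01$": {"Domain Computers", "Wifi-Machines"},
    "PC02$": {"Domain Computers"},
    "anita": {"Domain Users"},
}


def machine_account_from_username(username: str) -> Optional[str]:
    """Map the RADIUS User-Name taken from a machine certificate
    ('host/pc01.corp.example') to the AD computer account 'PC01$'.
    Returns None when the name is not a machine identity."""
    if not username.startswith("host/"):
        return None
    host = username[len("host/"):]
    short = host.split(".", 1)[0]          # drop the DNS suffix
    return short.upper() + "$"             # computer accounts end in '$'


def fetch_external_groups(identity_source: str, username: str) -> Set[str]:
    """Only an AD identity source populates AD1:ExternalGroups. With
    'CN Username' (certificate-only identity) ACS never asks AD, so the
    attribute is empty and any group rule fails: the accepted answer."""
    if identity_source != "AD1":
        return set()
    acct = machine_account_from_username(username) or username
    return AD_GROUPS.get(acct, set())


def authorize_machine(identity_source: str, username: str,
                      required_groups) -> str:
    """Jatin's rule: System:UserName starts with host/ AND
    AD1:ExternalGroups contains any of required_groups -> permit."""
    if not username.startswith("host/"):
        return "deny"                      # a user login, not a machine
    groups = fetch_external_groups(identity_source, username)
    if groups & set(required_groups):
        return "permit"
    return "deny"
```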
