is it possible to do machine and user authentication in same Authorization profile?

nrafia
Level 1

Hi,

I want to know, is it possible for machine authentication and user authentication to happen at the same time? Something like this...

Condition

IF ( wired_802.1x AND AD:externalgroup EQUAL domain computer AND AD:externalgroup EQUAL Some_domain_user_group )

Permissions

then Vlan x

Basically I am trying to check that a machine is part of the domain and the user is valid; only then should he be able to have full access.

Any help will be of great value.

Accepted Solution

edwjames
Level 3

Hi,

IF ( wired_802.1x AND AD:externalgroup EQUAL domain computer AND AD:externalgroup EQUAL Some_domain_user_group )

- Not possible

As user and machine authentication occur in different contexts.

ACS cannot verify both at the same time.

Using MAR, though, you can club both together and achieve:

"machine is part of domain and user is valid only then he should be able to have full access"

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978

Tips for configuring MAR:

1) Set the client to perform user or computer authentication.

2) Create two rules in authorization, one for user and one for machine (identify them by using group membership on AD).

3) Enable MAR under the AD configuration page on ACS and set the aging time.

4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.

Rate if useful

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

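To make the accepted answer concrete, here is a small added model of the two approaches it contrasts. It is a constructed illustration written for this thread, not Cisco ACS code: the VLAN numbers, the "Domain Computers" group name, the MAC-keyed cache and the decision to reject a user whose endpoint has no recent machine authentication are all assumptions. It shows why the single rule from the question can never match (a request carries either a machine identity or a user identity, never both) and how two rules plus a "Was machine authenticated" condition with an aging time get the intended result.

```python
"""Toy model of Machine Access Restriction (MAR) evaluation.

Constructed illustration for this thread, not Cisco ACS code. Rule
names, VLANs, group names and the MAC-keyed cache are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WIRED_DOT1X = "wired_802.1x"
MACHINE_GROUP = "Domain Computers"      # assumed AD group for domain machines
USER_GROUP = "Some_domain_user_group"   # group name from the question
FULL_ACCESS = "VLAN 10"                 # assumed value for "Vlan x"
MACHINE_ONLY = "VLAN 20"                # assumed limited VLAN for machine-only access
DENY = "ACCESS-REJECT"                  # assumed outcome when no rule matches


@dataclass(frozen=True)
class AuthRequest:
    """One 802.1X authentication as ACS would see it."""
    protocol: str
    identity: str                 # "host/..." for a machine, account name for a user
    calling_station_id: str       # endpoint MAC reported by the switch
    ad_groups: Tuple[str, ...]    # AD groups resolved for *this* identity only
    timestamp: float              # seconds

    @property
    def is_machine(self) -> bool:
        return self.identity.startswith("host/")


def single_rule_both_groups(req: AuthRequest) -> bool:
    """The rule from the question. One request resolves the groups of one
    identity, so the machine-group and user-group checks are never both true
    in the same evaluation; this always returns False for real traffic."""
    return (req.protocol == WIRED_DOT1X
            and MACHINE_GROUP in req.ad_groups
            and USER_GROUP in req.ad_groups)


class MarPolicy:
    """Two authorization rules joined by a MAR cache keyed on the endpoint MAC."""

    def __init__(self, aging_time_s: float):
        self.aging_time_s = aging_time_s
        self._machine_auth_cache: Dict[str, float] = {}   # MAC -> last machine auth

    def was_machine_authenticated(self, req: AuthRequest) -> bool:
        """The 'Was machine authenticated' condition, bounded by the aging time."""
        last = self._machine_auth_cache.get(req.calling_station_id)
        return last is not None and 0 <= req.timestamp - last <= self.aging_time_s

    def authorize(self, req: AuthRequest) -> str:
        if req.protocol != WIRED_DOT1X:
            return DENY
        # Rule 1 (machine): domain member -> remember the endpoint, limited access.
        if req.is_machine and MACHINE_GROUP in req.ad_groups:
            self._machine_auth_cache[req.calling_station_id] = req.timestamp
            return MACHINE_ONLY
        # Rule 2 (user): valid user AND machine recently authenticated -> full access.
        if not req.is_machine and USER_GROUP in req.ad_groups:
            return FULL_ACCESS if self.was_machine_authenticated(req) else DENY
        return DENY


def run_demo() -> List[str]:
    """Replay a constructed sequence of requests and return the decisions."""
    policy = MarPolicy(aging_time_s=3600)
    mac = "00:11:22:33:44:55"                          # constructed endpoint MAC
    requests = [
        AuthRequest(WIRED_DOT1X, "host/PC01.example.local", mac, (MACHINE_GROUP,), 0.0),
        AuthRequest(WIRED_DOT1X, "alice", mac, (USER_GROUP,), 60.0),       # after boot
        AuthRequest(WIRED_DOT1X, "bob", "aa:bb:cc:dd:ee:ff", (USER_GROUP,), 61.0),
        AuthRequest(WIRED_DOT1X, "alice", mac, (USER_GROUP,), 3601.0),     # aged out
    ]
    return [policy.authorize(r) for r in requests]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The third request (a valid user on an endpoint that never passed machine authentication) and the fourth (the same endpoint after the aging time has elapsed) are the two cases the aging-time setting decides, which is why step 3 of the answer matters as much as step 4.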

2 Replies


It was extremely helpful.

Thanks and rated.
