Beginner

is it possible to do machine and user authentication in same Authorization profile?

Hi,

I want to know: is it possible for machine authentication and user authentication to happen at the same time? Something like this...

Condition

IF ( wired_802.1x and AD:externalgroup EQUAL domain computer AND AD:externalgroup EQUAL Some_domain_user_group )

Permissions

then Vlan x

Basically, I am trying to check that a machine is part of the domain and the user is valid; only then should he be able to have full access.

Any help will be of great value.

1 ACCEPTED SOLUTION

Participant

is it possible to do machine and user authentication in same Authorization profile?

Hi,

IF ( wired_802.1x and AD:externalgroup EQUAL domain computer AND AD:externalgroup EQUAL Some_domain_user_group )

- Not possible

As user and machine authentication occur in different contexts.

ACS cannot verify both at the same time.

Using MAR, though, you can club both together and achieve:

"machine is part of domain and user is valid only then he should be able to have full access"

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1235978

Tips for configuring MAR:

1) Set the client to perform user or computer authentication.

2) Create two rules in authorization, one for the user and one for the machine (identify them by using group membership in AD).

3) Enable MAR under the AD configuration page on ACS and set the aging time.

4) In the user rule, customize and use the condition "Was machine authenticated" and set it to true.

Rate if useful

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed
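To make the accepted answer's four steps concrete, here is an added example that is not code from the forum post or from Cisco ACS: a small Python model of how MAR ties the two separate authentications together. It assumes a simplified ACS rule table (two rules evaluated top-down), a MAR cache keyed by the endpoint's Calling-Station-ID (MAC address) with a configurable aging time, and hypothetical group names, identities, VLAN numbers and a 12-hour aging value.

```python
"""Added example (not code from the forum post or from Cisco ACS): a model of
Machine Access Restriction (MAR). It shows why the single combined condition
from the question can never match (machine and user identities arrive in
different RADIUS requests) and how the two rules from the accepted answer are
linked through a MAR cache with an aging time. All names and values below are
hypothetical."""

from dataclasses import dataclass, field
from typing import Dict, Optional

MAR_AGING_HOURS = 12.0                     # assumed aging time (configurable in ACS)
MACHINE_GROUP = "Domain Computers"         # hypothetical AD external group
USER_GROUP = "Some_domain_user_group"      # group name used in the question
VLAN_MACHINE_ONLY = 10                     # hypothetical VLAN for machine-only access
VLAN_FULL_ACCESS = 20                      # hypothetical "Vlan x" from the question


@dataclass
class Request:
    """One RADIUS access request as ACS sees it. Machine and user authentication
    arrive as separate requests: the Windows supplicant never presents both
    identities in one EAP session, so one rule cannot test both groups."""
    calling_station_id: str     # endpoint MAC address, e.g. "00-11-22-33-44-55"
    identity: str               # "host/PC1.example.com" or "jdoe@example.com"
    ad_groups: frozenset        # external groups AD returned for that identity
    timestamp: float            # seconds since epoch (hypothetical clock)


@dataclass
class MarCache:
    """MAR cache keyed by the endpoint MAC: a successful machine authentication
    is remembered for `aging_hours`, so a later user authentication from the
    same MAC can evaluate 'Was machine authenticated'."""
    aging_hours: float
    _entries: Dict[str, float] = field(default_factory=dict)

    def record_machine_auth(self, mac: str, now: float) -> None:
        self._entries[mac] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        seen = self._entries.get(mac)
        if seen is None:
            return False
        # An entry older than the aging time no longer counts; the endpoint
        # has to machine-authenticate again (typically by rebooting).
        return (now - seen) <= self.aging_hours * 3600


def authorize(req: Request, cache: MarCache) -> Dict[str, Optional[int]]:
    """Evaluate the two authorization rules from the accepted answer, top-down."""
    # Rule 1: machine authentication. Windows presents host/<fqdn> as the identity.
    if req.identity.startswith("host/") and MACHINE_GROUP in req.ad_groups:
        cache.record_machine_auth(req.calling_station_id, req.timestamp)
        return {"rule": "Machine_Auth", "vlan": VLAN_MACHINE_ONLY}

    # Rule 2: user authentication AND "Was machine authenticated" == True.
    if USER_GROUP in req.ad_groups and cache.was_machine_authenticated(
        req.calling_station_id, req.timestamp
    ):
        return {"rule": "User_On_Domain_Machine", "vlan": VLAN_FULL_ACCESS}

    # Default: a valid user on a non-domain (or stale) machine gets no VLAN here;
    # in ACS you would map this to a restricted profile or deny access.
    return {"rule": "Default", "vlan": None}


def run_scenarios() -> Dict[str, Optional[int]]:
    """Constructed scenarios; returns the VLAN each request ended up with."""
    cache = MarCache(aging_hours=MAR_AGING_HOURS)
    t0 = 1_700_000_000.0
    pc_mac, byod_mac = "00-11-22-33-44-55", "66-77-88-99-aa-bb"
    machine = frozenset({MACHINE_GROUP})
    user = frozenset({USER_GROUP})

    results: Dict[str, Optional[int]] = {}
    # Boot: the machine authenticates before anyone logs on.
    results["boot"] = authorize(
        Request(pc_mac, "host/PC1.example.com", machine, t0), cache)["vlan"]
    # Logon five minutes later from the same MAC: the MAR condition is true.
    results["logon"] = authorize(
        Request(pc_mac, "jdoe@example.com", user, t0 + 300), cache)["vlan"]
    # Same user on a personal laptop that never did machine authentication.
    results["byod"] = authorize(
        Request(byod_mac, "jdoe@example.com", user, t0 + 300), cache)["vlan"]
    # Same PC, user re-authenticates after the aging time has elapsed
    # (for example, the machine was never rebooted over a long weekend).
    results["stale"] = authorize(
        Request(pc_mac, "jdoe@example.com", user, t0 + 3 * 24 * 3600), cache)["vlan"]
    return results


if __name__ == "__main__":
    for name, vlan in run_scenarios().items():
        print(f"{name:6s} -> VLAN {vlan}")
```

The "stale" scenario is the usual operational surprise with MAR: a machine that stays up past the aging time falls out of the cache and its users land in the default rule until the machine re-authenticates, so the aging time from step 3 should be chosen with typical uptime in mind. The cache is also keyed by MAC, so a user who machine-authenticated on wired and then logs on over wireless presents a different Calling-Station-ID and will not match the MAR condition.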
2 REPLIES
Beginner

is it possible to do machine and user authentication in same Authorization profile?

It was extremely helpful.

Thanks and rated.