Tips to make Machine Authentication Work - PEAP Authentication

Vinay Sharma · ‎01-06-2012

Introduction
Solution
Reference
Scenario
Solution
Reference

Introduction

What are the several things that we have to do before the machine authentication can work?

Solution

1. Under Users and Identity stores > Active Directory: Make sure: ACS is joined to your domain and you can see the needed groups under Directory Groups

2. Check the box "enable machine authentication"

Aging time (hours): Once a machine is authenticated this timer starts to tick. Once the time is up the machine would have to be restarted in order for machine authentication to re‐occur. (8 or more hours should be fine)

3. Under Access Policies perform the following:

a. Select Access Services and click on 'Create'

b. Name it 'Wireless network access' (or whatever you like)

c. Under 'User Selected Services Type' select Network Access

d. Under 'Policy Structure' select Identity and Authorization

e. Click 'Next'

f. Step 2 ‐ Allowed Protocols select the following:

i. Process Host Lookup

ii. Allow PEAP

iii. Allow EAP‐MS‐CHAPv2

iv. Allow Password Change

g. Click 'Finish'

h. The following popup will appear, click 'Yes’ to accept

Access Service created successfully. Would you like to modify the Service Selection policy to activate this service?

4. Under 'Service Selection Rules'

a. 'Customize' (on the bottom right side) *Optional

b. You can choose whatever you want to match, but for this, I will make it simple. Choose

only the following:

i. Protocol

ii. Device IP Address *Optional

c. Click 'Ok'

d. Click 'Create'

e. Name it 'Wireless network access' (or whatever you like)

f. Click 'Protocol' and match 'Radius'

g. 'Service' should be the 'Access Service' you created in step #1

h. Check 'Device IP Address' *Optional

i. Input the ip address of the WLC (Management IP) *Optional

j. Click 'Add v' *Optional

k. Under Results | Service choose the service you created *Optional

l. Click 'Ok'

m. Click 'Save Changes' on the bottom

5. Under Access Policies | Access Services | <Your new rule>

a. Select 'Identity'

b. Under 'Identity Source' choose AD1

c. Click 'Save Changes' on the bottom

6. Under Access Policies | Access Services | <Your new rule>

a. Select 'Authorization'

b. Click 'Customize' (on the bottom right side)

c. You can choose whatever you want to match, but for this, I will make it simple.

Choose only the following:

i. System:UserNAme

ii. Was Machine Authenticated

iii. AD1:ExternalGroups

iv. Remove Compound Conditions!!!!!

v. Click 'Ok'

vi. Click 'Save Changes' on the bottom

7. YOU WILL NEED TO CREATE TWO RULES

RULE #1

i. Click 'Create' and name the rule if you wish

ii. Make sure the Status is set to 'Enabled'

iii. Check 'Systen:UserName'

iv. The rule should be as follows" 'starts with' input 'host/' without the quotes

v. Under 'Results' 'Authorization Profiles' click 'Select' and choose 'Permit Access'

vi. Click 'Ok' and Click 'Ok' again

vii. This is all for this rule.

viii. Click 'Ok' on the bottom

RULE #2

i. Click 'Create' and name the rule if you wish

ii. Make sure the Status is set to 'Enabled'

iii. Check 'Was Machine Authenticated'

iv. The rule should be as follows" '= True'

v. Check 'AD1:ExternalGroups' and select 'contains any'

vi. Click on 'Select' and choose the AD user group in which the user resides in

vii. Under 'Results' 'Authorization Profiles' click 'Select' and choose 'Permit Access'

viii. That is all for this rule.

ix. Click 'Ok' on the bottom

c. DEFAULT Rule

i. Click 'Default' at the bottom

ii. Deselect Permit Access and Select Deny Access

iii. Click 'Ok'

iv. Click 'Save Changes' on the bottom

Reference

https://supportforums.cisco.com/thread/2053236

https://supportforums.cisco.com/message/3525141

Scenario

We are building a new wireless network complete with a new ACS 5.2 appliance and new LAN controllers with WCS. We want to create an encrypted/secured SSID that ONLY machines managed by us can access the LAN with. We are looking for the best solution with the least amount of complexity. After several discussions in-house, we are looking to use PEAP authentication (currently testing with a self-signed cert), then create an access policy in ACS to validate the machine is a member of Active Directory. Unfortunately I cannot find the way to validate the machine's membership. I'm not sure if I am missing something, or if this is even possible. If anyone has any suggestions to make this happen, or a better way to handle this, I'd appreciate the assistance.

Solution

What you need is machine authentication. The machine will first authenticate with its credentials (AD account) and then the user will authenticate too. This option is available under the windows client.

Then you can also set the ACS to only allow a user to authenticate if the machine has been authenticated before.

you have to enable machine auth on the ACS server (Users and Identity Stores --> External Identity Stores --> Active Directory, check the Enable Machine Authentication box)?

Also - under Access Policies --> Access Services, on the Allowed Protocols tab, you enable the "Process Host Lookup" option

Create an access policy, enable PEAP-MSCHAPv2/Process Host Lookup, define conditions by using Identity Group and Was Machine Authenticated which looks like:

1) if Identity group in machine group, then permit access

2) if Identity group in user group and Was Machine authenticated, then permit access

3) default deny access

Reference

https://supportforums.cisco.com/thread/2014145

ohansen · ‎01-23-2012

This works fine, at least in a lab scenario, but there are a few things to be aware of here:

1) The computer will get network access, through the computer authentication, without a user logged in. This may or may not be OK, depending on what the security requirements, and one might have to play with VLAN assignments/ACLs if the goal is to not allow full network access for a device until a user logs in.

2) If one uses Windows 7 and the default supplicant, one must be aware of the way it works. If "user or computer" authentication is selected, then the following will happen:

When the user boots his computer, computer authentication will take place
When the user logs in, user authentication will take place
Periodic re-authentication will take place with the interval set on the AP or controller, the "session-timeout" (by default every 30 mins). If the user is not logged in then computer authentication will take place, if he is then user authentication will.
When the user is logged in, only user authentication will ever take place, computer authentication never does.
When the user logs out, computer authentication will take place
When the user suspends his computer without having logged out, and resumes it, user authentication will take place (if suspended for longer than the session-timeout)
The "was machine authenticated" is only valid for the period set under "Machine Access Restrictions", in ACS by default 3 hours.

The above means that we will have to set the MAR appropriately, otherwise after 3 hours and a bit, the user will lose network access as although periodic user authentication has taken place, computer authentication has not.

However, even if we set the MAR to a longer value things are not guaranteed to work as we wish: let's say we set it to 24 hours. The user boots his laptop at 9am, and logs in immediately. In the afternoon he closes the lid on it, without logging out. If he comes back into the office before 9am he will get network access, but after 9am his session will fail. We could set the MAR to a much larger value, but not every security-minded person will be happy with that, and some users keep their laptops running with them logged in for as long as they can, and expecting them to have to log out or reboot to get network access isn't really acceptable in this day and age.

The above might be more of a Microsoft Windows 7 issue than a Cisco issue, but important to keep in mind.

chrisapodmore · ‎02-01-2012

c

Todd S · ‎04-06-2012

Followed these exact instructions with an XP client in a Windows 2008 R2 domain and I get the following error in ACS:

"ACS has not been able to confirm previous successful machine authentication for user in Active Directory"

I verified that this worked with a Windows 7 client. Trying a patch from MS that will hopefully fix it. I don't see the machine auth coming across for the XP client.

The MS patch worked.

KLAUS FRIEDEL · ‎04-19-2012

Hi,

I configured (ACS5.1) like the second Solution above:

AD groups are selected, "enable machine authentication" is OK, Protocols allowed: PEAP; Process Host Lookup

Access Policy: Identity --> AD1

Authorization--> like above

1) if Identity group in machine group, then permit access

2) if Identity group in user group and Was Machine authenticated, then permit access

3) default deny access

The Problem is: Machine Authentication does not work

Monitoring and Reports: only User Authentication:

Evaluating Identity Policy

15004 Matched rule

15013 Selected Identity Store - AD1

24430 Authenticating user against Active Directory

24416 User's Groups retrieval from Active Directory succeeded

24402 User authentication against Active Directory succeeded

22037 Authentication Passed

Does anyone know whats wrong in our Configuration?

Thanks in advance

Todd S · ‎04-19-2012

Klaus,

Your first rule is incorrect. You aren't matching the machine to a group in AD, you're just looking up in AD that it exists. This should be the first rule:

i. Click 'Create' and name the rule if you wish

ii. Make sure the Status is set to 'Enabled'

iii. Check 'Systenm:UserName'

iv. The rule should be as follows" 'starts with' input 'host/' without the quotes

v. Under 'Results' 'Authorization Profiles' click 'Select' and choose 'Permit Access'

vi. Click 'Ok' and Click 'Ok' again

vii. This is all for this rule.

viii. Click 'Ok' on the bottom

KLAUS FRIEDEL · ‎04-20-2012

Hi Todd,

It still doesn't work.

Please let's analyse step by step:

For Identity: single result selection

"Identitiy Source": AD1

For Authorization :

Rule 1: Condition #1 System:UserName: Starts with : host/ ...

Authorization profile: Permit Access

Rule 2: Condition #1 Was Machine Authenticated = True ...

Condition #2 AD1: External Groups:

contains any: domain\usergroup

Authorization profile: Permit Access

Default: Authorization profile: Deny Access

I use a notebook XP SP3. It is a domain member ("domain"/SystemGroups/Domain Computers)

and the user is in a security group for "WlanUser"

Problem:

ACS only match the Default Rule for Authorization:

Evaluating Identity Policy

15006 Matched Default Rule

15013 Selected Identity Store - AD1

24430 Authenticating user against Active Directory

24416 User's Groups retrieval from Active Directory succeeded

24402 User authentication against Active Directory succeeded

22037 Authentication Passed

Evaluating Group Mapping Policy

11824 EAP-MSCHAP authentication attempt passed

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response

11814 Inner EAP-MSCHAP authentication succeeded

11519 Prepared EAP-Success for inner EAP method

12314 PEAP inner method finished successfully

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12306 PEAP authentication succeeded

11503 Prepared EAP-Success

24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory

Evaluating Exception Authorization Policy

15042 No rule was matched

Evaluating Authorization Policy

15006 Matched Default Rule

15016 Selected Authorization Profile - DenyAccess

15039 Selected Authorization Profile is DenyAccess

11003 Returned RADIUS Access-Reject

regards Klaus

Scott Fella · ‎04-20-2012

I usually see this error:

24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory

when the device is not rebooted or the timer for MAR has expired.

Todd S · ‎04-20-2012

Klaus,

Try installing this patch on your XP SP3 machine.

http://support.microsoft.com/kb/969111

I had to do that to get the XP SP3 machine working.

Todd

KLAUS FRIEDEL · ‎05-02-2012

hi Todd,

We tested a lot. It didn't work with XP but it works well with WIN7.

We see the problem in client settings:

you can choose "machine authentication", "user authentication" or "user or machine authentication"

If you choose "machine authentication" then (machine is AD member) -->access permit (rule 1)

without user authentication.

Only if you choose "user or machine authentication" then it works well with both rules.

Thanks Klaus

N3t W0rK3r · ‎11-17-2016

I would like to add dynamic vlan assignment (based on user auth) to this scenario (which we already have working with ACS 5.8 and WLC 8.2).

The problem we have run into, is that even though the WLC assigns the client into the new VLAN correctly when the user logs in, the Windows 7 client does not issue any new DHCP requests for an address in this new VLAN.

We opened a case with TAC and they advised that the issue lies with the Windows 7 client but they offered absolutely no guidance on how to get it to work.

I am totally confused as to what needs to be done on the client side to get this to work. Is it even possible?

Has anyone here been able to do this successfully? I'd love to hear form you.

Thanks.

John