Beginner

Limit access to computers in AD domain

We have ACS 5.2 and a WLC 5500, and we have been unable to limit our access service to machine authentication against AD. This is resulting in other, unintended devices being allowed access to the WLAN; users simply accept the cert and are allowed access. How can I prevent non-domain devices, or test the device for domain membership?

Thanks

Cisco Employee

Re: Limit access to computers in AD domain

Configure both machine and user authentication on the clients.

On ACS, add a condition to your access policy (was machine authenticated = true) to force clients to be machine authenticated beforehand, and you should be good to go!

Beginner

Re: Limit access to computers in AD domain

Configuring the condition on the ACS is the problem I am having. I have not been able to find where or how to add the "was machine authenticated" condition. I have looked under the standard policy and the exception policy, but ACS does not present those conditions. I only get "in" or "not in" under identity group. Do you know in which menu I would find the conditions?

Cisco Employee (Accepted Solution)

Re: Limit access to computers in AD domain

Go to the "authorization" menu of your access service, and hit "Customize" on the bottom right.

It allows you to add different sorts of conditions. You should have "was machine authenticated" there, if I'm not mistaken.

Beginner

Re: Limit access to computers in AD domain

Thanks for the insight. I have it working partially. We have two laptops, both Dell: one is an E6410, the other a D630. The D630 works but the E6410 does not.

The client settings are identical. We are seeing the following error on the ACS:

Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure.

Any ideas on what might cause this condition?
Beginner

Re: Limit access to computers in AD domain

D

Beginner

Re: Limit access to computers in AD domain

Well, I thought the issue was resolved, but apparently it is not. We have user auth against the directory working fine, but when we try to do machine auth it consistently fails, even with the "was machine authenticated" setting as previously suggested. Not sure why we are having so much trouble. We are using PEAP, MSCHAPv2, and eventually would like to use smart cards.

We have one rule with ad:external pointing to both users and an OU with computers, was machine authenticated = true.

Not sure where to look next?


Cisco Employee

Re: Limit access to computers in AD domain

You say that machine authentication fails?

Then the next step is to understand why it fails (monitoring and reports).

If your point was that a non-domain laptop can also user-authenticate, then it's another story.

Beginner

Re: Limit access to computers in AD domain

Nicolas, here is what we are seeing in the log; everything in the steps prior is successful:

Evaluating Group Mapping Policy
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
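The Cisco employee's advice is to read the monitoring report to see why the attempt fails, and the report above already says it in step 24423: the inner EAP-MSCHAP and PEAP steps succeeded, so the password was right, but ACS had no record of a prior machine authentication for this endpoint, so the "was machine authenticated = true" rule did not match and the default DenyAccess rule did. The following is an added Python helper, not Cisco tooling and not part of this thread, that pulls the step codes out of such a report and classifies this pattern. The first sample's step lines are copied from the post above; the second sample is constructed; and step code 11002 (Access-Accept) is assumed, since it does not occur in the thread.

```python
"""Triage an ACS 5.x authentication report ('Steps' list) for the MAR pattern.

Added example, not Cisco tooling. Step codes below are the ones in the thread,
except ACCESS_ACCEPT (11002), which is assumed.
"""
import re
from typing import Dict, List, Tuple

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.+?)\s*$")

CREDENTIALS_OK = {"11814", "12314", "12306"}  # inner MSCHAP / PEAP success
MAR_NOT_CONFIRMED = "24423"   # no prior machine authentication for this endpoint
MATCHED_DEFAULT_RULE = "15006"
ACCESS_REJECT = "11003"
ACCESS_ACCEPT = "11002"       # assumption: not in the thread


def parse_steps(report: str) -> List[Tuple[str, str]]:
    """Keep the numbered step lines; phase headers such as 'Evaluating
    Authorization Policy' carry no code and are skipped."""
    steps = []
    for line in report.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def triage(report: str) -> Dict[str, object]:
    """Classify the report and say what to look at next."""
    codes = {code for code, _ in parse_steps(report)}
    verdict: Dict[str, object] = {
        "credentials_ok": bool(codes & CREDENTIALS_OK),
        "default_rule_hit": MATCHED_DEFAULT_RULE in codes,
    }
    if ACCESS_REJECT in codes and MAR_NOT_CONFIRMED in codes:
        # Password accepted, but the 'Was Machine Authenticated' condition was false
        verdict["category"] = "mar_not_confirmed"
        verdict["next_check"] = ("look for a host/ (machine) authentication from the same "
                                 "Calling-Station-Id before this logon; none means the "
                                 "supplicant is not doing machine authentication")
    elif ACCESS_REJECT in codes:
        verdict["category"] = "other_reject"
        verdict["next_check"] = "read the failing step just before 11003"
    elif ACCESS_ACCEPT in codes:
        verdict["category"] = "accept"
        verdict["next_check"] = None
    else:
        verdict["category"] = "incomplete"
        verdict["next_check"] = "report has no RADIUS result step"
    return verdict


# Sample 1: the tail of the report posted in this thread.
MAR_REJECT_REPORT = """\
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
"""

# Sample 2 (constructed): a session where a rule matched and access was granted.
ACCEPT_REPORT = """\
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
Evaluating Authorization Policy
15016 Selected Authorization Profile - PermitAccess
11002 Returned RADIUS Access-Accept
"""

if __name__ == "__main__":
    for name, report in (("thread report", MAR_REJECT_REPORT), ("constructed", ACCEPT_REPORT)):
        print(name, triage(report))
```

Run against the posted report it reports "mar_not_confirmed" with credentials_ok and default_rule_hit both true, which is exactly the combination that points at the supplicant (no machine authentication sent from that MAC) rather than at AD or the password.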

Beginner

Re: Limit access to computers in AD domain

Here is the rule we have set; we have only one access service running:

contains any (mydomain.net/Users/Domain Users; mydomain.net/enterprise/workstations) -ANY- = True Permit Access 13

Cisco Employee

Re: Limit access to computers in AD domain

The above probably means that there was no machine authentication before.

Do you see a machine authentication attempt from that workstation?

If not, it may be on the workstation itself that the config needs a look.

Beginner

Limit access to computers in AD domain

Hi

I have a similar problem. I have added an authorization rule to the access service and selected "was machine authenticated=True" and "contains any(mydomain.net/Domain users;mydomain.net/Domain computers)".

BUT this authorization rule NEVER gets used; instead the flow goes to the default one, which I set to permit access.

Any help is greatly appreciated.

Raoul

Hall of Fame Master

Re: Limit access to computers in AD domain

What RADIUS server are you using?


-Scott
Beginner

Re: Limit access to computers in AD domain

Hi Scott

I am using Cisco ACS 5.1. I have:

- Joined the ACS to AD, enabled Machine Auth and MAR, and selected both user and machine groups in the Directory Groups

- Created an access policy, enabled PEAP-MSCHAPv2/Process Host Lookup, and defined conditions using Identity Group and Was Machine Authenticated, which looks like:

     1) if Identity group in machine group, then permit access

     2) if Identity group in user group and Was Machine Authenticated, then permit access

     3) default deny access

What happens is that neither authorization rule gets selected; I set the default one to allow access, and it is the one that gets used.

Thanks
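Both rule sets in this thread (the "was machine authenticated = true" condition the Cisco employee suggests near the top, and Raoul's three-rule policy above) depend on how ACS decides that a user logon came from a machine that has already authenticated. The following is an added Python model, not Cisco code and not anything posted in the thread, of that first-match evaluation. It assumes, as this example's own simplification, that MAR remembers a permitted machine authentication per endpoint MAC (Calling-Station-Id) for an aging window, and it uses the group names from the posts. It shows why a user logon from a machine that never did a machine authentication falls through to the default rule, and therefore why the default rule is the control that matters: with a default of PermitAccess, a personal laptop with a valid domain password gets on regardless of the rule above it.

```python
"""Model of first-match authorization with ACS 5.x 'Was Machine Authenticated'.

Added example, not Cisco code. Assumptions (this example's own, not from the
thread): MAR remembers a permitted machine authentication per endpoint MAC
(Calling-Station-Id) for an aging window; group names are the ones posted.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

PERMIT, DENY = "PermitAccess", "DenyAccess"
MACHINES = frozenset({"mydomain.net/enterprise/workstations"})
USERS = frozenset({"mydomain.net/Users/Domain Users"})


@dataclass
class Request:
    identity: str               # "host/<name>" for machine auth, else the user name
    mac: str                    # Calling-Station-Id
    ad_groups: FrozenSet[str]   # groups AD returned for this identity (constructed)
    now: int                    # seconds since an arbitrary epoch


@dataclass
class Rule:
    name: str
    groups_any: FrozenSet[str]             # "contains any" condition; empty = -ANY-
    machine_authenticated: Optional[bool]  # None = -ANY-
    result: str


@dataclass
class AcsPolicy:
    rules: List[Rule]
    default_result: str
    mar_aging_seconds: int = 6 * 3600
    mar_cache: Dict[str, int] = field(default_factory=dict)  # mac -> last machine auth

    def was_machine_authenticated(self, req: Request) -> bool:
        seen = self.mar_cache.get(req.mac)
        return seen is not None and req.now - seen <= self.mar_aging_seconds

    def authorize(self, req: Request) -> Tuple[str, str]:
        """Return (matched rule name, authorization profile); first match wins."""
        mar = self.was_machine_authenticated(req)
        matched, result = "Default", self.default_result
        for rule in self.rules:
            if rule.groups_any and not (rule.groups_any & req.ad_groups):
                continue
            if rule.machine_authenticated is not None and rule.machine_authenticated != mar:
                continue
            matched, result = rule.name, rule.result
            break
        # Only a permitted machine authentication populates the MAR cache;
        # a user logon never does, however valid the password.
        if req.identity.startswith("host/") and result == PERMIT:
            self.mar_cache[req.mac] = req.now
        return matched, result


def build_policy(default_result: str) -> AcsPolicy:
    return AcsPolicy(
        rules=[
            Rule("Domain machines", MACHINES, None, PERMIT),
            Rule("Domain users on domain machines", USERS, True, PERMIT),
        ],
        default_result=default_result,
    )


def demo() -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Run the same three logons against a policy whose default rule denies
    and one whose default rule permits (the configuration in Raoul's post)."""
    results = {}
    for default in (DENY, PERMIT):
        policy = build_policy(default)
        # Domain laptop: machine auth at boot, user logon a minute later, same MAC
        policy.authorize(Request("host/LAPTOP1.mydomain.net", "00:11:22:33:44:55", MACHINES, 0))
        results[(default, "domain laptop user")] = policy.authorize(
            Request("jdoe", "00:11:22:33:44:55", USERS, 60))
        # Personal laptop: valid domain user password, never machine-authenticated
        results[(default, "personal laptop user")] = policy.authorize(
            Request("jdoe", "66:77:88:99:aa:bb", USERS, 60))
        # Domain laptop whose MAR entry has aged out (7 h after machine auth)
        results[(default, "aged-out MAR")] = policy.authorize(
            Request("jdoe", "00:11:22:33:44:55", USERS, 7 * 3600))
    return results


if __name__ == "__main__":
    for (default, case), (rule, profile) in demo().items():
        print(f"default={default:<12} {case:<22} -> {rule} / {profile}")
```

The aged-out case is the one to keep in mind when a rule that used to match stops matching later in the day: the machine authentication happened, but outside the MAR window, so the user logon is treated exactly like one from a non-domain device.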
