cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8202
Views
0
Helpful
34
Replies

Limit acces to computers in AD domain

don_henry
Level 1
Level 1

We have

ACS 5.2, WLC 5500, and we have been unable to limit our access service to

machine authentication against AD. This is resulting in other

unintended devices being allowed access to the WLAN, users simply accept the cert and are allowed access. How can I prevent

non-domain devices? or test the device for domain membership?

Thanks

1 Accepted Solution

Accepted Solutions

Go to the "authorization" menu of your access service, and hit "Customize" on the bottom right.

It allow you to add different sort of conditions. You should have "was machine authenticated" there if I'm not mistaken

View solution in original post

34 Replies 34

Nicolas Darchis
Cisco Employee
Cisco Employee

Configure both machine and user authentication on the clients.

On ACS, add a condition to your access policy (was machine authenticated=true) to force clients to be machine authenticated before and you should be good to go !

Configuring the condition on the ACS is the problem I am having. I have not been able to find where or how to add the "was machine authenticated condition". I have looked under Standard policy and exception policy but the ACS does not present those conditions. I only get in or not in under identity group. Do you know which menu I would find the condtions??

Go to the "authorization" menu of your access service, and hit "Customize" on the bottom right.

It allow you to add different sort of conditions. You should have "was machine authenticated" there if I'm not mistaken

Thanks for the insight. I have it working partially, we have two laptops both dell one is a e6410 the other d630. The D630 works but the E6410 does not.

The client settings are identical. We are seeing the following error on the ACS:

Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure.
Any Ideas on what might cause this condition?

D

Well I thought the issue was resolved but apparently it is not. We have user Auth against the directory working fine but when we

try to do machine auth it consistently fails even with the

was machine authenticated setting as previously suggested. Not sure

why we are having so much trouble. We are using PEAP, mschapv2, and eventually would like to use smart cards.

We have one Rule with ad:external point to both users and an OU with computers, was machine authenticated= true

not sure where to look next??

don_henry
Level 1
Level 1

Well I thought the issue was resolved but apparently it is not. We have user Auth against the directory working fine but when we

try to do machine auth it consistently fails even with the

was machine authenticated setting as previously suggested. Not sure

why we are having so much trouble.  We are using PEAP, mschapv2, and eventually would like to use smart cards.

We have one Rule with ad:external point to both users and an OU with computers, was machine authenticated= true

not sure where to look next??

You say that machine authentication fails ?

Then the next step is to understand why it fails (monitoring and report)

If your point was that a non-domain laptop can also user authenticate, then it's another story.

Nicolas here is what we are seeing in the log everything in the steps prior is successful

Evaluating Group Mapping Policy

11824 EAP-MSCHAP authentication attempt passed

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response

11814 Inner EAP-MSCHAP authentication succeeded

11519 Prepared EAP-Success for inner EAP method

12314 PEAP inner method finished successfully

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12304 Extracted EAP-Response containing PEAP challenge-response

12306 PEAP authentication succeeded

11503 Prepared EAP-Success

24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory

Evaluating Exception Authorization Policy

15042 No rule was matched

Evaluating Authorization Policy

15006 Matched Default Rule

15016 Selected Authorization Profile - DenyAccess

15039 Selected Authorization Profile is DenyAccess

11003 Returned RADIUS Access-Reject

Here is the rule we have set and Have only one access service running

contains any (mydomain.net/Users/Domain Users; mydomain.net/enterprise/workstations) -ANY- = True Permit Access 13

The above means that there was no machine authentication before probably.

do you see a machine authentication attempt from that workstation ?

If not, it may be on the workstation itself that config needs a look.

Hi

I have a similar problem. I have added an authorization rule of the access service and selected "was machine authenticated=True" and "contains any(mydomain.net/Domain users;mydomain.net/Domain computers)"

BUT this authorization rule NEVER get used and instead the flow goes the default one which I set to permit access.

Any help is greatly appreciated.

Raoul

Scott Fella
Hall of Fame
Hall of Fame

What radius server are you using?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott

I am using cisco acs 5.1. I have

-Joined the ACS to AD and enable Machine Auth and MAR, select both user and machine groups in the Directory Groups

-Created an access policy, enable PEAP-MSCHAPv2/Process Host Lookup, define conditions by using Identity Group and Was Machine Authenticated which looks like:

     1) if Identitty group  in machine group, then permit access

     2) if Identtity group in user group and Was Machine authenticated, then permit acces

     3) default deny access

What happened is both authorization rules do not get selected and set the default one to allow access and it is the one that gets used.

Thanks

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: