Cisco AnyConnect NAM User vs. Machine Auth

rleivaoc
Cisco Employee

Hello Everyone,

I am trying to understand the difference between User and Machine Authentication. The real question is: what gets sent when I use machine auth? Is it the host's MAC address, or the host name, when I first plug in to an 802.1X-enabled port? I want to understand the process it takes, and the use cases.

For user auth I also want to understand the process, and what information is passed when plugged into an 802.1X-enabled port.

Thanks,

Rafael

1 Accepted Solution: Tarik Admani's second reply, below.

5 Replies

Tarik Admani
VIP Alumni

Hi,

Machine authentication is when the computer itself authenticates. That can be done via PEAP or EAP-TLS (if certificates are deployed); the PEAP credentials are exchanged by the computer and the domain controller (KDC). So machine credentials get sent (the username is the name of your computer, hence that is one reason computer accounts have to be unique).

User authentication is the domain account that you use to log in to the device.

The use case with machine authentication is to make things simpler, so that users do not have to enter their credentials, or to add security when you combine machine authentication with user authentication. Cisco ACS and ISE have a feature called machine access restrictions which can restrict user authentications to a machine that has succeeded machine authentication (this prevents Apple devices, and other devices, from getting access to the network).

Thanks,

Tarik Admani
*Please rate helpful posts*

rleivaoc
Cisco Employee

Thanks for the reply. So with machine auth, is the host name sent, or the full FQDN? No user password input is required from what you're telling me, right? Also, is this feature more of an ACS feature, or can it be used with plain RADIUS like FreeRADIUS?

Sent from Cisco Technical Support iPhone App

The FQDN is sent in the format host/machinename.yourdomain.com. I have not worked with FreeRADIUS enough to know if there is a machine access restriction feature. Cisco ACS also uses TACACS, which isn't available in FreeRADIUS, so there is much more to ACS than just RADIUS.

Thanks,

Tarik Admani
*Please rate helpful posts*
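To make the two replies above concrete, here is an added example (not Cisco's, ACS's, ISE's or FreeRADIUS's code) that classifies the identity string an 802.1X supplicant presents, distinguishing the machine form `host/machinename.yourdomain.com` from the user forms `DOMAIN\user` and `user@domain`, and then applies a simplified machine-access-restriction (MAR) check over a constructed authentication log: a user authentication is only accepted from a MAC address that has already passed machine authentication, which is the control Tarik describes for keeping non-domain devices off the network. The log line format, the MAC addresses and the account names are all constructed for this example; real RADIUS servers log in their own formats, and real MAR implementations also age out the machine-authentication record after a configurable interval, which this version omits for brevity.

```python
"""Classify 802.1X EAP identities (machine vs. user) and apply a simplified
machine-access-restriction (MAR) check over a constructed auth log.

Added example, not vendor code. The log format below is constructed;
the identity conventions follow the thread: machine auth presents
host/<machinename>.<domain>, user auth presents the domain account.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MACHINE_PREFIX = "host/"  # prefix Windows supplicants use for machine auth


@dataclass
class Identity:
    kind: str              # "machine" or "user"
    name: str              # machine FQDN, or the bare user account
    domain: Optional[str]  # DNS domain (machine) or NetBIOS/DNS realm (user)


def classify_identity(identity: str) -> Identity:
    """Classify an EAP identity string by its syntactic form."""
    if identity.lower().startswith(MACHINE_PREFIX):
        fqdn = identity[len(MACHINE_PREFIX):]
        _host, _, domain = fqdn.partition(".")
        return Identity("machine", fqdn, domain or None)
    if "\\" in identity:                     # DOMAIN\user
        domain, _, user = identity.partition("\\")
        return Identity("user", user, domain)
    if "@" in identity:                      # user@domain (UPN)
        user, _, domain = identity.partition("@")
        return Identity("user", user, domain)
    return Identity("user", identity, None)  # bare account, no realm


# Constructed log: one line per authentication attempt, in time order.
# "auth-ok" / "auth-fail" is the credential check result from the server.
CONSTRUCTED_LOG = """\
2024-05-01T08:00:01 auth-ok id="host/ws01.example.com" mac="00:11:22:33:44:55"
2024-05-01T08:00:09 auth-ok id="EXAMPLE\\rafael" mac="00:11:22:33:44:55"
2024-05-01T08:05:00 auth-ok id="EXAMPLE\\rafael" mac="aa:bb:cc:dd:ee:ff"
2024-05-01T08:07:30 auth-fail id="host/ws02.example.com" mac="11:22:33:44:55:66"
2024-05-01T08:07:40 auth-ok id="rafael@example.com" mac="11:22:33:44:55:66"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<result>auth-ok|auth-fail) '
    r'id="(?P<id>[^"]+)" mac="(?P<mac>[^"]+)"$'
)


def apply_mar(log_text: str) -> List[Tuple[str, str]]:
    """Replay the log and return (identity, decision) per attempt.

    Machine auth results are recorded per MAC. A user auth is accepted only
    if its credentials passed AND the same MAC previously passed machine
    auth; valid domain credentials typed on an unmanaged device are rejected.
    """
    machine_ok = set()  # MACs with a successful machine authentication
    decisions: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not auth records
        ident = classify_identity(m["id"])
        mac = m["mac"].lower()
        passed = m["result"] == "auth-ok"
        if ident.kind == "machine":
            if passed:
                machine_ok.add(mac)
                decisions.append((m["id"], "machine-accept"))
            else:
                machine_ok.discard(mac)
                decisions.append((m["id"], "machine-reject"))
        elif not passed:
            decisions.append((m["id"], "reject-bad-credentials"))
        elif mac in machine_ok:
            decisions.append((m["id"], "accept"))
        else:
            decisions.append((m["id"], "reject-no-machine-auth"))
    return decisions


if __name__ == "__main__":
    for identity, decision in apply_mar(CONSTRUCTED_LOG):
        print(f"{identity:28} -> {decision}")
```

The third log line is the case Tarik's reply is about: the same valid domain account, presented from a MAC that never passed machine authentication, is rejected even though the password was correct, because the device is not a domain-joined computer. The last two lines show the ordering matters: a failed machine auth leaves no record, so the user auth that follows from that MAC is refused as well.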

I'm hurt Don Rafael. You could have just called/emailed me. Hahahaha

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

rleivaoc
Cisco Employee

: )

Sent from Cisco Technical Support iPhone App
