02-25-2012 12:39 PM - edited 07-03-2021 09:39 PM
Hello,
I'm looking for a solution to block iphones and other devices that are not part of the domain.
We are using 802.1x PEAP authentication with NPS to authenticate the users. This is working fine, but the problem is that a user can use his user ID and password to log on with another device that is not part of the domain.
NPS does not seem to be able to force machine authentication+user authentication at the same time like ACE can do.
Does anyone know a solution that can do this with Microsoft NPS without having to buy ACS or ISE?
Thanks
SR
02-25-2012 12:55 PM
SR,
It seems like the only way to do what you want is to use machine authentication and not use PEAP with username and password. You mentioned that you only want domain devices on the network, so it seems like machine authentication will be your best bet.
07-17-2012 02:32 PM
We also found out that the NPS server can do either machine authentication or user authentication, but not both at the same time. If the ACS server can do it, then why can't the NPS server?
We have enabled machine authentication for domain enterprise users, and it keeps personal iPads / iPhones away from our network.
But how do we accommodate iPads issued to executives who would like to connect to the domain enterprise network? They are an object in Active Directory.
iPads are only capable of passing user / password. They cannot pass machine credentials.
How secure are MAC address filters, or is ISE the answer?
Ds
07-18-2012 05:04 AM
ISE is the answer, because you can profile and then look at the device to determine if the device is allowed or not. ACS does MAR, which is a workaround in my book and isn't suggested. The issue is that a wired device that goes wireless, and vice versa, is not seen by ACS as machine authenticated when they switch from wired to wireless or the other way around. Also, MAR has a time value, so when that value expires, on any reauth the client needs to reboot.
07-27-2012 02:54 PM
Thanks Scott. We are evaluating ISE in our LAB environment. Out of curiosity would you know the technical reason why NPS can’t handle user & machine authentication both at the same time?
Ds
07-27-2012 06:18 PM
It's not NPS. It's Microsoft:) Windows 7 only does user OR machine, not both.
Sent from Cisco Technical Support iPhone App
08-24-2012 12:49 PM
Scott,
We are planning to use a supplicant recommended by Cisco known as NAM (Network Access Manager), part of the "Cisco AnyConnect Mobility Client".
Using the "AnyConnect Profile Editor" we can create an .XML file and can pass both Machine & User Credentials.
Will the NPS server be able to handle it then?
Let me know if you have something like this?
Ds
08-24-2012 12:52 PM
Well, with Windows, one supersedes the other. But doing machine authentication doesn't keep iOS devices off of the network. ISE with profiling to deny if iOS or not part of the domain would be the better way to go.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
08-24-2012 08:13 PM
I don't know if that will work with NPS or not. That might be a feature for use with ISE.
Sent from Cisco Technical Support iPad App