06-03-2013 02:43 AM - edited 07-04-2021 12:10 AM
Hi all
I have a problem with machine authentication. Our customer is using a Wireless Controller 2500 Series and needs to implement machine authentication on an IAS server. So, as I understand it, our controller may not need any configuration changes, but we may configure IAS to support machine authentication, correct? But my question is how to do it, and does it work?
Thanks
V
06-03-2013 02:55 AM
Hi, that's correct, the only changes you need are in IAS / AD.
Depending if you're doing Machine and User authentication, or Machine-only authentication, the answer differs slightly.
For Machine and User, all you need to do is update IAS to permit members of the "Domain Computers" or "Domain Users" security groups. This will allow any AD-registered User or Computer to authenticate. You can of course use different, more restrictive, Groups should you wish.
If you're doing Machine-only authentication, you'll need to configure IAS to only accept accounts that are a member of the "Domain Computers" group, and then using your Active Directory Domain Security Policy, you have to configure your Clients to perform "Machine Only" authentication. If you have Win7 Clients you can also configure this manually via the WLAN settings under the Security > Advanced Settings > 802.1X Settings > "Specify authentication mode: Computer Authentication" option.
Rich
06-03-2013 03:02 AM
Hi Richard
Thanks for your answer. So, may I ask you one more question: if our client is using XP, is it possible to support machine authentication? As I understand it, we use computer or user for authentication, so I must configure Domain Computer and Domain User, correct? One more thing: if our clients are in a sub folder such as Wireless Staff, in my group policy must I add Domain Computer and Wireless Staff, or Domain Computer, Domain User and Wireless Staff? Which one should I add in group policy?
Thanks
V
06-03-2013 03:03 AM
In addition to what Rich suggested, machine authentication would appear as host/machine-name in the logs, so if you want you may add another condition where you use "username starts with host/". I am really unsure if you have this attribute or condition in an IAS remote access policy.
Also, in order to configure end-points to initiate only machine authentication: if you are using Windows XP SP2, you have to do a registry hack, and in the case of Windows XP SP3 or Vista, you need to create an XML profile.
Jatin Katyal
- Do rate helpful posts -
06-03-2013 03:10 AM
Hi Jatin
I may not understand clearly, so can you explain it to me in depth? Because, as I understand it, we can do machine authentication with IAS (Cisco infra) also. But I am not sure whether I am missing anything on IAS. T_T
Thanks
V
06-03-2013 03:18 AM
Which part is not clear, so that we can only talk about that feature/section?
I'll be away for an hour but will reply back soon.
Jatin Katyal
- Do rate helpful posts -
06-03-2013 03:22 AM
Hi Ittichai,
I agree with Jatin, can you be more specific about what you want to know?
Failing that, if you're unfamiliar with IAS and configuring it for WLAN stuff, you might do well to start here:
http://technet.microsoft.com/en-us/library/cc756924%28v=ws.10%29.aspx
Richard
06-03-2013 03:26 AM
Hi All
I would like to say thanks for your help. So, I need to know the configuration and the idea for machine authentication.
I may explain what I understand about machine authentication on IAS:
We need to configure Group Policy on IAS (Domain User and Computer) if we have computer authentication and user authentication. So, on the controller I do not need to do anything except the 802.1X configuration. On the client side, my clients have joined the domain and use PEAP authentication (Windows XP). Normally it should pass machine and user authentication, correct? (Not concerned about certificates.)
Thanks
V
06-03-2013 04:31 AM
On the WLC you do nothing. It's configured as 802.1X, as for any EAP authentication method. On IAS, your policy points to the Computer Group, and since you're using Windows XP, you need to change a registry value to 2 to perform machine authentication. By default, Windows XP doesn't send machine authentication. Windows 7 is different.
http://support.microsoft.com/kb/929847
To set the value of the AuthMode registry entry for Windows XP SP3 wireless connections, follow these steps:
Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
Double-click AuthMode, type the authentication mode in the Value box, and then click OK.
Exit Registry Editor.
Restart the computer.
The AuthMode registry entry is only valid for Windows XP SP3 wireless network connections. The following table lists the authentication mode for each value of the AuthMode registry entry.
Value   Authentication mode
0       Use the default Windows XP authentication
1       Always perform user authentication when a user logs on
2       Perform computer authentication only
Sent from Cisco Technical Support iPhone App
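The registry procedure quoted above, scripted as an added example (this is not code from the thread, from Cisco or from the Microsoft KB). The registry path, value name and the 0/1/2 meanings are taken from the post; the function names, the $Mode parameter and the audit output format are this example's own. It reads the current AuthMode so an administrator can audit a client before changing it, writes the DWORD, and reads it back to confirm what was actually stored.

```powershell
# Added example: audit and set the XP SP3 EAPOL AuthMode value from KB929847.
# Path and value name come from the KB text quoted in the post above.
$AuthModePath = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$AuthModeName = 'AuthMode'

# Meaning of each value, as listed in the KB table.
$AuthModeMeaning = @{
    0 = 'Use the default Windows XP authentication'
    1 = 'Always perform user authentication when a user logs on'
    2 = 'Perform computer authentication only'
}

function Get-EapolAuthMode {
    # Hypothetical helper: returns the current AuthMode, or $null when the entry
    # does not exist (the KB table says value 0, the default, then applies).
    $item = Get-ItemProperty -Path $AuthModePath -Name $AuthModeName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$AuthModeName
}

function Set-EapolAuthMode {
    # Hypothetical helper: writes AuthMode as a DWORD and returns the stored value.
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1, 2)]
        [int]$Mode
    )
    # Create the key if it is missing, then create or overwrite the DWORD value.
    if (-not (Test-Path $AuthModePath)) {
        New-Item -Path $AuthModePath -Force | Out-Null
    }
    New-ItemProperty -Path $AuthModePath -Name $AuthModeName -Value $Mode `
        -PropertyType DWord -Force | Out-Null
    # Read it back so the caller sees what was actually written.
    return Get-EapolAuthMode
}

function Show-EapolAuthMode {
    # Prints the current setting with its meaning from the KB table.
    $mode = Get-EapolAuthMode
    if ($null -eq $mode) {
        Write-Output 'AuthMode not set (default Windows XP behaviour applies)'
    } else {
        Write-Output ('AuthMode = {0}: {1}' -f $mode, $AuthModeMeaning[$mode])
    }
}

# Usage: run from an elevated prompt on the XP SP3 client.
Show-EapolAuthMode
Set-EapolAuthMode -Mode 2 | Out-Null   # computer authentication only
Show-EapolAuthMode
```

As the KB text says, the entry only applies to Windows XP SP3 wireless connections and the client has to be restarted before the new mode takes effect; the script changes nothing on the WLC or on IAS, which matches the advice in the post that those stay as they are.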
06-03-2013 04:40 AM
Hi Scott
Can I use Computer Authentication + User Authentication at the same time? From values 0-2 I do not see a mode for computer + user authentication together. Can it be done?
Thanks
V
06-03-2013 04:42 AM
No... You can't even do that on Windows 7, as it is user or computer, not user and computer. It's one or the other.
Sent from Cisco Technical Support iPhone App
06-03-2013 04:43 AM
It's how the Windows operating system is designed. There is nothing you can do on the WLC or the IAS server to change that.
Sent from Cisco Technical Support iPhone App
06-03-2013 05:29 AM
Hi Scott and Everyone
Thanks for your support.
So, in the design from the customer, they need to block private notebooks by using the machine authentication method, otherwise using the username/password on AD. In this scenario, can it be done?
Thanks
V
06-03-2013 05:33 AM
You can only pick one. You either do machine authentication, which will only allow domain computers, or you use PEAP with username and password, but then you can't control if personal devices connect. The only other option is to look at Cisco ISE, which can profile devices, but that will cost money. In your scenario, you have only two choices since you are using IAS.
Sent from Cisco Technical Support iPhone App
06-03-2013 05:44 AM
Hi Scott
I understand; that is bad news for us, because our customer told me that Aruba can do this in the same system. It seems like Aruba has a firewall and policy feature to do something that will check machine authentication and username/password. If it does not match the policy, it will reject the client.
T_T
Thanks
V