1749 Views | 0 Helpful | 24 Replies

Machine Authentication with IAS (2003 Server)

ittichai_a
Level 1

Hi all

I have a problem with machine authentication. Our customer is using a Wireless Controller 2500 Series and needs to implement machine authentication on an IAS server. So, as I understand it, our controller may not need any configuration changes, but we may configure IAS to support machine authentication, correct? But my question is: how? And does it work?

Thanks

V

24 Replies

Richard Atkin
Level 4

Hi, that's correct, the only changes you need are in IAS / AD.

Depending if you're doing Machine and User authentication, or Machine-only authentication, the answer differs slightly.

For Machine and User, all you need to do is update IAS to permit members of the "Domain Computers" or "Domain Users" security groups.  This will allow any AD-registered user or computer to authenticate.  You can of course use different, more restrictive, groups should you wish.

If you're doing Machine-only authentication, you'll need to configure IAS to only accept accounts that are a member of the "Domain Computers" group, and then, using your Active Directory Domain Security Policy, you have to configure your clients to perform "Machine Only" authentication.  If you have Win7 clients you can also configure this manually via the WLAN settings under the Security > Advanced Settings > 802.1X Settings > "Specify authentication mode: Computer Authentication" option.

Rich

Hi Richard

Thanks for your answer. So, may I ask you one more question: if our client is using XP, is it possible to support machine authentication? As I understand it, we use computer or user for authentication, so I must configure Domain Computers and Domain Users, correct? One more thing: if our clients are in a sub-folder such as Wireless Staff, then in my group policy must I add Domain Computers and Wireless Staff, or Domain Computers, Domain Users and Wireless Staff? Which one to add in the group policy?

Thanks

V

Jatin Katyal
Cisco Employee

In addition to what Rich suggested, machine authentication would appear as host/machine-name in the logs, so if you want you may add another condition where you use "username starts with host/". I'm really unsure if you have this attribute or condition in the IAS remote access policy.

Also, in order to configure end-points to initiate only machine authentication: if you are using Windows XP SP2, you have to do a registry hack, and in the case of Windows XP SP3 or Vista, you need to create an XML profile.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hi Jatin

I may not understand clearly, so can you explain it to me in depth? Because, as I understand it, we can do machine authentication with IAS (Cisco infra) also. But I am not sure if I am losing anything on IAS. T_T

Thanks

V

Which part is not clear, so that we can only talk about that feature/section?

I'll be away for an hour but will reply back soon.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hi Ittichai,

I agree with Jatin, can you be more specific about what you want to know?

Failing that, if you're unfamiliar with IAS and configuring it for WLAN stuff, you might do well to start here:

http://technet.microsoft.com/en-us/library/cc756924%28v=ws.10%29.aspx

Richard

Hi All

I would like to say thanks for your help. So, I need to know the configuration and the idea for machine authentication.

I may explain what I understand about machine authentication on IAS.

We need to configure Group Policy on IAS (Domain Users and Computers) if we have computer authentication and user authentication. So, on the controller I do not need to do anything except the 802.1X configuration. On the client side, my client has joined the domain and is using PEAP authentication (Windows XP). Normally it should pass machine and user authentication, correct? (Not concerned about the certificate.)

Thanks

V

Scott Fella
Hall of Fame

On the WLC you do nothing. It's configured as 802.1X, as for any EAP authentication method. On IAS, your policy points to the Computer group, and since you're using Windows XP, you need to change a registry value to 2 to perform machine authentication. By default, Windows XP doesn't send machine authentication. Windows 7 is different.

http://support.microsoft.com/kb/929847

To set the value of the AuthMode registry entry for Windows XP SP3 wireless connections, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
3. Double-click AuthMode, type the authentication mode in the Value box, and then click OK.
4. Exit Registry Editor.
5. Restart the computer.

The AuthMode registry entry is only valid for Windows XP SP3 wireless network connections. The following table lists the authentication mode for each value of the AuthMode registry entry.

Value   Authentication mode
0       Use the default Windows XP authentication
1       Always perform user authentication when a user logs on
2       Perform computer authentication only


Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
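An added example, not code from the thread, from Cisco or from Microsoft: a PowerShell script that audits and sets the AuthMode value Scott quotes, so the change can be applied and verified from a script rather than by hand in regedit. The registry path and the meaning of values 0, 1 and 2 are taken from the KB text quoted above; the function names, the service-pack check and the backup file location are my own assumptions. It sticks to PowerShell 2.0 syntax (what an XP SP3 client can run) and needs an administrator session to write under HKLM.

```powershell
# Added example (not from the thread): audit and set the XP SP3 AuthMode value.
# Key path and value meanings come from the quoted KB text; function names, the
# service-pack check and the backup path are assumptions made for this example.
# Must run in an elevated PowerShell session to write HKLM.

# PowerShell drive form of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
$AuthModeKey = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'

# Value -> meaning, exactly as listed in the KB text above
$AuthModeNames = @{
    0 = 'Use the default Windows XP authentication'
    1 = 'Always perform user authentication when a user logs on'
    2 = 'Perform computer authentication only'
}

function Get-EapolAuthMode {
    # Returns the current AuthMode as an integer, or $null when the value is absent
    $item = Get-ItemProperty -Path $AuthModeKey -Name 'AuthMode' -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.AuthMode
}

function Test-EapolAuthModeSupported {
    # The KB says AuthMode is only valid for XP SP3 wireless; XP reports NT version 5.1
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return (($os.Version -like '5.1.*') -and ($os.ServicePackMajorVersion -eq 3))
}

function Set-EapolAuthMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 2)]
        [int]$Mode,
        # Assumed location for the registry backup taken before the change
        [string]$BackupPath = (Join-Path $env:TEMP 'eapol-global-backup.reg')
    )

    if (-not (Test-EapolAuthModeSupported)) {
        Write-Warning 'AuthMode is only valid on Windows XP SP3; the value will be written but has no effect here.'
    }

    $before = Get-EapolAuthMode

    if ($PSCmdlet.ShouldProcess($AuthModeKey, "Set AuthMode to $Mode ($($AuthModeNames[$Mode]))")) {
        if (-not (Test-Path $AuthModeKey)) {
            New-Item -Path $AuthModeKey -Force | Out-Null
        }
        # Export the key first so the change can be reverted with: reg import <BackupPath>
        if (Test-Path $BackupPath) { Remove-Item $BackupPath -Force }
        & reg.exe export 'HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global' $BackupPath | Out-Null
        Set-ItemProperty -Path $AuthModeKey -Name 'AuthMode' -Value $Mode -Type DWord
    }

    $after = Get-EapolAuthMode
    if ($after -eq $null) { $meaning = '(AuthMode not set)' } else { $meaning = $AuthModeNames[$after] }

    New-Object PSObject -Property @{
        Key     = $AuthModeKey
        Before  = $before
        After   = $after
        Meaning = $meaning
        Backup  = $BackupPath
    }
}

# Usage: report the current setting, then switch the client to computer-only
# authentication (value 2). The KB steps end with a restart for the mode to apply.
'Current AuthMode: {0}' -f (Get-EapolAuthMode)
Set-EapolAuthMode -Mode 2 -WhatIf    # dry run; drop -WhatIf to apply
# Restart-Computer                    # needed after the change, per the KB steps
```

Running it with -WhatIf first shows what would be written without touching the registry; the returned object records the value before and after the change plus the path of the .reg backup, so a rollout script can log the result and revert with reg import if needed. Nothing here changes what the thread establishes: the value selects user-only or computer-only behaviour, not both.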

Hi Scott

Can I use Computer Authentication + User Authentication at the same time? From values 0-2 I do not see computer + user authentication together. Can it be done?

Thanks

V

No... You can't even use that on Windows 7, as it is user or computer, not user and computer. It's one or the other.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott Fella
Hall of Fame

It's how the Windows operating system is designed. There is nothing you can do on the WLC or the IAS server to change that.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott and Everyone

Thanks with your support

So, in the design from the customer, they need to block private notebooks by using the machine authentication method, otherwise using the username/password on the AD. In this scenario, can it be done?

Thanks

V

You can only pick one. You either do machine authentication, which will only allow domain computers, or you use PEAP with username and password, but then you can't control whether personal devices connect. The only other option is to look at Cisco ISE, which can profile devices, but that will cost money. In your scenario, you have only two choices since you are using IAS.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott

I am clear that is bad news for us, because our customer told me that Aruba can do this in the same system. It seems like Aruba has a firewall and policy feature to do something that will check machine authentication and username/password. If it does not match the policy, it will reject the client.

T_T

Thanks

V
