06-03-2013 02:43 AM - edited 07-04-2021 12:10 AM
Hi all
I have a problem with machine authentication. Our customer is using a Wireless Controller 2500 Series and needs to implement machine authentication on an IAS server. As I understand it, we may not need to change anything in the controller configuration, but we can configure IAS to support machine authentication, correct? My question is how to do it, and does it work?
Thanks
V
06-03-2013 06:10 AM
We can perform machine and user authentication in sequence.
I know how to configure conditions on ACS 4.x, 5.x and ISE 1.x, and they are well capable of checking both authentications (machine and user). This feature is called MAR.
In case you wish to study more about this feature:
Machine access restriction (machine and user authentication)
http://tools.cisco.com/squish/58323
The "User or computer authentication" option actually sends a wrong message with Windows 7 network settings. I've seen this working in so many deployments. This actually works with both Windows XP and 7.
Anyways, just my 2 cents…
Jatin Katyal
- Do rate helpful posts -
06-03-2013 06:15 AM
Well, that's Aruba, and again, what they are doing is depending on the machine to get logged on first, and then they cache that just like ACS would do, and then the Windows machine sends the user credentials after that. You have IAS... You're limited to what you can do and what the client sends. By the way, they are probably also talking about using ClearPass, not IAS.
Sent from Cisco Technical Support iPhone App
06-03-2013 06:13 AM
Yeah, but that's using MARs and then you have to deal with the timeouts. I've tested that and really didn't like the outcome :)
Sent from Cisco Technical Support iPhone App
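As an added illustration that is not part of any post in this thread, the sketch below models the caching behaviour and the timeout problem mentioned above: a RADIUS server remembers a successful machine authentication per Calling-Station-ID and only permits user authentication while that entry is fresh. The class name, the 8-hour aging value, the `host/` identity check and the sample events are assumptions made for the example, not ACS or ISE code.

```python
from dataclasses import dataclass, field

AGING_SECONDS = 8 * 3600  # assumed aging time; the real value is a server setting


@dataclass
class MarCache:
    """Toy model of a Machine Access Restriction cache (hypothetical class)."""
    aging: int = AGING_SECONDS
    seen: dict = field(default_factory=dict)  # Calling-Station-ID -> last machine auth

    def machine_auth(self, mac, identity, now):
        # Assumption: machine accounts present a "host/..." identity.
        if not identity.startswith("host/"):
            return False
        self.seen[mac.lower()] = now
        return True

    def user_auth(self, mac, now):
        # User credentials are assumed valid; only the MAR check is modelled.
        last = self.seen.get(mac.lower())
        if last is None:
            return "deny: no machine auth from this MAC"
        if now - last > self.aging:
            del self.seen[mac.lower()]
            return "deny: machine auth aged out"
        return "permit"


def replay(events, aging=AGING_SECONDS):
    """Feed (time, kind, mac, identity) events through the cache in order."""
    cache, results = MarCache(aging), []
    for t, kind, mac, identity in events:
        if kind == "machine":
            results.append(cache.machine_auth(mac, identity, t))
        else:
            results.append(cache.user_auth(mac, t))
    return results


# Constructed sample events: (seconds, type, Calling-Station-ID, identity)
EVENTS = [
    (0, "machine", "00:11:22:33:44:55", "host/laptop1.example.local"),
    (600, "user", "00:11:22:33:44:55", "alice"),       # boot, then logon
    (700, "user", "66:77:88:99:AA:BB", "alice"),       # other device, same user
    (9 * 3600, "user", "00:11:22:33:44:55", "alice"),  # resume, no new machine auth
]

if __name__ == "__main__":
    for event, result in zip(EVENTS, replay(EVENTS)):
        print(event, "->", result)
```

The last event is the timeout case: a domain laptop that resumes and re-authenticates only as the user after the cache entry has aged out is rejected until it performs machine authentication again.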
06-03-2013 06:17 AM
This is a very common feature we work with. With a Cisco RADIUS server, it works like a charm. If we have all the certificates in place with the required configuration, we won't face any issues. I have never configured this feature on IAS; however, I can dig into it later today and try.
Jatin Katyal
- Do rate helpful posts -
06-03-2013 06:37 AM
IAS doesn't support this. ACS does though using MARs.
Sent from Cisco Technical Support iPhone App
06-03-2013 06:36 AM
Could always look at EAP-Chaining, which allows you to use Machine Auth and User Auth at the same time, but it also requires a Cisco RADIUS server and the Cisco AnyConnect agent on the client?...
06-03-2013 06:38 AM
This is supported on the later versions of ISE and AnyConnect. The issue is they have IAS :)
Sent from Cisco Technical Support iPhone App
06-03-2013 06:43 AM
Buy ISE!
06-04-2013 12:55 AM
Hi All
I would like to say thank you for your information. So, to summarize, I cannot do the customer's scenario with IAS. If I need it, I may buy ISE to do it (seems like BYOD) ^_^ I think. Also, machine authentication, yes!! We can do it with IAS, but we cannot control or block private devices. Anyway, it seems like ISE or a BYOD solution is the best way to go.
Thanks, all you guys!!
V
06-04-2013 03:44 AM
Yes, ISE is the only way to go with the requirements your customer has. You're very limited in what you can do when you compare it to ISE.
Sent from Cisco Technical Support iPhone App