Re: Machine Authentication with IAS (2003 Server) - Page 2

ittichai_a · ‎06-03-2013

Hi all

I have the problem with machine authentication, our customer using Wireless Controller 2500 Series and need implement machine authentication on IAS server. So, as my understand is our controller may not change anything with configuration but we may configure IAS for support machine authentication, correct? but my question is how to? and is it work ?

Thanks

V

Jatin Katyal · ‎06-03-2013

We can perform machine and user authentication in sequence.

I know how to configure conditions on ACS 4.x, 5.x and ISE 1.x and they are well capable of checking both the authentications ( Machine and User). This feature is called MAR

In case you wish to study more about this feature.

Machine access restriction ( Machine and user authentication)

http://tools.cisco.com/squish/58323

The User or computer authentication actually sends a wrong message with windows 7 network settings. I've seen this working in so many deployments. This actually works with Windows XP and 7 both.

Anyways, just my 2 cents…

Jatin Katyal
- Do rate helpful posts -

~Jatin

Scott Fella · ‎06-03-2013

Well that's Aruba and again, what they are doing is depending on the machine to get logged on first and then they cache that just like ACS would do and then the windows machine sends the user credentials after that. You have IAS.... Your limited to what you can do and what the client sends. By the way, they are probably also talking about using ClearPass not IAS.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott Fella · ‎06-03-2013

Yeah but that's using MARs and then you have to deal with the timeouts. I've tested that and really didn't like the outcome:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Jatin Katyal · ‎06-03-2013

This is a very common feature we work with. With Cisco radius server, it work like charm. If we have all the certificates in place with required configuration, we won't face any issues. I never configured this feature on IAS however, I can dig into later today and can try.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Scott Fella · ‎06-03-2013

IAS doesn't support this. ACS does though using MARs.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Richard Atkin · ‎06-03-2013

Could always look at EAP-Chaining which allows you to use Machine Auth and User Auth at the same time, but it also requires a Cisco RADIUS Server and the Cisco AnyConnect Agent on the Client?...

Scott Fella · ‎06-03-2013

This is supported on the later versions of ISE and AnyConnect. The issue is they have IAS:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Richard Atkin · ‎06-03-2013

Buy ISE!

ittichai_a · ‎06-04-2013

Hi All

I would like to say thank you for your information. So, I may summarize that i cannot do customer' senario with IAS. So, if I need , i may buy ISE to do it (Seem like BYOD) ^_^ i think. Also, machine authentication, yes !! we can do it by IAS but cannot control or block priviate device. Anyway it seem like ISE or BYOD solution is the best way to get..

Thanks all you guy !!

V

Scott Fella · ‎06-04-2013

Yes, ISE is the only way to go with the requirements your customers has. Your very limited in what you can do when you compare It to ISE.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***