cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1964
Views
0
Helpful
10
Replies

peap authententication

Network Pro
Level 1
Level 1

Hi,

what does Enable PEAP machine authentication mean on the ACS server ?

we are having a training center where we use certificates for any laptop (domain laptops) to join our wireless network. just wondering  is there any possiblitly for any laptop (not on domain) to join without having the certificates ? say for example any android or iphone, is it possible to join the wireless network without having hte certificates ?

Thanks

3 Accepted Solutions

Accepted Solutions

" Peap machine authentication " - it means that ACS will authenticate those machine [host machines], which are a part of domain. The Iphone or Ipads cannot be a part of domain, therefore, they do not fall under machine-authentication.

If peap machine authentication is enabled on ACS server, then no non-domain laptop can access network.

For better security of wireless network, both machine and certificate authentication is enabled on ACS server.

Let me know if it helps.

thanks

Devashree

View solution in original post

If you enable PEAP authentication non-domain PCs can authenticate to the network provided they have the correct root cert installed (if you buy a cert from most providers this shouldn't be a problem).

Enabling MAR will prevent PCs that are not domain members from authenticating to the network, period.

View solution in original post

External User Database, Database Configuration, Windows Database, Configure. Scroll down to Windows EAP settings and check the "Enable machine access restrictions".

It looks like I was slightly incorrect when I said a machine that is blocked by MAR has no access, if the user credentials are valid but the machine would be blocked by MAR then access can be granted by using the Group Map.... drop down to select an ACS group. The access the user then gets is controlled by the access permissions of that group so you should be able to make it pretty granular ad have it so an authenticated user on an authenticated machine = full access, authenticated user on an MAR-blocked machine = limited access.

It is also possible to create machine accounts in Windows AD for machines that don't normally have one such as Apple MACs, this then allows them to pass the MAR check.

From the ACS help system:

  • Aging time (hours)—The number of hours that Cisco Secure ACS  caches a successful machine authentication. For as long as successful  machine authentication is retained in the cache, the machine access  restrictions feature can use it to determine whether to limit a user to  the group specified in the group mapping list, below.
  • Group map for successful user authentication without machine authentication—When  the machine access restrictions feature is enabled, this list specifies  the user group whose authorizations are applied to an EAP-TLS or  Microsoft PEAP user who passes authentication but uses a computer that  failed machine authentication.

View solution in original post

10 Replies 10

Network Pro
Level 1
Level 1

any thoughts on the above ?

Sorry, I can't speak for ACS as that's outside my knowledge base...

but certificates are optional on PEAP.... so my answer would be "yes", a PEAP client without a certificate would be able to authenticate to the network...

Perhaps that is what the ACS option is for - to force using a certificate.. again, just a guess on my part

.....dennis.kline@yahoo.com...(It takes an Act of God to fade a wireless path, but any fool with a backhoe can cut fiber)

andrew.brazier
Level 4
Level 4

One way round this is to enable Machiine Access Restrictions. This will prevent any device that does not have a Windows Domain machine account (non-domain laptops, iPhones, iPads, etc) from authenticating even if it has a valid certificate and user credentials. You can enable this under the External Databases, Windows User Database Configuration. It's a tick box in the Windows EAP Settings section.

Thanks for the replies...

so could you please let me know how can i use a non domain device to join the wireless network without a certificate?

@andrew.brazier - i was told this option for not allowing iphones or ipads to join the network by using Machine Access Restictions - can you please let me know more about this feature and how it works

so in theory i would like to know how to join a non domain laptop to a wireless netowrk without certificates and how to prevent this as well (using MAR)

Thanks

" Peap machine authentication " - it means that ACS will authenticate those machine [host machines], which are a part of domain. The Iphone or Ipads cannot be a part of domain, therefore, they do not fall under machine-authentication.

If peap machine authentication is enabled on ACS server, then no non-domain laptop can access network.

For better security of wireless network, both machine and certificate authentication is enabled on ACS server.

Let me know if it helps.

thanks

Devashree

Thanks for your reply..

so if i enable peap machine authentication, are you saying no non domain laptops can access the network even if it has the certificates?

in short, i would like to know what is peap authentication and will it work on non domain laptops with or without certifcates ? and what is MAR and how does it work

sorry just being confused with this?

Thanks

If you enable PEAP authentication non-domain PCs can authenticate to the network provided they have the correct root cert installed (if you buy a cert from most providers this shouldn't be a problem).

Enabling MAR will prevent PCs that are not domain members from authenticating to the network, period.

Network Pro
Level 1
Level 1

thanks for the explanation...

Could you please also expain how to implement MARS. i know there is an option on the ACS to check this. do you have to do anything other than this ? and what meant by aging time that is specified with MAR..

External User Database, Database Configuration, Windows Database, Configure. Scroll down to Windows EAP settings and check the "Enable machine access restrictions".

It looks like I was slightly incorrect when I said a machine that is blocked by MAR has no access, if the user credentials are valid but the machine would be blocked by MAR then access can be granted by using the Group Map.... drop down to select an ACS group. The access the user then gets is controlled by the access permissions of that group so you should be able to make it pretty granular ad have it so an authenticated user on an authenticated machine = full access, authenticated user on an MAR-blocked machine = limited access.

It is also possible to create machine accounts in Windows AD for machines that don't normally have one such as Apple MACs, this then allows them to pass the MAR check.

From the ACS help system:

  • Aging time (hours)—The number of hours that Cisco Secure ACS  caches a successful machine authentication. For as long as successful  machine authentication is retained in the cache, the machine access  restrictions feature can use it to determine whether to limit a user to  the group specified in the group mapping list, below.
  • Group map for successful user authentication without machine authentication—When  the machine access restrictions feature is enabled, this list specifies  the user group whose authorizations are applied to an EAP-TLS or  Microsoft PEAP user who passes authentication but uses a computer that  failed machine authentication.

thanks for the reply

Review Cisco Networking for a $25 gift card