06-10-2011 08:15 AM - edited 07-03-2021 08:18 PM
Hi,
what does Enable PEAP machine authentication mean on the ACS server ?
We have a training center where we use certificates for any laptop (domain laptops) to join our wireless network. Just wondering, is there any possibility for a laptop (not on the domain) to join without having the certificates? Say, for example, an Android or iPhone: is it possible to join the wireless network without having the certificates?
Thanks
06-20-2011 11:58 PM
"PEAP machine authentication" means that ACS will authenticate those machines (host machines) which are part of the domain. iPhones or iPads cannot be part of a domain; therefore, they do not fall under machine authentication.
If PEAP machine authentication is enabled on the ACS server, then no non-domain laptop can access the network.
For better security of the wireless network, both machine and certificate authentication are enabled on the ACS server.
Let me know if it helps.
thanks
Devashree
06-21-2011 05:54 AM
If you enable PEAP authentication non-domain PCs can authenticate to the network provided they have the correct root cert installed (if you buy a cert from most providers this shouldn't be a problem).
Enabling MAR will prevent PCs that are not domain members from authenticating to the network, period.
06-21-2011 07:00 AM
External User Database, Database Configuration, Windows Database, Configure. Scroll down to Windows EAP settings and check the "Enable machine access restrictions".
It looks like I was slightly incorrect when I said a machine that is blocked by MAR has no access: if the user credentials are valid but the machine would be blocked by MAR, then access can be granted by using the "Group Map..." drop-down to select an ACS group. The access the user then gets is controlled by the access permissions of that group, so you should be able to make it pretty granular and have it so that an authenticated user on an authenticated machine = full access, and an authenticated user on a MAR-blocked machine = limited access.
It is also possible to create machine accounts in Windows AD for machines that don't normally have one, such as Apple Macs; this then allows them to pass the MAR check.
From the ACS help system:
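The MAR behaviour described in the reply above (a user authentication is treated as coming from a domain machine only if the same calling station recently completed a machine authentication, the aging time bounds "recently", and a user who fails MAR is rejected unless a Group Map group is configured) can be traced with a small simulation. This is an added example, not ACS code and not from any post in this thread; the group names, the 12-hour aging time, the `host/` identity format, the MAC addresses and the logon sequence are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Names and values below are assumptions for illustration, not ACS defaults.
FULL_ACCESS_GROUP = "Domain-Full-Access"   # group for a user auth on a MAR-passing machine
MAR_RESTRICTED_GROUP = "MAR-Restricted"    # the "Group Map" target for MAR-blocked machines
MAR_AGING_HOURS = 12.0                     # MAR aging time: how long a machine auth stays valid


@dataclass
class MarServer:
    """Minimal model of the ACS MAR decision.

    ACS remembers each successful machine authentication keyed by the
    Calling-Station-Id (the client MAC address). A later user authentication
    from the same Calling-Station-Id passes MAR only if that entry is younger
    than the aging time.
    """
    aging_hours: float = MAR_AGING_HOURS
    # None models "Group Map" left unset: MAR-blocked users are rejected outright.
    mar_group_map: Optional[str] = MAR_RESTRICTED_GROUP
    # calling_station_id -> time of last machine authentication (hours)
    machine_cache: Dict[str, float] = field(default_factory=dict)

    def machine_auth(self, calling_station_id: str, identity: str, now_hours: float) -> bool:
        """Record a machine authentication. The Windows supplicant sends the computer
        account as 'host/<fqdn>'; anything else is not a machine identity and is ignored."""
        if not identity.startswith("host/"):
            return False
        self.machine_cache[calling_station_id] = now_hours
        return True

    def user_auth(self, calling_station_id: str, identity: str,
                  credentials_valid: bool, now_hours: float) -> Tuple[bool, Optional[str]]:
        """Authorise a user authentication and return (accepted, group)."""
        if not credentials_valid:
            return (False, None)              # bad password: MAR is never consulted
        last = self.machine_cache.get(calling_station_id)
        if last is not None and now_hours - last <= self.aging_hours:
            return (True, FULL_ACCESS_GROUP)  # fresh machine auth from this station
        if self.mar_group_map is None:
            return (False, None)              # MAR-blocked and no Group Map: denied
        return (True, self.mar_group_map)     # MAR-blocked but mapped to a limited group


def run_scenario() -> Dict[str, object]:
    """Constructed sequence of authentications covering the cases in the thread."""
    srv = MarServer()
    results: Dict[str, object] = {}

    # Domain laptop: machine auth at boot (08:00), user logon a few minutes later.
    laptop = "00-11-22-33-44-55"
    srv.machine_auth(laptop, "host/LAB-PC01.training.example", 8.0)
    results["domain_laptop"] = srv.user_auth(laptop, "TRAINING\\alice", True, 8.1)

    # iPhone with a valid domain user password but no machine account.
    phone = "aa-bb-cc-dd-ee-ff"
    results["iphone"] = srv.user_auth(phone, "TRAINING\\alice", True, 8.2)

    # Same laptop 13.5 hours after its last machine auth: the entry has aged out.
    results["laptop_aged"] = srv.user_auth(laptop, "TRAINING\\alice", True, 21.5)

    # Wrong password on the domain laptop.
    results["bad_password"] = srv.user_auth(laptop, "TRAINING\\alice", False, 8.3)

    # Mac with a manually created AD computer account (host/ identity) passes MAR;
    # a user identity presented as the "machine" credential does not count.
    mac = "66-77-88-99-aa-bb"
    results["mac_user_as_machine"] = srv.machine_auth(mac, "TRAINING\\bob", 9.0)
    srv.machine_auth(mac, "host/MAC01.training.example", 9.0)
    results["mac"] = srv.user_auth(mac, "TRAINING\\bob", True, 9.1)

    # The same iPhone against a server with no Group Map configured: rejected.
    strict = MarServer(mar_group_map=None)
    results["no_group_map_iphone"] = strict.user_auth(phone, "TRAINING\\alice", True, 8.2)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:22s} -> {outcome}")
```

Running it shows the two outcomes the thread argues about: with a Group Map group set, the iPhone and the aged-out laptop are accepted into the restricted group; with it unset, the same requests are denied. The aging time is what forces a domain laptop to re-do machine authentication (normally at boot) rather than riding on an old cache entry indefinitely.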
06-13-2011 02:03 AM
any thoughts on the above ?
06-13-2011 01:09 PM
Sorry, I can't speak for ACS as that's outside my knowledge base...
but certificates are optional on PEAP.... so my answer would be "yes", a PEAP client without a certificate would be able to authenticate to the network...
Perhaps that is what the ACS option is for - to force using a certificate.. again, just a guess on my part
06-14-2011 07:36 AM
One way round this is to enable Machine Access Restrictions. This will prevent any device that does not have a Windows Domain machine account (non-domain laptops, iPhones, iPads, etc.) from authenticating even if it has a valid certificate and user credentials. You can enable this under External Databases, Windows User Database Configuration. It's a tick box in the Windows EAP Settings section.
06-14-2011 08:53 AM
Thanks for the replies...
So could you please let me know how I can use a non-domain device to join the wireless network without a certificate?
@andrew.brazier - I was told this option is for not allowing iPhones or iPads to join the network by using Machine Access Restrictions - can you please let me know more about this feature and how it works?
So in theory I would like to know how to join a non-domain laptop to a wireless network without certificates, and how to prevent this as well (using MAR).
Thanks
06-21-2011 02:41 AM
Thanks for your reply..
So if I enable PEAP machine authentication, are you saying no non-domain laptops can access the network even if they have the certificates?
In short, I would like to know what PEAP authentication is and whether it will work on non-domain laptops with or without certificates, and what MAR is and how it works.
Sorry, I am just confused by this.
Thanks
06-21-2011 06:17 AM
thanks for the explanation...
Could you please also explain how to implement MAR? I know there is an option on the ACS to check this. Do you have to do anything other than this? And what is meant by the aging time that is specified with MAR?
06-21-2011 07:13 AM
thanks for the reply