07-27-2011 11:33 AM - edited 07-03-2021 08:29 PM
I noticed that one of my colleagues was able to authenticate to the enterprise wireless with his domain account on his iPhone, despite the fact that PEAP machine authentication is enabled on the ACS. This is strange since the iPhone is definitely not in the computer OU of the Domain controller. How can machine authentication be enforced so that both user account and machine account are prerequisites to gain access to the wireless network?
07-27-2011 05:23 PM
That means... the client is able to connect to the network with the guest account, is it??
Do the below and see if that helps..
WLC GUI >> WLANs >> WLAN ID >> EDIT >> Security >> Advanced >> Authentication priority for web auth users >> Just USE RADIUS and remove LDAP and LOCAL from the list.
Lemme know if this helps!!
Regards
Surendra
07-28-2011 04:11 AM
You obviously got the concept wrong. These are not guest users. My Guest SSID is on a DMZ and no unauthorised person can get to it. The enterprise SSID uses PEAP which authenticates against the Active Directory. Hence, a user has to have an account in the domain. The issue is that a member of staff was able to log in through his iPhone using his authorised domain account. However, I would have expected a rejection since the iPhone MAC address is not registered in the domain but the user account is.
07-28-2011 08:42 AM
Update,
I noticed that the ACS authenticated the users because they had their accounts in the ACS, but with the password requirement set to Windows Database. Under unknown user policy, I have it set to verify through AD. Tested with an account that was not in ACS but configured in AD, and the authentication failed. That is fine, but the flaw here is that if I have members of staff who have an account in ACS, I can't control what devices they use on the wireless as the ACS will allow authentication.