Peap Machine authentication in ACS v4.2

grabonlee · ‎07-27-2011

I noticed that one of my colleagues could was able to authenticate to the enterprise wireless with his domain account on his iphone, despite that Peap machine authentication is enabled on the ACS. This is strange since the iphone is definitely not in the computer OU of the Domain controller. How can machine authentication be enforced so that both user account and machine account are prerequisites to gain access to the wireless network.

Surendra BG · ‎07-27-2011

Thats means... the clients is able to connect into the network with the guest account is it??

DO the below and see if that helps..

WLC GUI >> WLANs >> WLAN ID >> EDIT >> Security >> Advanced >> Authentication priority for web auth users >> Just USE RADIUS and remove LDAP and LOCAL from the list.

Lemme know if this helps!!

Regards

Surendra

Regards
Surendra BG

grabonlee · ‎07-28-2011

You obviously got the concept wrong. These are not guest users. My Guest SSID is on a DMZ and no unauthorised person can get to it. The enterprise SSID uses PEAP with authenticates against the Active Directory. Hence, a user has to have an account in the domain. The issue is that a member of staff was able to log in through his Iphone using his authroised domain account. However, I would have expected a rejection since the Iphone MAC add is not registered in the domain but the user account is.

grabonlee · ‎07-28-2011

Update,

I noticed that the ACS authenticated the users because they had their accounts in the ACS, but password requirement set to Windows Database. Under unknown user policy, I have it set to verify through AD. Tested with an account that was not in ACS but configured in AD, and the authentication failed. That is fine, but the flaw here is that if I have members of staff who have an account in ACS, I can't control what devices they use on the wireless as the ACS will allow authentication.