PEAP User + Machine Authentication

sreejith_r
Level 1

Hi;

I tried PEAP machine and user authentication together with ACS 5.3. But if we are selecting only computer authentication on the client side, we are able to connect without even being prompted for the username and password.

Is there any way to enforce both authentications?

Best Regards

Sreejith R


ohansen
Level 1

[Editing the article heavily since I found the MS KB article below after my first post]

I'm struggling with exactly the same issue: if I select "user or computer" authentication, the Windows 7 client will never attempt machine authentication when the user is logged in, and unless I set the wireless profile to auto-connect, it will basically never attempt machine authentication. I found the following Microsoft article, which explains how the wireless profile settings work these days: http://support.microsoft.com/kb/929847

machineOrUser: Use computer-only credentials or user-only credentials. When a user is logged on, the user's credentials are used for authentication. When no user is logged on, computer-only credentials are used for authentication.

Let's assume the MAR has timed out: if I keep "user or computer" selected, access fails, because "was machine authenticated=true" is selected. If I then select "computer authentication" and try again, it succeeds, and from then on if I select "user or computer" it will succeed again and will continue to succeed, doing only user authentication, until the MAR timeout...

Of course I could set the wireless profile to auto-connect, and reboot the laptop, but expecting users to have to reboot their system to be able to do machine authentication, or having the MAR randomly time out the cached machine authentication (for users who only suspend their laptops) is definitely not something that's going to be acceptable for a production deployment.

Looking at the RFCs, the authenticator is supposed to tell the client what it expects, for example RFC 2284:

     After the Link Establishment phase is complete, the authenticator
      sends one or more Requests to authenticate the peer.  The Request
      has a type field to indicate what is being requested.  Examples of
      Request types include Identity,  MD5-challenge, One-Time
      Passwords, Generic Token Card, etc.  The MD5-challenge type
      corresponds closely to the CHAP authentication protocol.
      Typically, the authenticator will send an initial Identity Request
      followed by one or more Requests for authentication information.

I'm leaning towards believing it's really the Cisco side that's supposed to tell the Windows 7 supplicant what it needs, instead of Microsoft dictating how it does its machine vs. user authentication, and that policy should be maintained in ACS. Any thoughts, anyone?

From my testing, my laptop will only send the machine credentials when I boot up. I will see the machine name come through the WLC and then to ACS. After that I will also see the username come through both. If I shut the radio off and turn the radio back on, Windows 7 only sends the user information. If Windows 7 sends both user and machine, then you can use only one rule to match the computer group and the user group the user belongs in. So how I see it, you really can't do both unless you have two rules, which is a workaround because now you can really do either, especially just machine auth. The only real way is to lock the wireless profile down so there isn't any "Well, if the client changes this...". In IAS or NPS, you can't even do this, so it is how Microsoft designed it, or else their RADIUS server would support it also. Just my 2 pennies :)

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Hi All;

Finally, Cisco TAC confirmed that there is no way that we can enforce user authentication with ACS.

1. When the "authenticate as computer" option is selected on the laptop, and machine authentication is enabled on the ACS:

What happens is that the laptop goes through machine authentication and gains access. The customer wants to get prompted for a username and password; if no username, or an incorrect username/password, is provided, then he wants to deny access.

ANS: With MAR we can enforce machine authentication; however, in the ACS it is not possible to enforce user authentication, only machine authentication.

So you can't enforce the user auth to be the one that decides whether the client is going to gain access or not after machine auth succeeds.

Thanks & Regards

Sreejith R
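To make the behaviour described in this thread concrete (the supplicant's authMode choosing which credential is sent, the two-rule ACS policy with "was machine authenticated" on the user rule, and the MAR timeout that makes the user rule fail until a fresh machine authentication), here is a small model as an added example. It is not code from the thread, from Cisco ACS or from Windows; the host name, account names, secrets and the MAR timeout are constructed sample values, and the rule logic is a simplification of what the posts above describe.

```python
"""Model of the PEAP machine/user authentication interplay discussed above.

Supplicant side: which credential the client offers depends on the profile's
authMode (semantics as quoted from MS KB 929847).
Server side: an ACS-style policy with two rules, one for machine identities and
one for user identities that additionally requires a fresh MAR entry.
All identities, secrets and the MAR timeout are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def credential_offered(auth_mode: str, user_logged_on: bool) -> Optional[str]:
    """Return 'machine', 'user' or None for the given authMode (KB 929847)."""
    if auth_mode == "machine":
        return "machine"
    if auth_mode == "user":
        return "user" if user_logged_on else None
    if auth_mode == "machineOrUser":
        return "user" if user_logged_on else "machine"
    raise ValueError(f"unknown authMode {auth_mode!r}")


@dataclass
class MarCache:
    """Machine Access Restriction: remembers hosts that passed machine
    authentication until the timeout elapses (time is an integer tick)."""
    timeout: int
    seen: Dict[str, int] = field(default_factory=dict)

    def record(self, host: str, now: int) -> None:
        self.seen[host] = now

    def was_machine_authenticated(self, host: str, now: int) -> bool:
        t = self.seen.get(host)
        return t is not None and now - t < self.timeout


@dataclass
class Policy:
    machine_accounts: Dict[str, str]  # machine identity -> secret (constructed)
    user_accounts: Dict[str, str]     # user identity -> secret (constructed)
    mar: MarCache

    def authorize(self, kind: str, identity: str, secret: str,
                  host: str, now: int) -> str:
        # Rule 1: machine identity with a valid credential -> accept, refresh MAR.
        if kind == "machine":
            if self.machine_accounts.get(identity) == secret:
                self.mar.record(host, now)
                return "ACCESS-ACCEPT (machine rule)"
            return "ACCESS-REJECT (bad machine credential)"
        # Rule 2: user identity, valid credential AND "was machine authenticated".
        if kind == "user":
            if self.user_accounts.get(identity) != secret:
                return "ACCESS-REJECT (bad user credential)"
            if not self.mar.was_machine_authenticated(host, now):
                return "ACCESS-REJECT (MAR: no machine auth on record)"
            return "ACCESS-ACCEPT (user rule)"
        return "ACCESS-REJECT (unknown identity type)"


@dataclass
class Supplicant:
    host: str
    auth_mode: str
    machine_cred: Tuple[str, str]
    user_cred: Optional[Tuple[str, str]]  # None while nobody is logged on


def connect(policy: Policy, client: Supplicant, now: int) -> Tuple[Optional[str], str]:
    """One connection attempt: (credential type sent, server decision)."""
    kind = credential_offered(client.auth_mode, client.user_cred is not None)
    if kind is None:
        return (None, "no attempt (profile has nothing to send)")
    identity, secret = client.machine_cred if kind == "machine" else client.user_cred
    return (kind, policy.authorize(kind, identity, secret, client.host, now))


def demo() -> List[Tuple[Optional[str], str]]:
    """Replay the sequence the thread describes; returns each attempt's outcome."""
    policy = Policy(
        machine_accounts={"host/LAPTOP01.example.test": "m-secret"},
        user_accounts={"alice": "u-secret"},
        mar=MarCache(timeout=100),
    )
    laptop = Supplicant("LAPTOP01", "machine",
                        ("host/LAPTOP01.example.test", "m-secret"), None)
    out = []
    # 1. Boot, nobody logged on, profile = computer only: machine auth, access granted.
    out.append(connect(policy, laptop, now=0))
    # 2. Alice logs on; "computer only" still sends the machine credential,
    #    so she is on the network without ever being prompted (the original question).
    laptop.user_cred = ("alice", "u-secret")
    out.append(connect(policy, laptop, now=5))
    # 3. Profile switched to machineOrUser: logged-on user -> user credential,
    #    MAR entry still fresh -> accepted.
    laptop.auth_mode = "machineOrUser"
    out.append(connect(policy, laptop, now=10))
    # 4. Laptop only suspended, never rebooted; MAR timeout elapsed -> user rule rejects.
    out.append(connect(policy, laptop, now=150))
    # 5. Workaround from the thread: select "computer only" once to refresh MAR.
    laptop.auth_mode = "machine"
    out.append(connect(policy, laptop, now=151))
    # 6. Back to machineOrUser: user auth succeeds again until the next timeout.
    laptop.auth_mode = "machineOrUser"
    out.append(connect(policy, laptop, now=152))
    return out


if __name__ == "__main__":
    for step, result in enumerate(demo(), 1):
        print(step, result)
```

Step 2 is the behaviour the original question asks about: with the profile set to computer-only, the machine rule alone grants access and nothing in the policy ever asks for the user's password, which is exactly what TAC's answer says ACS cannot enforce. Steps 4 to 6 reproduce the MAR-timeout loop from ohansen's post.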

Correct... That's the issue when you have two rules instead of just having one. If you remove the rule for machine and change the rule for user and take out "was machine authenticated", then that's how you authenticate user only.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Vinay Sharma
Level 7

Check this doc:

Tips to make Machine Authentication Work - PEAP Authentication: https://supportforums.cisco.com/docs/DOC-21825

Thanks.
