01-03-2012 06:18 AM - edited 07-03-2021 09:19 PM
Hi;
I tried PEAP machine and user authentication together with ACS 5.3. But if we select only computer authentication on the client side, we are able to connect without even being prompted for the username and password.
Is there any way to enforce both authentications?
Best Regards
Sreejith R
01-17-2012 03:25 PM
[Editing the article heavily since I found the MS KB article below after my first post]
I'm struggling with exactly the same issue: if I select "user or computer" authentication, the Windows 7 client will never attempt machine authentication when the user is logged in, and unless I set the wireless profile to auto-connect, it will basically never attempt machine authentication. I found the following Microsoft article, which explains how the wireless profile settings work these days: http://support.microsoft.com/kb/929847
machineOrUser: Use computer-only credentials or user-only credentials. When a user is logged on, the user's credentials are used for authentication. When no user is logged on, computer-only credentials are used for authentication.
Let's assume the MAR has timed out: if I keep "user or computer" selected, access fails, because "was machine authenticated = true" is selected. If I then select "computer authentication" and try again, it succeeds, and from then on, if I select "user or computer", it will succeed again and will continue to succeed, doing only user authentication, until the MAR timeout...
Of course I could set the wireless profile to auto-connect and reboot the laptop, but expecting users to have to reboot their system to be able to do machine authentication, or having the MAR randomly time out the cached machine authentication (for users who only suspend their laptops), is definitely not something that's going to be acceptable for a production deployment.
Looking at the RFCs, the authenticator is supposed to tell the client what it expects; for example, RFC 2284:
After the Link Establishment phase is complete, the authenticator sends one or more Requests to authenticate the peer. The Request has a type field to indicate what is being requested. Examples of Request types include Identity, MD5-challenge, One-Time Passwords, Generic Token Card, etc. The MD5-challenge type corresponds closely to the CHAP authentication protocol. Typically, the authenticator will send an initial Identity Request followed by one or more Requests for authentication information.
I'm leaning towards believing it's really the Cisco side that's supposed to tell the Windows 7 supplicant what it needs, instead of Microsoft dictating how it does its machine vs. user authentication, and that this policy should be maintained in ACS. Any thoughts, anyone?
01-18-2012 04:59 AM
From my testing, my laptop will only send the machine credentials when I boot up. I will see the machine name come through the WLC and then to ACS. After that I will also see the username come through both. If I shut the radio off and turn the radio back on, Windows 7 only sends the user information. If Windows 7 sent both user and machine, then you could use only one rule to match the computer group and the user group the user belongs to. So the way I see it, you really can't do both unless you have two rules, which is a workaround, because now you can really do either, especially just machine auth. The only real way is to lock the wireless profile down so there isn't any "Well, if the client changes this...". In IAS or NPS you can't even do this, so it is how Microsoft designed it, or else their RADIUS server would support it also. Just my 2 pennies :)
Thanks,
Scott Fella
Sent from my iPhone
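To make the behaviour described in the two posts above concrete (the supplicant choosing machine or user credentials from the profile's authMode per KB 929847, and the two-rule ACS policy with a "was machine authenticated" condition backed by a MAR cache that times out), here is an added simulation. It is example code written for this thread, not Cisco or Microsoft code: the WLAN profile XML is a constructed sample, the MAR cache is keyed here by host name and expires on a fixed timeout (real ACS keys it on the calling station ID; treat the details as a simplification), and the rule names are made up.

```python
"""Simulate a Windows 7 supplicant choosing credentials from a WLAN profile
and an ACS 5.x policy with two rules (machine auth, user auth + MAR check)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ONEX_NS = "{http://www.microsoft.com/networking/OneX/v1}"

# Constructed sample profile, not exported from a real machine.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-wifi</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def profile_auth_mode(xml_text: str) -> str:
    """Return the OneX authMode of a WLAN profile (machine, user, machineOrUser).
    An absent element is treated here as machineOrUser (assumption)."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//{ONEX_NS}authMode")
    return node.text.strip() if node is not None and node.text else "machineOrUser"


def supplicant_identity(auth_mode: str, user_logged_on: bool):
    """Which credential the supplicant presents, following the KB 929847 table."""
    if auth_mode == "machine":
        return "machine"
    if auth_mode == "user":
        return "user" if user_logged_on else None
    if auth_mode == "machineOrUser":
        return "user" if user_logged_on else "machine"
    raise ValueError(f"unknown authMode {auth_mode!r}")


@dataclass
class AcsPolicy:
    """Two rules: rule 1 permits a machine identity and records it in the MAR
    cache; rule 2 permits a user identity only if WasMachineAuthenticated,
    i.e. a cache entry exists and is younger than mar_timeout seconds."""
    mar_timeout: int
    cache: dict = field(default_factory=dict)   # host -> time of last machine auth

    def evaluate(self, identity, host: str, now: int) -> str:
        if identity == "machine":
            self.cache[host] = now
            return "permit: machine-auth rule"
        if identity == "user":
            seen = self.cache.get(host)
            if seen is not None and now - seen < self.mar_timeout:
                return "permit: user-auth rule, WasMachineAuthenticated=true"
            return "deny: user-auth rule, MAR entry missing or expired"
        return "no authentication attempted"


def replay(events, mar_timeout: int, host: str = "LAPTOP1$"):
    """events: (time_seconds, authMode, user_logged_on). Returns ACS verdicts."""
    acs = AcsPolicy(mar_timeout)
    return [acs.evaluate(supplicant_identity(mode, logged_on), host, t)
            for t, mode, logged_on in events]


# The scenario from the thread: boot, user logon, MAR expiry, then the
# manual switch to computer-only authentication and back.
SCENARIO = [
    (0,    "machineOrUser", False),  # boot, nobody logged on -> machine creds
    (60,   "machineOrUser", True),   # user logs on -> user creds, MAR fresh
    (5000, "machineOrUser", True),   # radio toggled after MAR timeout -> user creds
    (5010, "machine",       True),   # profile switched to computer-only
    (5020, "machineOrUser", True),   # switched back -> user creds succeed again
]

if __name__ == "__main__":
    print("profile authMode:", profile_auth_mode(SAMPLE_PROFILE))
    for (t, mode, logged_on), verdict in zip(SCENARIO, replay(SCENARIO, 3600)):
        print(f"t={t:5d} authMode={mode:14s} loggedOn={logged_on!s:5s} -> {verdict}")
```

Running it reproduces the sequence in the thread: the third attempt is denied because the MAR entry from boot has aged out and the supplicant, with a user logged on, never offers machine credentials; only forcing authMode to "machine" refreshes the cache, after which user-only authentication is accepted again until the next timeout.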
01-18-2012 05:29 AM
Hi All;
Finally Cisco TAC confirmed that there is no way we can enforce user authentication with ACS.
1. When the "authenticate as computer" option is selected on the laptop, and machine authentication is enabled on the ACS:
What happens is that the laptop goes through machine authentication and gains access. The customer wants to be prompted for a username and password; if no username, or an incorrect username/password, is provided, then he wants to deny access.
ANS: With MAR we can enforce machine authentication; however, in ACS it is not possible to enforce user authentication, only machine authentication.
So you can't enforce the user auth to be the one that decides whether the client is going to gain access or not after machine auth succeeds.
Thanks & Regards
Sreejith R
01-18-2012 05:44 AM
Correct... That's the issue when you have two rules instead of just having one. If you remove the rule for machine and change the rule for user and take out "was machine authenticated", then that's how you authenticate user only.
Thanks,
Scott Fella
Sent from my iPhone
01-22-2012 10:10 AM
Check this Doc
Tips to make Machine Authentication Work - PEAP Authentication - https://supportforums.cisco.com/docs/DOC-21825
Thanks.