01-03-2012 06:18 AM - edited 07-03-2021 09:19 PM
Hi ;
I tried PEAP machine and user authentication together with ACS 5.3. But if we select only computer authentication on the client side, we are able to connect without even being prompted for the username and password.
Is there any way to enforce both authentications?
Best Regards
Sreejith R
01-05-2012 12:49 AM
I will try with this document today and will let you know about the status.
01-05-2012 05:02 AM
Sounds good.
Thanks,
Scott Fella
01-06-2012 04:01 AM
Were you able to try it?
01-11-2012 04:50 AM
Any update if this worked for you?
01-11-2012 05:36 AM
Didn't get any update from the customer. Will update you once I get the feedback from the customer.
01-11-2012 11:02 AM
I'm having similar issues - using 5.2 - with user and machine authentication. This rule in your PDF is where I have an issue:
7. YOU WILL NEED TO CREATE TWO RULES
a. RULE #1
i. Click 'Create' and name the rule if you wish
ii. Make sure the Status is set to 'Enabled'
iii. Check 'System:UserName'
iv. The rule should be as follows: 'starts with', input 'host/' without the quotes
v. Under 'Results' 'Authorization Profiles' click 'Select' and choose 'Permit Access'
vi. Click 'Ok' and Click 'Ok' again
vii. This is all for this rule.
viii. Click 'Ok' on the bottom
If the supplicant is configured to authenticate by machine only, this rule will permit access. The OP wants to stop users from authenticating by machine without them providing their user credentials.
01-11-2012 11:05 AM
When you test this, you need to reboot your machine. Also, Windows 7 needs to be set to user and machine.
Thanks,
Scott Fella
01-11-2012 01:49 PM
Is there a way to prevent machine authentication from working, though? I have tried setting the Session-Timeout RADIUS attribute to 1 second on the machine authentication authorization profile, but it wasn't terminating the connection - this could be a problem on my Aruba controller, though.
I guess the situation I'm trying to avoid is a user logging in as a local user, changing the authentication method to machine only and gaining access to the network. What would be the best way to avoid this?
01-11-2012 02:14 PM
If you don't want machine authentication you would not put that group in the ACS policy, just the user group.
Thanks,
Scott Fella
01-12-2012 07:40 AM
Just to clarify... are you looking to just authenticate using the user's AD credentials and not allow machine authentication? If so, this doc isn't for you. You would have to modify it, and really you will only need one rule.
01-12-2012 08:37 AM
I want machine and user authentication to both be required. As it stands, user authentication is only optional, because if the machine authenticates then it doesn't matter who the user is.
When a user tries to authenticate this is what happens:
User Auth only - Fail
Machine Auth only - Pass (I want this to fail)
User Auth after Machine Auth - Pass
Basically I want the ACS to authenticate the Machine but I don't want it to grant it network access.
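To make the gap concrete, here is a small Python model of the two policies being discussed. This is an added illustration, not Cisco ACS code and not the poster's configuration: it evaluates the posted rule set (Rule #1 permits any System:UserName starting with 'host/') against the three scenarios listed above, and then an alternative policy in which machine authentication is accepted but only returns a restricted profile and records the endpoint, so that user authentication is permitted only from an endpoint that already completed machine authentication. The per-MAC `machine_state` record, the `MachineOnly` profile name, and the constructed requests are all assumptions for the example.

```python
"""Model of 'machine then user' RADIUS authorization (added example).

Not ACS code. Rules are evaluated top-down, first match wins, which is
how the thread's policy table behaves. All inputs below are constructed.
"""
from dataclasses import dataclass
from typing import Dict

PERMIT = "PermitAccess"      # the 'Permit Access' authorization profile
RESTRICTED = "MachineOnly"   # assumed profile: accept, but no real network access
REJECT = "AccessReject"


@dataclass
class Request:
    username: str             # System:UserName as the RADIUS server sees it
    mac: str                  # Calling-Station-Id of the endpoint
    credentials_valid: bool   # outcome of the identity-store lookup (constructed)


def is_machine_account(username: str) -> bool:
    """Rule #1 condition from the PDF: System:UserName starts with 'host/'."""
    return username.startswith("host/")


def evaluate_as_posted(req: Request) -> str:
    """Rule set as quoted in the thread.

    Rule #1: machine account -> Permit Access
    Rule #2: domain user     -> Permit Access
    A machine-only supplicant therefore gets full access.
    """
    if not req.credentials_valid:
        return REJECT
    if is_machine_account(req.username):   # Rule #1
        return PERMIT
    return PERMIT                          # Rule #2


def evaluate_requiring_both(req: Request, machine_state: Dict[str, bool]) -> str:
    """Alternative policy requiring both authentications.

    Machine auth is still *authenticated* (so the supplicant can proceed)
    but only records the endpoint and returns the restricted profile.
    User auth is permitted only if that endpoint was machine-authenticated
    earlier. `machine_state` is an assumed per-MAC record the server keeps;
    a real deployment would also expire entries after some aging time.
    """
    if not req.credentials_valid:
        return REJECT
    if is_machine_account(req.username):
        machine_state[req.mac] = True
        return RESTRICTED
    if machine_state.get(req.mac, False):
        return PERMIT
    return REJECT


def run_scenarios() -> Dict[str, Dict[str, str]]:
    """Replay the three cases from the thread against both policies."""
    mac_a = "00-11-22-33-44-55"   # constructed endpoint, user auth only
    mac_b = "00-11-22-33-44-66"   # constructed endpoint, machine auth only
    mac_c = "00-11-22-33-44-77"   # constructed endpoint, machine then user

    user_only = Request("DOMAIN\\alice", mac_a, True)
    machine_only = Request("host/pc-b.domain.local", mac_b, True)
    machine_then_user = [
        Request("host/pc-c.domain.local", mac_c, True),
        Request("DOMAIN\\alice", mac_c, True),
    ]

    results = {"as_posted": {}, "requiring_both": {}}

    results["as_posted"]["user_only"] = evaluate_as_posted(user_only)
    results["as_posted"]["machine_only"] = evaluate_as_posted(machine_only)
    results["as_posted"]["user_after_machine"] = evaluate_as_posted(machine_then_user[-1])

    state: Dict[str, bool] = {}
    results["requiring_both"]["user_only"] = evaluate_requiring_both(user_only, state)
    results["requiring_both"]["machine_only"] = evaluate_requiring_both(machine_only, state)
    for req in machine_then_user:
        last = evaluate_requiring_both(req, state)
    results["requiring_both"]["user_after_machine"] = last
    return results


if __name__ == "__main__":
    for policy, outcomes in run_scenarios().items():
        print(policy)
        for scenario, outcome in outcomes.items():
            print(f"  {scenario:20s} -> {outcome}")
```

In the posted policy the machine-only case comes back as PermitAccess, which is the "BAD" line in the thread. In the alternative, machine-only gets the restricted profile, user-only from an unknown endpoint is rejected, and only user-after-machine from the same endpoint reaches PermitAccess. Note the design choice: the machine account is still authenticated, because the supplicant has to get past machine auth before the user logon can occur; what changes is the authorization result.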
01-12-2012 08:50 AM
Okay... so on Windows 7 you have it set as user and computer. Can you post your ACS log showing the machine and the user passing or failing? Can you screenshot your rules also?
01-12-2012 12:05 PM
I only see "users or computers"? But I can't enforce this; the user will have the rights to change this if they want, so if possible I need to be sure that user-only or machine-only will not work.
The first 3 denies were a machine not on the domain trying to connect with a domain username; this failed - GOOD
The next was a domain user authenticating on a domain-authenticated machine; it passed - GOOD
The last one was a non-domain user on a domain machine with the supplicant set to machine authentication; it passed - BAD - I want this to fail
Here are my rules:
01-12-2012 12:18 PM
Can you clear your hit counters on ACS and try again? I would like to see if or what rules it is hitting. You might be hitting the wrong rule is what I'm thinking.
01-12-2012 12:30 PM
I missed that picture; here it is: