PEAP User + Machine Authentication

sreejith_r
Level 1

Hi ;

   I tried PEAP machine and user authentication together with ACS 5.3. But if we select only computer authentication on the client side, we are able to connect without even being prompted for the username and password.

Is there any way to enforce both authentications?

Best Regards

Sreejith R

49 Replies

I will try with this document today and will let you know about the status.

Sounds good.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Scott Fella
Hall of Fame

Were you able to try it?

Sent from Cisco Technical Support iPhone App

-Scott

Any update if this worked for you?

-Scott

Didn't get any update from the customer. Will update you once i get the feedback from the customer.

I'm having similar issues - using 5.2 - with user and machine authentication. This rule in your PDF is where I have an issue:

7. YOU WILL NEED TO CREATE TWO RULES

a. RULE #1

i. Click 'Create' and name the rule if you wish

ii. Make sure the Status is set to 'Enabled'

iii. Check 'System:UserName'

iv. The rule should be as follows: 'starts with' input 'host/' without the quotes

v. Under 'Results' 'Authorization Profiles' click 'Select' and choose 'Permit Access'

vi. Click 'Ok' and Click 'Ok' again

vii. This is all for this rule.

viii. Click 'Ok' on the bottom

If the supplicant is configured to authenticate by machine only, this rule will permit access.  The OP wants to stop users from authenticating by machine without them providing their user credentials.

When you test this, you need to reboot your machine. Also, Windows 7 needs to be set to user and machine.

Thanks,

Scott Fella

-Scott

Is there a way to prevent machine authentication from working, though? I have tried setting the Session-Timeout RADIUS attribute to 1 second on the machine authentication authorization profile, but it wasn't terminating the connection - this could be a problem on my Aruba controller, though.

I guess the situation I'm trying to avoid is a user logging in as a local user, changing the authentication method to machine only and gaining access to the network.  What would be the best way to avoid this?

If you don't want machine authentication you would not put that group in the ACS policy, just the user group.

Thanks,

Scott Fella

-Scott

Just to clarify.... are you looking to just authenticate using the user's AD credentials and not allow machine authentication? If so, this doc isn't for you. You would have to modify it, and really you will only need one rule.

-Scott

I want Machine and User authentication to both be required.  As it stands User authentication is only optional because if the machine authenticates then it doesn't matter who the user is.

When a user tries to authenticate, this is what happens:

     User auth only - Fail
     Machine auth only - Pass (I want this to fail)
     User auth after machine auth - Pass

Basically I want the ACS to authenticate the Machine but I don't want it to grant it network access.
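The rule logic the two posters are describing, as an added example written for this page (it is not ACS configuration, not from Cisco's document, and not from anyone in the thread): a Python model of the two authorization rules from the PDF steps quoted above (Rule #1 matches a System:UserName that starts with 'host/', Rule #2 matches any other identity), replayed against the cases in the post above. When both rules return Permit Access, a supplicant set to computer-only is permitted, which is the BAD result the poster wants to stop. The second mode keeps machine authentication succeeding but hands the computer a restricted profile, and permits a user only if the same Calling-Station-Id completed machine authentication within an aging window; this is the behaviour ACS 5.x calls Machine Access Restrictions (MAR). The MAC addresses, usernames, profile names and the 8-hour aging value are constructed for the example. The model covers only these rules; it does not reproduce the user-only failure from a non-domain machine reported in the thread, whose cause the thread does not give.

```python
"""Model of the two ACS authorization rules discussed in this thread, plus a
MAR-style variant. Constructed example: not ACS configuration or log data."""
from dataclasses import dataclass

# Assumption: how long a successful machine authentication is remembered per
# client MAC. ACS calls this the MAR aging time; the value here is illustrative.
MAR_AGING_SECONDS = 8 * 3600


@dataclass
class Request:
    """One RADIUS Access-Request as ACS sees it after the PEAP inner method."""
    username: str          # System:UserName, e.g. "host/PC01.example.com" or "EXAMPLE\\alice"
    calling_station: str   # Calling-Station-Id, the supplicant's MAC
    inner_auth_ok: bool    # result of the MSCHAPv2 exchange against AD
    t: float = 0.0         # seconds, used only for the aging check


class Policy:
    def __init__(self, require_machine_auth: bool):
        self.require_machine_auth = require_machine_auth
        self.machine_seen = {}  # calling_station -> time of last machine auth

    def authorize(self, req: Request) -> str:
        if not req.inner_auth_ok:
            return "Reject"
        if req.username.startswith("host/"):
            # Rule #1 in the thread: System:UserName starts with 'host/'.
            self.machine_seen[req.calling_station] = req.t
            if self.require_machine_auth:
                # Authenticate the computer, but return a restricted profile
                # (e.g. a VLAN/ACL that only reaches AD, DNS and DHCP).
                return "Machine-Only Access"
            return "Permit Access"
        # Rule #2 in the thread: any other (user) identity.
        if self.require_machine_auth:
            last = self.machine_seen.get(req.calling_station)
            if last is None or req.t - last > MAR_AGING_SECONDS:
                return "Reject"
        return "Permit Access"


def run_matrix(require_machine_auth: bool) -> dict:
    """Replay the cases from the thread; return the result each one gets."""
    policy = Policy(require_machine_auth)
    pc, laptop = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed MACs
    results = {}
    # Machine auth only (supplicant set to "computer"), from a domain PC.
    results["machine only"] = policy.authorize(
        Request("host/PC01.example.com", pc, True, t=0))
    # User auth after machine auth on the same PC ("user and computer").
    results["user after machine"] = policy.authorize(
        Request("EXAMPLE\\alice", pc, True, t=60))
    # User auth only, from a machine that never did machine auth.
    results["user only"] = policy.authorize(
        Request("EXAMPLE\\alice", laptop, True, t=120))
    # Same domain user on the PC, but its machine record has aged out.
    results["user after stale machine"] = policy.authorize(
        Request("EXAMPLE\\alice", pc, True, t=MAR_AGING_SECONDS + 61))
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("require_machine_auth =", mode)
        for case, result in run_matrix(mode).items():
            print(f"  {case:26s} -> {result}")
```

Two caveats a practitioner should keep in mind with the second mode: the machine-to-user binding is keyed on the client MAC, which a local administrator on the workstation can change, so the restricted machine profile must itself be tight enough that a computer-only session is not useful; and a user who roams to a workstation that has not machine-authenticated recently, or whose record has aged out, will be rejected rather than downgraded, which is the trade-off the poster is asking for.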

Okay... so on Windows 7 you have it set as user and computer. Can you post your ACS log to show whether the machine and the user passed or failed? Can you screenshot your rules also?

-Scott

I only see users or computers? But I can't enforce this; the user will have the rights to change this if they want, so if possible I need to be sure that user-only or machine-only will not work.

The first 3 denies were a machine not on the domain trying to connect with a domain username; this failed - GOOD

The next was a domain user authenticating on a domain-authenticated machine; it passed - GOOD

The last one was a non-domain user on a domain machine with the supplicant set to machine authentication; it passed - BAD
     - I want this to fail

Here are my rules:

Can you clear your hit counters on ACS and try again? I would like to see which rules it is hitting. You might be hitting the wrong rule, is what I'm thinking.

-Scott

I missed that picture; here it is:
