01-03-2012 06:18 AM - edited 07-03-2021 09:19 PM
Hi,
I tried PEAP machine and user authentication together with ACS 5.3. But if we are selecting only computer authentication on the client side, we are able to connect without even being prompted for the username and password.
Is there any way to enforce both authentications?
Best Regards
Sreejith R
01-12-2012 12:40 PM
I guess what I want is the ACS to believe it has authenticated the workstation, but then instead of sending an access-accept, send an access-reject response to the RADIUS client; in this case our Aruba controller. I'm having trouble manipulating this however, I'll continue to experiment. I feel there may be an attribute I can send that the controller could then make an enforceable decision on.
01-12-2012 12:41 PM
How is your service selection rule set up? You should be able to view the passed logs and that will give you a detail of what profiles it is hitting.
01-12-2012 12:56 PM
Here is the Wireless LAN Controller service:
Going back to the previous rules, I have tried setting the machine authentication to deny instead of permit - right now it has an authorization profile called "Machine-Authentication", that basically just permits - but if I set it to deny then it considers the machine unauthenticated and won't pass the second rule which requires that the machine be authenticated. I guess this is expected behavior, however I was hoping that the Deny Authorization profile was just an authorization and not part of the ACS determining whether the machine is an authenticated domain machine.
01-12-2012 01:04 PM
On your Network access policy, why do you have so many different AD groups as separate rules? How I have mine set up is basically only certain AD groups can access the wireless and I only have 2 rules. If you have other rules for other things, you need to define more service policies.
01-12-2012 01:09 PM
I wouldn't pay too much attention to those bottom groups as I haven't even begun to test those yet. The reason we have so many is because we have about 30 separate domains with a 1-way trust. I'm not a Windows guy so don't ask me why it is like this. 29 of them have the same root, but from what I have been told there is no one group that encompasses all the users. I'm going to be testing that, but in the meantime I have all the domain users from those individual domains in there.
01-12-2012 01:16 PM
Also, I need the separate rules because we have different users that will need different authorization profiles with different Filter-Ids sent back to our Aruba controller.
01-12-2012 02:32 PM
Then you need to specify that in the service access policy. Look at it this way... the service access policy is the first that is hit. So that is where you need to break down your groups. Then in the network policy, that is where you create the rules for that group. What you are trying to do, will take some customization and testing to see what works and what things can break.
01-13-2012 05:45 AM
Gregory,
I tested this out last night. If I don't login to the domain and use a local account it will fail. I have to login with my domain account and be in the correct group to login.
Thanks,
Scott Fella
Sent from my iPhone
01-13-2012 07:20 AM
Did you set the windows supplicant to computer authentication?
01-13-2012 07:23 AM
I can try that later, but you can always lock that through GPO.
Thanks,
Scott Fella
Sent from my iPhone
01-13-2012 07:26 AM
That may be what we need to do because I can't see a way around it.
01-13-2012 10:08 PM
Well... I did some testing and the reason you can do machine only is because of rule #1. Now you need that in order to pass rule #2, which looks to see if Was Machine Authenticated=True. Without rule #1, you would have to remove the check from rule #2. So you are better off preventing users from changing that SSID, which is easy to do in group policy.
01-14-2012 03:01 AM
If we are enabling this through GPO we have the following limitation.
The user can log in to the computer as a local user. How will you deny that? Since the computer account is in the domain, it will authenticate through machine authentication.
Since there are no user credentials, he will be able to log in as a local user.
01-14-2012 06:44 AM
The second rule you specify an AD group the user is in and was machine authenticated. This is where the local username will fail. The issue is that Windows 7 does not really do both. It's user OR computer and you want to authenticate using both like it was user AND computer. So the first rule you authenticate as computer and the second rule ACS knows that the device has successfully authenticated. Now you only want the second rule to work until the device reboots or they have to log back in.
Since you guys are worried that the user will change the setting, you need to lock down the wireless profile. How I have mine set, I boot up my laptop and log in to the domain; logging in locally to the computer will fail on the wireless. After I log in my Windows 7 starts and the wireless connects. My wireless profile uses whatever login credential I use at the login screen. So in ACS you will see the computer name pass first then the user. Now when I disable and re-enable my wireless card, I ONLY AUTHENTICATE WITH USER CREDENTIALS NOT MACHINE. Was Machine Authenticated=True will pass since ACS knows that machine was logged in via AD.
Thanks,
Scott Fella
Sent from my iPhone
01-14-2012 07:40 AM
Just to clarify... If I log in using a local account on my laptop I will not authenticate. I have tested that.
Thanks,
Scott Fella
Sent from my iPhone
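A toy model, added here and not taken from the thread or from ACS itself, of the two-rule logic described above (rule #1 permits any domain computer account; rule #2 requires a permitted AD group plus Was Machine Authenticated=True) and of the local-account test in the last post. The class, endpoint name and group name are constructed assumptions; how real ACS keys and ages the flag is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One RADIUS access-request as ACS would see it (constructed sample data)."""
    endpoint: str                         # laptop the request comes from (assumed key)
    is_machine: bool                      # True for host/... computer-account PEAP auth
    ad_groups: frozenset = frozenset()    # AD groups of the user; empty for local accounts


class AcsNetworkAccessPolicy:
    """Model of the two-rule network access policy discussed in the thread."""

    def __init__(self, permitted_groups):
        self.permitted_groups = frozenset(permitted_groups)
        self.machine_authenticated = set()   # endpoints with Was Machine Authenticated=True

    def evaluate(self, req: Request) -> str:
        # Rule #1: any domain computer account is permitted. This is why a supplicant
        # set to "computer authentication only" connects with no user prompt at all.
        if req.is_machine:
            self.machine_authenticated.add(req.endpoint)
            return "Machine-Authentication"
        # Rule #2: user must be in a permitted AD group AND the endpoint must already
        # have passed rule #1. A local account has no AD groups, so it is denied here.
        if req.ad_groups & self.permitted_groups and req.endpoint in self.machine_authenticated:
            return "User-Access"
        return "Deny"

    def reboot(self, endpoint: str) -> None:
        # The machine-authenticated flag only lasts until the device reboots.
        self.machine_authenticated.discard(endpoint)


def run_scenarios() -> dict:
    acs = AcsNetworkAccessPolicy(permitted_groups={"DOMAIN\\Wireless-Users"})
    domain_user = frozenset({"DOMAIN\\Wireless-Users"})
    out = {}
    # 1: supplicant set to computer-only authentication, nobody logged in yet.
    out["machine_only"] = acs.evaluate(Request("LAPTOP1", True))
    # 2: a local (non-domain) account logs in on that same laptop.
    out["local_user"] = acs.evaluate(Request("LAPTOP1", False, frozenset()))
    # 3: a domain user in the permitted group logs in on that laptop.
    out["domain_user"] = acs.evaluate(Request("LAPTOP1", False, domain_user))
    # 4: same user disables and re-enables the wireless card: user credentials only.
    out["wifi_reenable"] = acs.evaluate(Request("LAPTOP1", False, domain_user))
    # 5: after a reboot with the supplicant forced to user-only authentication.
    acs.reboot("LAPTOP1")
    out["user_only_after_reboot"] = acs.evaluate(Request("LAPTOP1", False, domain_user))
    return out
```

Scenario 1 is the original complaint (machine-only connects), scenario 2 is the local-account failure reported above, and scenario 5 shows why rule #2 cannot simply replace rule #1.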