PEAP User + Machine Authentication

sreejith_r
Level 1
Level 1

Hi ;

I tried PEAP machine and user authentication together with ACS 5.3. But if we select only computer authentication on the client side, we are able to connect without even being prompted for the username and password.

Is there any way to enforce both authentications?

Best Regards

Sreejith R

49 Replies

I guess what I want is the ACS to believe it has authenticated the workstation, but then instead of sending an access-accept, send an access-reject response to the RADIUS client; in this case our Aruba controller. I'm having trouble manipulating this, however; I'll continue to experiment. I feel there may be an attribute I can send on which the controller could then make an enforceable decision.

How is your service selection rule set up? You should be able to view the passed logs, and that will give you a detail of which profiles it is hitting.

-Scott
*** Please rate helpful posts ***

Here is the Wireless LAN Controller service:

Going back to the previous rules, I have tried setting the machine authentication to deny instead of permit - right now it has an authorization profile called "Machine-Authentication", that basically just permits - but if I set it to deny then it considers the machine unauthenticated and won't pass the second rule which requires that the machine be authenticated.  I guess this is expected behavior, however I was hoping that the Deny Authorization profile was just an authorization and not part of the ACS determining whether the machine is an authenticated domain machine.

On your network access policy, why do you have so many different AD groups as separate rules? How I have mine set up is basically only certain AD groups can access the wireless, and I only have 2 rules. If you have other rules for other things, you need to define more service policies.

-Scott
*** Please rate helpful posts ***

I wouldn't pay too much attention to those bottom groups as I haven't even begun to test those yet. The reason we have so many is because we have about 30 separate domains with a 1-way trust. I'm not a Windows guy, so don't ask me why it is like this. 29 of them have the same root, but from what I have been told there is no one group that encompasses all the users. I'm going to be testing that, but in the meantime I have all the domain users from those individual domains in there.

Also, I need the separate rules because we have different users that will need different authorization profiles with different Filter-Ids sent back to our Aruba controller.

Then you need to specify that in the service access policy. Look at it this way... the service access policy is the first that is hit, so that is where you need to break down your groups. Then in the network policy, that is where you create the rules for that group. What you are trying to do will take some customization and testing to see what works and what things can break.

-Scott
*** Please rate helpful posts ***

Gregory,

I tested this out last night. If I don't login to the domain and use a local account it will fail. I have to login with my domain account and be in the correct group to login.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Did you set the windows supplicant to computer authentication?

I can try that later, but you can always lock that through GPO.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

That may be what we need to do because I can't see a way around it.

Well... I did some testing, and the reason you can do machine only is because of rule #1. Now you need that in order to pass rule #2, which looks to see if Was Machine Authenticated=True. Without rule #1, you would have to remove the check from rule #2. So you are better off preventing users from changing that SSID, which is easy to do in group policy.

-Scott
*** Please rate helpful posts ***

If we are enabling it through GPO we have the following limitation.

The user can log in to the computer as a local user. How will you deny that? Since the computer account is in the domain, it will authenticate through machine authentication.

Since there is no user credentials he will be able to login as a local user.

The second rule you specify an AD group the user is in and was machine authenticated. This is where the local username will fail. The issue is that Windows 7 does not really do both. It's user OR computer, and you want to authenticate using both, like it was user AND computer. So the first rule you authenticate as computer, and in the second rule ACS knows that the device has successfully authenticated. Now you only want the second rule to work until the device reboots or they have to log back in.

Since you guys are worried that the user will change the setting, you need to lock down the wireless profile. How I have mine set, I boot up my laptop and log in to the domain; logging in locally to the computer will fail on the wireless. After I log in, my Windows 7 starts and the wireless connects. My wireless profile uses whatever login credential I use at the login screen. So in ACS you will see the computer name pass first, then the user. Now when I disable and re-enable my wireless card, I ONLY AUTHENTICATE WITH USER CREDENTIALS, NOT MACHINE. Was Machine Authenticated=True will pass since ACS knows that machine was logged in via AD.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
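The two-rule behaviour described in this thread, modelled as an added example (not Cisco's or the posters' code): rule #1 permits the machine and records it as machine-authenticated, rule #2 permits a user only when the user is in an allowed AD group AND the machine was previously authenticated, and nothing else is accepted. The hostname, account and group names are constructed; `reboot()` stands in for the expiry of the machine-authenticated state that the thread says should happen on reboot.

```python
from dataclasses import dataclass, field

# Constructed sample directory: one computer account, two users, one allowed group.
AD_COMPUTERS = {"LAPTOP01"}
AD_USERS = {"alice": {"Wireless-Users"}, "bob": {"Contractors"}}
ALLOWED_GROUPS = {"Wireless-Users"}


@dataclass
class ToyAcs:
    rule1_action: str = "permit"   # "permit", or "deny" to reproduce the experiment in the thread
    machine_authenticated: set = field(default_factory=set)  # machines that passed rule #1

    def authenticate(self, identity: str, host: str) -> str:
        # Rule #1: machine authentication, identity of the form host/NAME.
        if identity.startswith("host/"):
            name = identity[len("host/"):].upper()
            if name in AD_COMPUTERS and self.rule1_action == "permit":
                self.machine_authenticated.add(name)   # "Was Machine Authenticated" becomes True
                return "accept"
            return "reject"   # a deny here never records the machine, so rule #2 can never match
        # Rule #2: user in an allowed AD group AND Was Machine Authenticated=True for this host.
        groups = AD_USERS.get(identity)   # None for a local (non-domain) account
        if groups and groups & ALLOWED_GROUPS and host.upper() in self.machine_authenticated:
            return "accept"
        return "reject"

    def reboot(self, host: str) -> None:
        # After a reboot the machine must authenticate again before any user is accepted.
        self.machine_authenticated.discard(host.upper())


def run_scenarios() -> dict:
    acs = ToyAcs()
    r = {}
    r["machine_only"] = acs.authenticate("host/laptop01", "LAPTOP01")      # rule #1 alone connects
    r["local_user"] = acs.authenticate("localadmin", "LAPTOP01")           # local account fails rule #2
    r["domain_user"] = acs.authenticate("alice", "LAPTOP01")               # group + machine auth
    r["wrong_group"] = acs.authenticate("bob", "LAPTOP01")                 # machine ok, group not allowed
    r["reconnect_user_only"] = acs.authenticate("alice", "LAPTOP01")       # user-only reconnect still passes
    acs.reboot("LAPTOP01")
    r["user_after_reboot"] = acs.authenticate("alice", "LAPTOP01")         # must machine-auth again first
    deny = ToyAcs(rule1_action="deny")
    deny.authenticate("host/laptop01", "LAPTOP01")
    r["user_after_rule1_deny"] = deny.authenticate("alice", "LAPTOP01")    # deny on rule #1 breaks rule #2
    return r


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24s} {result}")
```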

Just to clarify... If I log in using a local account on my laptop I will not authenticate. I have tested that.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***