PEAP with computer authentication

remco.gussen
Level 1

Hi

I was wondering if it is possible to use computer authentication as well as user authentication with PEAP? I need to make a design with a WLC and ACS. The ACS checks the correct Active Directory global group for user authentication. I also want to check the membership of a client computer in the Active Directory. Computer not member of domain, no access to WLAN. Is this possible?

Another question, is it possible to do a trace (after three weeks) to find out which user was connected to the wireless network, based on the IP address?

GR.

Remco

22 Replies

Jagdeep Gambhir
Level 10

Hi Remco,

Yes that is very much possible. Please check this link,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

On ACS ---> ext db ---> group mapping ---> default ---> you need to set 'all other combinations should be mapped to No Access ACS group'.

This will deny user/computer access if it is not a part of any defined group.

For tracing users you can set up RADIUS accounting, which will let you know who logged in and when.

Regards,

~JG

Please rate helpful posts
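For the "which user had this IP three weeks ago" question, the RADIUS accounting records JG mentions are exactly what you correlate. The script below is an added example (not from this thread and not Cisco code): it folds Start/Interim-Update/Stop records into sessions and answers "who held IP X at time T". The log lines and their `;`-separated key=value layout are constructed for the example; the attribute names (User-Name, Framed-IP-Address, Calling-Station-Id, Acct-Session-Id, Acct-Status-Type, Acct-Session-Time) are the standard RADIUS accounting attributes an ACS export contains. The sample deliberately reuses one IP for two users on the same day and includes a Stop whose Start was rotated away, because those are the two cases that trip people up when doing this by hand.

```python
"""Look up which user held a given IP address at a given time, from RADIUS
accounting records. Added example; log format and data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample records (not real data). 10.10.20.15 is handed to two
# different users on the same day, and session c3 has a Stop but no Start
# (its Start fell in a log file that was rotated away).
SAMPLE_LOG = r"""
2008-03-01 08:02:11;Acct-Status-Type=Start;Acct-Session-Id=a1;User-Name=CORP\remco;Framed-IP-Address=10.10.20.15;Calling-Station-Id=00-11-22-33-44-55
2008-03-01 12:30:00;Acct-Status-Type=Stop;Acct-Session-Id=a1;User-Name=CORP\remco;Framed-IP-Address=10.10.20.15;Calling-Station-Id=00-11-22-33-44-55;Acct-Session-Time=16069
2008-03-01 12:45:09;Acct-Status-Type=Start;Acct-Session-Id=b2;User-Name=CORP\erik;Framed-IP-Address=10.10.20.15;Calling-Station-Id=00-aa-bb-cc-dd-ee
2008-03-01 13:00:00;Acct-Status-Type=Interim-Update;Acct-Session-Id=b2;User-Name=CORP\erik;Framed-IP-Address=10.10.20.15;Calling-Station-Id=00-aa-bb-cc-dd-ee
2008-03-02 09:00:00;Acct-Status-Type=Stop;Acct-Session-Id=c3;User-Name=CORP\guest01;Framed-IP-Address=10.10.20.77;Calling-Station-Id=00-de-ad-be-ef-01;Acct-Session-Time=3600
"""


@dataclass
class Session:
    session_id: str
    user: str
    ip: str
    mac: str
    start: datetime
    stop: Optional[datetime] = None  # None: no Stop seen (still open, or log truncated)


def parse_accounting(text: str) -> Dict[str, Session]:
    """Fold Start / Interim-Update / Stop records into one Session per Acct-Session-Id."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *attrs = line.split(";")
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        kv = dict(a.split("=", 1) for a in attrs)
        sid = kv["Acct-Session-Id"]
        status = kv["Acct-Status-Type"]
        if sid not in sessions:
            # First record for this session. If it is already a Stop, the
            # Start was lost; reconstruct it from Acct-Session-Time.
            start = ts
            if status == "Stop" and "Acct-Session-Time" in kv:
                start = ts - timedelta(seconds=int(kv["Acct-Session-Time"]))
            sessions[sid] = Session(sid, kv["User-Name"], kv["Framed-IP-Address"],
                                    kv["Calling-Station-Id"], start)
        if status == "Stop":
            sessions[sid].stop = ts
    return sessions


def who_had_ip(sessions: Dict[str, Session], ip: str, when: datetime,
               slack: timedelta = timedelta(0)) -> List[Session]:
    """Sessions that held `ip` at `when`. `slack` widens the window on both
    ends to absorb clock skew between the RADIUS server and whatever produced
    the IP/time pair you are chasing (firewall log, proxy log, ...)."""
    hits = []
    for s in sessions.values():
        if s.ip != ip:
            continue
        started = s.start - slack <= when
        not_ended = s.stop is None or when <= s.stop + slack
        if started and not_ended:
            hits.append(s)
    return sorted(hits, key=lambda s: s.start)


if __name__ == "__main__":
    sessions = parse_accounting(SAMPLE_LOG)
    for s in who_had_ip(sessions, "10.10.20.15", datetime(2008, 3, 1, 13, 10)):
        print(s.user, s.mac, s.start, s.stop)
```

Two things this makes visible: a lookup without a timestamp is meaningless once DHCP leases recycle (the same address maps to two different users here), and a non-zero `slack` can return more than one candidate, which is the honest answer when the clocks are not trusted. Keep the accounting export for at least as long as you expect to be asked such questions; three weeks is well within a normal retention period.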

Could you explain how you turn on the RADIUS accounting on the AP?

Hi JG

Thank you for the reply.

In the manual / link: Permit Machine Authentication... Is this mandatory or optional? In ACS you can map a group to an external (AD) database. In AD you create a global group with usernames. You can link this group to the ACS group. Right now these are just users. Or do I need to put the computer accounts in the same global group? Or nest them? Can you do a logical AND operation to map an ACS group? If member of AD group "wireless users" AND if member of AD group "wireless computers", then map to ACS group and access is permitted....

Hope this is a clear description...

Regards

Remco

Remco,

Machine authentication is optional.

When machine authentication is enabled, the authentications occur in this order:

When starting a computer,

* Machine authentication-ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows user database. If you use Active Directory and the matching computer account in Active Directory has the same credentials, the computer gains access to Windows domain services.

* User domain authentication-If machine authentication succeeded, the windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user credentials are authenticated by using cached credentials that the local operating system retains. When a user is authenticated by cached credentials instead of the domain, the computer does not enforce domain policies, such as running login scripts that the domain dictates.

* You can also have only user authentication without machine authentication. It only gives problems in the case of a first-time user that is not yet registered once on the AD. So with machine authentication you have a network connection to AD, and therefore a first-time user has no problem. In addition, without machine authentication (no access to AD during user login) you need to make sure to have user credential caching on the workstation.

In machine authentication AD and the machine will generate its own password (you don't know it) and username = machinename, for the dot1x authentication. So after boot up the machine will do dot1x with this machine credential. As soon as you type CTRL-ALT-DEL the user login will start.

Hope that helps

Regards,

~JG

Please rate helpful posts

Thanks JG

Problem is that the customer wants to check if the computer is a member of the company.. If not, then it is a guest and just "guest" = internet access.

After check computer = company property, then further authentication...

GR.

Remco

If you want that user authentication should only proceed when a machine has been determined to be a valid machine.

OR If I say, do not allow a user to get into network, until and unless his/her machine is a valid machine on domain.

If that is what you are looking for, then go for MAR (Machine Access Restriction) on ACS.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/UsrDb.html#wp354105

It is under External User Databases > Database Configuration > ..Windows...

Regards,

Prem
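To make the MAR behaviour Prem describes concrete, here is an added example (not ACS code, not from this thread) that models the decision: a user authentication is only granted its normal group if the same endpoint passed machine authentication recently; otherwise the user is dropped into the group you reserve for non-domain machines (Remco's "guest" case). Assumptions, labelled as such: the endpoint is matched by Calling-Station-Id (the client MAC), successes are remembered for an aging period, and the `Guest` / `WirelessUsers` group names are placeholders.

```python
"""Decision model for Machine Access Restriction (MAR). Added example; the
MAC-keyed cache with an aging window is my model of the behaviour, not ACS
internals."""
from datetime import datetime, timedelta
from typing import Dict, Optional


class MachineAccessRestriction:
    def __init__(self, aging: timedelta, fallback_group: str = "Guest"):
        self.aging = aging                  # assumed: how long a machine auth stays valid
        self.fallback_group = fallback_group  # group for users on non-domain machines
        # Calling-Station-Id -> time of the last successful machine authentication
        self._machine_ok: Dict[str, datetime] = {}

    def record_machine_auth(self, mac: str, succeeded: bool, when: datetime) -> None:
        """Called when a host/<computer> authentication completes (boot-time dot1x)."""
        if succeeded:
            self._machine_ok[mac] = when
        else:
            # e.g. the expired machine password case Erik describes below:
            # drop the entry so the next user logon from this box is restricted.
            self._machine_ok.pop(mac, None)

    def machine_is_valid(self, mac: str, when: datetime) -> bool:
        last = self._machine_ok.get(mac)
        return last is not None and when - last <= self.aging

    def decide_user_auth(self, mac: str, user_group: Optional[str], when: datetime) -> str:
        """user_group is the ACS group the user's AD membership mapped to, or
        None if the user credentials failed. Returns the group to apply."""
        if user_group is None:
            return "Reject"
        if not self.machine_is_valid(mac, when):
            return self.fallback_group
        return user_group


if __name__ == "__main__":
    mar = MachineAccessRestriction(aging=timedelta(hours=24))
    boot = datetime(2008, 3, 1, 8, 0)
    mar.record_machine_auth("00-11-22-33-44-55", True, boot)
    # Domain laptop, valid user: normal group. Personal laptop, same user: Guest.
    print(mar.decide_user_auth("00-11-22-33-44-55", "WirelessUsers", boot + timedelta(minutes=5)))
    print(mar.decide_user_auth("00-aa-bb-cc-dd-ee", "WirelessUsers", boot + timedelta(minutes=5)))
```

The point of the aging window is visible in the last assertion of the test: a machine that booted long ago and never re-authenticated falls back to the restricted group, so whatever aging value you configure has to be longer than the longest interval between machine logons you expect (roaming users who suspend rather than reboot are the usual surprise).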

Hi Prem

It looks like the solution to my "problem".

I'm going to test this and hope the results are ok.

Thanks for your help !

Regards

Remco

FYI with Windows XP and earlier (I'm told this is fixed in Vista but haven't had a chance to confirm), Windows boxes will stop working with machine authentication when the machine password expires (by default every 30 days).

They are unable to reset their password because they can't get on the network, and they can't get on the network because their password has expired...

Just FYI for your testing and for machines that are infrequently network connected.

Erik

I have another question about PEAP in Vista / XP:

In the network profile, under PEAP settings, you can select: "Validate Server Certificate". Then you have to select the correct Root Certificate.

If you DON'T select the "Validate Server Certificate" setting (and the root certificate is installed on the computer), everything works fine too.

Why is this setting there? It seems that it is not required to select it..

Gr.

Remco

It's not required to use this setting in order to connect; however if you do not use it clients do not validate the identity of your authentication servers and you leave yourself open to man in the middle attacks.

In production you should pretty much always have this setting turned on.

I don't understand that. Can you explain that to me?

If you have that setting enabled then, prior to sending secured credentials, a client will validate a server's identity using certificates.

Having this setting on will help to mitigate a potential attacker's ability to put in their own RADIUS server posing as yours.

Ok, I understand that. You mean that there is no secure channel if this option is not enabled?

What is the function of the certificate that must be in the store? Keying material for the AES / TKIP encryption?

If the option is not enabled, you are not using PEAP, isn't it? How do you call it what you are using now?

Gr.

Remco
