10-17-2007 06:26 AM - edited 07-03-2021 02:47 PM
Hi
I was wondering if it is possible to use computer authentication as well as user authentication with PEAP? I need to make a design with a WLC and ACS. The ACS checks the correct Active Directory global group for user authentication. I also want to check the membership of a client computer in the Active Directory. Computer not a member of the domain, no access to the WLAN. Is this possible?
Another question: is it possible to do a trace (after three weeks) to find out which user was connected to the wireless network, based on the IP address?
GR.
Remco
10-17-2007 07:16 AM
Hi Remco,
Yes that is very much possible. Please check this link,
On ACS ---> ext db ---> group mapping ---> default ---> you need to set 'all other combinations' to be mapped to the 'No Access' ACS group.
This will deny user/computer access if it is not a part of any defined group.
For tracing users you can set up RADIUS accounting, which will let you know who logged in and when.
Regards,
~JG
Please rate helpful posts
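The trace JG describes (who held an address at a given time, weeks later) is a matter of replaying the RADIUS accounting records and matching Framed-IP-Address against the Start/Stop window of each Acct-Session-Id. The following is an added example, not code from this thread or from Cisco ACS/WLC: the log lines are constructed for the example in a simple timestamp plus attribute=value layout (a real ACS accounting CSV has a different shape, but the same attributes), and the user and MAC values are invented. It also shows the two things that trip up this kind of lookup: an address that only shows up in a later Interim-Update, and a session that has no Stop record yet.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// sampleLog is a constructed sample, not real ACS or WLC output: one line per
// RADIUS accounting packet, an RFC 3339 timestamp followed by attribute=value pairs.
const sampleLog = `
2007-10-01T08:02:11Z Acct-Status-Type=Start Acct-Session-Id=0001 User-Name=CORP\remco Framed-IP-Address=10.1.20.15 Calling-Station-Id=00-11-22-33-44-55
2007-10-01T08:05:40Z Acct-Status-Type=Start Acct-Session-Id=0002 User-Name=CORP\erik Calling-Station-Id=00-11-22-33-44-66
2007-10-01T08:06:10Z Acct-Status-Type=Interim-Update Acct-Session-Id=0002 User-Name=CORP\erik Framed-IP-Address=10.1.20.16
2007-10-01T17:15:02Z Acct-Status-Type=Stop Acct-Session-Id=0001 User-Name=CORP\remco Framed-IP-Address=10.1.20.15 Acct-Terminate-Cause=User-Request
2007-10-02T09:00:00Z Acct-Status-Type=Start Acct-Session-Id=0003 User-Name=CORP\jg Framed-IP-Address=10.1.20.15 Calling-Station-Id=00-11-22-33-44-77
`

// Session is one accounting session reconstructed from Start/Interim/Stop records.
type Session struct {
	ID, User, IP, MAC string
	Start             time.Time
	Stop              *time.Time // nil while no Stop record has been seen
}

// parseRecord splits one log line into its timestamp and attribute map.
func parseRecord(line string) (time.Time, map[string]string, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return time.Time{}, nil, fmt.Errorf("malformed record: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return time.Time{}, nil, err
	}
	attrs := make(map[string]string)
	for _, f := range fields[1:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			attrs[k] = v
		}
	}
	return ts, attrs, nil
}

// BuildSessions replays the accounting text and returns sessions in Start order.
func BuildSessions(text string) ([]*Session, error) {
	byID := make(map[string]*Session)
	var sessions []*Session
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		ts, attrs, err := parseRecord(line)
		if err != nil {
			return nil, err
		}
		id := attrs["Acct-Session-Id"]
		switch attrs["Acct-Status-Type"] {
		case "Start":
			s := &Session{ID: id, User: attrs["User-Name"], IP: attrs["Framed-IP-Address"],
				MAC: attrs["Calling-Station-Id"], Start: ts}
			byID[id] = s
			sessions = append(sessions, s)
		case "Interim-Update", "Stop":
			s, ok := byID[id]
			if !ok {
				continue // the Start lies outside the retained log; nothing to attach to
			}
			// The address often appears only after DHCP finished, i.e. in a later record.
			if ip := attrs["Framed-IP-Address"]; ip != "" {
				s.IP = ip
			}
			if attrs["Acct-Status-Type"] == "Stop" {
				stop := ts
				s.Stop = &stop
			}
		}
	}
	return sessions, sc.Err()
}

// WhoHadIP returns the user names whose session held ip at the given instant.
// A session without a Stop record is treated as still open.
func WhoHadIP(sessions []*Session, ip, atRFC3339 string) ([]string, error) {
	at, err := time.Parse(time.RFC3339, atRFC3339)
	if err != nil {
		return nil, err
	}
	var users []string
	for _, s := range sessions {
		if s.IP != ip || at.Before(s.Start) || (s.Stop != nil && at.After(*s.Stop)) {
			continue
		}
		users = append(users, s.User)
	}
	return users, nil
}

func main() {
	sessions, err := BuildSessions(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, at := range []string{"2007-10-01T12:00:00Z", "2007-10-01T18:00:00Z", "2007-10-02T10:00:00Z"} {
		users, _ := WhoHadIP(sessions, "10.1.20.15", at)
		fmt.Printf("%s 10.1.20.15 -> %v\n", at, users)
	}
}
```

Two practical points follow from the code: the lookup is only as good as the accounting records you still have, so the retention period on the accounting server has to cover the three weeks asked about, and Calling-Station-Id is worth keeping alongside the user name, since it ties the session to a specific client even when the same address is reused the next day.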
10-17-2007 08:28 AM
Could you explain how you turn on the RADIUS accounting on the AP?
10-17-2007 09:04 AM
Here is the link,
Please rate helpful posts
Regards,
~JG
10-17-2007 11:43 AM
Hi JG
Thank you for the reply.
In the manual / link: Permit Machine Authentication... Is this mandatory or optional? In ACS you can map a group to an external (AD) database. In AD you create a global group with usernames. You can link this group to the ACS group. Right now these are just users. Or do I need to put the computer accounts in the same global group? Or nest them? Can you do a logical AND operation to map an ACS group? If member of AD group "wireless users" AND if member of AD group "wireless computers", then map to ACS group and access is permitted....
Hope this is a clear description...
Regards
Remco
10-18-2007 12:28 PM
Remco,
Machine authentication is optional.
When machine authentication is enabled, the authentications occur in this order:
When starting a computer,
* Machine authentication: ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows user database. If you use Active Directory and the matching computer account in Active Directory has the same credentials, the computer gains access to Windows domain services.
* User domain authentication: If machine authentication succeeded, the Windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user credentials are authenticated by using cached credentials that the local operating system retains. When a user is authenticated by cached credentials instead of the domain, the computer does not enforce domain policies, such as running login scripts that the domain dictates.
* You can also have only user authentication without machine authentication. It only causes a problem in the case of a first-time user who has not yet registered once on the AD. So with machine authentication you have a network connection to AD, and therefore first-time users have no problem. In addition, without machine authentication (no access to AD during user login) you need to make sure to have user credential caching on the workstation.
In machine authentication, AD and the machine will generate its own password (you don't know it) and username = machinename, for the dot1x authentication. So after boot-up the machine will do dot1x with this machine credential. As soon as you type CTRL-ALT-DEL, user login will start.
Hope that helps
Regards,
~JG
Please rate helpful posts
10-19-2007 12:54 AM
Thanks JG
Problem is that the customer wants to check if the computer is a member of the company.. If not, then it is a guest and just "guest" = internet access.
After check computer = company property, then further authentication...
GR.
Remco
10-20-2007 09:44 AM
If you want user authentication to only proceed when a machine has been determined to be a valid machine.
OR, if I say, do not allow a user to get into the network until and unless his/her machine is a valid machine on the domain.
If that is what you are looking for, then go for MAR (Machine Access Restriction) on ACS.
It is under External User Databases > Database Configuration > ..Windows...
Regards,
Prem
10-21-2007 03:38 AM
Hi Prem
It looks like the solution to my "problem".
I'm going to test this and hope the results are ok.
Thanks for your help !
Regards
Remco
10-22-2007 07:49 AM
FYI, with Windows XP and earlier (I'm told this is fixed in Vista but haven't had a chance to confirm) Windows boxes will stop working with machine authentication when the machine password expires (by default every 30 days).
They are unable to reset their password because they can't get on the network, and they can't get on the network because their password has expired...
Just FYI for your testing and for machines that are infrequently network connected.
Erik
10-29-2007 12:59 AM
I have another question about PEAP in Vista / XP:
In the network profile, under PEAP settings, you can select: "Validate Server Certificate". Then you have to select the correct Root Certificate.
If you DON'T select the "Validate Server Certificate" setting (and the root certificate is installed on the computer), everything works fine too.
Why is this setting there? It seems that it is not required to select it..
Gr.
Remco
10-29-2007 08:52 AM
It's not required to use this setting in order to connect; however, if you do not use it, clients do not validate the identity of your authentication servers and you leave yourself open to man-in-the-middle attacks.
In production you should pretty much always have this setting turned on.
10-29-2007 08:59 AM
I don't understand that. Can you explain that to me ?
10-29-2007 09:17 AM
If you have that setting enabled, then prior to sending secured credentials a client will validate a server's identity using certificates.
Having this setting on will help to mitigate a potential attacker's ability to put in their own RADIUS server posing as yours.
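What the supplicant actually does with "Validate Server Certificate" turned on, spelled out in code: the certificate the RADIUS server presents in the PEAP TLS phase must chain to the root the user selected, and (when a server name is configured) must carry the expected name. The following is an added example, not code from this thread, from Cisco or from the Windows supplicant: it generates its own throwaway CA and server certificates in memory (all names such as "Corp Root CA (constructed)" and acs.corp.example are invented for the example) and shows the three outcomes that matter, a genuine certificate accepted, a certificate from an untrusted CA rejected, and a corporate-issued certificate for the wrong name rejected. Without the setting, none of these checks run and the client proceeds to the credential exchange regardless of who terminated the tunnel.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA for the example (constructed, not a real enterprise root).
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert has ca sign a RADIUS/EAP server certificate for dnsName.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ValidateServer is the check the supplicant performs when "Validate Server
// Certificate" is on: the presented certificate must chain to the selected
// trusted root and carry the expected server name. A nil result means accept.
func ValidateServer(presented, trustedRoot *x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome records how each scenario was decided.
type Outcome struct {
	GenuineAccepted   bool // ACS certificate issued by the corporate root
	UntrustedRejected bool // certificate for the ACS name, but issued by a CA the client does not trust
	WrongNameRejected bool // corporate-issued certificate, but for a different host
}

// Scenarios runs the three cases with freshly generated, constructed certificates.
func Scenarios() (Outcome, error) {
	const acsName = "acs.corp.example" // hypothetical server name
	corpRoot, corpKey, err := newCA("Corp Root CA (constructed)", 1)
	if err != nil {
		return Outcome{}, err
	}
	otherRoot, otherKey, err := newCA("Some Other CA (constructed)", 2)
	if err != nil {
		return Outcome{}, err
	}
	genuine, err := issueServerCert(corpRoot, corpKey, acsName, 10)
	if err != nil {
		return Outcome{}, err
	}
	untrusted, err := issueServerCert(otherRoot, otherKey, acsName, 11)
	if err != nil {
		return Outcome{}, err
	}
	wrongName, err := issueServerCert(corpRoot, corpKey, "printer.corp.example", 12)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		GenuineAccepted:   ValidateServer(genuine, corpRoot, acsName) == nil,
		UntrustedRejected: ValidateServer(untrusted, corpRoot, acsName) != nil,
		WrongNameRejected: ValidateServer(wrongName, corpRoot, acsName) != nil,
	}, nil
}

func main() {
	o, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The second and third cases are the point of the setting: a certificate that merely "looks right" is not enough, it has to be signed by the one root you picked in the profile, and restricting the trusted roots to your own enterprise CA (rather than every root in the Windows store) plus filling in the server name is what keeps a server with a certificate from any other CA from being accepted.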
10-29-2007 12:48 PM
Ok, I understand that. You mean that there is no secure channel if this option is not enabled ?
What is the function of the certificate that must be in the store ? Keying material for the AES / TKIP encryption ?
If the option is not enabled, you are not using PEAP, are you? What do you call what you are using now?
Gr.
Remco