Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2180
Views
9
Helpful
22
Replies

PEAP with computer authentication

remco.gussen
Level 1
Level 1

‎10-17-2007 06:26 AM - edited ‎07-03-2021 02:47 PM

Hi

I was wondering if it is posible to use computer authentication as well as user authentication with PEAP ? I need to make a design with a WLC and ACS. The ACS checks the correct Active Directory global group for user authentication. I also want to check the membership of a client computer in the Active Directort. Computer not member of domain, no access to WLAN. Is this posible ?

Another question, is it posible to do a trace (after three weeks) to find out witch user was connected to the wireless network, based on the ip address ?

GR.

Remco

Labels:
0 Helpful
22 Replies 22

erikszewczyk
Level 1
Level 1
In response to remco.gussen

‎10-29-2007 12:58 PM

I know that as the TLS channel is established the server sends the certificate to the client so that the client can confirm the identity of the server. My assumption would be that the TLS channel still gets established, but the client is just unable to confirm the identity of the server.

So without validating the certificate chain it's basically the equivilent to using self-signed HTTPS (a secure channel to a suspect target).

Some more information about PEAP with MSCHAP v2 here:

http://technet.microsoft.com/en-us/library/bb878077.aspx

Erik

EDIT: And keying for AES/TKIP doesnt happen at the RADIUS server at all (that is between the AP and client), so this setting would have no bearing.

0 Helpful

remco.gussen
Level 1
Level 1
In response to Premdeep Banga

‎11-02-2007 06:26 AM

I can see the option "machine access restriction". But where can i configure the machines that are allowed ? Can I link it to a Windows Group ?

0 Helpful

jafrazie
Cisco Employee
Cisco Employee
In response to remco.gussen

‎11-02-2007 06:42 AM

The allowed machines are built dynamically based on machine authentications.

0 Helpful

remco.gussen
Level 1
Level 1
In response to jafrazie

‎11-02-2007 06:44 AM

But than I can still bring my home laptop and log in. Isn't it ?

0 Helpful

jorge.s
Level 1
Level 1
In response to remco.gussen

‎11-28-2007 03:58 AM

I've configured machine authentication, but everytime I try, I get Authen Failed:

Authen failed host/PAL3556.eu.ten Default Group 0040.96b0.f3c7 External DB user invalid or bad password .. .. 356 10.61.160.101 taxxx056 .. .. .. .. .. .. xxx0101 .. .. .. No 25 MS-PEAP (Default) .. .. .. .. .. .. .. .. .. .. .. .. .. ..

0 Helpful

nanou
Level 1
Level 1
In response to jorge.s

‎01-06-2008 09:04 AM

Guys, PEAP does not require certificate validation on the Clients. that is why your authentication was successfull.

0 Helpful

remco.gussen
Level 1
Level 1
In response to nanou

‎01-07-2008 04:32 AM

But the certificate must be installed on the client machine to build a secure tunnel for password exchange. Isn't it ?

0 Helpful

nanou
Level 1
Level 1
In response to remco.gussen

‎01-07-2008 03:23 PM

Accordin to Microsoft specs, the certificate is only check if you use PEAP-EAP-TLS, PEAP by default is using PEAP-MSCHAPV2.

I am trying to figure out how to configure PEAP-EAP-TLS on an ACS.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card