Rogue PCs, PEAP and ACS.

andrew.brazier
Level 4

We have a customer using an ACS SE 4.0 with an SSL cert bought from Geotrust installed, authenticating to AD using PEAP. We've found that a user can still authenticate using their domain credentials from a non-domain PC. Not good.

We've found the Machine Access Control function in ACS, which blocks users with legitimate credentials from authenticating from a rogue PC; so far so good. This checks the AD domain for machine accounts, and no machine account = no access. But the customer has a number of machines that are not part of the AD domain (Macs and Linux), so they get blocked too.

My question is: what other means are there of controlling this? The customer has many small sites, and as it stands, although PEAP is implemented and working, there's nothing to stop an employee bringing in their own laptop and using their domain credentials to get authenticated to the WLAN.

1 Reply

claeysg
Level 1

Hello,

I would suggest giving a certificate to every computer and using EAP-TLS instead of PEAP. If you mark the certificate as not exportable, it will not be possible to use it on another computer.

Deploying certificates on Windows computers that are part of AD can be done very easily through GPO. It has to be done manually for Linux and Mac, but if there are only a few of them, it's not a big problem.

Hope it helps,

Gaetan
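The manual Linux side of the reply above, as an added worked example that is not part of either post: a POSIX shell script that builds a throwaway test CA and one per-machine client certificate with openssl, checks that the client cert chains to the CA, carries the clientAuth extended key usage and matches its private key, and then prints the wpa_supplicant network block that uses them for EAP-TLS. Every name in it (Example Wi-Fi CA, host01.example.com, radius.example.com, the corp-wifi SSID) is made up for the example; a real deployment would issue the machine cert from the enterprise CA rather than from this test CA. The wpa_supplicant block applies to Linux; on a Mac the equivalent is an 802.1X configuration profile rather than this file.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumes: openssl on PATH. All CNs, hostnames and the SSID are hypothetical.
set -eu

# Build a throwaway CA and one per-machine client certificate inside $1.
make_test_pki() {
    dir=$1
    # Throwaway CA; in a real deployment this is the enterprise CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example Wi-Fi CA" >/dev/null 2>&1
    # Per-machine key and CSR. The key is generated on the machine and
    # never copied anywhere, which is the non-exportable property the
    # reply relies on.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/host01.key" -out "$dir/host01.csr" \
        -subj "/CN=host01.example.com" >/dev/null 2>&1
    # Extensions that make this a client-authentication certificate only,
    # so it cannot be repurposed as a server certificate.
    printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$dir/client.ext"
    openssl x509 -req -days 1 -in "$dir/host01.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/host01.pem" >/dev/null 2>&1
}

# Return 0 only if $2 chains to the CA in $1 and is usable as a TLS client
# certificate (openssl's sslclient purpose also enforces the EKU).
check_client_cert() {
    ca=$1 cert=$2
    openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Return 0 only if the RSA private key in $1 belongs to the certificate in $2.
key_matches_cert() {
    key=$1 cert=$2
    [ "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$cert" -noout -modulus)" ]
}

# Print a wpa_supplicant network block for EAP-TLS with those files.
# ca_cert plus domain_suffix_match makes the client refuse a rogue RADIUS
# server, the mirror image of the server refusing a rogue PC.
wpa_eap_tls_block() {
    ssid=$1 ca=$2 cert=$3 key=$4
    cat <<EOF
network={
    ssid="$ssid"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="host01.example.com"
    ca_cert="$ca"
    client_cert="$cert"
    private_key="$key"
    domain_suffix_match="radius.example.com"
}
EOF
}

# Demo: build the PKI in a temp dir, run both checks, print the block.
workdir=$(mktemp -d)
make_test_pki "$workdir"
check_client_cert "$workdir/ca.pem" "$workdir/host01.pem" \
    && echo "host01.pem: chains to CA, clientAuth EKU present"
key_matches_cert "$workdir/host01.key" "$workdir/host01.pem" \
    && echo "host01.key matches host01.pem"
wpa_eap_tls_block corp-wifi "$workdir/ca.pem" "$workdir/host01.pem" "$workdir/host01.key"
rm -rf "$workdir"
```

Run it as `sh eap_tls_check.sh`; the two checks are the ones worth repeating against the real machine certificate before the supplicant is pointed at it, because a cert that chains but lacks clientAuth, or a key that does not match the cert, fails at the RADIUS server with an error that is hard to diagnose over the air.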
