Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
418
Views
0
Helpful
1
Replies

Rogue PC's, PEAP and ACS.

andrew.brazier
Level 4
Level 4

‎02-14-2007 08:39 AM - edited ‎07-03-2021 01:37 PM

We have a customer using an ACS SE 4.0 with a bought SSL cert from Geotrust installed authenticating to AD using PEAP security. We've found that a user can still authenticate using their domain credentials from a non-domain PC. Not good.

We've found the Machine Access Control function in ACS which blocks users with legitimate credentials from authenticating using a rogue PC, so far so good. This checks the AD domain for machine accounts and no machine account = no access. BUT the customer has a number of machines that are not part of the AD domain (MACs and Linux) so they get blocked too.

My question is what other means are there of controlling this? The customer has many small sites and as it stands although PEAP is implemented and working there's nothing to stop an employee bringing in their own laptop and using their domain credentials to get authenticated to the WLAN.

Labels:
0 Helpful
1 Reply 1

claeysg
Level 1
Level 1

‎02-15-2007 05:59 AM

Hello,

I would suggest you to give a certificate to every computer and use EAP-TLS instead of PEAP. If you mark the certificate as not exportable, it will not be possible to use it on another computer.

Deploying certificates on windows computers that are part of AD can be done very easily through GPO. It has to be done manually for linux and mac but if there are only a few of them, it's not a big problem.

Hope it helps,

Gaetan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card