2748
Views
0
Helpful
3
Replies

User and Computer Authentication

prekojo
Level 1

We are trying to do Active Directory user AND computer authentication when connecting to a specific SSID. Using both the username and computer to authenticate, we are trying to prevent our users from connecting personal devices (laptops and smartphones) to our internal network. We are using Windows 2008 NPS to enforce our policy.

 

Active Directory user authentication does work using PEAP. Computer authentication does not work. Can anyone explain how to set up computer authentication, and whether it is possible to authenticate both username and password? How can we prevent users from using their AD credentials and connecting smartphones to the internal network?

 

We are running vWLC version 8.1 with 1600 LWAPPs. Our authentication method is PEAP. We set up an internal CA server and published the cert in AD.

 

Thanks for the help. 

Accepted Solution

Scott Fella
Hall of Fame

From my testing in the past, you can't do both. If you look at the supplicant, it shows User OR Computer, not an AND. If you sniff the traffic, you will see an initial machine name come through, then the user credentials. After that, however, you will only see user credentials. ACS, ISE and ClearPass have workarounds to cache the original machine credentials, but not NPS. Also, the NPS policies are top down, right, so if you create a policy to authenticate Computer and User, you would need two conditions. However, if the device doesn't send the machine credentials, only the user, NPS would send a reject. If on the policy you put both on the same condition, user or computer, it will pass, because it's looking for one or the other. NPS conditions are simple: one line will do an OR, multiple conditions will be an AND.

Here is an old thread:

https://supportforums.cisco.com/discussion/11380501/peap-user-machine-authentication

-Scott
*** Please rate helpful posts ***
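Added example, not code from the original thread, from Microsoft NPS or from any Cisco product: a small Python model of the two points made above, that NPS conditions are ORed within one line and ANDed across lines and are evaluated top down against a single request, and that a server which caches the earlier machine authentication can tie a later user authentication to the same device. The policy shape, the AD group names, the MAC addresses, the identities and the MAC-keyed cache are all assumptions made for illustration.

```python
"""Model of how an NPS-style RADIUS policy engine decides an 802.1X request,
plus the "remember the machine authentication" workaround.

Added example, not NPS or Cisco code. The policy shape, group names, MACs and
the MAC-keyed cache are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One Access-Request as the RADIUS server sees it (constructed sample data)."""
    identity: str        # EAP identity: 'host/<fqdn>' for a machine, 'DOMAIN\\user' for a person
    groups: frozenset    # AD groups of the account that authenticated
    mac: str             # Calling-Station-Id of the client
    t: float             # arrival time in seconds

    @property
    def is_machine(self) -> bool:
        return self.identity.startswith("host/")


@dataclass
class Policy:
    """NPS semantics as described in the thread: the values inside one condition
    are ORed, separate conditions are ANDed."""
    name: str
    conditions: list     # each item is a frozenset of group names; any one satisfies that condition
    grant: bool = True

    def matches(self, req: Request) -> bool:
        return all(cond & req.groups for cond in self.conditions)


def evaluate(policies, req):
    """Top-down, first match wins; no matching policy means an implicit reject."""
    for policy in policies:
        if policy.matches(req):
            return policy.name, policy.grant
    return None, False


class MachineAuthCache:
    """Assumed shape of the caching workaround: remember which MACs completed a
    machine authentication, so a later user authentication from the same MAC
    can be tied to it. Not a real product's API."""

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self._seen = {}

    def record(self, mac: str, t: float) -> None:
        self._seen[mac] = t

    def valid(self, mac: str, t: float) -> bool:
        last = self._seen.get(mac)
        return last is not None and 0 <= t - last <= self.ttl


def authorize(policies, cache: MachineAuthCache, req: Request):
    """Policy check first, then require a prior machine auth for user requests."""
    name, granted = evaluate(policies, req)
    if not granted:
        return "reject", name
    if req.is_machine:
        cache.record(req.mac, req.t)
        return "accept-machine", name
    if not cache.valid(req.mac, req.t):
        return "reject", name    # valid AD user, but from a device that never machine-authenticated
    return "accept-user", name


# One condition listing both groups: 'user OR computer'.
OR_POLICY = [Policy("Wireless: computer or user",
                    [frozenset({"Domain Computers", "Domain Users"})])]
# Two conditions: 'computer AND user' within a single request, which no 802.1X request satisfies.
AND_POLICY = [Policy("Wireless: computer and user",
                     [frozenset({"Domain Computers"}), frozenset({"Domain Users"})])]

# Constructed traffic: the supplicant sends the machine identity first, then the user's;
# the third request is the same user's credentials from a personal phone.
SEQUENCE = [
    Request("host/PC01.corp.example", frozenset({"Domain Computers"}), "00:11:22:33:44:55", 0.0),
    Request("CORP\\alice", frozenset({"Domain Users"}), "00:11:22:33:44:55", 5.0),
    Request("CORP\\alice", frozenset({"Domain Users"}), "aa:bb:cc:dd:ee:ff", 9.0),
]


def nps_only(policies):
    """Decisions with policy evaluation alone, one request at a time."""
    return [evaluate(policies, req)[1] for req in SEQUENCE]


def with_cache(policies, ttl_seconds: float = 3600):
    """Decisions when the machine-auth cache links the two exchanges."""
    cache = MachineAuthCache(ttl_seconds)
    return [authorize(policies, cache, req)[0] for req in SEQUENCE]


if __name__ == "__main__":
    print("NPS only, OR policy :", nps_only(OR_POLICY))     # the phone gets in with AD creds
    print("NPS only, AND policy:", nps_only(AND_POLICY))    # every request rejected
    print("cached,   OR policy :", with_cache(OR_POLICY))   # the phone is rejected
```

Run it and the three lines show the trade-off the thread describes: with the OR policy alone, the phone is admitted on the user's AD credentials; with the two-condition AND policy, nothing is admitted because each request carries only one identity; only the cache, which a plain NPS does not have, lets the OR policy admit the domain-joined laptop and reject the phone. The cache here is keyed on Calling-Station-Id, so its strength is only that of the MAC as a device identifier and of the chosen TTL.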


3 Replies

ali aqrabawi
Level 3

Yes, it's possible.

 

I know that NPS can do either computer or user for PEAP username authentication, but I'm not sure it can do both at the same time; it should be able to, it's not a big deal.

 

I actually tried to look for some docs on configuring it on MS sites but did not find any.

You can ask the same question on MS forums and they should be able to answer you.

 

But from the Cisco side there is no difference whether NPS is doing computer or machine auth.

Hi Joe,

 

Please check the blogs below, which may help you with user and computer authentication from the Windows side as well as Cisco.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Configuring_RADIUS_Authentication_with_WPA2-Enterprise

http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx
