Rogue PCs, PEAP and ACS.

Unanswered Question
Feb 14th, 2007

We have a customer using an ACS SE 4.0 with a bought SSL cert from Geotrust installed authenticating to AD using PEAP security. We've found that a user can still authenticate using their domain credentials from a non-domain PC. Not good.

We've found the Machine Access Control function in ACS which blocks users with legitimate credentials from authenticating using a rogue PC; so far so good. This checks the AD domain for machine accounts, and no machine account = no access. BUT the customer has a number of machines that are not part of the AD domain (Macs and Linux), so they get blocked too.

My question is what other means are there of controlling this? The customer has many small sites and, as it stands, although PEAP is implemented and working, there's nothing to stop an employee bringing in their own laptop and using their domain credentials to get authenticated to the WLAN.

claeysg Thu, 02/15/2007 - 05:59

Hello,

I would suggest giving a certificate to every computer and using EAP-TLS instead of PEAP. If you mark the certificate as not exportable, it will not be possible to use it on another computer.

Deploying certificates on Windows computers that are part of AD can be done very easily through GPO. It has to be done manually for Linux and Mac, but if there are only a few of them, it's not a big problem.

Hope it helps,

Gaetan
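As an added illustration of the reply above (this is example code, not something posted in the thread or shipped with ACS): on a domain-joined Windows client, the request below asks an enterprise CA for a machine certificate whose private key is flagged non-exportable, then checks that the installed certificate carries the Client Authentication EKU that an EAP-TLS server expects and that the key really cannot be exported. The template name `WLAN-Machine-Auth` and the CA string `ca.example.local\Example-CA` are placeholders; in a GPO auto-enrollment rollout the same non-exportable setting is chosen on the certificate template instead of in an INF file.

```powershell
# Added example, not from the original thread.
# Assumptions: an enterprise CA reachable as "ca.example.local\Example-CA" (placeholder)
# publishing a template named "WLAN-Machine-Auth" (placeholder) with Client Authentication EKU.
# Run in an elevated prompt on the domain-joined client.

$reqDir = Join-Path $env:TEMP 'wlan-eaptls'
New-Item -ItemType Directory -Path $reqDir -Force | Out-Null
$infPath = Join-Path $reqDir 'machine.inf'
$reqPath = Join-Path $reqDir 'machine.req'
$cerPath = Join-Path $reqDir 'machine.cer'

# Exportable = FALSE is the setting the reply refers to: the key is generated in the
# machine key store and the CSP refuses to hand it back out, so copying the cert to a
# personal laptop leaves it without a usable private key.
$inf = @"
[NewRequest]
Subject = "CN=$env:COMPUTERNAME"
KeyLength = 2048
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WLAN-Machine-Auth
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

certreq -new $infPath $reqPath
certreq -submit -config "ca.example.local\Example-CA" $reqPath $cerPath
certreq -accept $cerPath

# Verification: pick the newest cert for this machine in the local machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$env:COMPUTERNAME" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No machine certificate found in LocalMachine\My' }

# 1. Client Authentication EKU (1.3.6.1.5.5.7.3.2) must be present for EAP-TLS.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })

# 2. The private key must be present and must not be exportable (legacy CSP key).
$keyInfo = $cert.PrivateKey.CspKeyContainerInfo
$nonExportable = $cert.HasPrivateKey -and $keyInfo -and (-not $keyInfo.Exportable)

[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    Issuer        = $cert.Issuer
    ClientAuthEKU = [bool]$hasClientAuth
    NonExportable = [bool]$nonExportable
}
```

The two checks at the end are the ones worth scripting across a fleet: a certificate without the Client Authentication EKU will be refused by the RADIUS server during EAP-TLS, and a certificate whose key is exportable defeats the point of the reply, since the user could carry it to an unmanaged machine.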
