ACS Machine Authentication & Access Restrictions - possible on IAS?

Unanswered Question
Mar 3rd, 2007

With ACS 4.1 in an AD environment I can configure Machine Authentication with Access Restrictions - i.e. don't allow the user to authenticate unless the machine has authenticated first. This is a nice feature as it ensures a User cannot logon wirelessly without the machine they are attempting to logon from being validated first.

Is there anyway you can achieve the same logic using IAS? I have MAC Authentication working through IAS so this gives a little more security but is still easily hackable.

I was hoping there would be some logical way of doing this without mandatory profiles etc or enforcing machine-only authentication. At the moment a user can use their own wireless PC and as long as they have valid credentials (PEAP MS-CHAPv2 or EAP-TLS & a Certificate depending on what is configured on IAS) they can associate with the wireless network.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
irisrios Thu, 03/08/2007 - 11:49

The better option (than using MAC authentication) would be doing Machine authentication with EAP-TLS or PEAP. But you will need to be in a Windows 2000+ domain to do this, and machines need to be joined to the domain

andrew.butterworth Thu, 03/08/2007 - 12:36

Just to clarify.....

I already have EAP-TLS working and it is integrated with AD (I have tested PEAP to). The AP's are configured for WPA2 with EAP Authentication and EAS encryption. I currently have two polices on IAS; the 1st is the MAC Authentication Policy that verifies the MAC address is authorised and the 2nd is the Wireless EAP policy that verifies the Machine or User is a member of the Windows Wireless Users Group. All this works.

The issue I have is users can gain access to the wireless network using their own PC's as long as they have the correct credentials (Username/Password with PEAP-MSCHAPv2 or a Certificate with EAP-TLS). This is what I want to stop.

With ACS 4.1 you can enable Machine Authentication with User Access Restrictions. This works by verifying that the Machine a user is attempting to Authenticate from is itself already Authenticated (my assumption is it uses the RADIUS attribute 'calling-station-id' to record the Machine & User authenticaions).

I could use Machine only authentication and only make the machines members of the Windows group IAS checks for membership of. The problem with this is it requires the behaviour of the Microsoft EAP supplicant to be changed via the registry or Group Policy. This affects the machines behaviour permanently (or until the change is removed). For PC's that get used on other secured wireless networks this is likely to cause some problems.

What I would like is similar behavior to ACS 4.1 with Machine Authentication with User Access Restrictions. Does anyone know of any way to achieve this with Microsoft IAS?



hal.chaikin Thu, 10/18/2007 - 08:39

Have you tried using AD group memebership as a criteria instead of MACS? In IAS you can make a policy to look for the supplicants to be a memeber of windows groups. If your client PCs have AD accounts you can add those accounts to this group you create that the IAS server keys on. That way, only PC's that are members of this group, and hence your domain will be authenticated. The only users who will be able to "game" this scenario will be those with rights on this group and have "add machine to domain" rights. You'll be able to figure out pretty quickly who they are.

andrew.butterworth Thu, 10/18/2007 - 10:22

If you re-read my previous posts this is what is already configured - IAS Checks for membership of the 'Wireless Group', only machines and users that are members of this group are allowed access to the wireless. I could stop this by forcing Machine Only authentication but the problem with that is the default behaviour of the MS Supplicant - i.e. when the user is not logged on, the PC performs machine authentication. After the user logs on and from then on until they log off it re-authenticates using the logged-on users credentials. This means we have to have both Computers & Users who are members of the 'Wireless Users' group.

Th security hole here is users can bring in their own laptops with XP Home or non-Domain XP Pro and logon to them locally. When they are up and running they can then find the Wireless network and authenticate to the wireless using their Domain Credentials (PEAP). We can stop this by using EAP-TLS but users can get around this by connecting a LAN cable and enrolling for a Certificate from the CA. Then using this Certificate as credentials for EAP-TLS.

What I would like is the ability to apply the logic - Machine Authentication must happen and then allow User Authentication ONLY if the Machine the User is attempting to authicate from has already authenticated. As I said you can do this with ACS 4.1, but I can't see anyway of replicating this logic with IAS.



hal.chaikin Thu, 10/18/2007 - 10:35

Ok, understand. If by "machine authentication" you mean MAC addresses, then you're right -IAS does not support that natively. I have been told by Microsoft that you can configure IAS to authenticate MACs but this requires a schema change in order to add MACS as an additional attribute to the computer accounts in AD. Since, our organization does not have those permissions in our AD domain we are going in the opposite direction - we have to move from IAS to ACS 4.1 to accomplish that. The longer term option is to upgrade all clients to Vista but we're a long time away from that.

jafrazie Thu, 10/18/2007 - 10:53

A reminder that EAP-TLS does not use usernames/passwords to authenticate.

So the use of EAP-TLS may help to be a superset of this functionality, if the problem to help solve is to not allow to authenticating from an unknown asset.

remco.gussen Sun, 10/21/2007 - 03:58

I think that it is posible to make an IAS policy that must match 2 rules:

- Match Windows Group "Wireless-Users"


- Match Windows Group "Wireless-Computers".

The logical AND operation is used to match both rules. If user is not in group -> No access and if computer is not in group -> also no access..



remco.gussen Thu, 11/01/2007 - 06:38

Can anyone tell me how to implement Machine Access Restriction on an ACS 3.3 appliance ?

Machine must be member of the domain / company before access to wireless lan is permitted..



andrew.butterworth Wed, 11/07/2007 - 03:18

Hi Remco

That would be nice but we already thought of that..... It's possible to configure what you suggest however the XP 802.1x supplicant only sends one Username and it is either the Machines (pre-logon) or Users (post-logon re-authentications). It doesn't do both.


andrew.butterworth Wed, 11/07/2007 - 03:28

Hal, I managed to set up MAC authentication using IAS quite easily and there were no AD schema changes required. If you look at how MAC authentication works the AP basically sends a Username and Password that is the MAC address. All you need to do in AD is add some users that the Usernames and Password are the MAC addresses - i.e. User "My PC", Username "000e35f33121" and Password "000e35f33121". Then add a Security Group and make these all members of that group, then create an IAS Policy that checks for Membership of that Group. The Policy conditions I used are Windows-Group Matches - Wireless MAC Addresses AND NAS-Port-Type Matches Wireless - IEEE 802.11 AND Authentication-Type Matches PAP. You need the PAP authentication as the MAC Username/Password is all sent in clear text.



Hi Andy,

I'm glad to hear that you've found a solution that works for you, however I'd suggest that a stronger solution would be to use EAP-TLS with machine certs and user certs AND restrict wireless access (via IAS) to a particular AD security group to which machines that are permitted wireless access are added.

That way the machine will authenticate itself first, but only if it's in the specified AD group (which should imply that an authorised administrator added the machine to the group).

The certificate template for machine certs should also disallow exportable private keys so that users can't port it to another machine.

It seems like you could be aided by exerting a bit more control via AD groups and certificate policies.



andrew.butterworth Sat, 11/17/2007 - 10:41

Yes I agree with you Justin and this is what I have set up in a test lab. The problem however is convincing customers to go the extra mile and implement a CA and push certificates down to Machines & Users. Customers see deploying PEAP with MS-CHAPv2 as a much easier route than going the whole EAP-TLS route.

My original question still stands though - and that is: Is it possible to achieve the same sort of functionality with IAS that is possible with ACS 4.1? i.e. Machine Authentication with Access Restrictions - don't allow the user to authenticate unless the machine has authenticated first.



This Discussion



Trending Topics - Security & Network