
bug?? wlc, acs, peap & machine auth and intel wireless proset

sbe
Level 1

A customer has a wireless solution consisting of an AIR-WLC4402-50-K9 with software 4.0.206.0, several AIR-LAP1131AG-E-K9 access points, Cisco ACS 4.0, Windows 2003 Active Directory and a Microsoft CA.

WLC and ACS are configured for PEAP (MS-CHAPv2) plus machine authentication on ACS.

On the WLAN clients (mostly Centrino notebooks) this security solution, configured with the Windows configuration service, works fine... host AND user (both!) must successfully authenticate themselves against ACS to gain access.

But with Intel Wireless PROSet software version 11.1 it's enough to successfully authenticate as host OR user (not both!). This looks like a bug and is a really heavy security hole.

Any ideas?

2 Replies

mmellet
Level 3

Microsoft PEAP clients also initiate machine authentication whenever a user logs off. This prepares the network connection for the next user login. Microsoft PEAP clients may also initiate machine authentication when a user has selected to shut down or restart the computer rather than just logging off. Refer to the URL:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/d.htm#wp803832

OK... I think you don't understand my question. Sorry, my English is not very good. :(

I only have a problem with the Intel WLAN client... not the MS client! With the Intel client no user authentication is required to gain access to the WLAN. The ACS log is also very curious:

Scenario: machine auth successful, user auth not successful (user not in the AD group)

Intel client (ACS says "auth failed" but the client gains access):

03/04/2007,15:08:05,Authen failed,testuser,Default Group,(Default),External DB account restriction,,,%DOMAIN%\%USERNAME%,10.x.y.z,,%DOMAIN%\%USERNAME%,25,CISCO-PEAP,,WLC01,

Here is the same log entry with the MS client (ACS says auth failed and the client gains NO access):

03/04/2007,15:14:00,Authen failed,testdomain\testuser,Default Group,(Default),External DB account restriction,,,testdomain\testuser,10.x.y.z,,,25,MS-PEAP,,WLC01,
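The two ACS lines above both say "Authen failed", so the ACS log alone cannot tell the operator which failed attempts belong to a client that nevertheless stayed on the WLAN. What the lines do show is a supplicant signature that differs between the two clients: the Intel client negotiates CISCO-PEAP and logs the literal, unexpanded `%DOMAIN%\%USERNAME%` as its identity, while the Microsoft client logs MS-PEAP with a real `domain\user`. The script below is an added example (not from the original thread or from Cisco) that triages ACS CSV failed-attempt lines for exactly that signature, so the flagged entries can be checked against the WLC client table. Field positions, the expected EAP type name and the `%MACRO%` heuristic are assumptions inferred from the two quoted lines; an ACS CSV export's column layout is configured per installation, so adjust the indices to match.

```python
"""Triage Cisco ACS 4.x failed-attempt CSV lines for the PEAP symptom in the thread.

Added example, not code from the original post. Column positions are inferred
from the two quoted log lines (assumption): 2 = message type, 3 = user name,
6 = failure reason, 14 = EAP type name, 16 = access device. Adjust to the
column layout configured on the ACS in question.
"""
import csv
import re

# Constructed sample input: the two log lines quoted in the thread, verbatim.
SAMPLE_LOG = r"""
03/04/2007,15:08:05,Authen failed,testuser,Default Group,(Default),External DB account restriction,,,%DOMAIN%\%USERNAME%,10.x.y.z,,%DOMAIN%\%USERNAME%,25,CISCO-PEAP,,WLC01,
03/04/2007,15:14:00,Authen failed,testdomain\testuser,Default Group,(Default),External DB account restriction,,,testdomain\testuser,10.x.y.z,,,25,MS-PEAP,,WLC01,
"""

# Assumed policy: the site deploys the Microsoft supplicant, so any other PEAP
# variant on a failed user authentication is worth a second look.
EXPECTED_EAP_TYPE = "MS-PEAP"

# An identity like %DOMAIN%\%USERNAME% means the supplicant sent its
# placeholder string instead of expanding it (assumed heuristic).
MACRO_RE = re.compile(r"%[A-Z_]+%")


def parse_line(line):
    """Split one ACS CSV record into the fields this triage needs."""
    fields = next(csv.reader([line]))  # default dialect: backslash is literal
    return {
        "date": fields[0],
        "time": fields[1],
        "status": fields[2],
        "user": fields[3],
        "reason": fields[6],
        "eap_type": fields[14],
        "device": fields[16],
        "raw": fields,
    }


def flags_for(rec):
    """Return the list of reasons a failed attempt deserves follow-up on the WLC."""
    flags = []
    if rec["status"] != "Authen failed":
        return flags  # only failed attempts are interesting here
    if rec["eap_type"] != EXPECTED_EAP_TYPE:
        flags.append(f"non-{EXPECTED_EAP_TYPE} supplicant ({rec['eap_type']})")
    if any(MACRO_RE.search(field) for field in rec["raw"]):
        flags.append("unexpanded %MACRO% identity in record")
    return flags


def triage(log_text):
    """Yield (time, user, device, eap_type, flags) for every non-empty record."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        results.append((rec["time"], rec["user"], rec["device"],
                        rec["eap_type"], flags_for(rec)))
    return results


if __name__ == "__main__":
    for time, user, device, eap_type, flags in triage(SAMPLE_LOG):
        marker = "CHECK ON WLC" if flags else "ok"
        print(f"{time} {device} {eap_type:<10} {user:<22} {marker} {'; '.join(flags)}")
```

Running it prints the 15:08:05 CISCO-PEAP entry as the one to check on the controller, with both flags set, and leaves the 15:14:00 MS-PEAP entry alone. The flags are a triage aid only: whether a flagged client is actually associated after the failed user authentication is something the WLC's client state, not the ACS log, has to answer.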
