PEAP machine authentication only

Answered Question
Apr 2nd, 2007

We have Microsoft AD with only computer accounts. XP clients are logging in with a local Windows account. We would like to replace MAC authentication with PEAP, but we don't want the login window on the wireless connection after the user is logged in.

Can we somehow configure our ACS 4.1 and our WLC 4402 so that having a computer account in AD is enough to be authenticated to a certain SSID?


Some background: We are a Novell customer and currently our MAC authentication is done via RADIUS and Novell eDir (general LDAP).


Kind regards,

Rutger

Correct Answer by magurwara Tue, 04/03/2007 - 18:16

You can configure machine authentication in XP. I am assuming you know how to configure 802.1x using PEAP in XP. For machine authentications to be sent from the XP machine, do check "Authenticate as Computer when computer information is available".


By default, if machine authentication is successful, then user authentication does not take place.


In ACS, you can configure the unknown user policy to forward unknown user requests to your Microsoft AD domain. (The ACS server must be a member of the AD domain to which the machine belongs, or of a trusted domain.)


magurwara Tue, 04/10/2007 - 18:15

PEAP/MSCHAPv2


You could use EAP-TLS as well, if you configure it in ACS and have a certification authority set up properly on the Microsoft Windows domain and clients.

Hmmm... we use PEAP/MSCHAPv2 and ACS 4.0 with machine auth. An XP client (Windows Zero Config service) must authenticate with both the computer and the user account to gain access.


If one of these (user or computer) is not in the ADS group, then the user gains no access.


In XP, "Authenticate as Computer when computer information is available" is enabled by default.


What should we do to reach the same situation as rbml77?



Rutger Blom Wed, 04/11/2007 - 01:44

Hello,


For your information.

We use ACS 4.1. We created a wlan group in the local ACS database and a group mapping to an AD group that contains computer objects only. The computer objects in AD have dial-in enabled. The unknown user policy must be configured to look in AD.

Cisco has a very good document on how to setup PEAP/MSCHAPv2 for wireless:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml
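
As an added example (not code from this thread or from Cisco), a small Python audit over constructed ACS-style passed-authentication records that checks the setup described above from the RADIUS side: machine identities arrive as host/<FQDN>, should be mapped to the wlan group, and no user identity should be accepted on the machine-only SSID. The CSV column layout, the Called-Station-Id format (<AP MAC>:<SSID>) and the SSID name are assumptions.

```python
import csv
import io

# Constructed SSID name for the machine-only WLAN (assumption, not from the thread).
MACHINE_ONLY_SSIDS = {"CORP-MACHINES"}

# Constructed sample records, not real ACS output. The columns are an assumed
# subset of an ACS 4.x passed-authentications CSV export.
SAMPLE_LOG = """\
Date,Time,User-Name,Group-Name,Called-Station-Id
04/10/2007,23:41:02,host/pc101.corp.example.com,wlan,00-1a-2b-3c-4d-5e:CORP-MACHINES
04/10/2007,23:41:09,host/pc102.corp.example.com,wlan,00-1a-2b-3c-4d-5e:CORP-MACHINES
04/10/2007,23:42:15,CORP\\jdoe,Default Group,00-1a-2b-3c-4d-5e:CORP-MACHINES
04/10/2007,23:43:30,host/laptop07.corp.example.com,Default Group,00-1a-2b-3c-4d-5e:CORP-MACHINES
04/10/2007,23:44:01,jsmith@corp.example.com,wlan-users,00-1a-2b-3c-4d-5f:CORP-USERS
"""


def is_machine_identity(user_name):
    """Windows supplicants send computer authentication with the identity
    host/<FQDN>; anything else (DOMAIN\\user, UPN) is a user logon."""
    return user_name.lower().startswith("host/")


def ssid_from_called_station(called_station_id):
    """The WLC sends Called-Station-Id as <AP MAC>:<SSID> (assumed default format)."""
    _, _, ssid = called_station_id.partition(":")
    return ssid


def audit(log_text, machine_group="wlan"):
    """Return (identity, reason) pairs for records that contradict a
    machine-only policy on the SSIDs listed in MACHINE_ONLY_SSIDS."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if ssid_from_called_station(row["Called-Station-Id"]) not in MACHINE_ONLY_SSIDS:
            continue
        ident = row["User-Name"]
        if not is_machine_identity(ident):
            findings.append((ident, "user credentials accepted on machine-only SSID"))
        elif row["Group-Name"] != machine_group:
            findings.append((ident, "computer not mapped to ACS group " + machine_group))
    return findings


if __name__ == "__main__":
    for ident, reason in audit(SAMPLE_LOG):
        print(ident, "-", reason)
```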

Rutger Blom Tue, 04/10/2007 - 23:50

Hello,


I actually got it to work fine with EAP/MSCHAPv2. The computer gets authenticated in AD and access is permitted to a certain SSID. I will play around a bit with EAP/TLS when I get the time ;-)


Kind regards,

Rutger

kelvindam Wed, 06/20/2007 - 13:21

Hi Rutger,


Have you tried this with user accounts instead of machines in AD? So that users are created in AD, but their machines are not?


Kind regards


Kdam

Rutger Blom Tue, 06/26/2007 - 09:24

Hi,


No we didn't. Our users authenticate to Novell eDirectory. They don't have accounts in AD.


Kind regards,

Rutger
