PEAP machine authentication only

Rutger Blom
Level 1

We have Microsoft AD with only computer accounts. XP clients are logging in with a local Windows account. We would like to replace MAC authentication with PEAP, but we don't want the login window on the wireless connection after the user is logged in.

Can we somehow configure our ACS 4.1 and our WLC 4402 so that having a computer account in AD is enough to be authenticated to a certain SSID?

Some background: We are a Novell customer and currently our MAC authentication is done via RADIUS and Novell eDir (general LDAP).

Kind regards,

Rutger

Accepted Solution

magurwara
Level 1

You can configure machine authentication in XP. I am assuming you know how to configure 802.1x using PEAP in XP. For machine authentications to be sent from the XP machine, do check "Authenticate as Computer when computer information is available".

By default, if machine authentication is successful, then user authentication does not take place.

In ACS, you can configure the unknown user policy to forward unknown user requests to your Microsoft AD domain. (The ACS server must be a member of the AD domain to which the machine belongs, or of a trusted domain.)

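A way to check from the RADIUS side that the result described above actually holds (only computer accounts get onto the SSID, and only from the expected AD domain), as an added example that is not part of this thread. The log lines are constructed; the Called-Station-Id carrying "AP-MAC:SSID" is assumed to match what the WLC sends, and the "host/computer.dns-domain" identity form is what Windows uses for computer authentication.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a simplified passed/failed-authentication form
# (not real ACS 4.1 output): timestamp, result, User-Name, Called-Station-Id.
SAMPLE_LOG = """\
2008-03-11 09:12:01 ACCEPT host/xp-lab-01.corp.example.com 00-1a-2b-3c-4d-5e:CORP-WLAN
2008-03-11 09:12:07 ACCEPT host/xp-lab-02.corp.example.com 00-1a-2b-3c-4d-5e:CORP-WLAN
2008-03-11 09:13:40 ACCEPT CORP\\jdoe 00-1a-2b-3c-4d-5e:CORP-WLAN
2008-03-11 09:14:02 REJECT host/unknown-pc.corp.example.com 00-1a-2b-3c-4d-5e:CORP-WLAN
2008-03-11 09:15:11 ACCEPT host/xp-lab-03.other.example.net 00-1a-2b-3c-4d-5e:CORP-WLAN
2008-03-11 09:16:00 ACCEPT CORP\\asmith 00-1a-2b-3c-4d-5f:GUEST
"""

# Called-Station-Id format "AP-MAC:SSID" is an assumption about the WLC.
LINE_RE = re.compile(r"^(\S+ \S+) (ACCEPT|REJECT) (\S+) ([0-9a-f-]{17}):(\S+)$", re.I)


@dataclass
class AuthRecord:
    when: str
    result: str
    identity: str
    ssid: str


def parse_log(text):
    """Parse the constructed log format into AuthRecord objects, skipping junk lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(AuthRecord(m.group(1), m.group(2).upper(), m.group(3), m.group(5)))
    return records


def is_machine_identity(identity):
    """Windows sends computer credentials with a 'host/<computer>.<dns-domain>' identity."""
    return identity.lower().startswith("host/")


def audit_machine_only_ssid(records, ssid, ad_domain):
    """Return findings for accepted sessions on `ssid` that are not machine accounts
    of `ad_domain`: a user login, or a computer from a domain we did not expect."""
    findings = []
    for r in records:
        if r.ssid != ssid or r.result != "ACCEPT":
            continue
        if not is_machine_identity(r.identity):
            findings.append(f"{r.when}: user identity {r.identity} accepted on {ssid}")
        elif not r.identity.lower().endswith("." + ad_domain.lower()):
            findings.append(f"{r.when}: machine {r.identity} not in {ad_domain}")
    return findings
```

Run it against the constructed lines and two sessions are reported: the user login on CORP-WLAN and the computer from the wrong domain; the rejected machine and the GUEST SSID are ignored.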

8 Replies

Did you mean PEAP/MSCHAPv2 or PEAP/EAP-TLS? I think this scenario sounds like PEAP/EAP-TLS and computer certificates.

PEAP/MSCHAPv2

You could use EAP-TLS as well, if you configure it in ACS and have a certification authority set up properly on the Microsoft Windows domain and clients.

Hmmm... we use PEAP/MSCHAPv2 and ACS 4.0 with machine auth. An XP client (Windows Zero Config service) must authenticate with computer and user account to gain access.

If one of these (user or computer) is not in the ADS group, then the user gains no access.

In XP, "Authenticate as Computer when computer information is available" is enabled by default.

What should we do to reach the same situation as rbml77?

Hello,

For your information.

We use ACS 4.1. We created a WLAN group in the local ACS database and a group mapping to an AD group that contains computer objects only. The computer objects in AD have dial-in enabled. The unknown user policy must be configured to look in AD.

Cisco has a very good document on how to setup PEAP/MSCHAPv2 for wireless:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml

Hello,

I actually got it to work fine with EAP/MSCHAPv2. The computer gets authenticated in AD and access is permitted to a certain SSID. I will play around a bit with EAP-TLS when I get the time ;-)

Kind regards,

Rutger

Hi Rutger,

Have you tried this with user accounts instead of machines in AD? So that users are created in AD, but their machines are not?

Kind regards

Kdam

Hi,

No, we didn't. Our users authenticate to Novell eDirectory. They don't have accounts in AD.

Kind regards,

Rutger
