PEAP with computer authentication

Unanswered Question
Oct 17th, 2007


I was wondering if it is posible to use computer authentication as well as user authentication with PEAP ? I need to make a design with a WLC and ACS. The ACS checks the correct Active Directory global group for user authentication. I also want to check the membership of a client computer in the Active Directort. Computer not member of domain, no access to WLAN. Is this posible ?

Another question, is it posible to do a trace (after three weeks) to find out witch user was connected to the wireless network, based on the ip address ?



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Jagdeep Gambhir Wed, 10/17/2007 - 07:16

Hi Remco,

Yes that is very much possible. Please check this link,

On ACS --->ext db-->group mapping ---> default---> you need to set 'all other combinations should be mapped to No access acs group.

This will deny user/computer access if it is not a part of any defined group.

For tracing user you can set up radius accounting , that will let you know who/when logged in.



Please rate helpful posts

jorge.s Wed, 10/17/2007 - 08:28

could you explain how you turn on the radius accounting on the AP?

remco.gussen Wed, 10/17/2007 - 11:43


Thank you for the reply.

In the manual / link: Permit Machine Authentication... Is this mandatory or optional ? In ACS you can map a group to an external (AD) database. In AD you create a global group with usernames. You can link this group to the ACS group. Right now these are just users. Or do i need to put the computer accounts in the same glabal group ? Or nest theme ? Can you do a logical AND operation to map a ACS group ? If member of AD group "wireless users" AND if member of AD group "wireless computers", then map to ACS group and access is permitted....

Hope this is a clear description...



Jagdeep Gambhir Thu, 10/18/2007 - 12:28


Machine authentication is optional.

When machine authentication is enabled, the authentications occur in this order:

When starting a computer,

* Machine authentication-ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows user database. If you use Active Directory and the matching computer account in Active Directory has the same credentials, the computer gains access to Windows domain services.

* User domain authentication-If machine authentication succeeded, the windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user credentials are authenticated by using cached credentials that the local operating system retains. When a user is authenticated by cached credentials instead of the domain, the computer does not enforce domain policies, such as running login scripts that the domain dictates.

* You can also have only user authentication without machine authentication. It only gives problem in case of first time user that is not yet registered once on the AD. So with machine authentication you have network connection to AD, and therefore first time user have no problem. In addition without machine authentication (no access to AD during user

login) you need to make sure to have user credential cashing on the workstation.

In machine authentication AD and machine will generate its own password (you don't know it) and username = machinename, for the dot1x authentication. So after boot up the machine will do dot1x with this machine credetial. As soon you type CTRL-ALT-DEL user login will start.

Hope that helps



Please rate helpful posts

remco.gussen Fri, 10/19/2007 - 00:54

Thanks JG

Problem is that the customer wants to check if the computer is member of the company.. If not, than it is a guest and just "guest" = internet access.

After check computer = company property, then further authentication...



Premdeep Banga Sat, 10/20/2007 - 09:44

If you want that user authentication should only proceed when a machine has been determined to be valid machine.

OR If I say, do not allow a user to get into network, until and unless his/her machine is a valid machine on domain.

If that is what you are looking for, the go for MAR (Machine Access Restriction) on ACS.

It is under External User Databases > Database Configuration > ..Windows...



remco.gussen Sun, 10/21/2007 - 03:38

Hi Prem

It looks like the solution to my "problem".

I'm going to test this and hope the results are ok.

Thanks for your help !



erikszewczyk Mon, 10/22/2007 - 07:49

FYI with Windows XP and earlier (I'm told this is fixed in Vista but havent had a chance to confirm) windows boxes will stop working with machine authentication when the machine password expires (by default every 30 days).

They are unable to reset their password because they cant get on the network, and they cant get on the network because their password has expired...

Just FYI for your testing and for machines that are infrequently network connected.


remco.gussen Mon, 10/29/2007 - 00:59

I have another question about PEAP in Vista / XP:

In the network profile, under PEAP settings, you can select: "Validate Server Certificate". Then you have to select the correct Root Certificate.

If you DON'T select the "Validate Server Certificate" setting (and the root certificate is installed on the computer), everything works fine too.

Why is this setting ? It seems that it is not requiered to select it..



erikszewczyk Mon, 10/29/2007 - 08:52

It's not required to use this setting in order to connect; however if you do not use it clients do not validate the identity of your authentication servers and you leave yourself open to man in the middle attacks.

In production you should pretty much always have this setting turned on.

erikszewczyk Mon, 10/29/2007 - 09:17

If you have that setting enabled than prior to sending secured credentials a client will validate a server's identity using certificates.

Having this setting on will help to mitigate a potential attacker's ability to put in their own RADIUS server posing as yours.

remco.gussen Mon, 10/29/2007 - 12:48

Ok, I understand that. You mean that there is no secure channel if this option is not enabled ?

What is the function of the certificate that must be in the store ? Keying material for the AES / TKIP encryption ?

If the option is not enabled, you are not using PEAP, isn't it ? How do you call it what you are using now ?



erikszewczyk Mon, 10/29/2007 - 12:58

I know that as the TLS channel is established the server sends the certificate to the client so that the client can confirm the identity of the server. My assumption would be that the TLS channel still gets established, but the client is just unable to confirm the identity of the server.

So without validating the certificate chain it's basically the equivilent to using self-signed HTTPS (a secure channel to a suspect target).

Some more information about PEAP with MSCHAP v2 here:


EDIT: And keying for AES/TKIP doesnt happen at the RADIUS server at all (that is between the AP and client), so this setting would have no bearing.

remco.gussen Fri, 11/02/2007 - 06:26

I can see the option "machine access restriction". But where can i configure the machines that are allowed ? Can I link it to a Windows Group ?

jafrazie Fri, 11/02/2007 - 06:42

The allowed machines are built dynamically based on machine authentications.

jorge.s Wed, 11/28/2007 - 03:58

I've configured machine authentication, but everytime I try, I get Authen Failed:

Authen failed host/ Default Group 0040.96b0.f3c7 External DB user invalid or bad password .. .. 356 taxxx056 .. .. .. .. .. .. xxx0101 .. .. .. No 25 MS-PEAP (Default) .. .. .. .. .. .. .. .. .. .. .. .. .. ..

nanou Sun, 01/06/2008 - 09:04

Guys, PEAP does not require certificate validation on the Clients. that is why your authentication was successfull.

remco.gussen Mon, 01/07/2008 - 04:32

But the certificate must be installed on the client machine to build a secure tunnel for password exchange. Isn't it ?

nanou Mon, 01/07/2008 - 15:23

Accordin to Microsoft specs, the certificate is only check if you use PEAP-EAP-TLS, PEAP by default is using PEAP-MSCHAPV2.

I am trying to figure out how to configure PEAP-EAP-TLS on an ACS.


This Discussion



Trending Topics - Security & Network