Can anyone tell me how to implement Machine Access Restriction on an ACS 3.3 appliance ?
Machine must be a member of the domain / company before access to the wireless LAN is permitted.
Configuration that you have on ACS:
- Machine authentication checked
- MAR enabled, i.e. you have checked, "Group map for successful user authentication without machine authentication" to some group, generally "".
Client/Supplicant configuration:
- Client configured to send Machine Authentication information.
You take a Computer that is a part of AD, and has been brought onto the network. This is the first time.
Computer boots up (for the first time).
Computer is configured to send Machine Credentials, so it sends them to Switch, Switch sends them to ACS, ACS checks whether the machine is a valid machine or not.
If it is, caches the "Calling-Station-Id" for the interval configured in this section.
(End user still cannot do anything yet, because MAR is yet to be processed)
Computer completes the GINA prompt.
End user presses Ctrl+Alt+Del.
Types username/password (First time).
Computer passes the user credentials to switch, then switch to ACS, ACS gets it verified against AD.
If user is a valid user, then user is mapped to an ACS group, as per mapping and is in.
If user authentication fails, even though machine authentication was successful.
Now, that was one scenario; the other one is:
Your machine is NOT a part of AD, so eventually Machine Authentication will fail. But suppose the user trying to log into network has a valid username/password, but the computer he/she is using is not a part of AD.
Then you'll get some error during machine authentication on the supplicant like:
Cannot log you onto domain blah blah...
But you will be allowed to provide your username/password combination.
Generally MAR is implemented to restrict such access, i.e. users trying to log into company network using non-company assets, which are most of the time virus infected.
So this is the point where this option comes into play:
"Group map for successful user authentication without machine authentication"
So even though the user successfully authenticated, a user coming from a machine that is not part of AD will be mapped to the group as per the above option.
This is what "Calling-Station-Id" caching is.
Even though user authentication was successful, ACS will check whether the Calling-Station-Id is cached for the machine from where the good username/password is coming. If not, you are using a wrong machine to log into the network.
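As an added illustration (not from the original post and not ACS code), the decision sequence described above modelled in Python: a successful machine authentication caches the Calling-Station-Id for a configured interval, and a later user authentication from the same Calling-Station-Id is mapped to the normal group only while that cache entry is valid. The interval, group names and MAC addresses are assumed sample values.

```python
"""Model of the ACS 3.3 MAR decision described in the post (added example)."""
from dataclasses import dataclass, field

# Assumed cache interval; the real value is configured on ACS.
MAR_CACHE_SECONDS = 3600

@dataclass
class MarState:
    # Calling-Station-Id (client MAC) -> absolute time the cached entry expires
    cache: dict = field(default_factory=dict)

def machine_auth(state: MarState, calling_station_id: str, machine_in_ad: bool, now: int) -> str:
    """Step 1: machine credentials checked; on success the MAC is cached."""
    if machine_in_ad:
        state.cache[calling_station_id] = now + MAR_CACHE_SECONDS
        return "machine-auth-ok"
    return "machine-auth-failed"

def user_auth(state: MarState, calling_station_id: str, user_valid: bool,
              user_group: str, mar_group: str, now: int) -> str:
    """Step 2: a valid user lands in user_group only if the MAC was cached by a
    successful, unexpired machine authentication; otherwise in the MAR group
    ("Group map for successful user authentication without machine authentication")."""
    if not user_valid:
        return "access-reject"
    expires = state.cache.get(calling_station_id)
    if expires is not None and now < expires:
        return user_group
    state.cache.pop(calling_station_id, None)  # drop a stale entry
    return mar_group

def run_scenarios() -> dict:
    """Constructed sample scenarios: company asset, non-company asset, expired cache."""
    results = {}
    s = MarState()
    # Scenario 1: domain-joined computer, valid user -> normal group
    machine_auth(s, "00-11-22-33-44-55", True, now=0)
    results["domain_pc"] = user_auth(s, "00-11-22-33-44-55", True, "Employees", "Restricted", now=60)
    # Scenario 2: non-domain computer, valid user -> mapped to the MAR group
    machine_auth(s, "aa-bb-cc-dd-ee-ff", False, now=0)
    results["foreign_pc"] = user_auth(s, "aa-bb-cc-dd-ee-ff", True, "Employees", "Restricted", now=60)
    # Scenario 3: cache interval elapsed before the user logged in -> MAR group
    results["expired"] = user_auth(s, "00-11-22-33-44-55", True, "Employees", "Restricted",
                                   now=MAR_CACHE_SECONDS + 1)
    results["bad_user"] = user_auth(s, "00-11-22-33-44-55", False, "Employees", "Restricted", now=60)
    return results

if __name__ == "__main__":
    print(run_scenarios())
```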