Machine Access Restriction in ACS 3.3

Answered Question
Nov 1st, 2007

Can anyone tell me how to implement Machine Access Restriction on an ACS 3.3 appliance?

The machine must be a member of the domain/company before access to the wireless LAN is permitted.

GR.

Remco

remco.gussen Sat, 11/03/2007 - 07:06

Thank you Prem

Does this mean that all the users have to log on once with the right computer before you can implement MAR?

What if there is a user (with a company computer) who has never logged in with his username (and company computer) before MAR was implemented? No access for that user?

Gr.

Remco

Premdeep Banga Sat, 11/03/2007 - 23:41

No. If a computer is a company computer, i.e. that computer has been joined to the domain, then a user who comes in who has never logged in before will not face any issue.

What will happen is, because the computer is part of the domain, during machine authentication the machine will be authenticated, will come onto the network and will have connectivity to the domain. And now, as the computer has connectivity to the domain, any user who is a valid user in AD will be able to log in using their username/password.

Summarizing: with Machine Authentication enabled, all users will be able to log in, whether they have logged in before or not.

But only given that Machine Authentication *is* working.

Regards,

Prem

remco.gussen Sun, 11/04/2007 - 01:05

Ok, what you're explaining here is machine authentication. I know that the computers must be in the Active Directory group too to let the users log in for the first time (or after a forced password change).

What still isn't clear to me is the Machine Access Restriction. The config guide speaks about cached and non-cached "calling station IDs". For the first login, no computer can be in the cache, so no one would be able to log in (with MAR enabled). Am I right?

jafrazie Sun, 11/04/2007 - 04:18

Let me give you an example:

Your IT dept enables 1X with machine-auth, user-auth, and PEAP. This does NOT mean all rogue assets are kept off the network. Any valid user/password is OK, so technically anyone could download a supplicant onto their (potentially virus-riddled) PC and log into your corporate network without issue.

This is effectively what the Machine Access Restriction was developed for.

Does this help?

Correct Answer
Premdeep Banga Sun, 11/04/2007 - 08:21

Configuration that you have on ACS:

- Machine authentication checked

- MAR enabled, i.e. you have checked "Group map for successful user authentication without machine authentication" to some group, generally "".

Client/Supplicant configuration:

- Client configured to send Machine Authentication information.

You take a computer that is part of AD and has been brought onto the network. This is the first time.

The computer boots up (for the first time).

The computer is configured to send machine credentials, so it sends them to the switch, the switch sends them to ACS, and ACS checks whether the machine is a valid machine or not.

If it is, ACS caches the "Calling-Station-Id" for the interval configured in this section.

(The end user still cannot do anything yet, because MAR is yet to be processed.)

The computer comes up to the GINA prompt.

The end user presses Ctrl+Alt+Del.

Types username/password (first time).

The computer passes the user credentials to the switch, then the switch to ACS, and ACS gets them verified against AD.

If the user is a valid user, then the user is mapped to an ACS group as per the mapping and is in.

If user authentication fails, even though machine authentication was successful.

Now, that was one scenario; the other one is:

Your machine is NOT part of AD, so eventually machine authentication will fail. But suppose the user trying to log into the network has a valid username/password, but the computer he/she is using is not part of AD.

Then you'll get some error during machine authentication on the supplicant like,

Cannot log you onto domain blah blah...

But you will be allowed to provide your username/password combination.

Generally MAR is implemented to restrict such access, i.e. users trying to log into the company network using non-company assets, which are most of the time virus-infected.

So this is the point where this option comes into play:

"Group map for successful user authentication without machine authentication"

So even though the user successfully authenticated, a user coming from a machine that is not part of AD will be mapped to the group as per the above option.

This is what "Calling-Station-Id" caching is for.

Even though user authentication was successful, ACS will check whether the Calling-Station-Id is cached for the machine the good username/password is coming from. If not, you are using the wrong machine to log into the network.

HTH

Regards,

Prem

remco.gussen Sun, 11/04/2007 - 10:25

Hi Prem

Thank you so much for your post. Hope that I'm not too tedious...

"Group map for successful user authentication without machine authentication": then you will be mapped to that specific group. Via that group, you can configure the (dynamic) VLAN assignment to put the users in an "Internet only" VLAN? Or what can you do with that group? Totally restrict access?

Premdeep Banga Sun, 11/04/2007 - 21:08

It totally depends on you.

You can either place those users in an Internet-access-only VLAN using attributes 64, 65 and 81,

OR

map them to the NO ACCESS group, i.e. they are denied access to the network.

Regards,

Prem
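The two answers above from Prem (the MAR walkthrough, and the choice between an Internet-only VLAN via attributes 64/65/81 or a No Access group) as a small Python model. This is an added illustration written for this thread, not ACS code or configuration. The host names, MAC addresses, passwords, group names, VLAN numbers and the aging time are made up; the MAC normalisation in `normalize_csid` is an assumption about how to compare Calling-Station-Id values from different NAS devices, not documented ACS behaviour.

```python
"""Model of the Machine Access Restriction (MAR) decision in Cisco Secure ACS.

Added illustration for this thread, not ACS code. Successful machine
authentication caches the Calling-Station-Id (client MAC) for the aging
interval; a later user authentication from a cached MAC gets the user's normal
ACS group; a good user authentication from an uncached or aged-out MAC is
mapped to the "user authentication without machine authentication" group,
here either an Internet-only VLAN via attributes 64/65/81 or No Access.
Hosts, MACs, users, passwords, groups, VLAN IDs and aging time are made up.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class AcsGroup:
    name: str
    vlan: Optional[int] = None   # VLAN pushed with IETF attributes 64/65/81
    no_access: bool = False      # a "No Access" group rejects the session

    def radius_reply(self) -> dict:
        """RADIUS reply a session mapped to this group receives."""
        if self.no_access:
            return {"code": "Access-Reject", "attributes": {}}
        attrs: Dict[int, object] = {}
        if self.vlan is not None:
            attrs = {64: 13,               # Tunnel-Type = VLAN
                     65: 6,                # Tunnel-Medium-Type = IEEE-802
                     81: str(self.vlan)}   # Tunnel-Private-Group-ID = VLAN number
        return {"code": "Access-Accept", "attributes": attrs}


def normalize_csid(calling_station_id: str) -> str:
    """Canonicalise a MAC so "00-11-22-AA-BB-CC" and "0011.22aa.bbcc" compare equal.
    Assumption of this model, not documented ACS behaviour: NAS devices format the
    MAC differently, so check in the ACS logs that the machine and user attempts
    really carry the same Calling-Station-Id string."""
    return "".join(c for c in calling_station_id.lower() if c in "0123456789abcdef")


class AcsMar:
    def __init__(self, aging_seconds: int, no_mar_group: AcsGroup,
                 computers: Dict[str, str], users: Dict[str, Tuple[str, AcsGroup]]):
        self.aging_seconds = aging_seconds   # MAR aging time for cached entries
        self.no_mar_group = no_mar_group     # "...without machine authentication" group
        self.computers = computers           # "host/NAME" -> computer-account secret
        self.users = users                   # username -> (password, mapped ACS group)
        self._cache: Dict[str, float] = {}   # Calling-Station-Id -> expiry time

    def machine_auth(self, csid: str, host: str, secret: str, now: float) -> bool:
        """Machine authentication; on success the Calling-Station-Id is cached."""
        ok = self.computers.get(host) == secret
        if ok:
            self._cache[normalize_csid(csid)] = now + self.aging_seconds
        return ok

    def user_auth(self, csid: str, user: str, password: str, now: float) -> dict:
        """User authentication followed by the MAR check against the cache."""
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return {"group": None, "reason": "bad credentials",
                    "code": "Access-Reject", "attributes": {}}
        key = normalize_csid(csid)
        expiry = self._cache.get(key)
        if expiry is not None and expiry <= now:
            del self._cache[key]             # aged out: same as never authenticated
            expiry = None
        if expiry is None:
            group, reason = self.no_mar_group, "no cached machine authentication for this MAC"
        else:
            group, reason = entry[1], "machine authentication cached"
        return {"group": group.name, "reason": reason, **group.radius_reply()}


EMPLOYEES = AcsGroup("Employees", vlan=10)
INTERNET_ONLY = AcsGroup("Internet-Only", vlan=99)
NO_ACCESS = AcsGroup("No Access", no_access=True)


def run(host: str, secret: str, user_at: float,
        no_mar_group: AcsGroup = INTERNET_ONLY, aging: int = 3600) -> dict:
    """Machine auth at t=0 with (host, secret) from one MAC, then user auth at
    t=user_at from the same MAC, deliberately written in a different format."""
    acs = AcsMar(aging, no_mar_group,
                 computers={"host/LAPTOP01": "computer-account-secret"},
                 users={"remco": ("user-secret", EMPLOYEES)})
    acs.machine_auth("00-11-22-AA-BB-CC", host, secret, now=0)
    return acs.user_auth("0011.22aa.bbcc", "remco", "user-secret", now=user_at)


if __name__ == "__main__":
    print("domain laptop   ", run("host/LAPTOP01", "computer-account-secret", 30))
    print("non-domain PC   ", run("host/HOMEPC", "guess", 30))
    print("cache aged out  ", run("host/LAPTOP01", "computer-account-secret", 3601))
    print("No Access policy", run("host/HOMEPC", "guess", 30, no_mar_group=NO_ACCESS))
```

The third case is the one to keep in mind when setting the aging time: a laptop that authenticated as a machine at boot but whose user logs in after the cached entry has expired is treated exactly like a non-domain PC, so the interval must cover the longest gap between machine and user authentication in your environment.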

remco.gussen Sun, 11/04/2007 - 22:54

Prem

I think that it is clear to me. Thank you very much!

I'll check it and post it...

remco.gussen Mon, 11/05/2007 - 05:24

Another question: what will happen if a user belongs to more than one ACS group (member of more than one AD security group)? Is the dynamic VLAN assignment dependent on the first group match?

Premdeep Banga Mon, 11/05/2007 - 11:05

On ACS one user can only be a member of one group.

If a user is in AD and is a member of multiple groups, then it depends on the Group Mapping on ACS.

Example,

You have a user in AD (testuser),

That user is a member of multiple groups in AD,

ADGroup1

ADGroup2

ADGroup3

And on ACS you have group mapping,

ADGroup2----->ACS Group 5

ADGroup3----->ACS Group 9

ADGroup1----->ACS Group 15

Then, as "ADGroup2--> ACS Group 5" is the first one to match, the user will be placed in group 5 on ACS.

So, on ACS a user can only be a member of one group.

HTH

Regards,

Prem
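Prem's first-match rule above, worked through in Python as an added example (not ACS code). The user and group names are taken from his post; the default-group fallback and the case-insensitive comparison of AD group names are assumptions of this model. The `shadowed_entries` helper goes a little beyond the post: it lists the mapping entries a user also matches but that can never take effect because an earlier entry wins, which is the practical gotcha when a restrictive mapping is placed below a broad one.

```python
"""Added illustration of ACS group mapping for AD users in several groups.

Not ACS code. ACS puts a user in exactly one ACS group: the configured
mapping list is walked in ACS order and the first entry whose AD group the
user belongs to wins, whatever the order of the user's memberships in AD.
"""
from typing import Iterable, List, Sequence, Tuple

Mapping = Sequence[Tuple[str, int]]   # ordered (AD group, ACS group number) pairs
DEFAULT_GROUP = 0                      # assumption: unmapped users fall to ACS group 0


def map_user(ad_groups: Iterable[str], mapping: Mapping, default: int = DEFAULT_GROUP) -> int:
    """Return the ACS group of the first mapping entry the user's AD memberships satisfy."""
    held = {g.lower() for g in ad_groups}   # assumption: AD group names compare case-insensitively
    for ad_group, acs_group in mapping:
        if ad_group.lower() in held:
            return acs_group
    return default


def shadowed_entries(ad_groups: Iterable[str], mapping: Mapping) -> List[Tuple[str, int]]:
    """Mapping entries this user also matches but that can never apply to them,
    because an earlier entry wins. Audit these when a restrictive mapping (say a
    Contractors VLAN) sits below a broad one (say Domain Users)."""
    held = {g.lower() for g in ad_groups}
    matches = [(ad, acs) for ad, acs in mapping if ad.lower() in held]
    return matches[1:]


# Prem's example: testuser holds ADGroup1..3, ACS lists ADGroup2 first.
TESTUSER_GROUPS = ["ADGroup1", "ADGroup2", "ADGroup3"]
ACS_MAPPING: Mapping = [("ADGroup2", 5), ("ADGroup3", 9), ("ADGroup1", 15)]

if __name__ == "__main__":
    print(map_user(TESTUSER_GROUPS, ACS_MAPPING))           # 5
    print(shadowed_entries(TESTUSER_GROUPS, ACS_MAPPING))   # [('ADGroup3', 9), ('ADGroup1', 15)]
    # Moving the ADGroup1 entry to the top changes the result for the same user.
    print(map_user(TESTUSER_GROUPS, [("ADGroup1", 15)] + list(ACS_MAPPING)))   # 15
```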

remco.gussen Wed, 11/07/2007 - 02:16

I tried PEAP Machine Authentication with a wired laptop...

This is what is in the ACS "failed login" log:

Authentication failed !

Access denied: fast-reconnect was successful but user was not found in cache

What can that be ?

ardica Wed, 11/07/2007 - 04:36

This is a known issue that should be fixed in ACS 4.1.4. You'd fail the first authentication attempt when using AD as the backend database. Everything should work fine from the second attempt on (for the same user).

Cheers,

-Max

remco.gussen Wed, 11/07/2007 - 04:42

Thank you Max

I saw that that is correct. First time -> no go, second attempt is OK!
