Cisco Wireless Machine and user authentication

mark.cronin
Level 2

Hi

Yesterday we fixed the problem with Wireless laptops only needing to authenticate with machine only by altering the Wireless EAP group policy

To

“Computer authentication: With user re-authentication”

it was "computer only" previously.

Now when you start the laptop in the proximity of the Wireless access points the laptop uses machine and user authentication and successfully authenticates with PEAP.

This has highlighted a problem when users take their laptops from their desk, already logged on, down to the wireless network, as the infrastructure is now configured to use machine and username authentication with machine access restrictions enabled. Now, when the laptop is already logged on, it will try to authenticate with the username only.

The following report is logged on the ACS 4.1

Wireless access is denied with the following: "Windows External DB user access was denied due to a Machine Access Restriction"

Is there any way of ensuring that the Microsoft supplicant issues a machine authentication prior to user authentication?

Mark

2 Replies

mark.cronin
Level 2

Hi

I have found the attached article detailing the problem.

Has anyone found a workaround so that machine and user authentication can still be used?

Mark

I would use the AuthMode registry key.

See the Microsoft text:

The AuthMode registry value (found at HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode) affects the behavior of computer authentication and user authentication. The AuthMode value can be set to the following:

0 - Computer authentication is performed when the wireless client computer is started. When a user logs in, if the computer authentication was successful, user authentication is not performed. This setting has been deprecated and its use is discouraged. This is the default setting for Windows XP with no service packs installed.

1 - Computer authentication is performed when the wireless client computer is started. When a user logs in, user authentication occurs. When the user logs out, computer authentication occurs. This is the default setting for Windows XP SP1, Windows XP SP2, and Windows Server 2003.

2 - Computer authentication is performed when the wireless client computer is started. User authentication is never performed.

I would leave the computer authenticate, then the user will have access to the LAN to authenticate, but can still authenticate with no computer