I am attempting to come up with a secure deployment scenario. I have strong control over the image on mobile devices. I am testing utilizing PEAP with ACS. I am currently running a legacy 3.3 ACS server but am about to upgrade. The dilemma I have is that I only want to allow machines that are domain members to authenticate. I have configured machine authentication rules to prevent access for users that have not machine authenticated; however, I have test devices, specifically iPhone and iTouch devices, that can still consistently authenticate using only user domain credentials. Is there something I am missing in setting up the Machine Access Restriction? If there is, is this possibly something that is fixed in 4.x ACS?
We have this running on ACS 4.2 and the only elements we need to enable on the ACS server are under the "Machine Authentication" section of "External Databases".
Tick "Enable PEAP machine authentication".
Tick "Enable Machine Access Restrictions".
Ensure that "Group map for successful user authentication without machine authentication:" is mapped to "No Access".
Ensure that no groups are exempt from this.
If your setup in ACS 3.3 is the same but does not function, then all I can say is that it works OK in v4.2! I cannot comment on whether this is a bug in 3.3.
Hope this helps,
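As an added illustration (not part of either post, and not Cisco's code), the following Python models the Machine Access Restrictions decision the answer configures: a user authentication only lands in a normal group if the same endpoint, keyed by its Calling-Station-Id (MAC address), has completed a PEAP machine authentication (a "host/..." identity) within the aging window; otherwise it is mapped to "No Access". The group name "Domain Users", the 12-hour aging default, and the authentication records are all constructed assumptions for the example. It also flags endpoints that only ever present user credentials, which is exactly the iPhone symptom in the question.

```python
"""Simulated ACS-style Machine Access Restrictions (MAR) evaluation.

Added example; assumptions: MAR state is keyed by endpoint MAC, machine
authentications present a host/<fqdn> identity, and a successful machine
authentication is remembered for an aging window (12 h assumed here).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AuthEvent:
    when: datetime
    mac: str          # Calling-Station-Id of the endpoint
    identity: str     # e.g. "host/LAPTOP01.corp.example" or "CORP\\alice"
    success: bool     # did the credential itself validate?


def is_machine_identity(identity: str) -> bool:
    """Windows supplicants present the computer account as host/<fqdn>."""
    return identity.lower().startswith("host/")


@dataclass
class MARState:
    aging: timedelta = timedelta(hours=12)
    # mac -> time of the most recent successful machine authentication
    cache: dict = field(default_factory=dict)

    def evaluate(self, ev: AuthEvent) -> str:
        if not ev.success:
            return "REJECT"                       # bad credential, MAR not consulted
        if is_machine_identity(ev.identity):
            self.cache[ev.mac] = ev.when           # remember this endpoint
            return "MACHINE-AUTH-OK"
        seen = self.cache.get(ev.mac)
        if seen is None or ev.when - seen > self.aging:
            return "No Access"                     # user auth without (fresh) machine auth
        return "Domain Users"                      # assumed normal-access group


def evaluate_all(events, aging_hours: int = 12):
    """Replay events in time order; return (mac, identity, decision) tuples."""
    state = MARState(aging=timedelta(hours=aging_hours))
    ordered = sorted(events, key=lambda e: e.when)
    return [(ev.mac, ev.identity, state.evaluate(ev)) for ev in ordered]


def user_only_endpoints(events):
    """MACs that attempted user credentials but never machine-authenticated."""
    machine = {e.mac for e in events if is_machine_identity(e.identity)}
    user = {e.mac for e in events if not is_machine_identity(e.identity)}
    return sorted(user - machine)


# Constructed sample records (not real ACS output).
T0 = datetime(2024, 1, 15, 8, 0)
SAMPLE_EVENTS = [
    AuthEvent(T0, "00:11:22:33:44:55", "host/LAPTOP01.corp.example", True),
    AuthEvent(T0 + timedelta(minutes=1), "00:11:22:33:44:55", "CORP\\alice", True),
    # Phone-style device: user credentials only, no computer account to present
    AuthEvent(T0 + timedelta(minutes=5), "aa:bb:cc:dd:ee:ff", "CORP\\bob", True),
    # Laptop whose machine auth is older than the aging window
    AuthEvent(T0 - timedelta(hours=20), "66:77:88:99:aa:bb", "host/LAPTOP02.corp.example", True),
    AuthEvent(T0 + timedelta(minutes=10), "66:77:88:99:aa:bb", "CORP\\carol", True),
    AuthEvent(T0 + timedelta(minutes=11), "aa:bb:cc:dd:ee:ff", "CORP\\bob", False),
]

if __name__ == "__main__":
    for mac, ident, decision in evaluate_all(SAMPLE_EVENTS):
        print(f"{mac}  {ident:32}  -> {decision}")
    print("user-only endpoints:", user_only_endpoints(SAMPLE_EVENTS))
```

Run as a script, the replay shows alice (laptop that machine-authenticated a minute earlier) landing in the normal group, bob's phone and carol's stale laptop both mapped to "No Access", and the phone's MAC listed as a user-only endpoint. Lengthening the aging window lets carol through, which is why that value deserves review alongside the three settings in the answer.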