PEAP and Machine Authentication

relsethagen
Level 1

I am attempting to come up with a secure deployment scenario. I have strong control over the image on mobile devices. I am testing utilizing PEAP with ACS. I am currently running a legacy 3.3 ACS server but am about to upgrade. The dilemma I have is that I only want to allow machines that are domain members to authenticate. I have configured Machine Authentication rules to prevent access for users that have not machine authenticated; however, I have test devices, specifically iPhone and iPod touch devices, that can still consistently authenticate using only user domain credentials. Is there something I am missing in setting up the Machine Access Restriction? If there is, is this possibly something that is fixed in 4.X ACS?

1 Accepted Solution

Accepted Solutions

r.bishop
Level 1

Hi there,

We have this running on ACS 4.2 and the only elements we need to enable on the ACS server are under the "Machine Authentication" section of "External Databases".

Tick "Enable PEAP machine authentication".

Tick "Enable Machine Access Restrictions".

Ensure that "Group map for successful user authentication without machine authentication:" is mapped to "No Access".

Ensure that no groups are exempt from this.

If your setup in ACS 3.3 is the same but does not function, then all I can say is that it works OK in v4.2! I cannot comment on whether this is a bug in 3.3.

Hope this helps,

Russell


9 Replies

rsumpter
Level 1

I'm curious. What rules are you referring to? ACS or the client rules?


Hi Russell,

What is the config, if any, on the Windows side to allow machine authentication?

I am seeing the PEAP user auth pass, but the machine auth fails with the log below:

host/wks1.lnd.uk Authen failed EAP-TLS or PEAP authentication failed during SSL handshake

What 802.1X supplicant are you using on the Windows side? If you are using the one built into Windows XP (Wireless Zero Config), then you can simply check/tick the "Authenticate as computer when computer information is available" box on the Authentication tab.

Hi Robert,

I am using the Windows XP SP2 supplicant.

"Authenticate as computer" is ticked, and ACS sends the machine auth to AD, where it fails.

PEAP user auth works fine.

Regards

Colin

Hi Russell,

What config, if any, did you have to do on the Windows Server / AD side?

Regards

Colin

I am running into the same issue. I want to lock out devices that are not part of the AD. We are using ACS 4.2 appliances (which use the remote agents), and I believe machine authentication works because it was enabled to allow logon scripts to run, etc.

However, if I check the box to Enable Machine Access Restrictions and set it to No Access, no users can authenticate.

As mentioned earlier, the iPod touches and iPhones are prompted to continue without a certificate, and are able to get on by only providing the AD username and password.

This is the failed attempt log when MAR is enabled:

Windows External DB user access was denied due to a Machine Access Restriction

The MAR may be coming into play because the machine didn't authenticate. The error you posted, I believe, is from when a USER account was presented for authentication without the machine having been previously authenticated.

Check the logs: do you see anything about failed auths for MACHINE accounts (or successful machine authentications in the successful auth logs)?
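
A worked illustration of the log check suggested above, combined with the MAR policy described in the accepted solution (a successful machine authentication is required before a user authentication from that client is allowed; otherwise the user maps to "No Access"). This is an added example, not code from the thread or from Cisco. The CSV log layout (time, user, Caller-ID MAC, status, message), the 12-hour MAR aging window, and all sample lines are assumptions constructed for the example; only the two failure message texts are taken from the posts in this thread.

```python
"""Triage ACS-style authentication log lines to explain MAR denials.

Added example, not code from the thread or from Cisco. The log format
(CSV: time,user,caller_id,status,message) and the 12-hour aging window
are assumptions; the sample log is constructed, not captured.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# The two messages quoted in the thread.
MAR_DENIED = "Windows External DB user access was denied due to a Machine Access Restriction"
SSL_HANDSHAKE_FAILED = "EAP-TLS or PEAP authentication failed during SSL handshake"

# Constructed sample log (not from a real ACS server). Machine accounts
# appear as host/<fqdn>; user accounts as DOMAIN\user; caller_id is the
# client MAC reported by the NAS, which is what lets us pair a user
# authentication with the machine authentication that preceded it.
SAMPLE_LOG = r"""
2009-03-02 08:00:01,host/wks1.lnd.uk,00-11-22-33-44-01,Failed,EAP-TLS or PEAP authentication failed during SSL handshake
2009-03-02 08:00:05,LND\colin,00-11-22-33-44-01,Failed,Windows External DB user access was denied due to a Machine Access Restriction
2009-03-02 08:10:00,host/wks2.lnd.uk,00-11-22-33-44-02,Passed,Authen OK
2009-03-02 08:10:04,LND\alice,00-11-22-33-44-02,Passed,Authen OK
2009-03-02 09:30:00,LND\bob,aa-bb-cc-dd-ee-03,Failed,Windows External DB user access was denied due to a Machine Access Restriction
2009-03-02 10:00:00,host/wks3.lnd.uk,00-11-22-33-44-03,Passed,Authen OK
2009-03-02 10:00:03,LND\dave,00-11-22-33-44-03,Failed,Windows External DB user access was denied due to a Machine Access Restriction
2009-03-02 22:30:00,LND\alice,00-11-22-33-44-02,Failed,Windows External DB user access was denied due to a Machine Access Restriction
"""


@dataclass
class AuthEvent:
    when: datetime
    user: str
    caller_id: str  # client MAC, normalised to lower case
    status: str     # "Passed" or "Failed"
    message: str


def parse_log(text):
    """Parse the assumed CSV layout into AuthEvent records, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        when, user, caller_id, status, message = line.split(",", 4)
        events.append(AuthEvent(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                                user, caller_id.lower(), status, message))
    events.sort(key=lambda e: e.when)
    return events


def is_machine_account(user):
    """Windows machine accounts are presented as host/<fqdn> in PEAP machine auth."""
    return user.lower().startswith("host/")


def triage(events, aging_hours=12):
    """Split events into the three cases an admin wants to tell apart.

    machine_auth_failed: the supplicant tried machine auth and it failed
        (supplicant / AD problem, as in Colin's post).
    mar_denied_no_machine_auth: user denied by MAR and this client never
        machine-authenticated within the aging window (expected for a
        non-domain device such as a phone).
    mar_denied_despite_machine_auth: user denied by MAR although the same
        client machine-authenticated recently (points at ACS configuration
        rather than the client).
    """
    window = timedelta(hours=aging_hours)   # assumed MAR aging time
    last_machine_pass = {}                  # caller_id -> time of last success
    report = {"machine_auth_failed": [],
              "mar_denied_no_machine_auth": [],
              "mar_denied_despite_machine_auth": []}
    for e in events:
        if is_machine_account(e.user):
            if e.status == "Passed":
                last_machine_pass[e.caller_id] = e.when
            else:
                report["machine_auth_failed"].append(e)
            continue
        if e.status == "Failed" and MAR_DENIED in e.message:
            seen = last_machine_pass.get(e.caller_id)
            if seen is not None and e.when - seen <= window:
                report["mar_denied_despite_machine_auth"].append(e)
            else:
                report["mar_denied_no_machine_auth"].append(e)
    return report


def summarize(report):
    """Reduce the report to lists of user names, in log order."""
    return {key: [e.user for e in events] for key, events in report.items()}


def run_sample(aging_hours=12):
    return summarize(triage(parse_log(SAMPLE_LOG), aging_hours))


if __name__ == "__main__":
    for key, users in run_sample().items():
        print(f"{key}: {users}")
```

Run it on an exported Failed Attempts / Passed Authentications report converted to the assumed CSV layout; the last bucket is the one worth chasing in ACS, while the middle bucket is MAR doing its job against clients that never machine-authenticated.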

I am running into the same issue.

I can authenticate as a machine and use EAP-TLS for machine authentication.

I cannot, however, get a Windows computer to combine Active Directory authentication with machine authentication.

I want a supplicant to send BOTH: machine auth via EAP-TLS to satisfy the MAR, then the Active Directory username and password to satisfy the PEAP.

PS: I CAN get a user cert and Active Directory combined to authenticate, but this is not as secure as checking the machine certificate.

I have tried and tried and can only do one or the other, not both. Anyone have input on how to do this?
