05-27-2009 04:05 PM - edited 03-10-2019 04:30 PM
I have a customer that has ACS v4.2 which is authenticating users for a Wireless LAN controller with 802.1x PEAP. We are able to get Machine Auth/User Auth working, but only with an OR operator and not an AND operator. We want it to be so that in order for users to access the wireless, the laptop must be part of Domain Computers AND Domain Users... not Domain Computers OR Domain Users.
Right now I have Domain Computers mapped to Group 1 and Domain Users mapped to Group 2... if you have a non-domain PC, you can log in with your domain user credentials and that's not the desired behavior.
I tried mapping Domain Computers and Domain Users to the same group and users get stuffed into the Default group and don't authenticate.
05-29-2009 12:54 PM
Did you try to set up MAR (Machine Access Restrictions)?
Regards,
~JG
Do rate helpful posts
05-29-2009 06:43 PM
Yes, TAC suggested this so we turned MAR on and it appears like people are still able to authenticate with username/pass with non-domain devices. However, we currently have 2 groups: Group 1 maps to Domain Users, Group 2 maps to Domain Computers.
Do we need to only have a single group that maps to both Domain Users and Domain Computers for MAR to work?