ACS with Machine Authentication/User Authentication with AND operator

Unanswered Question
May 27th, 2009

I have a customer that has ACS v4.2 which is authenticating users for a Wireless LAN controller with 802.1x PEAP. We are able to get Machine Auth/User Auth working, but only with an OR operator and not an AND operator. We want it to be so that in order for users to access the wireless, the laptop must be part of Domain Computers AND Domain Users....not Domain Computers OR Domain Users.

Right now I have Domain Computers mapped to Group 1 and Domain Users mapped to Group 2... if you have a non-domain PC, you can log in with your domain user credentials and that's not the desired behavior.

I tried mapping Domain Computers and Domain Users to the same group and users get stuffed into the Default group and don't authenticate.

m.yost Fri, 05/29/2009 - 18:43

Yes, TAC suggested this so we turned MAR on and it appears like people are still able to authenticate with username/pass with non-domain devices. However, we currently have 2 groups: Group 1 maps to Domain Users, Group 2 maps to Domain Computers.

Do we need to only have a single group that maps to both Domain Users and Domain Computers for MAR to work?
