
ACS with Machine Authentication/User Authentication with AND operator

m.yost
Level 1

I have a customer that has ACS v4.2, which is authenticating users for a Wireless LAN controller with 802.1x PEAP. We are able to get Machine Auth/User Auth working, but only with an OR operator and not an AND operator. We want it to be so that in order for users to access the wireless, the laptop must be part of Domain Computers AND Domain Users... not Domain Computers OR Domain Users.

Right now I have Domain Computers mapped to Group 1 and Domain Users mapped to Group 2... if you have a non-domain PC, you can log in with your domain user credentials and that's not the desired behavior.

I tried mapping Domain Computers and Domain Users to the same group and users get stuffed into the Default group and don't authenticate.

2 Replies

Jagdeep Gambhir
Level 10

Did you try to set up MAR (Machine Access Restrictions)?

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/UsrDb.html#wp354105

Regards,

~JG

Do rate helpful posts

Yes, TAC suggested this so we turned MAR on and it appears like people are still able to authenticate with username/pass with non-domain devices. However, we currently have 2 groups: Group 1 maps to Domain Users, Group 2 maps to Domain Computers.

Do we need to only have a single group that maps to both Domain Users and Domain Computers for MAR to work?
