Banging my head bad! Need help w/machine authentication

Oct 20th, 2009

I have spent the past two weeks, yes sadly so, trying to figure out how to get my WLAN to authenticate computers and users. I originally set up my infrastructure so that my clients connected to an AP; the AP had a WLSE as a RADIUS server, which then passed the credentials to Active Directory via Cisco Secure Agent for user authentication. This worked, but when my users log off, the machine loses network connectivity, so I need to get "Authenticate as computer when available" working. From what I can tell, the WLSE and Cisco ACS agent for Windows do not support machine authentication. My plan was to install IAS and a certificate server on my domain and have that act as the RADIUS server instead of the WLSE and ACS. I installed those, but never got any luck with authentication. I read somewhere that it may not be possible to use IAS and WDS together, and I do have one of my access points set up as WDS.

My question is: does anyone know of a way that I can enable machine authentication without so much pain? It would be excellent if I could do this using the WLSE and possibly ACS. I was even hoping that Cisco may have a supplicant that offered such authentication without the pain.

I need the network to be secure, WPA2 and AES preferred, because it is for health care.

Any suggestions? I am really at a loss here. I thought for sure that the IAS server would have been the solution, but no dice.

Thanks so much.

Jatin Katyal Fri, 10/23/2009 - 05:42

Hi,

You are correct, WLSE Express does not support machine authentication, but this can be done with WLC and ACS.

======================================================

STEPS TO CONFIGURE MAC AUTHENTICATION with WLC/AP/ACS:

======================================================

1] On the WLC Web GUI:

Security>RADIUS authentication>New>

2] Add the ACS server IP, ASCII shared secret and port number, and check the boxes for Network User, Management and IPSec if used for AAA authentication

3] On the ACS server: Network Configuration>Add entry>

4] Add the WLC hostname, IP address and matching shared key; for "Authenticate Using", select RADIUS (Cisco Aironet), or RADIUS (Cisco Airespace) if using ACS 4.0/4.2

To configure the WLC so AP's authenticate against ACS:

5] On the WLC:

Security>AP Policies>Select the checkbox for Authorize APs against AAA

6] On the ACS server:

Create an account for the client, based on its MAC address. For example, if the MAC address of the client is 00-15-C5-3A-E4-0D:

Username : 0015c53ae40d

Password : 0015c53ae40d

Add a user account for the MAC address of the AP with no dots or dashes, the password will also be the MAC address of the AP with no dots or dashes.

STEPS TO CONFIGURE USER WITH MACHINE AUTHENTICATION:

With ACS, I would like to know what EAP flavor you are using along with MAC authentication.

You may go through the following links as per your requirement. I understand that reviewing links is no less of a pain, but this is something very precise we have for you.

LEAP/MAC Authentication

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a13.shtml

Cisco Secure ACS for Windows v3.2 With EAP-TLS Machine Authentication

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

Cisco Secure ACS for Windows v3.2 With EAP-TLS Machine Authentication

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

On Windows XP SP2 clients we can force machine, user or both authentications by a registry tweak.

HTH

JK

Please rate helpful posts.
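The reply above has ACS accounts whose username and password are both the MAC address with the separators stripped. The block below is an added example (mine, not Cisco's code and not part of the reply) that shows what actually crosses the wire for such an account: it normalises a MAC from any common notation, builds the RFC 2865 Access-Request a NAS would send, hides the User-Password with the MD5 chain the RFC specifies, and verifies the Response Authenticator on the reply so a forged or misdirected Access-Accept is not trusted. It also includes the inverse of the password hiding, which makes the security point plain: anyone holding the RADIUS shared secret and a capture recovers the "password", and since that password is a MAC address that is visible in clear on the air anyway, this scheme identifies a device rather than authenticating it. The attribute set, the sample secret and the IP addresses are assumptions; the MAC is the one used in the reply.

```python
"""RFC 2865 Access-Request builder and reply checker for the MAC-address user
accounts the reply describes (username == password == MAC, no separators).
Added example, not Cisco's code or the poster's configuration; the attribute
set and the sample secret/addresses are assumptions."""
import hashlib
import hmac
import os
import re
import socket
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RADIUS codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31  # attribute types

def acs_mac_username(mac: str) -> str:
    """Normalise 00-15-C5-3A-E4-0D / 00:15:c5:3a:e4:0d / 0015.c53a.e40d to the
    12 lowercase hex digits the reply uses as both ACS username and password."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password: reversible by anyone who holds the shared secret and
    a capture of the request, so this is obfuscation, not encryption."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype: int, value: bytes) -> bytes:
    """One type/length/value attribute; length counts the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TLV list, rejecting lengths below the header size or past the buffer."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return out

def build_access_request(secret: bytes, mac: str, nas_ip: str, ident: int,
                         authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (packet, request_authenticator) for a MAC-auth lookup of `mac`."""
    user = acs_mac_username(mac).encode()
    req_auth = authenticator or os.urandom(16)          # RFC 2865 wants this unpredictable
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(secret, req_auth, user))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(CALLING_STATION_ID, user))          # assumption: a real WLC's format may differ
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def response_authenticator(secret: bytes, code: int, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_response(secret: bytes, code: int, ident: int, req_auth: bytes, attrs: bytes = b"") -> bytes:
    """What the RADIUS server sends back; used here to exercise check_response offline."""
    auth = response_authenticator(secret, code, ident, req_auth, attrs)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def check_response(secret: bytes, req_auth: bytes, ident: int, packet: bytes) -> Optional[int]:
    """Return the reply code only if ID and Response Authenticator match our request;
    None means truncated, for another request, or not from a holder of the secret."""
    if len(packet) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length < 20 or length > len(packet):
        return None
    expected = response_authenticator(secret, code, ident, req_auth, packet[20:length])
    return code if hmac.compare_digest(expected, packet[4:20]) else None
```

To try it against a lab ACS, send the packet from `build_access_request` over UDP/1812 with a fresh identifier and random authenticator, then pass the reply and the same authenticator to `check_response`; an Access-Accept that fails the authenticator check should be treated as no reply at all.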
