Machine Authentication by AD

dynacare1 · ‎01-21-2010

I'm trying to implement Machine Authentication with PEAP in ACS 5.1. The Machine should get autenticated from AD and then user authentication. We don't want to use certificate for authentication. I only selected PEAP EAP-MS-CHAPv2 protocol in Allowed Protocol.

I can authenticate by user but not by machine. We have 2008 AD. Is there any settings or any grouping i have to do on AD side or in ACS.

If someone can give us some suggestion or documentation then it will really help us solve the problem.

Thanks for your help.

Jagdeep Gambhir · ‎01-22-2010

The ideal solution to avoid non-domain machines is to put Machine Access Restriction on the ACS. Where in the user has to pass machine authentication and user authentication from the same machine to be allowed access to the network, else if the machine authentication fails (for iphones or non-domain machine) and only user authentication passes-- ACS will deny the user connection.

Here is the details of this feature:

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1053213

Snip:

"ACS machine access restriction (MAR) features use AD to map machine authentication to user authentication and authorization, and sets a the maximal time allowed between machine authentication and an authentication of a user from the same machine. Most commonly, MAR fails authentication of users whose host machine does not successfully authenticate or if the time between machine and user authentication is greater than the specified aging time. You can add MAR as a condition in authentication and authorization rules as required."

Hope that helps!

Regards,

~JG

Do rate helpful posts