PEAP machine authentication

Unanswered Question
Jan 24th, 2012

I have 802.1X/PEAP authentication in my wireless network with ACS 4.2 as the authentication server. I enabled PEAP machine authentication under the Unknown user policy ---> database configuration sub-menu. I discovered that I was still able to access the wireless network on my Android phone with my domain logon. I later discovered that there is an option in Group Policy to force Windows XP clients to perform computer authentication. Now the problem is that Windows 7 clients do not have the EAPOL option in the registry, hence the group policy object may not work.

Please could anyone suggest how to enforce machine authentication and stop unwanted devices without having to purchase a NAC server?

Scott Fella Tue, 01/24/2012 - 14:09

Windows 7 can do machine authentication. On the wireless profile, you need to set it to "Computer".

Thanks,

Scott Fella

Sent from my iPhone

grabonlee Wed, 01/25/2012 - 01:19

Setting Windows 7 machines to user computer authentication from the wireless profile does not change the fact that a person could still connect with an iPhone or any unauthorised wireless device, since it's dependent only on domain logon. The answer required is simply how to enforce a domain policy whereby any authenticating client will be forced to perform machine authentication before user authentication is accepted. Hence with my iPhone, I should not be able to simply access the wireless network with my user credentials.

Scott Fella Wed, 01/25/2012 - 04:33

You need to set it to computer only and not user or computer. If you set it to user or computer, the device can use either machine or user, not both. If you search the forum, there was a previous post in which some wanted to try to do both machine and user. Windows 7 only does one or the other and not both.

https://supportforums.cisco.com/thread/2123696

Thanks,

Scott Fella

Sent from my iPhone

grabonlee Wed, 01/25/2012 - 04:50

Thanks, but you seem to not have understood my question. You can only change wireless settings for devices you control, either by using Group Policy or locally on the machine. You will definitely not have control over an iPhone or unauthorised device. The question is, does PEAP machine authentication in ACS work for any authentication request from a device not on the domain?

If you have PEAP on your wireless network, one can still use any wireless device as long as the user domain account is still valid. So is the only option to purchase a NAC server?

Nigel Bowden Wed, 01/25/2012 - 04:53

If you enforce only machine authentication using ACS (not user authentication), then only Windows machines can access the wireless network. Any other devices will never be able to join the network, as they are not members of the Windows domain.

Once Windows devices have joined the wireless network using machine authentication, then user authentication can happen in the same way as when a wired user is connected to a network. Note that user authentication is not required to get access to the wireless network, only machine authentication.

This may sound like a bit of a security flaw as a user can access the wireless network without being authenticated by the wireless network, but remember that the user must have had to supply valid user credentials to log in to the laptop (cached Windows credentials) that he is using to access the wireless network, so is implicitly a trusted user.

Hope this helps.

Nigel.

grabonlee Wed, 01/25/2012 - 05:04

Thanks Nigel

I have ACS 4.2 and it only has an option to tick PEAP machine authentication under Unknown user policy --> Database configuration mapping, unlike 5.x where you specify other settings. I have successfully connected to the wireless network on my Android phone with my domain logon. That means that ACS does not enforce machine authentication even if it is specified. I would like to know if there is any other setting on ACS required or on AD, which in that case I have to speak to the Server team.

Nigel Bowden Wed, 01/25/2012 - 05:32

Osita,

Remove your user to AD group mapping in ACS 4.2, then users cannot be authenticated against AD. Just leave in the machine to AD group mapping.

Nigel.

grabonlee Thu, 01/26/2012 - 01:37

Hi Nigel

Your suggestion to leave machine to AD group mapping helped. However, this was only to ensure computer account only is used. I have solved the problem. I discovered that I did not enable Machine Authentication Restriction under the Windows database configuration. Done it and no unauthorised device can connect.

grabonlee Thu, 01/26/2012 - 02:03

Also as a hint based on what Scott suggested earlier, whether you choose User authentication, User or Computer authentication or Computer authentication from the Wireless properties in a Win7 client, the user will still authenticate successfully. This is because the computer info is sent by default. I have tested by changing the properties on my domain laptop to User only authentication and I was able to authenticate. The only issue was that the mapping did not go to the wireless clients NDG I created but to the default group, even though on the AD mapping, I specified Domain computers,*.
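
An added example, not part of the original thread and not ACS code: a Python audit over RADIUS authentication records that flags successful user logons from a client MAC with no recent successful machine (`host/...`) authentication, which is the kind of connection the Machine Authentication Restriction setting discussed above is meant to stop. The record format, function names and the 12-hour window are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumed layout, not ACS's real log format):
# time, Calling-Station-Id (client MAC), PEAP identity, result
SAMPLE_LOG = """\
2012-01-25 08:01:10,00-11-22-AA-BB-01,host/LAPTOP01.corp.example,pass
2012-01-25 08:03:42,00-11-22-AA-BB-01,CORP\\alice,pass
2012-01-25 09:15:00,00-11-22-CC-DD-02,CORP\\alice,pass
2012-01-25 09:20:00,00-11-22-EE-FF-03,host/LAPTOP02.corp.example,fail
2012-01-25 09:21:00,00-11-22-EE-FF-03,CORP\\bob,pass
2012-01-26 08:05:00,00-11-22-AA-BB-01,CORP\\alice,pass
"""

def parse(log_text):
    """Yield (timestamp, mac, identity, result) tuples from the CSV text."""
    for line in log_text.strip().splitlines():
        ts, mac, identity, result = (f.strip() for f in line.split(","))
        yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
               mac.upper(), identity, result.lower())

def is_machine(identity):
    # Windows computer accounts present a "host/<fqdn>" identity in PEAP.
    return identity.lower().startswith("host/")

def users_without_machine_auth(log_text, aging=timedelta(hours=12)):
    """Return successful user auths whose MAC has no fresh machine auth.

    `aging` is an assumed window; set it to match the server's own setting.
    """
    last_machine_ok = {}  # MAC -> time of last successful machine auth
    findings = []
    for ts, mac, identity, result in sorted(parse(log_text)):
        if result != "pass":
            continue  # a failed machine auth must not vouch for the MAC
        if is_machine(identity):
            last_machine_ok[mac] = ts
            continue
        seen = last_machine_ok.get(mac)
        if seen is None or ts - seen > aging:
            reason = "no machine auth" if seen is None else "machine auth aged out"
            findings.append((ts.isoformat(sep=" "), mac, identity, reason))
    return findings

if __name__ == "__main__":
    for finding in users_without_machine_auth(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Run against logs collected before the restriction is enabled, the findings show which users and devices it will start rejecting; afterwards, an empty result is the expected state.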

This Discussion

Posted January 24, 2012 at 2:04 PM