Tips to make Machine Authentication Work - PEAP Authentication


Jan 6, 2012 8:58 AM


Introduction

What has to be configured in ACS 5.x before machine authentication (PEAP with MS-CHAPv2 against Active Directory) will work?

Solution

1. Under Users and Identity Stores > External Identity Stores > Active Directory, make sure ACS is joined to your domain and that the groups you need appear under Directory Groups.

2. Check the box 'Enable Machine Authentication'.

Aging time (hours): this timer starts when a machine authenticates successfully. Once it expires, ACS no longer treats that machine as authenticated, so the machine has to authenticate again (the Windows supplicant sends its host/ credentials at boot and at log-off) before a user on it can match a rule that requires 'Was Machine Authenticated'. 8 hours or more is usually fine; the comments below describe how this timer behaves for laptops that are suspended rather than logged off.

3. Under Access Policies perform the following:

a. Select Access Services and click on 'Create'

b. Name it 'Wireless network access' (or whatever you like)

c. Under 'User Selected Services Type' select Network Access

d. Under 'Policy Structure' select Identity and Authorization

e. Click 'Next'

f. Under Step 2, Allowed Protocols, select the following:

i. Process Host Lookup

ii. Allow PEAP

iii. Allow EAP‐MS‐CHAPv2

iv. Allow Password Change

g. Click 'Finish'

h. The following popup will appear, click 'Yes’ to accept

Access Service created successfully. Would you like to modify the Service Selection policy to activate this service?

4. Under 'Service Selection Rules'

a. 'Customize' (on the bottom right side) *Optional

b. You can choose whatever you want to match, but to keep it simple choose only the following:

i. Protocol

ii. Device IP Address *Optional

c. Click 'Ok'

d. Click 'Create'

e. Name it 'Wireless network access' (or whatever you like)

f. Click 'Protocol' and match 'Radius'

g. 'Service' should be the 'Access Service' you created in step #3

h. Check 'Device IP Address' *Optional

i. Input the ip address of the WLC (Management IP) *Optional

j. Click 'Add v' *Optional

k. Under Results | Service choose the service you created *Optional

l. Click 'Ok'

m. Click 'Save Changes' on the bottom

5. Under Access Policies | Access Services | <Your new rule>

a. Select 'Identity'

b. Under 'Identity Source' choose AD1

c. Click 'Save Changes' on the bottom

6. Under Access Policies | Access Services | <Your new rule>

a. Select 'Authorization'

b. Click 'Customize' (on the bottom right side)

c. You can choose whatever you want to match, but to keep it simple choose only the following:

i. System:UserName

ii. Was Machine Authenticated

iii. AD1:ExternalGroups

iv. Remove 'Compound Conditions' from the list (the rules below use simple conditions only)

v. Click 'Ok'

vi. Click 'Save Changes' on the bottom

7. You will need to create two rules plus the default rule:

a. RULE #1

i. Click 'Create' and name the rule if you wish

ii. Make sure the Status is set to 'Enabled'

iii. Check 'System:UserName'

iv. Set the operator to 'starts with' and enter host/ (without quotes)

v. Under 'Results' 'Authorization Profiles' click 'Select' and choose 'Permit Access'

vi. Click 'Ok' and Click 'Ok' again

vii. That is all for this rule. Note that it permits the machine account on its own, so the device is on the network before any user logs in; if that is not acceptable, return a more restrictive authorization profile (VLAN or ACL) here instead of Permit Access.

viii. Click 'Ok' on the bottom

b. RULE #2

i. Click 'Create' and name the rule if you wish

ii. Make sure the Status is set to 'Enabled'

iii. Check 'Was Machine Authenticated'

iv. The condition should read 'Was Machine Authenticated = True'

v. Check 'AD1:ExternalGroups' and select 'contains any'

vi. Click 'Select' and choose the AD group the user is a member of

vii. Under 'Results' 'Authorization Profiles' click 'Select' and choose 'Permit Access'

viii. That is all for this rule.

ix. Click 'Ok' on the bottom

c. DEFAULT Rule

i. Click 'Default' at the bottom

ii. Deselect Permit Access and Select Deny Access

iii. Click 'Ok'

iv. Click 'Save Changes' on the bottom

Reference

https://supportforums.cisco.com/thread/2053236

https://supportforums.cisco.com/message/3525141

Scenario

We are building a new wireless network complete with a new ACS 5.2 appliance and new LAN controllers with WCS.  We want to create an encrypted/secured SSID that ONLY machines managed by us can access the LAN with.  We are looking for the best solution with the least amount of complexity.  After several discussions in-house, we are looking to use PEAP authentication (currently testing with a self-signed cert), then create an access policy in ACS to validate the machine is a member of Active Directory.  Unfortunately I cannot find the way to validate the machine's membership.  I'm not sure if I am missing something, or if this is even possible.  If anyone has any suggestions to make this happen, or a better way to handle this, I'd appreciate the assistance.

Solution

What you need is machine authentication. The machine will first authenticate with its own credentials (its AD computer account) and then the user will authenticate too. This option is available in the Windows client.

Then you can also set the ACS to only allow a user to authenticate if the machine has been authenticated before.

You have to enable machine auth on the ACS server (Users and Identity Stores --> External Identity Stores --> Active Directory, check the Enable Machine Authentication box).

Also, under Access Policies --> Access Services, on the Allowed Protocols tab, enable the "Process Host Lookup" option.

Create an access policy, enable PEAP-MSCHAPv2/Process Host Lookup, and define conditions using Identity Group and Was Machine Authenticated, which looks like:

     1) if Identity group  in machine group, then permit access

     2) if Identity group in user group and Was Machine authenticated, then permit access

     3) default deny access
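The three-rule policy above, and the two rules plus default rule in the step-by-step procedure earlier on this page, can be modelled to see how the Machine Access Restriction (MAR) aging time decides whether the user rule matches. The following Python is an added example, not ACS code and not from either thread: the group name, the 8-hour window, the MAC addresses, host and user names and the timestamps are all assumptions. ACS correlates the machine and user logins by the endpoint's Calling-Station-Id (client MAC), so the model keys its cache the same way.

```python
"""Added example (not ACS code, not from either thread): a model of the
authorization policy built on this page.  Rule 1 permits host/ identities,
rule 2 permits users in the WLAN group only if the endpoint passed machine
authentication within the MAR aging window, the default rule denies.
Group name, window, MAC addresses, names and timestamps are assumptions."""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta

WLAN_USER_GROUP = "EXAMPLE\\WlanUsers"   # assumed AD group selected in rule 2
MAR_AGING = timedelta(hours=8)           # assumed 'Aging time (hours)' from step 2

PERMIT = "Permit Access"
DENY = "Deny Access"


@dataclass
class MachineAuthCache:
    """Successful machine authentications per endpoint, keyed on the client
    MAC (Calling-Station-Id), which is how ACS correlates the two logins."""
    aging: timedelta
    seen: dict = field(default_factory=dict)

    def record(self, mac: str, when: datetime) -> None:
        self.seen[mac.lower()] = when

    def was_authenticated(self, mac: str, when: datetime) -> bool:
        """'Was Machine Authenticated': true only inside the aging window."""
        last = self.seen.get(mac.lower())
        return last is not None and when - last <= self.aging


@dataclass(frozen=True)
class Request:
    user_name: str   # System:UserName (inner MS-CHAPv2 identity)
    groups: tuple    # AD1:ExternalGroups returned by the AD lookup
    mac: str         # Calling-Station-Id of the endpoint
    when: datetime


def authorize(req: Request, cache: MachineAuthCache) -> str:
    """Evaluate the rules in order and return the authorization profile."""
    # Rule 1: System:UserName starts with host/ -> the machine account is
    # authenticating.  Permit it and remember the endpoint for rule 2.
    if req.user_name.startswith("host/"):
        cache.record(req.mac, req.when)
        return PERMIT
    # Rule 2: Was Machine Authenticated = True AND AD1:ExternalGroups
    # contains any of the selected groups.
    if cache.was_authenticated(req.mac, req.when) and WLAN_USER_GROUP in req.groups:
        return PERMIT
    # Default rule.
    return DENY


def walk_through():
    """Replay one laptop's day against the policy; returns (event, profile) pairs."""
    cache = MachineAuthCache(MAR_AGING)
    mac = "00:11:22:33:44:55"
    t0 = datetime(2012, 1, 6, 9, 0)
    machine = Request("host/laptop1.example.local", ("EXAMPLE\\Domain Computers",), mac, t0)
    alice = Request("EXAMPLE\\alice", (WLAN_USER_GROUP, "EXAMPLE\\Domain Users"), mac, t0)
    bob = Request("EXAMPLE\\bob", ("EXAMPLE\\Domain Users",), mac, t0)
    at = lambda req, **delta: replace(req, when=t0 + timedelta(**delta))
    timeline = [
        ("09:00 boot, supplicant sends host/ credentials", machine),
        ("09:01 alice logs on", at(alice, minutes=1)),
        ("09:31 session-timeout re-auth, alice still logged on", at(alice, minutes=31)),
        ("16:00 bob (not in the WLAN group) logs on to the same laptop", at(bob, hours=7)),
        ("next day 09:30 lid opened, alice never logged off", at(alice, hours=24, minutes=30)),
        ("next day 09:35 alice logs off, machine re-authenticates", at(machine, hours=24, minutes=35)),
        ("next day 09:36 alice logs on again", at(alice, hours=24, minutes=36)),
    ]
    return [(event, authorize(req, cache)) for event, req in timeline]


def user_only_supplicant() -> str:
    """A supplicant set to 'user authentication' never sends host/ credentials,
    so rule 2 cannot match even for a domain machine and a permitted user."""
    cache = MachineAuthCache(MAR_AGING)
    req = Request("EXAMPLE\\alice", (WLAN_USER_GROUP,), "66:77:88:99:aa:bb",
                  datetime(2012, 1, 6, 9, 0))
    return authorize(req, cache)


if __name__ == "__main__":
    for event, profile in walk_through():
        print(f"{profile:13} <- {event}")
    print(f"{user_only_supplicant():13} <- user-only supplicant, no prior machine auth")
```

Two things the walk-through makes visible: rule 1 matches on the name prefix alone, so the machine is on the network with nobody logged in; and a user who keeps re-authenticating every session-timeout never refreshes the machine entry, so once the aging window passes the same user is denied until a log-off or reboot produces a new host/ authentication.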

Reference

https://supportforums.cisco.com/thread/2014145


Comments

ohansen Mon, 01/23/2012 - 01:54

This works fine, at least in a lab scenario, but there are a few things to be aware of here:

1) The computer will get network access, through the computer authentication, without a user logged in. This may or may not be OK, depending on what the security requirements, and one might have to play with VLAN assignments/ACLs if the goal is to not allow full network access for a device until a user logs in.

2) If one uses Windows 7 and the default supplicant, one must be aware of the way it works. If "user or computer" authentication is selected, then the following will happen:

  • When the user boots his computer, computer authentication will take place
  • When the user logs in, user authentication will take place
  • Periodic re-authentication will take place with the interval set on the AP or controller, the "session-timeout" (by default every 30 mins). If the user is not logged in then computer authentication will take place, if he is then user authentication will.
  • When the user is logged in, only user authentication will ever take place, computer authentication never does.
  • When the user logs out, computer authentication will take place
  • When the user suspends his computer without having logged out, and resumes it, user authentication will take place (if suspended for longer than the session-timeout)
  • The "was machine authenticated" is only valid for the period set under "Machine Access Restrictions", in ACS by default 3 hours.

The above means that we will have to set the MAR appropriately, otherwise after 3 hours and a bit, the user will lose network access as although periodic user authentication has taken place, computer authentication has not.

However, even if we set the MAR to a longer value things are not guaranteed to work as we wish: let's say we set it to 24 hours. The user boots his laptop at 9am, and logs in immediately. In the afternoon he closes the lid on it, without logging out. If he comes back into the office before 9am he will get network access, but after 9am his session will fail. We could set the MAR to a much larger value, but not every security-minded person will be happy with that, and some users keep their laptops running with them logged in for as long as they can, and expecting them to have to log out or reboot to get network access isn't really acceptable in this day and age.

The above might be more of a Microsoft Windows 7 issue than a Cisco issue, but important to keep in mind.

toddsnyder@gmail.com Fri, 04/06/2012 - 09:25

Followed these exact instructions with an XP client in a Windows 2008 R2 domain and I get the following error in ACS:

"ACS has not been able to confirm previous successful machine authentication for user in Active Directory"

I verified that this worked with a Windows 7 client.  Trying a patch from MS that will hopefully fix it.  I don't see the machine auth coming across for the XP client.

The MS patch worked.

kfriedel Thu, 04/19/2012 - 08:25

Hi,

I configured (ACS5.1) like the second Solution above:

AD groups are selected, "enable machine authentication" is OK, Protocols allowed: PEAP; Process Host Lookup

Access Policy: Identity --> AD1

                       Authorization--> like above

                        1) if Identity group  in machine group, then permit access

                        2) if Identity group in user group and Was Machine authenticated, then permit access

                        3) default deny access

The Problem is:  Machine Authentication does not work

Monitoring and Reports:  only User Authentication:

Evaluating Identity Policy

15004  Matched rule

15013  Selected Identity Store -  AD1
24430  Authenticating user against Active  Directory
24416  User's Groups retrieval from Active  Directory succeeded
24402  User authentication against Active Directory  succeeded

22037  Authentication Passed

Does anyone know what's wrong in our configuration?

Thanks in advance

toddsnyder@gmail.com Thu, 04/19/2012 - 10:02 (reply to kfriedel)

Klaus,

Your first rule is incorrect.  You aren't matching the machine to a group in AD, you're just looking up in AD that it exists.  This should be the first rule:

i. Click 'Create' and name the rule if you wish

ii. Make sure the Status is set to 'Enabled'

iii. Check 'System:UserName'

iv. The rule should be as follows: 'starts with', input host/ without the quotes

v. Under 'Results' 'Authorization Profiles' click 'Select' and choose 'Permit Access'

vi. Click 'Ok' and Click 'Ok' again

vii. This is all for this rule.

viii. Click 'Ok' on the bottom

kfriedel Fri, 04/20/2012 - 05:39 (reply to toddsnyder@gmail.com)

Hi Todd,

It still doesn't work.

Please let's analyse step by step:

For Identity: single result selection

                    "Identity Source": AD1

For Authorization :

     Rule 1: Condition #1 System:UserName: Starts with : host/ ...

                 Authorization profile: Permit Access

     Rule 2: Condition #1 Was Machine Authenticated = True ...

                 Condition #2 AD1: External Groups:

                                      contains any:   domain\usergroup

                 Authorization profile: Permit Access

    Default: Authorization profile: Deny Access

I use a notebook XP SP3. It is a domain member ("domain"/SystemGroups/Domain Computers)

and the user is in a security group for "WlanUser"

Problem:

ACS only matches the Default Rule for Authorization:

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store -  AD1
24430  Authenticating user against Active  Directory
24416  User's Groups retrieval from Active  Directory succeeded
24402  User authentication against Active Directory  succeeded

22037  Authentication Passed

Evaluating Group Mapping Policy

11824  EAP-MSCHAP authentication attempt  passed
12305  Prepared EAP-Request with another PEAP  challenge
11006  Returned RADIUS  Access-Challenge
11001  Received RADIUS  Access-Request
11018  RADIUS is re-using an existing  session
12304  Extracted EAP-Response containing PEAP  challenge-response
11810  Extracted EAP-Response for inner method  containing MSCHAP challenge-response
11814  Inner EAP-MSCHAP authentication  succeeded
11519  Prepared EAP-Success for inner EAP  method
12314  PEAP inner method finished  successfully
12305  Prepared EAP-Request with another PEAP  challenge
11006  Returned RADIUS  Access-Challenge
11001  Received RADIUS  Access-Request
11018  RADIUS is re-using an existing  session
12304  Extracted EAP-Response containing PEAP  challenge-response
12306  PEAP authentication  succeeded

11503  Prepared EAP-Success

24423  ACS has not been able to confirm previous  successful machine authentication for user in Active Directory
Evaluating Exception Authorization  Policy

15042  No rule was matched

Evaluating Authorization Policy

15006  Matched Default Rule

15016  Selected Authorization Profile -  DenyAccess
15039  Selected Authorization Profile is  DenyAccess

11003  Returned RADIUS Access-Reject

regards Klaus

Scott Fella Fri, 04/20/2012 - 05:42 (reply to kfriedel)

I usually see this error:

24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory

when the device is not rebooted or the timer for MAR has expired. 
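The step report in Klaus's post can be triaged mechanically rather than read line by line. The following Python is an added example, not from the thread and not an ACS feature: it parses the numbered step lines, tracks which 'Evaluating ...' phase each belongs to, and explains why Deny Access was selected. The failing excerpt is copied from the post above; the passing report is constructed for contrast and only uses step codes that appear on this page.

```python
"""Added example (not ACS code): triage of an ACS 5.x authentication report.
Only the step codes that appear in the thread are interpreted."""
import re

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.+?)\s*$")
PHASE_RE = re.compile(r"^\s*Evaluating\s+(.+?)\s*$")

# Excerpt of the failing report posted by kfriedel on 04/20/2012.
FAILING_REPORT = """
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store -  AD1
24430  Authenticating user against Active  Directory
24416  User's Groups retrieval from Active  Directory succeeded
24402  User authentication against Active Directory  succeeded
22037  Authentication Passed
12306  PEAP authentication  succeeded
11503  Prepared EAP-Success
24423  ACS has not been able to confirm previous  successful machine authentication for user in Active Directory
Evaluating Exception Authorization  Policy
15042  No rule was matched
Evaluating Authorization Policy
15006  Matched Default Rule
15016  Selected Authorization Profile -  DenyAccess
15039  Selected Authorization Profile is  DenyAccess
11003  Returned RADIUS Access-Reject
"""

# Constructed counter-example (not from the page) of a request that matched a rule.
PASSING_REPORT = """
Evaluating Identity Policy
15004  Matched rule
15013  Selected Identity Store -  AD1
24402  User authentication against Active Directory  succeeded
22037  Authentication Passed
12306  PEAP authentication  succeeded
Evaluating Authorization Policy
15004  Matched rule
15016  Selected Authorization Profile -  Permit Access
"""


def parse_steps(report):
    """Yield (phase, code, message) for each numbered step, with whitespace normalised."""
    phase = None
    for line in report.splitlines():
        m = PHASE_RE.match(line)
        if m:
            phase = re.sub(r"\s+", " ", m.group(1))
            continue
        m = STEP_RE.match(line)
        if m:
            yield phase, m.group(1), re.sub(r"\s+", " ", m.group(2))


def triage(report):
    """Summarise the report and list the reasons the default rule fired."""
    steps = list(parse_steps(report))
    codes = {code for _, code, _ in steps}
    authz_rule = next((msg for phase, code, msg in steps
                       if phase == "Authorization Policy" and code in ("15004", "15006")), None)
    result = {
        "authentication_passed": "22037" in codes,   # AD accepted the credentials
        "peap_succeeded": "12306" in codes,          # outer PEAP tunnel completed
        "mar_unconfirmed": "24423" in codes,         # no machine auth on record
        "rejected": "11003" in codes,                # Access-Reject returned
        "authorization_rule": authz_rule,
        "findings": [],
    }
    f = result["findings"]
    if result["rejected"] and result["authentication_passed"]:
        f.append("credentials were accepted by AD; the Access-Reject comes from the "
                 "authorization policy, not from the identity store")
    if result["mar_unconfirmed"]:
        f.append("24423: no successful machine authentication on record for this "
                 "endpoint within the MAR aging window")
    if authz_rule == "Matched Default Rule" and result["mar_unconfirmed"]:
        f.append("neither rule matched: rule 1 needs a host/ user name, rule 2 needs "
                 "Was Machine Authenticated = True; set the supplicant to 'user or "
                 "computer' authentication and reboot or log off to trigger machine auth")
    return result


if __name__ == "__main__":
    for name, report in (("failing", FAILING_REPORT), ("passing", PASSING_REPORT)):
        r = triage(report)
        print(name, "->", r["authorization_rule"])
        for finding in r["findings"]:
            print("  -", finding)
```

The phase tracking matters: 15006 'Matched Default Rule' appears twice in the failing report, once under Identity Policy (harmless, the identity default rule simply picks AD1) and once under Authorization Policy (the actual deny), so a check that only counts the code would misread the first occurrence.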

kfriedel Wed, 05/02/2012 - 07:05

Hi Todd,

We tested a lot. It didn't work with XP but it works well with WIN7.

We see the problem in client settings:

you can choose "machine authentication", "user authentication" or "user or machine authentication"

If you choose "machine authentication" then (machine is AD member) --> access permit (rule 1) without user authentication.

Only if you choose  "user or machine authentication" then it works well with both rules.

Thanks Klaus
