Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS, WCS, PEAP, Machine Authentication

We are building a new wireless network complete with a new ACS 5.2 appliance and new LAN controllers with WCS.  We want to create an encrypted/secured SSID that ONLY machines managed by us can access the LAN with.  We are looking for the best solution with the least amount of complexity.  After several discussions in-house, we are looking to use PEAP authentication (currently testing with a self-signed cert), then create an access policy in ACS to validate the machine is a member of Active Directory.  Unfortunately I cannot find the way to validate the machine's membership.  I'm not sure if I am missing something, or if this is even possible.  If anyone has any suggestions to make this happen, or a better way to handle this, I'd appreciate the assistance. 

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ACS, WCS, PEAP, Machine Authentication

What you need is machine authentication. The machine will first authenticate with its credentials (AD account) and then the user will authenticate too. This option is available under the windows client.

Then you can also set the ACS to only allow a user to authenticate if the machien has been authenticated before.

you have to enable machine auth on the  ACS server (Users and Identity Stores --> External Identiry Stores  --> Active Directory, check the Enable Machine Authentication box)?

Also  - under Access Policies --> Access Services, on the Allowed  Protocols tab, you enable the "Process Host Lookup" option

Create an access policy, enable PEAP-MSCHAPv2/Process Host  Lookup, define conditions by using Identity Group and Was Machine  Authenticated which looks like:

     1) if Identitty group  in machine group, then permit access

     2) if Identtity group in user group and Was Machine authenticated, then permit acces

     3) default deny access

More details in discussions like https://supportforums.cisco.com/thread/2014145

Hope this helps.

Nicolas

===

Don't forget to rate answers that you find useful

5 REPLIES
Cisco Employee

Re: ACS, WCS, PEAP, Machine Authentication

What you need is machine authentication. The machine will first authenticate with its credentials (AD account) and then the user will authenticate too. This option is available under the windows client.

Then you can also set the ACS to only allow a user to authenticate if the machien has been authenticated before.

you have to enable machine auth on the  ACS server (Users and Identity Stores --> External Identiry Stores  --> Active Directory, check the Enable Machine Authentication box)?

Also  - under Access Policies --> Access Services, on the Allowed  Protocols tab, you enable the "Process Host Lookup" option

Create an access policy, enable PEAP-MSCHAPv2/Process Host  Lookup, define conditions by using Identity Group and Was Machine  Authenticated which looks like:

     1) if Identitty group  in machine group, then permit access

     2) if Identtity group in user group and Was Machine authenticated, then permit acces

     3) default deny access

More details in discussions like https://supportforums.cisco.com/thread/2014145

Hope this helps.

Nicolas

===

Don't forget to rate answers that you find useful

New Member

Re: ACS, WCS, PEAP, Machine Authentication

Thanks Nicholas,

The Was Machine Authenticated flag was my issue.  The rest was already in place. 

Thank you

New Member

Re: ACS, WCS, PEAP, Machine Authentication

I also set this up for a customer. Their AD had 3 seprate forests that were set to trust eachother. I could enumerate groups from all three forests in the select group section (not using groups yet just checking could see them)

However only machines that are in the configured "Active Directory Domain Name" and one of the other two will authenticate. If a machine belongs to the third domain an error 24485 Machie authentication against Active Directory has failed because of wrong password.

I didn't realise machines could have the wrong password, but even so can anyone explain what is happening here?

reload in 25 years
New Member

Re: ACS, WCS, PEAP, Machine Authentication

The domain connection to the nachine was stale; The machine was re-joined to the domain and it woked as normal.

reload in 25 years

ACS, WCS, PEAP, Machine Authentication

Check this Doc

Tips to make Machine Authentication Work - PEAP Authentication - https://supportforums.cisco.com/docs/DOC-21825

Thanks.

Thanks & Regards
11360
Views
5
Helpful
5
Replies
CreatePlease to create content