Cisco Support Community

ACS with Machine Authentication/User Authentication with AND operator

I have a customer that has ACS v4.2 which is authenticating users for a Wireless LAN controller with 802.1x PEAP. We are able to get Machine Auth/User Auth working, but only with an OR operator and not an AND operator. We want it to be so that in order for users to access the wireless, the laptop must be part of Domain Computers AND Domain Users, not Domain Computers OR Domain Users.

Right now I have Domain Computers mapped to Group 1 and Domain Users mapped to Group 2. If you have a non-domain PC, you can log in with your domain user credentials and that's not the desired behavior.

I tried mapping Domain Computers and Domain Users to the same group and users get stuffed into the Default group and don't authenticate.

2 REPLIES

Re: ACS with Machine Authentication/User Authentication with AND

Did you try to set up MAR (Machine Access Restrictions)?

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/UsrDb.html#wp354105

Regards,

~JG

Do rate helpful posts


Re: ACS with Machine Authentication/User Authentication with AND

Yes, TAC suggested this so we turned MAR on and it appears like people are still able to authenticate with username/pass with non-domain devices. However, we currently have 2 groups: Group 1 maps to Domain Users, Group 2 maps to Domain Computers.

Do we need to only have a single group that maps to both Domain Users and Domain Computers for MAR to work?
