07-27-2012 07:04 AM - edited 03-10-2019 07:20 PM
Hi board,
I have a simple question regarding AAA with ISE or ACS5 and PEAP.
As we all know, the big disadvantage of PEAP is that you cannot enforce that non-company property authenticates to the network.
Example:
Windows Domain - PEAP machine and user authentication. During Windows GINA, the machine account is used - after login, the user account is used.
If I bring my own iPad to the company, I just have to enable WLAN, enter my Domain credentials and voila! I'm in!
Some companies want to restrict the network only for company equipment.
So a simple solution to this is, EAP-TLS - but we all know that some guys don't want to build up a full blown PKI....
So here's the question:
Is it possible to enforce an authentication order in ISE or ACS?
If an authentication request for a certain client MAC address comes in (Calling station ID), then this identity has to authenticate with a machine account first (prefix "host\") and only after the machine authentication succeeded is the user authentication allowed.
If someone wants to log in with a user account, then this should not be possible if there was no former machine authentication.
So is this possible with ACS or ISE?
Thanks in advance!
07-27-2012 09:11 AM
Johannes,
You can prevent ipads from connecting by forcing machine authentication check in the user authentication policy.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html#wp1116684
You can also leverage the profiling feature in ISE to reject the apple devices from accessing the network.
Thanks,
Tarik Admani
*Please rate helpful posts*
07-27-2012 10:48 AM
This is exactly what I've been searching for!
Thank you!
One more thing.... this is not available for ACS, right?
07-27-2012 11:26 AM
Profiling is not, but machine authentication with machine access restrictions is.
Tarik Admani
*Please rate helpful posts*
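To make the machine-access-restriction behaviour discussed in this thread concrete, here is an added example (not Cisco's code and not the posters' code) that simulates the policy logic: a successful machine authentication records the client's Calling-Station-Id in a cache, and a later user authentication from a MAC that has no fresh cache entry is rejected even though the domain credentials are valid. The `host/` prefix, the six-hour aging time, the MAC formats and the accounts are assumptions constructed for the example.

```python
import time
from dataclasses import dataclass, field

# Machine accounts authenticate as host/<computername> (the thread writes it as "host\");
# the prefix and the aging time are assumptions for this example, not ISE/ACS defaults.
MACHINE_PREFIX = "host/"

def normalize_mac(calling_station_id: str) -> str:
    """Calling-Station-Id arrives as AA-BB-CC-.., aa:bb:cc:.. or aabb.ccdd..; key on the hex only."""
    return "".join(c for c in calling_station_id if c.isalnum()).upper()

@dataclass
class Request:
    calling_station_id: str   # client MAC from the RADIUS Calling-Station-Id attribute
    user_name: str            # "host/PC01" for machine auth, "CORP\\jdoe" for a user
    credentials_ok: bool      # outcome of the inner PEAP/MSCHAPv2 check, assumed already done

@dataclass
class MarPolicy:
    aging_seconds: int = 6 * 3600                    # how long a machine auth stays valid for a MAC
    mar_cache: dict = field(default_factory=dict)    # normalized MAC -> time of last machine auth

    def evaluate(self, req: Request, now: float) -> str:
        if not req.credentials_ok:
            return "REJECT"
        mac = normalize_mac(req.calling_station_id)
        if req.user_name.lower().startswith(MACHINE_PREFIX):
            self.mar_cache[mac] = now              # machine auth succeeded: remember this MAC
            return "ACCEPT_MACHINE"
        last = self.mar_cache.get(mac)
        if last is None or now - last > self.aging_seconds:
            return "REJECT_NO_MACHINE_AUTH"        # valid domain credentials, but not a domain PC
        return "ACCEPT_USER"

def run_scenario() -> list:
    """Constructed sample: a domain PC, a BYOD iPad using domain credentials, and an aged-out entry."""
    policy = MarPolicy()
    t0 = 1_000_000.0
    return [
        policy.evaluate(Request("00-11-22-33-44-55", "host/PC01", True), t0),              # ACCEPT_MACHINE
        policy.evaluate(Request("00:11:22:33:44:55", "CORP\\jdoe", True), t0 + 60),        # ACCEPT_USER (same MAC)
        policy.evaluate(Request("66-77-88-99-AA-BB", "CORP\\jdoe", True), t0 + 60),        # REJECT (iPad, no machine auth)
        policy.evaluate(Request("00-11-22-33-44-55", "CORP\\jdoe", True), t0 + 7 * 3600),  # REJECT (cache aged out)
    ]

if __name__ == "__main__":
    print(run_scenario())
```

In ISE this is the "Was Machine Authenticated" condition referenced in the linked guide; the simulation only illustrates why a user-only login from an unknown MAC fails.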