Cisco Support Community
ACS5 / ISE: PEAP authentication - first machine then user

Hi board,

I have a simple question regarding AAA with ISE or ACS5 and PEAP.

As we all know, the big disadvantage of PEAP is that you cannot prevent non-company property from authenticating to the network.

Example:

Windows Domain - PEAP machine and user authentication. During Windows GINA, the machine account is used - after login, the user account is used.

If I bring my own iPad to the company, I just have to enable WLAN, enter my Domain credentials and voila! I'm in!

Some companies want to restrict the network only for company equipment.

So a simple solution to this is EAP-TLS, but we all know that some guys don't want to build up a full-blown PKI....

So here's the question:

Is it possible to enforce an authentication order in ISE or ACS?

If an authentication request for a certain client MAC address comes in (Calling-Station-ID), then this identity has to authenticate with a machine account first (prefix "host\"), and only after the machine authentication has succeeded is the user authentication allowed.

If someone wants to log in with a user account, this should not be possible if there was no prior machine authentication.

So is this possible with ACS or ISE?

Thanks in advance!

Accepted Solution

Re: ACS5 / ISE: PEAP authentication - first machine then user

Johannes,

You can prevent iPads from connecting by forcing a machine authentication check in the user authentication policy.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html#wp1116684

You can also leverage the profiling feature in ISE to reject the Apple devices from accessing the network.

Thanks,

Tarik Admani
*Please rate helpful posts*

3 REPLIES


Re: ACS5 / ISE: PEAP authentication - first machine then user

This is exactly what I've been searching for!

Thank you!

One more thing.... this is not available for ACS, right?

Re: ACS5 / ISE: PEAP authentication - first machine then user

Profiling is not, but machine authentication with machine access restrictions is.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1254965

Tarik Admani
*Please rate helpful posts*

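The machine access restriction logic described in the replies above, as an added Python model that is not code from the thread, ISE or ACS: a MAR cache keyed by Calling-Station-ID, an assumed 6-hour aging window, and constructed MAC addresses, identities and timestamps. The scenario shows a corporate laptop (machine auth, then user auth), a personal iPad presenting the same valid domain credentials, and the laptop again after the window has expired.

```python
from dataclasses import dataclass, field

# Constructed model of a MAR-style check: user auth is accepted only when the
# same Calling-Station-ID (client MAC) passed machine auth inside the window.
MAR_AGING_SECONDS = 6 * 3600  # assumed aging time; tune to site policy

@dataclass
class MarCache:
    aging: int = MAR_AGING_SECONDS
    machines: dict = field(default_factory=dict)  # MAC -> last machine-auth time

    def record_machine_auth(self, mac, now):
        self.machines[mac] = now

    def machine_authenticated(self, mac, now):
        last = self.machines.get(mac)
        return last is not None and 0 <= now - last <= self.aging


def evaluate(cache, request, now):
    """Decide one PEAP inner authentication. request carries the
    Calling-Station-ID, the inner identity and whether the password
    check against the domain succeeded (timestamps are in seconds)."""
    mac = request["calling_station_id"].upper()
    identity = request["identity"]
    if not request["credentials_ok"]:
        return "REJECT"  # wrong password: never touches the MAR cache
    # Windows sends host/<fqdn> for machine auth (the thread writes host\).
    if identity.lower().startswith(("host/", "host\\")):
        cache.record_machine_auth(mac, now)
        return "ACCEPT"
    if cache.machine_authenticated(mac, now):
        return "ACCEPT"  # user login on a machine that already authenticated
    return "REJECT"  # valid domain credentials but no machine auth: BYOD


def run_scenario():
    """Constructed sequence: corporate laptop, then a personal iPad using
    the same domain credentials, then the laptop after the window expired."""
    cache = MarCache()
    laptop, ipad = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    events = [
        (0, laptop, "host/laptop01.example.local"),
        (60, laptop, "EXAMPLE\\jdoe"),
        (100, ipad, "EXAMPLE\\jdoe"),
        (8 * 3600, laptop, "EXAMPLE\\jdoe"),
    ]
    return [evaluate(cache, {"calling_station_id": m, "identity": i,
                             "credentials_ok": True}, t) for t, m, i in events]
```

The last event is the operational caveat of MAR: the cache is keyed only on the endpoint MAC and ages out, so a machine that has been up longer than the window (or that roams to a different PSN without MAR cache replication) is rejected on its next user logon until it performs machine authentication again.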