PEAP strong machine authentication

Hello there,

I have some questions regarding PEAP authentication, specifically how Machine Authentication works and how it is secured. It seems that if I have enabled Machine Authentication in my network, everyone who knows the PC domain name can access the network; is it true?

Here is what I mean: “Machine Authentication allows your PC to connect to the network by authenticating as "Computer" before a legitimate user logs in. This allows a machine to obtain group policies just like it was connected to a wired network and this is a unique feature of the Windows Client.”

I got this from http://www.techrepublic.com/article/ultimate-wireless-security-guide-manual-peap-deployment-for-windows-wireless-client/6148574.

So I was looking at the ACS logs and it seems that the PC just sent its domain name to ACS, and ACS authenticates the computer by its name. After this the computer has access to the network.

So could you please tell me how I can implement strong machine authentication without going the EAP-TLS way?

Accepted Solutions

Re: PEAP strong machine authentication

Please see your answers in line:

> I have some questions regarding PEAP authentication, specifically how Machine Authentication works and how it is secured. It seems that if I have enabled Machine Authentication in my network, everyone who knows the PC domain name can access the network; is it true?

This is not true; there is much more to machine authentication than just knowing your domain name. For machine authentication to occur, a computer must be joined to the domain using an admin account. The machine credentials are acquired dynamically (they are not set by any administrator or user) through Kerberos and with default settings usually change every 30 days.

> Here is what I mean: “Machine Authentication allows your PC to connect to the network by authenticating as "Computer" before a legitimate user logs in. This allows a machine to obtain group policies just like it was connected to a wired network and this is a unique feature of the Windows Client.”

Yes, the main purpose of machine authentication is to allow machine GPO to execute and give the computer network access during the bootup process. When a user authenticates, the supplicant will not allow any traffic flow until it receives an EAP-Success for the user transaction.

> I got this from http://www.techrepublic.com/article/ultimate-wireless-security-guide-manual-peap-deployment-for-windows-wireless-client/6148574.

> So I was looking at the ACS logs and it seems that the PC just sent its domain name to ACS, and ACS authenticates the computer by its name. After this the computer has access to the network.

The machine should have sent its computer credentials, not the domain name (format is computername.domain.com).

> So could you please tell me how I can implement strong machine authentication without going the EAP-TLS way?

Machine authentication via PEAP is usually the easiest way to authenticate machines to the network. It uses MS-CHAPv2, which is a hashing algorithm used between the client and the domain without sending the password.

One more thing about using Machine Access Restrictions. The Cisco AnyConnect client is going to support EAP-chaining in an upcoming release; this is a feature that will allow you to set the order of EAP authentication when a workstation joins the network. So you will have the ability to fire a machine authentication request followed by user authentication, referenced in this article - https://supportforums.cisco.com/thread/2150542

Tarik Admani
*Please rate helpful posts*


Re: PEAP strong machine authentication

Well, the main thing you have to understand is that in a Windows 7 device, you can authenticate either user OR computer, not both. This is why you only see machine names in ACS. Now you can enable MAR in ACS. I wouldn't recommend this though, but that's my opinion. This will check if the machine was authenticated and then use user authentication. However, this doesn't check all the time, so any other user can log in using their AD account as long as the MAR timer has not expired. But if a user is on and the MAR timer expires, well, authentication will fail and the machine will have to be rebooted and machine auth has to take place. MAR also does not work if the user uses both wired and wireless.

-Scott
*** Please rate helpful posts ***
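
The MAR behaviour described in the reply above, as an added example that is not part of the thread and not Cisco's code: a toy Python model that assumes MAR caches the adapter MAC address (Calling-Station-ID) of each successful machine authentication for a configurable aging time. The 6-hour aging value, the MAC addresses and the user names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class MarCache:
    """Toy model of Machine Access Restrictions (MAR) on the RADIUS server."""
    aging_seconds: int = 6 * 3600               # assumed aging time (configurable)
    _seen: dict = field(default_factory=dict)   # MAC -> cache expiry time

    def machine_auth_ok(self, mac: str, now: int) -> None:
        # A successful machine authentication records the adapter's MAC.
        self._seen[mac.lower()] = now + self.aging_seconds

    def user_auth_allowed(self, mac: str, now: int) -> bool:
        # A user authentication passes MAR only if this MAC has a live entry.
        # Note what is NOT checked: which user it is, or whether the machine
        # credentials are being presented again right now.
        expiry = self._seen.get(mac.lower())
        return expiry is not None and now < expiry

def run_scenario() -> dict:
    mar = MarCache()
    wired, wifi = "00:11:22:33:44:55", "66:77:88:99:AA:BB"  # constructed MACs
    t0 = 0
    mar.machine_auth_ok(wired, t0)              # boot: machine auth on wired NIC
    results = {
        # First user logs in shortly after boot.
        "alice_after_boot": mar.user_auth_allowed(wired, t0 + 60),
        # Any other AD user on the same adapter passes while the entry is live.
        "bob_same_adapter": mar.user_auth_allowed(wired, t0 + 3600),
        # Same PC, other adapter: different MAC, no cache entry.
        "alice_on_wifi": mar.user_auth_allowed(wifi, t0 + 3600),
        # Entry aged out: user auth fails until the machine authenticates again.
        "alice_after_expiry": mar.user_auth_allowed(wired, t0 + 6 * 3600 + 1),
    }
    mar.machine_auth_ok(wired, t0 + 7 * 3600)   # reboot triggers machine auth
    results["alice_after_reboot"] = mar.user_auth_allowed(wired, t0 + 7 * 3600 + 60)
    return results

if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:20s} {'permit' if allowed else 'deny'}")
```
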

Re: PEAP strong machine authentication

Hello Scott,

Is machine authentication mandatory for a Windows 7 PC to operate successfully in the network? And is it true what I said in the first post, that if somebody not authorized knows the PC domain name, they could potentially use it and authenticate?

And if I understand correctly, MAR checks whether the currently authenticated user has an authenticated machine, not whether the authenticated machine has an authenticated user? What I mean is, when the machine is authenticated with its domain name, I can log into the machine with a local username (not from AD, which is the external identity store for ACS), and I have full network access, even when I have MAR enabled.

Thank you for your help.
