Wireless and Wired Network enforce user authentication with ACS after computer authentication

ivan.martin
Level 1

Hi, my name is Ivan. I have an access control issue in the wired and wireless network.

Is it possible to enforce computer authentication + user authentication with ACS 5.3, with the user authentication taking place after the computer authentication?

I have an 802.1X EAP-PEAP network to authenticate users and computers in the wired and wireless network.

The ACS has two policies to authenticate computers and users. We have 3 cases:

Case 1

When the user configures the 802.1X SSID parameter specifying user or computer authentication, ACS successfully validates the computer and the user's account. This works very well.

Case 2

When the user configures the 802.1X SSID parameter specifying single user authentication, the ACS validates the computer prior to and after the user credential. This works fine.

Case 3

But when the user configures the SSID 802.1X parameters specifying computer authentication, ACS successfully validates only the computer, not the user account. Once the computer is authenticated, the computer has access to the Internet.

In the third case I need the ACS to validate both the computer and the user: when the user specifies computer authentication, the user should still be validated after the authentication of the computer.

Cases 1 and 2 work very well in the wireless and wired network.

Is it possible to do this in the ACS?

11 Replies

Scott Fella
Hall of Fame

I put something together a while ago and it's in this thread. You have to use MAR and have two policies defined.

https://supportforums.cisco.com/message/3525141#3525141

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Hi Scott

Thanks for your answer. MAR is enabled, and I set the aging time to one month, but I need to enforce user authentication after the authentication of the computer in ACS 5.3.

Is it possible to do that?

Thanks

kcnajaf
Level 7

Hi Ivan,

Not sure if you have gone through this link.

https://supportforums.cisco.com/thread/2123696

I think your issue is detailed in there.

Regards

Najaf

Please rate when applicable or helpful !!!

Hi Najaf KC

Thanks for your answer. In the link it says:

Jan 18, 2012 6:29 AM

Hi All;

Finally Cisco TAC confirmed that there is no way we can enforce user authentication with ACS.

1. When the "authenticate as computer" option is selected on the laptop, and machine authentication is enabled on the ACS:

What happens is that the laptop goes through machine authentication and gains access. The customer wants to get prompted for a username and password, and if no username or an incorrect username/password is provided, he wants to deny access.

ANS: With MAR we can enforce machine authentication; however, in the ACS it is not possible to enforce user authentication, only machine authentication.

So you can't make the user authentication be the one that decides whether the client is going to gain access or not after machine authentication succeeds.

Thanks & Regards

Sreejith R

Is there any paper, PDF or link that explains this issue in the ACS?

Thanks for your advice.

Ivan,

In ACS 5.3, you can do machine authentication followed by a user authentication.

https://supportforums.cisco.com/docs/DOC-21825

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
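To make the behaviour discussed in this thread concrete, here is an added model (it is not ACS code and not Cisco's implementation, and the identities, MAC addresses and credentials in it are constructed) of how a RADIUS server with MAR gates a user authentication on a prior machine authentication for the same Calling-Station-Id, and why that gate cannot force a user prompt when the supplicant is set to computer-only authentication. It assumes a per-MAC cache of successful machine authentications with an aging time, which is the MAR mechanism the replies above refer to, and it ends with a log review a defender can run to find sessions that were authorized by a machine identity only:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample directory standing in for Active Directory lookups.
KNOWN_MACHINES = {"host/laptop01.corp.example"}
KNOWN_USERS = {"ivan": "correct-horse"}


def is_machine_identity(identity: str) -> bool:
    """Machine accounts present themselves as host/<fqdn> in EAP identity."""
    return identity.startswith("host/")


@dataclass
class MarCache:
    """Per-MAC record of the last successful machine authentication (assumed MAR model)."""
    aging: timedelta
    entries: dict = field(default_factory=dict)

    def record(self, mac: str, when: datetime) -> None:
        self.entries[mac] = when

    def is_fresh(self, mac: str, now: datetime) -> bool:
        seen = self.entries.get(mac)
        return seen is not None and now - seen <= self.aging


@dataclass
class AuthRequest:
    identity: str            # EAP identity: "host/..." for machines, otherwise a user
    password: str
    calling_station_id: str  # client MAC as the NAS reports it
    when: datetime


class PolicyServer:
    """Two policies, as Scott describes: one for machines, one for users.
    The user policy additionally requires a fresh MAR entry for the same MAC."""

    def __init__(self, aging: timedelta):
        self.mar = MarCache(aging)
        self.log = []  # (when, mac, identity, accepted, reason)

    def authenticate(self, req: AuthRequest):
        mac = req.calling_station_id
        if is_machine_identity(req.identity):
            ok = req.identity in KNOWN_MACHINES
            reason = "machine policy: AD computer object" if ok else "unknown machine"
            if ok:
                self.mar.record(mac, req.when)
        else:
            if KNOWN_USERS.get(req.identity) != req.password:
                ok, reason = False, "bad user credentials"
            elif not self.mar.is_fresh(mac, req.when):
                ok, reason = False, "user policy: no fresh machine auth for this MAC (MAR)"
            else:
                ok, reason = True, "user policy: user + fresh machine auth"
        self.log.append((req.when, mac, req.identity, ok, reason))
        return ok, reason


def run_supplicant(server: PolicyServer, mode: str, mac: str, t0: datetime):
    """Model of the client-side setting. The server only answers what the
    supplicant sends; in "computer" mode no user credential is ever offered."""
    machine = AuthRequest("host/laptop01.corp.example", "", mac, t0)
    user = AuthRequest("ivan", "correct-horse", mac, t0 + timedelta(minutes=1))
    if mode == "computer":
        return [server.authenticate(machine)]
    if mode == "user":
        return [server.authenticate(user)]
    if mode == "user-or-computer":
        return [server.authenticate(machine), server.authenticate(user)]
    raise ValueError(mode)


def machine_only_sessions(log, now: datetime, grace: timedelta):
    """Defender's review of the auth log: MACs whose latest accepted
    authentication is a machine identity and no user auth followed within
    `grace`. These are the case-3 sessions the server cannot refuse but can report."""
    last = {}
    for when, mac, identity, ok, _ in sorted(log, key=lambda e: e[0]):
        if ok:
            last[mac] = (when, identity)
    return sorted(mac for mac, (when, identity) in last.items()
                  if is_machine_identity(identity) and now - when > grace)


if __name__ == "__main__":
    t0 = datetime(2012, 1, 18, 6, 29)
    server = PolicyServer(aging=timedelta(days=30))
    for mode in ("computer", "user", "user-or-computer"):
        print(mode, run_supplicant(server, mode, f"mac-{mode}", t0))
    print("machine-only:", machine_only_sessions(server.log, t0 + timedelta(minutes=10),
                                                 timedelta(minutes=5)))
```

The MAR gate only expresses "a user authentication is accepted if a machine authentication preceded it", not the converse, so a supplicant that never sends a user credential is authorized on the machine identity alone; the review function is the compensating control, turning those sessions into something an operator can see and act on.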

Thanks Jatin Katyal

I saw the link, but according to TAC it is not possible to force the second authentication in ACS v5.3.

Is this true? Is there any paper or PDF that explains it?

Regards

Ivan

Did that help you understand the machine and user authentication (MAR) concept with ACS 5.x?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hello Jatin, good day. To match the details of the problem, I describe it in Spanish.

The problem is as follows:

The user configures their wireless network adapter to use computer-only authentication.

When the user does this, the computer sends its domain laptop credential, and the ACS looks at the calling station ID of the domain computer, searches its external database, which is Active Directory, and since it matches a domain object, it is authenticated to the wireless network.

But the ACS never asks for user authentication, or the user authentication prompt, because the computer has already been authenticated and authorized as a domain object.

What we want is that whatever configuration the user makes on the wireless network adapter for authentication, whether computer, user or computer, or user only, the ACS always validates and authenticates both the computer and the user account.

That the authentication policy be an AND statement and not an OR. When the user configures their wireless adapter as user or computer, the ACS does run the authentication policy for user and computer, because it requires the user to validate the computer first.

Our problem is the one described in the lines below, Computer + User Authentication Policy: the ACS must always present the user authentication prompt, even if the attribute on the client side is computer-only.

Regards.

Ivan

Could you please post the same thing in english ?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Jatin, here is the post in English.

Hi Jatin, good day. To match the details of the problem, I detailed it in Spanish.

The problem is as follows:

The user configures his wireless network card to use computer-only authentication.

When the user does this, the computer sends its domain laptop credential, and the ACS looks at the calling station ID of the domain computer, looks it up in its external database, which is Active Directory, and since it matches a domain object, it is authenticated to the wireless network.

But the ACS never asks for user authentication, or the user authentication prompt, because the computer has already been authenticated and authorized as a domain object.

What is desired is that, whatever settings the user makes on the wireless network card for authentication, whether computer, user or computer, or user only, the ACS always validates and authenticates the computer and the user account.

Let the authentication policy be an AND statement and not an OR. When the user configures his wireless network card as user or computer, the ACS does run the user and computer authentication policy, because it requires the user to validate the computer first.

Our problem is the one described in the lines below, Computer + User Authentication Policy: the ACS should always ask for the user authentication prompt, even if the client-side attribute is computer-only.

Greetings.

Ivan
