09-24-2013 07:46 PM - edited 03-10-2019 08:55 PM
Hi, my name is Ivan. I have an issue with access control on the wired and wireless network.
Is it possible to enforce computer authentication + user authentication with the ACS 5.3 after the computer authentication?
I have an 802.1X EAP-PEAP network to authenticate users and computers on the wired and wireless network.
The ACS has two policies, to authenticate computers and users. We have 3 cases:
Case 1
When the user configures the 802.1X SSID parameter specifying user or computer authentication, ACS successfully validates the computer and the user's account. This works very well.
Case 2
When the user configures the 802.1X SSID parameter specifying single user authentication, the ACS validates the computer prior to and after the user credential. This works fine.
Case 3
But when the user configures the SSID 802.1X parameters specifying computer authentication, ACS successfully validates only the computer, not the user account. Once the computer is authenticated, it has access to the internet.
I need, in the third case, the ACS to validate both the computer and the user, when the user specifies computer authentication, after the authentication of the computer.
Cases 1 and 2 work very well on the wireless and wired networks.
Is it possible to do this in the ACS?
09-24-2013 07:51 PM
I put something together a while ago and it's in this thread. You have to use MAR and have two policies defined.
https://supportforums.cisco.com/message/3525141#3525141
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered".
09-24-2013 07:56 PM
Hi Scott
Thanks for your answer. MAR is enabled; I set the aging time to one month. But I need to enforce authentication of the user after the authentication of the computer in the ACS 5.3.
Is it possible to do it?
Thanks
09-24-2013 07:55 PM
Hi Ivan,
Not sure if you have gone through this link.
https://supportforums.cisco.com/thread/2123696
I think your issue is detailed in there.
Regards
Najaf
Please rate when applicable or helpful !!!
09-24-2013 08:02 PM
Hi Najaf KC
Thanks for your answer. The link says:
Hi All;
Finally Cisco TAC confirmed that there is no way that we can enforce user authentication with ACS.
1. When the authenticate as computer option is selected on the laptop, and machine authentication is enabled on the ACS,
what happens is the laptop goes through machine authentication and it gains access. The customer wants to get prompted for a username and password; if no username or an incorrect username/password is provided, then he wants to deny access.
ANS: With MAR we can enforce machine authentication; however, in the ACS it is not possible to enforce user authentication, only machine authentication.
So you can't enforce the user auth to be the one who decides if the client is going to gain access or not after machine auth succeeds.
Thanks & Regards
Sreejith R
Is there any paper, PDF or link that explains this issue in the ACS?
Thanks for your advice.
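To make the TAC answer quoted above concrete, here is a small model of how a two-policy MAR setup evaluates requests. It is an added illustration written for this thread, not Cisco ACS code or anything posted by the participants; the directory contents, identities, MAC address and aging value are constructed, and the function names are hypothetical. It shows the asymmetry the thread is about: the MAR condition can refuse a user authentication that was not preceded by a machine authentication from the same calling-station-id, but when the supplicant is set to computer-only it never sends a user request, so there is nothing on the server side to evaluate.

```python
"""Toy model of MAR (Machine Access Restriction) policy evaluation.

Added illustration for the thread; not Cisco ACS code. The directory
contents, identities, MAC addresses and aging value below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the Active Directory external identity store.
DOMAIN_COMPUTERS = {"host/LAPTOP01.example.local"}
DOMAIN_USERS: Dict[str, str] = {"EXAMPLE\\ivan": "correct-horse"}

Decision = Tuple[str, str]  # ("ACCEPT" | "REJECT", reason)


@dataclass
class MarCache:
    """Remembers which calling-station-ids (client MACs) passed machine auth."""
    aging_seconds: int
    entries: Dict[str, int] = field(default_factory=dict)  # mac -> time of machine auth

    def record(self, mac: str, now: int) -> None:
        self.entries[mac] = now

    def is_valid(self, mac: str, now: int) -> bool:
        seen = self.entries.get(mac)
        return seen is not None and now - seen <= self.aging_seconds


@dataclass
class Request:
    calling_station_id: str  # client MAC as carried in the RADIUS request
    identity: str            # "host/<fqdn>" for the machine, "DOMAIN\\user" for a user
    password: Optional[str]
    now: int


def evaluate(req: Request, cache: MarCache) -> Decision:
    """Two policies: one for machine identities, one for users with a MAR condition."""
    if req.identity.startswith("host/"):
        if req.identity in DOMAIN_COMPUTERS:
            cache.record(req.calling_station_id, req.now)
            return ("ACCEPT", "machine-authenticated")
        return ("REJECT", "computer-not-in-domain")

    if DOMAIN_USERS.get(req.identity) != req.password:
        return ("REJECT", "bad-user-credential")
    if not cache.is_valid(req.calling_station_id, req.now):
        # MAR: a user is only accepted from a client that already passed machine auth.
        return ("REJECT", "mar-no-prior-machine-auth")
    return ("ACCEPT", "user-authenticated-after-machine")


def supplicant_session(mode: str, mac: str, cache: MarCache, now: int) -> List[Decision]:
    """Requests a Windows-style supplicant sends for each 802.1X authentication mode.

    The server can only evaluate what the client sends; it has no way to
    solicit a user request that the supplicant never issues.
    """
    machine = Request(mac, "host/LAPTOP01.example.local", None, now)
    user = Request(mac, "EXAMPLE\\ivan", "correct-horse", now + 5)
    if mode == "computer":          # Case 3 in the thread: machine auth only
        return [evaluate(machine, cache)]
    if mode == "user":              # user only: whatever MAR already has for this MAC
        return [evaluate(user, cache)]
    if mode == "user-or-computer":  # machine at boot, then user at logon
        return [evaluate(machine, cache), evaluate(user, cache)]
    raise ValueError(mode)


if __name__ == "__main__":
    one_month = 30 * 24 * 3600
    for mode in ("computer", "user", "user-or-computer"):
        print(mode, supplicant_session(mode, "00:11:22:33:44:55", MarCache(one_month), 0))
```

Running it with a fresh cache, "computer" mode yields a single accepted machine authentication and no user decision at all, "user" mode is rejected by the MAR condition, and "user-or-computer" yields machine then user acceptance. The user-only acceptance that Ivan sees in his Case 2 corresponds to a cache that already holds the client's MAC from an earlier machine authentication within the aging time.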
09-24-2013 08:14 PM
Ivan,
In ACS 5.3, you can do machine authentication followed by a user authentication.
https://supportforums.cisco.com/docs/DOC-21825
~BR
Jatin Katyal
**Do rate helpful posts**
09-24-2013 08:58 PM
Thanks Jatin Katyal
I saw the link, but according to TAC it is not possible to force the second authentication in the ACS v5.3.
Is this true? Is there any paper or PDF that explains it?
Regards
Ivan
09-24-2013 09:04 PM
That's not true.
Please check the below listed link:
~BR
Jatin Katyal
**Do rate helpful posts**
09-25-2013 09:51 PM
Did that help you understand the machine and user authentication (MAR) concept with ACS 5.x?
~BR
Jatin Katyal
**Do rate helpful posts**
09-26-2013 09:22 AM
Hello Jatin, good day. To give the full detail of the problem, I describe it in Spanish.
The problem is the following:
The user configures his wireless network adapter to use computer-only authentication.
When the user does this, the computer sends its domain laptop credential, and the ACS sees the calling station ID of the domain computer, looks it up in its external database, which is Active Directory, and since it matches a domain object, it is authenticated to the wireless network.
But the ACS never requests user authentication, or the user authentication prompt, because the computer has already been authenticated and authorized as a domain object.
What we want is that, whatever configuration the user sets on the wireless network adapter so that authentication is as computer, user or computer, or user only, the ACS always validates and authenticates both the computer and the user account.
That the authentication policy be an AND statement and not an OR. When the user configures the wireless adapter as user or computer, the ACS does execute the authentication policy for user and computer, because it requires the user to validate the computer first.
Our problem is the one described below, Computer + User Authentication Policy: the ACS must always request the user authentication prompt, even if the attribute on the client side is computer-only.
Regards.
Ivan
09-30-2013 04:51 PM
Could you please post the same thing in english ?
~BR
Jatin Katyal
**Do rate helpful posts**
09-30-2013 09:41 PM
Hi Jatin, here is the post in English.
Hi Jatin, good day. To match the detail of the problem as I described it in Spanish:
The problem is as follows:
The user configures his wireless network card to use computer-only authentication.
When the user does this, the computer sends the domain credential of the laptop, and the ACS looks at the calling station ID of the domain computer, looks it up in its external database, which is Active Directory, and since it matches a domain object, it is authenticated to the wireless network.
But the ACS at no time asks for user authentication, or the user authentication prompt, because the computer has already authenticated and been authorized as a domain object.
What is desired is that, whatever settings the user makes on the wireless network card for authentication, either as computer, user or computer, or user only, the ACS always validates and authenticates the computer and the user account.
Let the authentication policy be an AND and not an OR. When the user configures the wireless network card as user or computer, the ACS does run the authentication policy for user and computer, because it requires the user to validate the computer first.
Our problem is the one described above, Computer + User Authentication Policy: the ACS should always ask for the user authentication prompt, even when the client-side attribute is computer-only.
Greetings.
Ivan