Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
527
Views
0
Helpful
6
Replies

Can users authen PEAP only after they login Windows domain?

netcraftjason
Level 1
Level 1

‎01-25-2007 01:12 AM - edited ‎07-03-2021 01:31 PM

Hi All,

My customer's environment is using WLAN Controller and some Cisco APs with ACS 3.3 using PEAP MSCHAPV2. They prefer to only allow the clients whose PC has logged in Windows Domain using Domain Account to associate the "PEAP enable" SSID.

At present, they are using Windows Zero Wireless Configuration to define SSID profile and this "PEAP enable" SSID does not validate server certificate. Now when the user create the SSID profile in his Windows XP and that user is logging to this Windows XP using local computer account, the Windows Zero Wireless Configuration still prompts the user to enter domain credential. And, then after user enter their account information, he will successfully associate to the SSID. But this is what the cusomter concerning because the User can bring their owned computer to easily associate to the company's network. But as I know, the PEAP should surely prompt us to enter credential.

So do there have any method which can force that user's PC cannot associate the SSID while the user is using local computer account to login Windows XP?

Any one can help me? Thank you very much!!!

Jason,

Thanks

Labels:
0 Helpful
6 Replies 6

robert.wright
Level 1
Level 1

‎01-25-2007 08:41 PM

Let me give this a shot...

Your client is concerned that users may bring in their own personal laptops and use it to gain access to the wireless network? Is this correct?

A tip: You can automatically pass the logged in credentials and not prompt the user. Go into the properties of the SSID in question, click on authentication then hit properties.. Lower right corner if your using 'secured password( EAP-MSCHAP v2 ), hit configure. and hit the check box for automatically use my windows login and password.

Back to the problem.. By using MAC filtering you can limit the PCs which are permited to connect to the wireless network. The use of a wireless IDS will permit you, when properly deployed to locate rogue devices in your environment. Note however that this can be a bit of work depending on the environment, as you need to compile the list of stations which are permitted.

MAC addresses can be spoofed so its not a fail safe, however your IDS will detect this.

0 Helpful

netcraftjason
Level 1
Level 1
In response to robert.wright

‎01-25-2007 11:13 PM

Hi Robert,

Very thanks for your reply!

Yes, my customer is concerning that users may bring in their own personal laptops and then gain access to the network.

With regard to your tips, that also is not secure because user can deselect the check box if he has the right to manage his own laptop.

And I think the MAC filtering is a good solution for this case. But I would like to ask you can Mac Filtering work with 802.1X on my WLC2000 and WLC4400 with ACS server?

And is there any other solution for this? For example, can some settings on ACS also solve this security problem?

Very thanks!

Jason

0 Helpful

jafrazie
Cisco Employee
Cisco Employee
In response to robert.wright

‎01-26-2007 06:43 AM

If anyone has security concerns with MAC filtering (spoofing possibility), ACS also has the Machine Access Restriction feature. With this, you can couple the notion of machine-auth and user-auth. An oterhwise valid auth attempt can be denied for a user if not preceeded with machine-auth. Other than that, machine-auth and user-auth don't have anything to really do with one another. This can give you protection against user bringing in their own machines as well. And a reminder, the use of TLS could address this by brute force as well.

Hope this helps,

0 Helpful

netcraftjason
Level 1
Level 1
In response to jafrazie

‎01-27-2007 02:08 AM

Hi Jafrazie,

Thanks for your reply!

But how can I couple the machine authentication and user authentication together for valid user association to the network? In my customer environment, the ACS is set to allow machine authentication which the machine is in their Windows Domain so that the user can successfully login to Windows when there is no user's credential cached in that Windows Computer and when no cable connection to network for that computer.

And as I know, the user-auth and machine-auth is independence with one another. So how to couple them on ACS? Hope you could help me for this! Thank you very much!

Jason

0 Helpful

jafrazie
Cisco Employee
Cisco Employee
In response to netcraftjason

‎01-27-2007 07:52 AM

You can couple the machine authentication and user authentication together for valid user association to the network with ACS.

This should get you squared away:

<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e99e.html#wp354105>

Hope this helps,

0 Helpful

netcraftjason
Level 1
Level 1
In response to jafrazie

‎01-29-2007 06:38 PM

Hi All,

I have enabled Machine Access Restriction on my customer's ACS server and now unauthorized laptops cannot associate to the network without first time machine authentication.

Thanks all!

Jason

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card