Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Can users authen PEAP only after they login Windows domain?

Hi All,

My customer's environment is using WLAN Controller and some Cisco APs with ACS 3.3 using PEAP MSCHAPV2. They prefer to only allow the clients whose PC has logged in Windows Domain using Domain Account to associate the "PEAP enable" SSID.

At present, they are using Windows Zero Wireless Configuration to define SSID profile and this "PEAP enable" SSID does not validate server certificate. Now when the user create the SSID profile in his Windows XP and that user is logging to this Windows XP using local computer account, the Windows Zero Wireless Configuration still prompts the user to enter domain credential. And, then after user enter their account information, he will successfully associate to the SSID. But this is what the cusomter concerning because the User can bring their owned computer to easily associate to the company's network. But as I know, the PEAP should surely prompt us to enter credential.

So do there have any method which can force that user's PC cannot associate the SSID while the user is using local computer account to login Windows XP?

Any one can help me? Thank you very much!!!

Jason,

Thanks

6 REPLIES

Re: Can users authen PEAP only after they login Windows domain?

Let me give this a shot...

Your client is concerned that users may bring in their own personal laptops and use it to gain access to the wireless network? Is this correct?

A tip: You can automatically pass the logged in credentials and not prompt the user. Go into the properties of the SSID in question, click on authentication then hit properties.. Lower right corner if your using 'secured password( EAP-MSCHAP v2 ), hit configure. and hit the check box for automatically use my windows login and password.

Back to the problem.. By using MAC filtering you can limit the PCs which are permited to connect to the wireless network. The use of a wireless IDS will permit you, when properly deployed to locate rogue devices in your environment. Note however that this can be a bit of work depending on the environment, as you need to compile the list of stations which are permitted.

MAC addresses can be spoofed so its not a fail safe, however your IDS will detect this.

Community Member

Re: Can users authen PEAP only after they login Windows domain?

Hi Robert,

Very thanks for your reply!

Yes, my customer is concerning that users may bring in their own personal laptops and then gain access to the network.

With regard to your tips, that also is not secure because user can deselect the check box if he has the right to manage his own laptop.

And I think the MAC filtering is a good solution for this case. But I would like to ask you can Mac Filtering work with 802.1X on my WLC2000 and WLC4400 with ACS server?

And is there any other solution for this? For example, can some settings on ACS also solve this security problem?

Very thanks!

Jason

Cisco Employee

Re: Can users authen PEAP only after they login Windows domain?

If anyone has security concerns with MAC filtering (spoofing possibility), ACS also has the Machine Access Restriction feature. With this, you can couple the notion of machine-auth and user-auth. An oterhwise valid auth attempt can be denied for a user if not preceeded with machine-auth. Other than that, machine-auth and user-auth don't have anything to really do with one another. This can give you protection against user bringing in their own machines as well. And a reminder, the use of TLS could address this by brute force as well.

Hope this helps,

Community Member

Re: Can users authen PEAP only after they login Windows domain?

Hi Jafrazie,

Thanks for your reply!

But how can I couple the machine authentication and user authentication together for valid user association to the network? In my customer environment, the ACS is set to allow machine authentication which the machine is in their Windows Domain so that the user can successfully login to Windows when there is no user's credential cached in that Windows Computer and when no cable connection to network for that computer.

And as I know, the user-auth and machine-auth is independence with one another. So how to couple them on ACS? Hope you could help me for this! Thank you very much!

Jason

Cisco Employee

Re: Can users authen PEAP only after they login Windows domain?

You can couple the machine authentication and user authentication together for valid user association to the network with ACS.

This should get you squared away:

<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e99e.html#wp354105>

Hope this helps,

Community Member

Re: Can users authen PEAP only after they login Windows domain?

Hi All,

I have enabled Machine Access Restriction on my customer's ACS server and now unauthorized laptops cannot associate to the network without first time machine authentication.

Thanks all!

Jason

286
Views
0
Helpful
6
Replies
CreatePlease to create content