Cisco Support Community
New Member

ACS 4.2 Windows wifi auth using MAR + peap + eap-tls

OK I have seen more than a few questions out there with WIFI credential authentication methods and things people are doing but of course my challenge is unique (to me). I along with everyone else want to omit non domain computers from my organization's wireless. I have been playing with the EAP-TLS methods as well as the MAR setting. Right now I am successful at authenticating username password + user certificate for authorization to my wireless lans. I also can set a group up and authenticate successfully with a machine cert using MAR and forcing the windows supplicant to auth the machine against my wifi. I cannot though combine the two. I actually don't know if it is even possible so that's why I am here posting this question.

Question: Is there a way I can use both PEAP for username password AND MAR EAP-TLS for authenticating my clients to our wifi? If so the benefit would be my users would not have to download a user cert and the built in domain cert could be checked against for the machine authentication.

When selecting the "user or computer authentication" it seems the windows supplicant is only passing the user authentication and not the machine.

Is there a solution for windows clients in order to authenticate with username password then also check the machine as well?

Thanks for any feedback you can provide,

New Member

Re: ACS 4.2 Windows wifi auth using MAR + peap + eap-tls

I am wanting to do the exact same thing! If I use PEAP, then a user could just configure it on a non authorized device. Not something I want. Then, if I use EAP-TLS and use machine certificates, if the machine is stolen, the user has access to my network. Not something I want. I would like to combine the two, if possible as well.

A work around would be to use mac authentication in substitution for EAP-TLS machine authentication, but not sure I want to do that either. The other problem is depending on how the user sets up their wireless, if they have it remember the PEAP password, then they cause problems when they are required to change their password and the PEAP settings remember the old password.

New Member

Re: ACS 4.2 Windows wifi auth using MAR + peap + eap-tls

Well first off I appreciate you being able to reply to my post. I thought there would be an answer right away but I guess things can sit in the forums waiting for an answer a while. I have since changed gears and am going to look at securing the wifi access by user cert instead. I have successfully secured access using a user cert by EAP-TLS but the weak point was that the user cert was able to be extracted and moved to a non corporate machine.

My avenue of attack now is that I will be investigating ways to secure the user certificate. Correct me if I am wrong but the user cert can possibly be installed to a computer with non exportable keys. This means you cannot extract it and place into another computer without losing the authenticity and thus the cert would be no good in another computer. Soooo I intend on playing a little bit of politics with our pc/server group and giving them the responsibility of creating and distributing a secure user cert to each corporate machine. This way EAP-TLS will qualify "dual factor" authentication with username password as well as the user cert. I would like to get the MAR going but it seems the burden of the client supplicant not working correctly is not under my control. I think it may be easier to get the user cert secured and distributed correctly without risk than going any other way. Also mac authentication would be cool but can that be combined with username password to active directory for authentication? If not then you're in the same boat as MAR with machine cert whereas a machine can be on your network no matter who's behind the wheel.

I hope we can get a few others involved as this is very important to me. I cannot believe there are not many others that are interested in this. Either I have it wrong or nobody out there is going that far for authentication. I think although this is for wifi I intend to roll out whatever solution to my ethernet ports later on as well.

Thanks again for your input, I appreciate knowing there's others out there with the same challenges in this area....



Re: ACS 4.2 Windows wifi auth using MAR + peap + eap-tls

If I understand it correctly, what you want to achieve is to use both user auth and machine auth for the client? If that's the case, you can use PEAP/MSCHAPv2+Machine auth. For how to configure it, you can refer:
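The following is an added example, not code from this thread or from Cisco ACS. It is a small Python model of what the PEAP/MSCHAPv2 + machine authentication combination (ACS Machine Access Restrictions, MAR) decides: a successful machine authentication (the Windows supplicant's host/<computername> identity) is cached against the client's Calling-Station-Id for the configured aging time, and a later user login from that MAC is only treated as fully authenticated when a fresh machine entry exists. The MAC normalization, the 12-hour aging value, the scenario names and every identity, MAC and timestamp are constructed for the example; the four scenarios correspond to the cases raised earlier in the thread (domain laptop, PEAP on a personal device, stolen laptop, stale machine auth).

```python
# Added example (not from the thread or Cisco ACS): toy model of how ACS 4.x
# Machine Access Restrictions (MAR) tie a user authentication to an earlier
# machine authentication from the same Calling-Station-Id, with an aging time.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Tuple


def normalize_mac(calling_station_id: str) -> str:
    """Collapse the Calling-Station-Id formats different NAS types send
    (00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455) to 12 hex digits,
    so the machine and user sessions of one client compare equal."""
    mac = "".join(ch for ch in calling_station_id.lower() if ch in "0123456789abcdef")
    if len(mac) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return mac


@dataclass
class MarCache:
    """Successful machine authentications, one entry per client MAC.

    aging_hours plays the role of the MAR aging time (12 h here is a
    constructed value): an entry older than this no longer satisfies MAR."""
    aging_hours: int = 12
    entries: dict = field(default_factory=dict)  # mac -> (host identity, timestamp)

    def record_machine_auth(self, calling_station_id: str, identity: str, when: datetime) -> None:
        # Windows authenticates the computer as host/<computername>; only such
        # identities populate the cache, a user login never does.
        if not identity.lower().startswith("host/"):
            raise ValueError(f"not a machine identity: {identity!r}")
        self.entries[normalize_mac(calling_station_id)] = (identity, when)

    def machine_authenticated(self, calling_station_id: str, when: datetime) -> bool:
        entry = self.entries.get(normalize_mac(calling_station_id))
        if entry is None:
            return False
        _, seen_at = entry
        return when - seen_at <= timedelta(hours=self.aging_hours)


def evaluate_user_auth(cache: MarCache, calling_station_id: str, user_identity: str,
                       credentials_ok: bool, when: datetime) -> Tuple[bool, str]:
    """Decide a user (PEAP/MSCHAPv2) login the way MAR does: the user's own
    credentials must be good AND the same MAC must hold a fresh machine auth."""
    if not credentials_ok:
        return False, f"{user_identity}: user credentials rejected"
    if not cache.machine_authenticated(calling_station_id, when):
        return False, f"{user_identity}: no fresh machine auth for this MAC, MAR applies"
    return True, f"{user_identity}: user and machine both authenticated"


def run_scenarios() -> dict:
    """Constructed scenarios matching the cases discussed in the thread."""
    t0 = datetime(2010, 3, 1, 8, 0)
    cache = MarCache(aging_hours=12)

    # Domain laptop: supplicant machine-authenticates at boot, user logs in later.
    cache.record_machine_auth("00-1A-2B-3C-4D-5E", "host/LAPTOP01.corp.example", t0)
    domain_laptop = evaluate_user_auth(cache, "00:1a:2b:3c:4d:5e", "jdoe", True,
                                       t0 + timedelta(minutes=5))

    # Same user on a personal device configured for PEAP only: no machine auth exists.
    personal_device = evaluate_user_auth(cache, "0011.2233.4455", "jdoe", True,
                                         t0 + timedelta(minutes=10))

    # Stolen domain laptop: the machine cert still works, but the password is missing.
    stolen_laptop = evaluate_user_auth(cache, "00-1A-2B-3C-4D-5E", "jdoe", False,
                                       t0 + timedelta(hours=1))

    # Machine auth older than the aging time: the laptop has to machine-auth again.
    stale = evaluate_user_auth(cache, "00-1A-2B-3C-4D-5E", "jdoe", True,
                               t0 + timedelta(hours=13))

    return {"domain_laptop": domain_laptop[0], "personal_device": personal_device[0],
            "stolen_laptop": stolen_laptop[0], "stale_machine_auth": stale[0]}


if __name__ == "__main__":
    for name, granted in run_scenarios().items():
        print(f"{name}: {'ACCEPT' if granted else 'REJECT'}")
```

Two caveats when reading this against a real ACS deployment: MAR does not necessarily reject a user whose MAC has no cached machine entry, it maps that user to whatever group is configured for "user authentication without machine authentication" (commonly one with no network access), so the model's False should be read as "restricted", and the cache only ever fills if the supplicant actually performs the machine authentication, which is exactly the supplicant behaviour the original poster saw missing with the "user or computer authentication" setting.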