Only allow domain computers to connect to WLAN

I am going in circles here.  First off, I apologize for posting this question if it has been covered in the past (if you have another thread to suggest, I invite you to point me to it!)  I have done quite a bit of searching on several forums and articles and support sites.  But I am missing something.

I am working with HP Procurve 420 wireless access points (they purchased these before I started.)   I have set up Cisco Secure ACS 4.2 for Windows.  I have configured external database group mappings to Active Directory and dynamic VLAN assignment per group.  I set up the ACS certificate, and the certificate authority is our own CA server on our network.  Users can successfully authenticate and connect to the appropriate VLAN right now.  This is where I am stumped.  I only want our computers to be able to connect.

1. How/What/Where do I go from here if I only want to allow computers on our domain to connect to the enterprise wireless connection?   Do I setup some sort of other certificate that gets distributed by GPO or something?  And/or is there something in ACS that I can change?

2. What is the ACS certificate I already have installed on the ACS server doing?  Is it encrypting the authentication process that takes place when a user is establishing a connection?

3. How have you guys done this on your own networks?  Am I going about this the wrong way? What do you suggest?

The end goal is that I want a user with a company laptop to be able to connect to the wireless network, authenticate and be placed in the appropriate VLAN (which is working now), but I don't want them to be able to do this with just any device; I want to somehow manage and restrict which computers can connect.  Please help!!!!

2 ACCEPTED SOLUTIONS

Re: Only allow domain computers to connect to WLAN

1 - I think you can use the group mapping (see page 603 of the ACS 4.2 user guide) to utilize the domain computers group.  Deny access to any other group (via the No Access Group)


2 - At the beginning of each EAP conversation, the ACS server will offer the certificate as proof of who it is.  If the client trusts the cert, then the client will continue with the authentication process.  This is how you help ensure that your clients only connect to your network.  If you configure the clients to ignore the cert, and someone else pops up a network with your SSID, your clients might try to connect.

3 -  Lots of companies complain about not being able to control which devices connect to their network.  This is one way to do that.  By just using PEAP with user accounts, any iPhone/iPad/personal laptop/whatever can connect to your wireless network if the user knows how to set it up.

If you move forward with this, please post back and let us know how it works out.

Gold

Re: Only allow domain computers to connect to WLAN

If you have ACS why don't you just use MAR (machine access restrictions)?  If the user doesn't pass machine authentication the ACS won't pass his user authentication.

11 REPLIES

Community Member

Re: Only allow domain computers to connect to WLAN

OK, after plenty of reading I finally have my head wrapped around PEAP, and although I was doing it without really understanding it, it appears I have that portion all configured correctly.  I already have the certificate configured with our own CA.  I have groups mapped to my Windows domain groups, which authenticates the user and assigns them to their VLAN.  All of that is working great.

Now I'm trying to figure out how to make Machine Access Restriction work, and I must be missing something.

1. I've mapped an ACS group to my windows domain group "domain.com\domain computers."

2. Under the Windows database configuration I have enabled the Machine Access Restriction check box, and left the "Group map for successful user authentication without machine authentication:" option at "No Access."  This is to satisfy my requirement that only domain computers will be able to connect regardless of the user authentication.  BUT, this is preventing any connection at all, and I've tested with a Windows XP laptop configured for PEAP and computer authentication, and it was connecting fine before I enabled MAR.  AS SOON as I uncheck the Machine Access Restriction check mark under Windows database configuration I'm then able to connect again.  ....  This laptop is a member of "domain.com\domain computers", but it does not show up in the ACS group as a dynamic user.

So I'm trying to figure out what I'm missing to get the machine to authenticate, simply mapping the group did not work.

EDIT:

Looks like I need to confirm that machine authentication is permitted in Active Directory first.  Looking there now...

Community Member

Re: Only allow domain computers to connect to WLAN

Yes, you should be issuing certificates through Group Policy. The domain machines you specify will then have the appropriate certificate for 802.1X authentication. You should also create a wireless GPO and specify the appropriate settings (WPA-TKIP and 802.1X for authentication). You must also specify the Root Certification Authority within the wireless GPO and push this policy to the same machines you applied the certificate GPO to. You may also choose not to broadcast the SSID; this at least restricts users from browsing for your WLAN.

Hope this helps!

Community Member

Re: Only allow domain computers to connect to WLAN

Steps I would take:

1. Create the Cert Authority

2. Create the Certificate Autoenrollment Group Policy

3. Download and install the newly created certificate to the ACS local certificate storage.

4. Bind ACS to Active Directory (be sure you have a domain admin user set to log on as a service on the cert server, as well as the ACS remote agent installed)

5. Create the Wireless GPO

- Name

- Any available network

- Use Windows to configure wireless network settings for clients

Preferred Networks

- add

- SSID

- WPA, TKIP

IEEE 802.1x:

- Protected EAP

- Validate Server Certificate

- Trusted Root Certification Authority

- Do not prompt users......

- Secured password (EAP-MSCHAPv2)

- configure - Automatically use my windows logon name and password (and domain if any)

Community Member

Re: Only allow domain computers to connect to WLAN

Thank you all for the input. I'm currently reading up and studying the methods each of you have described. This endeavor is illustrating my lack of understanding of the various things you can do with ACS.

I will post an update as I progress.

Jszapipes, thanks for the input and the link. This will help big time.

Thanks,

PW


Community Member

Re: Only allow domain computers to connect to WLAN

How do your machines get their certificates? Can you verify your CA has issued certificates to the machines you've specified? It seems that the machines are not getting certificates and as result will not be granted access when "Group map for successful user authentication without machine authentication:" is set to "No Access."  

Community Member

Re: Only allow domain computers to connect to WLAN

Jszapipes,

All of the domain computers have the CA in their "trusted root certification authorities" list and under the PEAP settings it is checked to validate the server certificate, with our CA checked. Is this what you're referring to?

For the matter of testing, I have also installed the ACS server certificate (issued by our CA that I was talking about above) manually to a laptop that I am testing with. I checked it under the "validate the server certificate." But from my reading I did not think this was a requirement. Also, I still get the same error.

When I have MAR enabled, below is the error that is showing up in ACS under the failed authentications report:

"Authentication Failure Code: Windows External DB user access was denied due to a Machine Access Restriction"

Thanks,

PW

Community Member

Re: Only allow domain computers to connect to WLAN

OK making some progress, but still stuck on Machine Authentication Restriction.

One problem I was having was that I did not have the Dial-In tab in Active Directory, so once I learned of the workaround I was able to access those options for the computer accounts and "Allow" the remote access for machine authentication.

So, with that said, now when I connect to the wlan, I see in the "Passed Authentications" report on ACS that the computer account authenticates, the computer is then added to the group on ACS as a dynamic user (ie. Host/computername.domainname.com) and then the user authentication is completed and the computer is put in the correct vlan with the correct IP address/subnet.   So, unless I'm not understanding this correctly, this indicates machine authentication is working correctly, right?

Now: As soon as I change the windows database configuration and check the option to "Enable Machine Access Restrictions," then click the submit button, I see "Submitting the configuration changes removes the dynamic users linked to the database."

Now the ACS group that is mapped to the domain computers group is empty.  I try to authenticate to the WLAN and authentication fails.  In the Failed Attempts report on ACS I see: "Windows External DB user access was denied due to a Machine Access Restriction"

I've looked at the unknown user policy but that just asks you to point to another database.  It does not seem to look at the windows user database for the group mapping.....   Any thoughts?
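To make the behaviour observed in this post concrete, here is an added toy model of the MAR decision (illustration only, not Cisco ACS code or anything from the thread): machine authentication as host/<name> populates the dynamic-user cache, user authentication is granted only if that machine authenticated recently, and submitting the Windows database configuration empties the cache. The aging timer value, the group names and the MAC/hostname sample data are constructed assumptions.

```python
# Toy model (added example, not ACS code) of the Machine Access Restriction decision.
from dataclasses import dataclass, field

NO_ACCESS = "No Access"
MAR_DENIED = "Windows External DB user access was denied due to a Machine Access Restriction"

@dataclass
class MarPolicy:
    enabled: bool = True
    aging_hours: float = 12.0                 # assumed value for the MAR aging timer
    no_machine_auth_group: str = NO_ACCESS    # "Group map for successful user auth without machine auth"
    # the "dynamic users": MAC -> time (seconds) of the last successful host/ authentication
    machine_cache: dict = field(default_factory=dict)

    def machine_auth(self, mac, identity, domain_computers, now):
        """Computer-account authentication (identity host/<name>.<domain>); the account must exist in AD."""
        if not identity.lower().startswith("host/"):
            return False
        short_name = identity[5:].split(".")[0].lower()
        if short_name not in domain_computers:
            return False
        self.machine_cache[mac] = now         # computer becomes a dynamic user in the mapped group
        return True

    def user_auth(self, mac, user_group, now):
        """Return (granted, group-or-failure-reason) for a user authentication from device `mac`."""
        if not self.enabled:
            return True, user_group
        seen = self.machine_cache.get(mac)
        if seen is not None and now - seen <= self.aging_hours * 3600:
            return True, user_group           # machine authenticated recently: user gets mapped group
        if self.no_machine_auth_group == NO_ACCESS:
            return False, MAR_DENIED          # the message seen in the Failed Attempts report
        return True, self.no_machine_auth_group

    def submit_config(self):
        """Submitting the Windows DB configuration removes the dynamic users (as the post observed)."""
        self.machine_cache.clear()

def scenario():
    """Replay the sequence from the post with constructed sample data; returns the outcomes in order."""
    domain_computers = {"laptop01"}           # constructed 'Domain Computers' membership
    pol = MarPolicy()
    out = []
    out.append(pol.machine_auth("00:11:22:33:44:55", "host/laptop01.domain.com", domain_computers, now=0))
    out.append(pol.user_auth("00:11:22:33:44:55", "Engineering-VLAN", now=60))      # machine then user: OK
    pol.submit_config()                                                               # enabling MAR clears cache
    out.append(pol.user_auth("00:11:22:33:44:55", "Engineering-VLAN", now=120))     # user alone: denied
    out.append(pol.user_auth("aa:bb:cc:dd:ee:ff", "Engineering-VLAN", now=120))     # personal device: denied
    out.append(pol.machine_auth("aa:bb:cc:dd:ee:ff", "host/homepc.domain.com", domain_computers, now=120))
    return out
```

Until the cleared machine has authenticated again as host/<name> (normally at its next boot), its user's credentials alone cannot pass, which matches the empty group and the MAR failure message reported above.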

Community Member

Re: Only allow domain computers to connect to WLAN

I have ranked each person on here with five stars for the input that lead me to the solution that worked for my environment.

Thank you all.  I am marking this as the answer to the solution because it contains the information in one post.

Please see the attached illustration of what is working for me.

I apologize for grammar or lack of proper flow chart symbols.  I drew this as kind of a "thousand foot view" of the setup to illustrate to my manager how this would work.  And right now it is working great!!!  There are many details that could be listed for each different variable, and for each different environment, so please read this as a general overview.

Again,  THANK YOU for the support.
