Cisco Support Community

Community Member

PEAP User + Machine Authentication

Hi,

   I tried PEAP machine and user authentication together with ACS 5.3. But if we are selecting only computer authentication on the client side, we are able to connect without even being prompted for the username and password.

Is there any way to enforce both authentications?

Best Regards

Sreejith R

49 REPLIES
Hall of Fame Super Silver

PEAP User + Machine Authentication

Are you using Windows 7? If so, you can, but I know that Windows XP can only do user. Also, this depends on how you set up your policy in ACS 5.3. Post some screenshots so we can take a look.

-Scott
*** Please rate helpful posts ***
Community Member

PEAP User + Machine Authentication

I am trying with Windows 7. There are three options:

1. User or Computer Authentication: It's working as expected. I can see both successful authentications in the logs.

2. User Authentication: It's working as expected. Because of the Was Machine Authenticated attribute, the authentication fails.

3. Computer Authentication: Once the computer passes authentication, the client successfully connects to wireless without the username and password.

I did the following steps:

1. Enabled machine authentication

2. Enabled MAR with 1 hour

3. Added the computer and user groups in the ACS

4. Added the protocol, External groups & Was Machine Authenticated in the authorization list.

Please let me know if any changes have to be done, or if this is the way machine authentication works.

Best Regards

Sreejith R

Hall of Fame Super Silver

PEAP User + Machine Authentication

On the client side you need to choose:

1. User or Computer Authentication

Now can you post a screenshot of your failed attempts in ACS?

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: PEAP User + Machine Authentication

Can you also post screenshots of the failed attempts using the username as well?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Community Member

PEAP User + Machine Authentication

This is a customer requirement. We cannot force the client to use only user or computer authentication. The client may try with user authentication, computer authentication & user or computer authentication.

We need to configure ACS in such a way that only the user or computer authentication will work.

Sorry, I don't have the screenshots with me.

Hall of Fame Super Silver

PEAP User + Machine Authentication

I know it works, because I have done that in the past. It must be how the policy is configured on ACS.

-Scott
*** Please rate helpful posts ***
Community Member

PEAP User + Machine Authentication

I didn't see any option in the policy. Could you please share information on how we need to configure the policy to enforce both authentications?

Hall of Fame Super Silver

PEAP User + Machine Authentication

I will try to dig something up, but being able to see the failed logs helps, since there are various ways to set up policies.

-Scott
*** Please rate helpful posts ***
Community Member

PEAP User + Machine Authentication

I will also try to get the logs by tomorrow.

But if you are selecting computer authentication on the client side, you will not see any failed logs in the ACS.

If you are selecting user authentication on the client side, in the failed logs you will see that the machine was not authenticated.

If you are selecting user or computer authentication on the client side, then you will also not see any failed logs.

Hall of Fame Super Silver

PEAP User + Machine Authentication

But if you are selecting computer authentication on the client side, you will not see any failed logs in the ACS.

That is because the policy configured in ACS right now is only working for machine authentication.

If you are selecting user authentication on the client side, in the failed logs you will see that the machine was not authenticated.

This is because the user authentication part is failing or not configured correctly.

If you are selecting user or computer authentication on the client side, then you will also not see any failed logs.

This is because of the "OR" on the client side. You specify to send both user and machine, but your policy is only looking for machine, not user.

-Scott
*** Please rate helpful posts ***
Community Member

PEAP User + Machine Authentication

No, the user authentication is failing because of the Was Machine Authenticated attribute in the policy. If the client is selecting only user authentication, ACS will block access because of the Was Machine Authenticated attribute. If we remove that attribute, it will work for user authentication as well.

If we are selecting user or computer authentication, both authentications work. We can see in the ACS logs that both user and machine authentication passed.

What is happening is that, since machine authentication happens prior to user authentication, once the machine authentication passes ACS grants access to the client without checking any other rules. How can we override this?

Hall of Fame Super Silver

Re: PEAP User + Machine Authentication

Have you tried using AD1:ExternalGroups "contains all" in your authorization policy, listing the specific AD group and including the computer group?

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: PEAP User + Machine Authentication

Okay.... I decided to lab this up and here is how to set this up. After you have set this up, make sure you reboot the client device (Windows 7) so that ACS knows that this device has authenticated using machine authentication. These policies are customizable, so here is the basic setup that you have to do.

Also note: when you first connect, you will see the machine and user being authenticated; then, if you disconnect and reconnect, you will only see the username come through, because it is cached due to the Aging Time you will set in ACS.

Attached is a PDF so hopefully this helps.

-Scott
*** Please rate helpful posts ***
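To make the behaviour discussed in this thread concrete, here is a toy model of first-match authorization with a MAR cache (an added illustration, not ACS code and not anything posted above). It reproduces the three client-side outcomes Sreejith describes, the cached-user reconnect and the Aging Time expiry Scott mentions, and shows one assumed mitigation: giving the machine-authentication rule a restricted profile instead of full access. Rule order, the profile names and keying the cache on the client MAC address are assumptions of the model.

```python
from dataclasses import dataclass, field

# Toy model of first-match authorization with a MAR cache. Not ACS code: rule
# order, the "full_access"/"machine_only" profile names and keying the cache on
# the client MAC address are assumptions made for this illustration.

@dataclass
class MarCache:
    aging_seconds: int                        # the MAR "Aging Time" from the thread
    seen: dict = field(default_factory=dict)  # mac -> time of last machine auth

    def record(self, mac, now):
        self.seen[mac] = now

    def was_machine_authenticated(self, mac, now):
        t = self.seen.get(mac)
        return t is not None and (now - t) <= self.aging_seconds


def evaluate(request, cache, machine_profile="full_access"):
    """Evaluate one access request top-down; return the authorization profile."""
    identity, mac, now = request["identity"], request["mac"], request["time"]
    if identity.startswith("host/"):          # rule 1: computer group (machine auth)
        cache.record(mac, now)
        return machine_profile
    if cache.was_machine_authenticated(mac, now):  # rule 2: user group AND Was Machine Authenticated
        return "full_access"
    return "deny"                             # default rule


def run(sequence, aging_seconds=3600, machine_profile="full_access"):
    """Evaluate a sequence of requests against a fresh MAR cache."""
    cache = MarCache(aging_seconds)
    return [evaluate(r, cache, machine_profile) for r in sequence]


def req(identity, time, mac="00:11:22:33:44:55"):
    return {"identity": identity, "mac": mac, "time": time}

# Constructed request sequences matching the three client-side settings.
COMPUTER_ONLY = [req("host/PC1.corp.example", 0)]
USER_ONLY = [req("CORP\\alice", 0)]
USER_OR_COMPUTER = [
    req("host/PC1.corp.example", 0),   # after reboot: machine auth first
    req("CORP\\alice", 5),             # then user auth, MAR cache hit
    req("CORP\\alice", 600),           # reconnect: only the user is seen, still cached
    req("CORP\\alice", 4000),          # after Aging Time (1 hour): MAR cache miss
]

if __name__ == "__main__":
    print(run(COMPUTER_ONLY), run(USER_ONLY), run(USER_OR_COMPUTER))
    print(run(COMPUTER_ONLY, machine_profile="machine_only"))
```

With the default policy the computer-only sequence gets full access from rule 1 alone, which is exactly the problem in the original question; with the machine rule mapped to a restricted profile, a machine that never follows up with a user authentication gets only that restricted profile.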
Hall of Fame Super Silver

PEAP User + Machine Authentication

Let me know if the doc doesn't help.

-Scott
*** Please rate helpful posts ***