PEAP User + Machine Authentication

sreejith_r (Level 1)

Hi,

I tried PEAP machine and user authentication together with ACS 5.3. But if we select only computer authentication on the client side, we are able to connect without even being prompted for the username and password.

Is there any way to enforce both authentications?

Best Regards

Sreejith R

49 Replies

Scott Fella (Hall of Fame)

Are you using Windows 7? If so, you can, but I know that Windows XP can only do user. Also, this depends on how you set up your policy in ACS 5.3. Post some screenshots so we can take a look.

-Scott
*** Please rate helpful posts ***

I am trying with Windows 7. There are three options:

1. User or Computer Authentication: It works as expected. I can see both successful authentications in the logs.

2. User Authentication: It works as expected. Because of the "Was machine authenticated" attribute, the authentication fails.

3. Computer Authentication: Once the computer passes the authentication, the client successfully connects to wireless without the username and password.

I did the following steps:

1. Enabled machine authentication

2. Enabled MAR with 1 hour

3. Added the computer and user groups in the ACS

4. Added the protocol, External groups & "Was machine authenticated" in the authorization list.

Please let me know if any changes have to be done, or if this is the way machine authentication works.

Best Regards

Sreejith R

On the client side you need to choose:

1. User or Computer Authentication

Now can you post a screenshot of your failed attempts in ACS?

-Scott
*** Please rate helpful posts ***

Scott Fella (Hall of Fame)

Can you also post screenshots of the failed attempts using the username as well?

-Scott
*** Please rate helpful posts ***

This is a customer requirement. We cannot force the client to use only user or computer authentication. The client may try with user authentication, computer authentication, or user or computer authentication.

We need to configure ACS in such a way that only user or computer authentication will work.

Sorry, I don't have the screenshots with me.

I know it works, because I have done that in the past. It must be how the policy is configured on ACS.

-Scott
*** Please rate helpful posts ***

I didn't see any option in the policy. Could you please share information on how we need to configure the policy to enforce both authentications?

I will try to dig something up, but being able to see the failed logs helps, since there are various ways to set up policies.

-Scott
*** Please rate helpful posts ***

I will also try to get the logs by tomorrow.

But if you are selecting computer authentication on the client side, you will not see any failed logs in the ACS.

If you are selecting user authentication on the client side, in the failed logs you will see that the machine was not authenticated.

If you are selecting user or computer authentication on the client side, then also you will not see any failed logs.

But if you are selecting computer authentication on the client side, you will not see any failed logs in the ACS.

That is because the policy configured in ACS right now is only working for machine authentication.

If you are selecting user authentication on the client side, in the failed logs you will see that the machine was not authenticated.

This is because the user authentication part is failing or not configured correctly.

If you are selecting user or computer authentication on the client side, then also you will not see any failed logs.

This is because of the "OR" on the client side. You specify to send both user and machine, but your policy is only looking for machine, not user.

-Scott
*** Please rate helpful posts ***

No, the user authentication is failing because of the "Was machine authenticated" attribute in the policy. If the client selects only user authentication, ACS will block the access because of the "Was machine authenticated" attribute. If we remove that attribute, it works for user authentication as well.

If we select user or computer authentication, both authentications work. We can see in the ACS logs that both user and machine authentication passed.

What is happening is that, since machine authentication happens prior to user authentication, once the machine authentication passes, ACS grants access to the client without checking any other rules. How can we override this?

Have you tried using AD1:ExternalGroups "contains all" in your authorization policy, listing the specific AD group and including the computer group?

-Scott
*** Please rate helpful posts ***

Okay... I decided to lab this up, and here is how to set this up. After you have set this up, make sure you reboot the client device (Windows 7) so that ACS knows that this device has authenticated using machine authentication. These policies are customizable, so here is the basic setup that you have to do.

Also note, when you first connect, you will see the machine and user being authenticated; then if you disconnect and reconnect, you will only see the username come through, because it is cached due to the Aging Time you will set in ACS.

Attached is a PDF, so hopefully this helps.

-Scott
*** Please rate helpful posts ***
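The behaviour described across this thread (machine authentication admitting the client on its own, user authentication gated by "Was machine authenticated", the MAR aging time, and the reconnect where only the username appears) follows from how the MAR cache is evaluated. The following is an added toy model of that evaluation written for this page; it is not Cisco ACS code and not taken from the attached PDF. The AD group names, the host/ machine identity, the client MAC and the rule wording are constructed assumptions that approximate the GUI objects the posts mention.

```python
# Added illustration: a toy model of Machine Access Restriction (MAR) as the
# thread describes it.  It is NOT Cisco ACS code; group names, identities and
# rule wording are assumptions that approximate the objects the posts mention.
from dataclasses import dataclass, field

MAR_AGING_SECONDS = 3600            # the thread's "MAR with 1 hour"
MACHINE_GROUP = "Domain Computers"  # assumed AD group names
USER_GROUP = "Domain Users"

# Constructed directory: which AD group each PEAP inner identity belongs to.
AD_GROUPS = {
    "host/ws01.example.local": MACHINE_GROUP,   # Windows machine account
    "EXAMPLE\\alice": USER_GROUP,               # interactive user
}


@dataclass
class MarCache:
    """Maps Calling-Station-Id (client MAC) to the time of its last machine auth."""
    entries: dict = field(default_factory=dict)

    def record(self, mac: str, now: float) -> None:
        self.entries[mac] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        stamp = self.entries.get(mac)
        return stamp is not None and (now - stamp) <= MAR_AGING_SECONDS


def evaluate(identity: str, mac: str, cache: MarCache, now: float) -> tuple:
    """Evaluate one PEAP inner authentication against a MAR-style policy.

    Returns (identity, "ACCEPT" | "REJECT", reason).
    """
    group = AD_GROUPS.get(identity)
    if group == MACHINE_GROUP:
        # Machine rule: the group matches and there is no MAR condition, so
        # access is granted and the client is remembered for the aging period.
        # This is what the original poster saw with "Computer authentication".
        cache.record(mac, now)
        return identity, "ACCEPT", "machine rule matched; MAR entry recorded"
    if group == USER_GROUP:
        # User rule: requires WasMachineAuthenticated == true for this MAC.
        if cache.was_machine_authenticated(mac, now):
            return identity, "ACCEPT", "user rule matched; WasMachineAuthenticated=true"
        return identity, "REJECT", "WasMachineAuthenticated=false"
    return identity, "REJECT", "identity not in any authorized group"


def connect(client_mode: str, mac: str, cache: MarCache, now: float) -> list:
    """Emulate the three Windows 7 PEAP client options from the thread."""
    if client_mode not in ("computer", "user", "user_or_computer"):
        raise ValueError(client_mode)
    results = []
    if client_mode in ("computer", "user_or_computer"):
        results.append(evaluate("host/ws01.example.local", mac, cache, now))
    if client_mode in ("user", "user_or_computer"):
        results.append(evaluate("EXAMPLE\\alice", mac, cache, now))
    return results


def run_scenarios() -> dict:
    """Replay the cases discussed in the thread; returns case -> list of decisions."""
    mac = "00-11-22-33-44-55"  # constructed Calling-Station-Id
    out = {}
    # 1. Computer-only against a fresh server: the machine rule alone admits it.
    out["computer"] = [r[1] for r in connect("computer", mac, MarCache(), 0)]
    # 2. User-only with no prior machine auth: rejected by the MAR condition.
    out["user_no_mar"] = [r[1] for r in connect("user", mac, MarCache(), 0)]
    # 3. User or Computer: both pass, machine first.
    out["user_or_computer"] = [r[1] for r in connect("user_or_computer", mac, MarCache(), 0)]
    # 4. Reconnect 30 minutes later: only the user auth is seen, accepted from cache.
    cache = MarCache()
    connect("user_or_computer", mac, cache, 0)
    out["user_after_30min"] = [r[1] for r in connect("user", mac, cache, 1800)]
    # 5. Reconnect after the aging time: the MAR entry has expired.
    out["user_after_2h"] = [r[1] for r in connect("user", mac, cache, 7200)]
    return out


if __name__ == "__main__":
    for case, decisions in run_scenarios().items():
        print(f"{case:18s} {decisions}")
```

Case 1 is the gap the original poster hit: a rule that matches the computer group without any further condition accepts a machine-only session, and nothing in the MAR condition on the user rule ever runs. Cases 4 and 5 show why the reconnect only logs the username and why the result changes once the aging time has elapsed.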

Let me know if the doc doesn't help.

-Scott
*** Please rate helpful posts ***