PEAP with MSCHAPv2 and machine level authentication
Our wireless is currently in a LEAP environment where we are protected or exposed based on our AD user accounts. I would like to migrate our environment to PEAP with MSCHAPv2 using machine-level authentication to allow for login scripts and group policy processing and, in theory, better security. We currently have Cisco 1200 APs running IOS (version c1200-k9w7-tar.123-8.JA2), Cisco Secure ACS 3.3.3 and Windows 2003 AD. All of the clients are XP based, SP2 and later. I have configured all of the components, including the Automatic Certificate Request and Computer Wireless settings with group policy, and all works fine.

The problem that I am having is that I wanted to verify that I had the ability to disable a client's ability to connect to the network based on it being in a wireless security AD group. If the computer is removed from the AD group which was previously allowing machine authentication, then ACS reports that the machine failed to authenticate, but I am still able to go to the PC and log in, obtain an IP address and get on the network. When the machine is not in this AD group it maps to a group with no privileges in ACS. I have machine-level restrictions enabled and have changed the aging timer to 1 hour. I have also changed the "Group map for successful user authentication without machine authentication" to "NO ACCESS", but it still lets me authenticate and connect. Now that I have changed the aging timer from 12 to 1 hour, after waiting 30-45 minutes it will eventually cause the user to fail authentication with "External DB user access denied (Machine Access Restriction)".

Is there a way for this to happen instantly (or within a minute or two) when a computer is moved from the appropriate AD security group? Also, this is not a domain syncing issue, as I have manually forced replication many times in testing. This is driving me crazy after about 8 hours... Any help appreciated.
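The post above rules out replication lag by hand. The script below is an added example, not part of the original thread or of any Cisco product, that makes that check repeatable: it asks every domain controller whether the computer account is still a direct member of the wireless group, and also reads the account's tokenGroups attribute (its effective, nested group membership) on each DC. If every DC agrees the machine is out of the group while ACS still lets it on, what remains is the ACS machine-authentication cache rather than AD. It uses System.DirectoryServices rather than the ActiveDirectory module so it works against Windows 2003 DCs from a domain-joined admin workstation. The computer name `WLANPC01` and group name `Wireless-Computers` are assumed placeholders.

```powershell
# Added example, not from the original thread. Checks on every DC whether a computer account
# is a direct member of the wireless security group, and resolves the account's effective
# (nested) membership from tokenGroups. Uses System.DirectoryServices so it works against
# Windows 2003 DCs without the ActiveDirectory module. Names below are assumed placeholders.
param(
    [string]$ComputerName = 'WLANPC01',           # assumed: the test workstation
    [string]$GroupName    = 'Wireless-Computers'  # assumed: the group that permits machine auth
)

Add-Type -AssemblyName System.DirectoryServices

function Find-AdEntry {
    # Look up one object by sAMAccountName on a specific DC; returns a DirectoryEntry or $null.
    param([string]$Dc, [string]$SamAccountName)
    $nc = ([ADSI]"LDAP://$Dc/RootDSE").defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Dc/$nc"
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    $hit = $searcher.FindOne()
    if ($hit) { return $hit.GetDirectoryEntry() }
    return $null
}

function Test-DirectMembership {
    # True if the computer's DN appears in the group's member attribute as read from this DC.
    param([string]$Dc, [string]$ComputerName, [string]$GroupName)
    $group = Find-AdEntry -Dc $Dc -SamAccountName $GroupName
    if (-not $group) { throw "Group $GroupName not found on $Dc" }
    foreach ($member in $group.Properties['member']) {
        if ($member -like "CN=$ComputerName,*") { return $true }
    }
    return $false
}

function Get-EffectiveGroups {
    # Resolve tokenGroups (nested, security-enabled groups) to DOMAIN\Name strings on one DC.
    param([string]$Dc, [string]$ComputerName)
    $computer = Find-AdEntry -Dc $Dc -SamAccountName "$ComputerName`$"   # computer accounts end in $
    if (-not $computer) { throw "Computer $ComputerName not found on $Dc" }
    $computer.RefreshCache([string[]]@('tokenGroups'))                    # constructed attribute, must be requested
    $names = @()
    foreach ($sidBytes in $computer.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $names += $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $names += $sid.Value }   # unresolvable SID (e.g. a deleted group): keep the raw SID
    }
    return $names
}

# Walk every DC so replication lag shows up as disagreement between rows.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    $dcName    = $dc.Name
    $direct    = Test-DirectMembership -Dc $dcName -ComputerName $ComputerName -GroupName $GroupName
    $effective = Get-EffectiveGroups   -Dc $dcName -ComputerName $ComputerName
    $nested    = @($effective | Where-Object { $_ -like "*\$GroupName" }).Count -gt 0
    "{0,-30} direct={1,-5} effective={2}" -f $dcName, $direct, $nested
}
```

Run it once before removing the computer from the group and again afterwards; when every row reports `direct=False effective=False` the directory side is consistent, and any remaining "successful" association is being decided from state the RADIUS server already holds.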
Re: PEAP with MSCHAPv2 and machine level authentication
When you say that the group membership does not take effect, are you talking about on the domain or on the client? Rebooting the client does not seem to matter. Even if I reboot the client after it is removed from the AD group with wireless permissions, it lets the PC on the LAN, again even though the ACS logs say that the machine auth failed. If I wait 30-45 minutes and then reboot, ACS properly says that the user auth failed due to Machine Access Restriction. I would expect this change to be immediate other than the syncing of the domain. I have read that there is a machine auth cache in ACS. Is there any way to clear this?