PEAP with MSCHAPv2 and machine level authentication

mabouchard
Level 1

Our wireless is currently in a LEAP environment where we are protected or exposed based on our AD user accounts. I would like to migrate our environment to PEAP with MSCHAPv2 using machine level authentication to allow for login scripts and group policy processing and, in theory, better security. We currently have Cisco 1200 APs running IOS (version c1200-k9w7-tar.123-8.JA2), Cisco Secure ACS 3.3.3 and Windows 2003 AD. All of the clients are XP based, SP2 and later. I have configured all of the components, including the Automatic Certificate Request and Computer Wireless settings, with group policy and all works fine. The problem that I am having is that I wanted to verify that I had the ability to disable a client's ability to connect to the network based on it being in a wireless security AD group. If the computer is removed from the AD group which was previously allowing machine authentication, then ACS reports that the machine failed to authenticate, but I am still able to go to the PC and log in, obtain an IP address and get on the network. When the machine is not in this AD group it maps to a group with no privileges in ACS. I have machine level restrictions enabled and have changed the aging timer to 1 hour. I have also changed the "Group map for successful user authentication without machine authentication" to "NO ACCESS", but it still lets me authenticate and connect. Now that I have changed the aging timer from 12 to 1 hour, after waiting 30-45 minutes it will eventually cause the user to fail authentication with "External DB user access denied (Machine Access Restriction)". Is there a way for this to happen instantly (or within a minute or two) when a computer is moved from the appropriate AD security group? Also, this is not a domain syncing issue, as I have manually forced replication many times in testing. This is driving me crazy after about 8 hours... Any help appreciated.

3 Replies

frankzehrer
Level 4

Hi Michael,

Did you try a "gpupdate /force" on the DC after moving the client? Maybe a look in this document gives you the right hint.

Protected EAP (PEAP) Application Note

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_technical_reference_chapter09186a008025d6ee.html

Best regards,

Frank

andrew.brazier
Level 4

Machine group membership changes in AD only take effect immediately if you reboot the machine in question. GPUPDATE/FORCE won't do it.

When you say that the group membership does not take effect, are you talking about on the domain or on the client? Rebooting the client does not seem to matter. Even if I reboot the client after it is removed from the AD group with wireless permissions, it lets the PC on the LAN, again even though the ACS logs say that the machine auth failed. If I wait 30-45 minutes and then reboot, ACS properly says that the user auth failed due to Machine Access Restriction. I would expect this change to be immediate other than the syncing of the domain. I have read that there is a machine auth cache in ACS. Is there any way to clear this?

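The behaviour described in the original post and in the last reply (machine auth logged as failed, yet the user still gets on the network until the aging timer runs out) is what a cache of *successful* machine authentications produces. The following is an added example, not ACS code and not posted by anyone in the thread: a small Python model of the Machine Access Restriction cache as the thread describes it, used to replay the poster's test with the 12 hour and 1 hour aging timers. The host name, the ACS group name "Wireless" and the `evict_on_failure` switch are assumptions for the walk-through; in particular `evict_on_failure` is a hypothetical knob showing what an "instant" denial would require, not an ACS 3.3 setting.

```python
"""Model of the Cisco Secure ACS Machine Access Restriction (MAR) cache.

Added example, not ACS code. It reproduces the behaviour the thread describes:
a successful machine authentication is remembered for the MAR aging timer, and
a user authentication from a host with no live entry is mapped to "NO ACCESS".
Host name, group name and times are constructed for the walk-through.
"""
from dataclasses import dataclass, field

NO_ACCESS = "NO ACCESS"      # "group map for successful user auth without machine auth"
WIRELESS_GROUP = "Wireless"  # assumed ACS group that machine-authenticated hosts map to
MAR_DENY = "External DB user access denied (Machine Access Restriction)"


@dataclass
class MarCache:
    aging_hours: float = 12.0                    # ACS default per the thread; poster set it to 1
    evict_on_failure: bool = False               # hypothetical knob, NOT an ACS 3.3 option
    last_ok: dict = field(default_factory=dict)  # host -> hour of last successful machine auth

    def machine_auth(self, host: str, in_ad_group: bool, now: float) -> str:
        """Machine (host/...) authentication at time `now`, in hours.

        A success refreshes the cache entry. A failure is logged by ACS but, in
        the behaviour observed in the thread, does not remove an earlier success;
        only the hypothetical evict_on_failure changes that.
        """
        if in_ad_group:
            self.last_ok[host] = now
            return "machine auth OK"
        if self.evict_on_failure:
            self.last_ok.pop(host, None)
        return "machine auth FAILED"

    def has_live_entry(self, host: str, now: float) -> bool:
        """True while the last successful machine auth is younger than the aging timer."""
        t = self.last_ok.get(host)
        return t is not None and (now - t) < self.aging_hours

    def user_auth(self, host: str, now: float) -> tuple:
        """User authentication from `host`; returns (mapped ACS group, log text)."""
        if self.has_live_entry(host, now):
            return WIRELESS_GROUP, "user auth OK"
        return NO_ACCESS, MAR_DENY


def walk_through(aging_hours: float, evict_on_failure: bool = False) -> list:
    """Replay the poster's test as a timeline in hours.

    0.00  PC is in the wireless AD group, boots, machine auth succeeds
    0.25  PC removed from the group, reboots: machine auth fails, user logs in
    then user logins at 0.75, 1.25 and 12.5 hours.
    Returns a list of (hour, step, result) tuples.
    """
    cache = MarCache(aging_hours=aging_hours, evict_on_failure=evict_on_failure)
    host = "host/PC01.example.local"  # constructed host name
    log = [
        (0.00, "machine auth", cache.machine_auth(host, in_ad_group=True, now=0.00)),
        (0.25, "machine auth", cache.machine_auth(host, in_ad_group=False, now=0.25)),
    ]
    for t in (0.25, 0.75, 1.25, 12.5):
        group, text = cache.user_auth(host, now=t)
        log.append((t, "user auth", f"{group}: {text}"))
    return log


if __name__ == "__main__":
    for aging in (12.0, 1.0):
        print(f"--- aging timer {aging:g} h ---")
        for hour, step, result in walk_through(aging):
            print(f"t={hour:5.2f}h  {step:13s} {result}")
    print("--- hypothetical: evict cache entry on failed machine auth ---")
    for hour, step, result in walk_through(12.0, evict_on_failure=True):
        print(f"t={hour:5.2f}h  {step:13s} {result}")
```

With the 12 hour timer the user stays on the "Wireless" group for the whole working day after the computer account leaves the AD group; with the 1 hour timer the denial appears at the first login after the hour has passed, which is the 30-45 minute delay the poster saw. Nothing in the model, or in the thread, offers a way to expire the entry early short of the aging timer; the `evict_on_failure` branch only illustrates what an immediate effect would take.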