Require Machine Authentication with WLC and ACS v4.2

I am currently authenticating wireless clients using PEAP User Authentication through a Cisco Wireless LAN Controller and Cisco ACS 4.2, which points to a Microsoft Active Directory external database. This does not keep users from configuring their personal devices with their Active Directory login information and connecting to the corporate wireless network. I can set up a client to use a certificate, machine authentication and user authentication, but I haven't been able to REQUIRE the certificate and/or machine authentication to authenticate to my wireless network.

I now have the Windows External Database Configuration, ACS External Database set up with Enable PEAP Machine Authentication and Enable machine access restrictions. With the client configuration set to use Computer Authentication, it passes the authentication through ACS (and AD), but the client can also be configured for User Authentication and also pass authentication. Is there a way to only require Computer Authentication through a Cisco WLC\Cisco ACS?

7 REPLIES
Hall of Fame Super Silver

Re: Require Machine Authentication with WLC and ACS v4.2

When you set up your policy, make sure that you only authenticate the computer group and not the user group they are in. The issue might also be that you chose your whole domain and not a particular group.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: Require Machine Authentication with WLC and ACS v4.2

With ACS, I am only seeing Access, Session and Password policies, which relate to access to ACS. With ACS 5.x, there are a lot of policy-based rules, but I am running 4.2. Is this policy set on the WLC or ACS?

Hall of Fame Super Silver

Re: Require Machine Authentication with WLC and ACS v4.2

In the Windows database you should have the computer group added. 5.x does have more policies, but 5.x does it differently than 4.x. In 4.x you have to set up MARs.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354066

-Scott
*** Please rate helpful posts ***
New Member

Re: Require Machine Authentication with WLC and ACS v4.2

Okay, so I do have the whole domain added in the list, but we are also using ACS for VPN remote access authentication by username.

Hall of Fame Super Silver

Require Machine Authentication with WLC and ACS v4.2

That is where it gets tricky, and it doesn't matter if you're using ACS 4.x or 5.x. You now have to start creating specific 'policies' in order for current policies or other policies not to break. You would have to add the whole domain and then every AD group you would like to match against.

-Scott
*** Please rate helpful posts ***
New Member

Require Machine Authentication with WLC and ACS v4.2

So to require machine authentication, it sounds like in my scenario the only way to do this is by configuring policies on ACS. This information is very helpful. Thank you!

Hall of Fame Super Silver

Re: Require Machine Authentication with WLC and ACS v4.2

Yes... You are correct regarding creating policies.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***