We have a customer using an ACS SE 4.0 with a bought SSL cert from Geotrust installed authenticating to AD using PEAP security. We've found that a user can still authenticate using their domain credentials from a non-domain PC. Not good.
We've found the Machine Access Control function in ACS which blocks users with legitimate credentials from authenticating using a rogue PC, so far, so good. This checks the AD domain for machine accounts and no machine account = no access. BUT the customer has a number of machines that are not part of the AD domain (Macs and Linux) so they get blocked too.
My question is what other means are there of controlling this? The customer has many small sites and, as it stands, although PEAP is implemented and working, there's nothing to stop an employee bringing in their own laptop and using their domain credentials to get authenticated to the WLAN.
I would suggest you give a certificate to every computer and use EAP-TLS instead of PEAP. If you mark the certificate as not exportable, it will not be possible to use it on another computer.
Deploying certificates on Windows computers that are part of AD can be done very easily through GPO. It has to be done manually for Linux and Mac but if there are only a few of them, it's not a big problem.
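One way to verify the non-exportable property the reply relies on, as an added PowerShell check that is not from the original thread: it assumes the machine certificates were enrolled into the local machine personal store (Cert:\LocalMachine\My) and that the script is run from an elevated prompt so the private keys can be opened.

```powershell
# Added example (not from the original post): list every certificate in the
# local machine store that carries the Client Authentication EKU (the one an
# EAP-TLS supplicant presents) and report whether its private key is exportable.
# A key that reports Exportable = True can be copied to another computer,
# which defeats the point of per-machine certificates.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Extended Key Usage: Client Authentication

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CNG-backed keys expose an ExportPolicy; legacy CSP keys expose Exportable.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { return $null }   # no usable private key on this machine
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.Exportable
    }
    return $null   # unknown key type (e.g. ECDSA); inspect manually
}

# Note: a certificate with no EKU extension at all is valid for every purpose
# and would be skipped by this filter; drop the EKU test to include those.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid } |
    ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Exportable = Test-PrivateKeyExportable $_
        }
    } | Format-Table -AutoSize
```

Run it on a freshly enrolled Windows client after the GPO applies; any row showing Exportable = True means the enrollment template still allows key export and should be corrected before relying on EAP-TLS to tie access to the machine.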