fid500 Member Posts: 71

I am in the process of implementing 802.1x using a Cisco switch and Windows 2003 with IAS and RADIUS. I am using PEAP for authentication. In my test environment users from Active Directory can authenticate fine. I want to add an option where the PC, not just the user, MUST be a member of the domain for authentication to succeed. We don't want users bringing their laptops and connecting them to the network.
Is there a way to enable this option?
Thank you


  • APA Member Posts: 959
    PEAP requires only a server cert for the building of the tunnel through which MS-CHAPv2 or CHAP etc. is passed... Hence why any machine can plug in as long as they have the server cert in their trusted certs...

    But this begs the question... How are they authenticating user-wise with their laptops when the laptop isn't part of the domain in the first place? 802.1x won't successfully authenticate... It will always be in the unauthorized state trying to send the EAPoL frames? Unless a pop-up appears which lets them type in credentials? Also, how are they getting the server cert on their laptop? (Not sure, as I haven't tried it with a computer not part of my lab domain at home)...

    EAP-TLS requires two certs (server side and client side) - I believe this is the method of authentication that you would want to implement if you want the machine to be authenticated as well...

    Hope this helps :D

    CCNA | CCNA:Security | CCNP | CCIP
  • redwarrior Member Posts: 285
    We're considering doing something similar for both wired and wireless users using Cisco NAC (the appliance formerly known as Clean Access). We already have NAC configured to require users to authenticate to the AD domain before they can access the network, but apparently we can also make sure that their computer is a company computer by either burying a file on their hard drive or even a registry setting. We already make sure they meet minimum Windows update settings as well as antivirus definitions that are no older than 1 week.

    I'm not sure how you would do this otherwise and NAC is expensive to implement, so unless you're really planning on locking things down in other ways for your wired network, it probably isn't worth the cost just to tighten down wireless. The other obvious method, MAC identification, would quickly get unwieldy with large numbers of client MAC addresses to enter.

    CCNP Progress
    BSCI - In Progress
    http://www.redwarriornet.com/ <--My Cisco Blog
  • fid500 Member Posts: 71
    I know you can authenticate machines and users using EAP-TLS and issuing a certificate to each device, however XP doesn't support this option for wired networks.
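To make the requirement in the opening post concrete, here is an added example (not code from this thread, from IAS or from Cisco) of the decision a RADIUS remote access policy has to make if it should admit only domain-joined PCs, not just domain users. It assumes the Windows supplicant's identity convention (computer authentication sends `host/<computer FQDN>`, user authentication sends `DOMAIN\user` or `user@realm`) and uses a constructed domain name and a constructed stand-in for the Domain Computers group:

```python
from dataclasses import dataclass

# Constructed lab domain; a real RADIUS server would take this from AD.
DOMAIN_SUFFIX = "corp.example.com"
# Constructed stand-in for the AD "Domain Computers" group. A computer
# object's sAMAccountName is its hostname followed by "$".
DOMAIN_COMPUTERS = {"PC01$", "PC02$", "LAPTOP7$"}

@dataclass
class Decision:
    accept: bool
    reason: str

def classify_identity(identity: str):
    """Split an EAP identity into ("machine", HOSTNAME) or ("user", name).

    Windows computer authentication presents "host/<computer FQDN>";
    user authentication presents "DOMAIN\\user" or "user@realm".
    A host/ identity outside our domain suffix yields ("machine", None).
    """
    ident = identity.strip()
    if not ident.lower().startswith("host/"):
        return "user", ident
    fqdn = ident[len("host/"):].lower()
    if not fqdn.endswith("." + DOMAIN_SUFFIX):
        return "machine", None
    return "machine", fqdn[: -len(DOMAIN_SUFFIX) - 1].upper()

def evaluate(identity: str) -> Decision:
    """Policy: grant only computer accounts that exist in Domain Computers.

    Runs after the RADIUS server has already verified the credentials
    (PEAP/MS-CHAPv2), so a valid domain user on a personal laptop still
    fails here because the PC itself never authenticated.
    """
    kind, name = classify_identity(identity)
    if kind == "user":
        return Decision(False, "user-only logon; the PC did not authenticate")
    if name is None:
        return Decision(False, "computer is not in our domain")
    if name + "$" not in DOMAIN_COMPUTERS:
        return Decision(False, f"no computer account {name}$ in Domain Computers")
    return Decision(True, f"{name} is a domain-joined computer")

if __name__ == "__main__":
    for ident in ["host/pc01.corp.example.com", "CORP\\alice",
                  "host/rogue.corp.example.com", "host/pc01.home.lan"]:
        print(ident, "->", evaluate(ident))
```

In IAS terms this corresponds to a remote access policy whose Windows-Groups condition matches Domain Computers rather than Domain Users; the identity classification is what lets the server tell the two kinds of request apart.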