
Cisco 3.3 User Manual

Chapter 13 User Databases

Windows User Database

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Cisco Secure ACS supports both EAP-TLS and PEAP(EAP-MSCHAPv2) for
machine authentication. You can enable each separately on the Windows User
Database Configuration page, which allows a mix of computers authenticating
with EAP-TLS or with PEAP(EAP-MSCHAPv2). Microsoft operating systems
that perform machine authentication may limit the user authentication protocol to
the same protocol used for machine authentication. For more information about
Microsoft operating systems and machine authentication, see Microsoft Windows
and Machine Authentication, page 13-20.

The Unknown User Policy supports machine authentication. Computers
previously unknown to Cisco Secure ACS are handled similarly to users. If the
Unknown User Policy is enabled and an Active Directory external user database
is included on the Selected Databases list on the Configure Unknown User Policy
page, machine authentication succeeds, provided that the machine credentials
presented to Active Directory are valid.

On a computer configured to perform machine authentication, machine
authentication occurs when the computer starts. Provided that the AAA client
sends RADIUS accounting data to Cisco Secure ACS, when a computer is started
and before a user logs in on that computer, the computer appears on the Logged-In
Users List in the Reports and Activity section. Once user authentication begins,
the computer no longer appears on the Logged-In Users List.

PEAP-based machine authentication uses PEAP(EAP-MSCHAPv2) and the
password for the computer established automatically when it was added to the
Microsoft Windows domain. The computer sends its name as the username and
the format is:

host/computer.domain

where computer is the name of the computer and domain is the domain the
computer belongs to. The domain segment may include subdomains, too, if they
are used, so that the format may be:

host/computer.subdomain.domain

The usernames of authenticated computers must appear in the CiscoSecure user
database. If you enable unknown user processing, Cisco Secure ACS adds them
automatically once they authenticate successfully. During authentication, the
domain name is not used.
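
The following Python example is added here and is not from the Cisco guide. It parses usernames in the host/computer.domain format described above and separates machine identities from user names and from malformed host/ entries that merit review. The function names, the DNS-label validation rule, and the sample usernames are assumptions made for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional

PREFIX = "host/"  # prefix as shown in the guide; matched exactly here
# Assumption: each dot-separated segment is a DNS-style label.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


class MachineIdentity(NamedTuple):
    computer: str
    domain: str  # may contain subdomains, e.g. "emea.example.com"


def parse_machine_username(username: str) -> Optional[MachineIdentity]:
    """Return the parsed identity, or None if the name does not fit the format."""
    if not username.startswith(PREFIX):
        return None
    labels = username[len(PREFIX):].split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        return None
    # The first segment is the computer; everything after it is the domain.
    return MachineIdentity(labels[0].lower(), ".".join(labels[1:]).lower())


def classify(usernames: List[str]) -> Dict[str, list]:
    """Sort usernames into machine, user, and malformed host/ entries."""
    result: Dict[str, list] = {"machine": [], "user": [], "malformed": []}
    for name in usernames:
        if not name.startswith(PREFIX):
            result["user"].append(name)
        elif (ident := parse_machine_username(name)) is None:
            result["malformed"].append(name)  # host/ prefix, bad shape: review
        else:
            result["machine"].append(ident)
    return result


# Constructed sample usernames (not taken from any real log).
SAMPLE = [
    "host/wks-042.example.com",
    "host/lab7.emea.example.com",
    "jsmith",
    "host/wks-043",
    "host/.example.com",
]

if __name__ == "__main__":
    for kind, names in classify(SAMPLE).items():
        print(kind, names)
```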

EAP-TLS-based machine authentication uses EAP-TLS to authenticate the
computer using a client certificate. The certificate used by the computer can be
one installed automatically when the computer was added to the domain or one