802.1X wirelss restriction on user authentication

Hi,
In the 802.1x wireless environment, I would like to know is there any method to control single user credential only able to be autheticated for one time, at any given time.
Example: user ABC in domain XYZ.ORG authenticated via his/her desktop, this is using user authentication method.
After this he/she not able to use the same username/password trying to get authenticate neither using any another PC/tablet/smartphone devices.
The motive is to prevent user using same user credential able sign-in after he/she made the authenticaiton at first place.
Meaning to say he/she only able to authenticate to single device, at any given time. Same user credential is not allow to be use for authenticate purpose on other device.
The components as below:
supplicant: Window 7, authentication method using PEAP/MSCHAPv2; Apple iPhone iOS version 5.x, 6.x
Authenticator: Cisco Wireless Controller 5800 Series on code version 7.2
Authentication server: Cisco secure server ACS 5.3
Identity Source : Microsoft server 2008 ADDS, single forest single domain.
Question:
01. What we can configure on WLC, or ACS to enable above mention requirement
Thanks
Noel

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112175-acs51-peap-deployment-00.html

Similar Messages

802.1X wirelss restriction on User Login policies

Hi all,
Seeking some technical idea on Wireless 802.1x setup.
Business requirement is:
"User login policy: to limit the number of concurrent login by a single user only apply to one device at any given time. "
There is no problem on PEAP/MSCHAPv2 login, only thing is the same user credential able to be use and login on multiple device, in the same time.
On the NAD part, we configure these on WLC but still cannot achieve our objective
- advanced eap max-login-ignore-identity-response disable
- netuser maxuserLogin 1
Seeking technical solution on this case, please advice. Is there anything need to tweak on the directory server or ACS part?
The components using as below:
Supplicant 1: Window 7, authentication method using PEAP/MSCHAPv2
Supplicant 2: iPhone iOS version 6.x
Authenticator: Cisco Wireless Controller 5800 Series on code version 7.2
Authentication server: Cisco secure server ACS 5.3.0.40
Identity Source : Microsoft server 2008 R2 ADDS, single forest single domain.
attached the network diagram: topo1.png

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112175-acs51-peap-deployment-00.html

802.1x eap-tls machine + user authentication (wired)

Hi everybody,
right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
<key>SetupModes</key>
<array>
    <string>System</string>
    <string>Loginwindow</string>
</array>
<key>PayloadScope</key>
    <string>System</string>
but it does not work
2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
Thanks

Unfortunatelly this documents do not describe how to do what I want.
I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
The certificates are in my System keychain.
Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
Any ideas ?

802.1x machine vs user authentication

In the process of depolying 802.1x on wired LAN. What is the difference between machine authentication and user authentication? Thanks in advance.

OK, so assuming we're still talking the MSFT supplicant, you have some options:
1) USe EAP-TLS and mark any certs deployed to your corporate-owned assets and non-exportable. This solves the issue by brute force. You don't exactly need machine-authentication to do this. You may need machine-auth for other reasons (as I believe we've discussed here).
2) If PEAP is in use, use the machine-auth and the Machine-Access-Restriction feature in ACS. What this does is a coupling of the notions of machine-auth as a preceeding policy decision for user-auth. Example: It is technically possible that anyone with a valid NT account may be able to 802.1x-authenticate from "any" machine. But with the machine-access-restriction feature, they will only be able to do so if ACS has also authenticated a valid machine-auth session prior to the login attempt.
3) Use a NAR in ACS. A NAR is a Network Access Restriction. If for example, you have a database of all the MAC Addresses you have (or an OID wildcard) you can configure further checking of a MAC address from an otherwise valid 802.1x authentication attempt. This effectively tells ACS to only allow authentication attempts from MAC Addresses it knows about.
Hope this helps.

Problems with 802.1x MS PEAP machine and user authentication

Using Microsoft PEAP 802.1x client on Windows XP SP2, if we enable machine authentication against a Windows Domain, the machine authentication is successful and the machine gets access to the network. However, when user logon occurs to the domain, contrary to the flow given in ACS and Windows documentation, no user authentication takes place.
We need to differentiate user access based on their identities. We need machine authentication only to allow users access to the domain controller and also GP implementation.
Any idea why user does not get prompted when they logon. 802.1x is configured in users profile and I have tried with both integrated and non-integrated with Domain logon (i.e. "use my windows logon name and password and domain (if any) option"
There is no record of any identity request/response in ACS after the initial machine authentication (which appears in successful authentication log)
We are using MS-CHAPv2.

Update...The problem of cached credentials in MS PEAP does not occur if "enable logon using Windows username and password (and domain if any) is checked. Using this option, MS PEAP always uses logged on users most current credentials.
However, using this option sends the username as "DOMAIN\USERNAME". Since we are using ACS internal database for user authentication (even though the ACS and Windows passwords are same - using an identity management system) ACS does not recognize the user.
I have tried proxy distribution with prefix stripping but it does not seem to work when it is pointing to the same ACS server on which proxy distribution is configured and which receives the request.
Any idea how the domain\ can be ignored by ACS?

Anyconnect 3 NAM Profile user authentication failure

Hello,
I use Cisco Anyconnect as a supplicant for my 802.1x enabled network, we use EAP-TLS. I created a wired profile with the standalone profile manager and deployed it to my clients. Machine authentication works fine, but as soon as i log in to the device the user authentication is not working and the anyconnect falls back to an open wired network.
I don't see any logs in my ACS.
But when i create a profile on the device itself the EAP-TLS authentication works without any issues.
any ideas?
regards
alex

Hello Luke-
I have faced the same issue with MAR (Machine Access Restriction) in the past. It all worked great while we had wireless authentication only but things went out of control once we started to roll out wired
I have been working with ISE for a little bit now and I can tell you that the same issue is still present. It would be pretty nice if they can "fix" this but as of right now you would face the same exact issue. So if you want to do user+machine authentication, you have a couple of options that were recently discussed in this thread:
https://supportforums.cisco.com/message/3775027#3775027
To answer your other question:
So is there a trick to get NAM to trigger machine re-authentication without having to reboot?
Back when I had this issue I was able to "trick" the native windows client to perform machine authentication again by going to "Start Menu > Shut Down > Switch User." In the new window it is important not to click on the already logged user but to select "New/Different User." There you can still type the same credentials for the already logged user. This seemed to force the machine to pass its machine credentials again without having to reboot the machine which is till not ideal and not user friendly at all but that is all I have Also, do keep in mind that I have not tested this with the AnyConnect client so results may vary.
Thank you for rating!

Restricting Multiple Users To Only Their Specific Areas Of A Site

I think I understand the basics of user authentication and
password protection for areas of a site using PHP/MySQL, etc. Maybe
I don't however.
My question is: If I have 10 users how do I restrict each
user to only their specific pages in the site so that they can only
see their specific pages and not every protected page?
See, maybe I don't understand, but any help would be
appreciated. Thanks in advance.
Glenn Atkins

Can you password-protect individual folders, each containing
only a single
user's pages?
"GEAtkins" <[email protected]> wrote in
message
news:fj4gel$1sh$[email protected]..
>I think I understand the basics of user authentication
and password
>protection
> for areas of a site using PHP/MySQL, etc. Maybe I don't
however.
>
> My question is: If I have 10 users how do I restrict
each user to only
> their
> specific pages in the site so that they can only see
their specific pages
> and
> not every protected page?
>
> See, maybe I don't understand, but any help would be
appreciated. Thanks
> in
> advance.
>
> Glenn Atkins
>

Machine and User authentication with ISE 1.2.1

Hi ,
Can any one tell me in machine authentication what access need to be enable DACL for machine logon?
Can we enable the access on port level ? direct to tcp/udp or ip level what is the best practice.
Thanks
Pranav

is this what you are looking for EAP Chaining which uses a machine certificate or a machine username / password locked to the device through the Microsoft domain enrollment process. When the device boots, it is authenticated to the network using 802.1X. When the user logs onto the device, the session information from the machine authentication and the user credentials are sent up to the network as part of the same user authentication. The combination of the two indicates that the device belongs to the corporation and the user is an employee.
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

Trusted User Authentication

Hi,
Our solution currently offers three SSID's. One corporate SSID for trusted users (employees) with trusted (company managed) devices, one guest SSID for external guests who are not trusted and use non-trusted devices and then a third "guest" SSID that allows trusted users (employees) to connect using untrusted (personal) devices to access the Internet via a separate proxy system. The guest SSID for trusted users is the focus of this question.
We currently use a local RADIUS database on ACS 5.2 for the users, which works but requires another user account and obvious password management overhead. Given that a global employee directory exists which has its own account & password management system in place has made me consider this as an alternative to local authentication on ACS.
The external identity store is an LDAP database and I have configured network access for the ACS to query the schema.
I understand that web authentication can use LDAP as an authentication mechanism, however I would like to keep the SSID as secured using 802.1x if possible and not use an open or PSK secured solution as this would contravene current security standards.
So, can I configure the WLC to send an authentication request to the ACS via RADIUS over 802.1x and then for the ACS to forward that request on to an external identity store using LDAPS?
I am currently reveiwing the configuration document and believe I have each individual component in ACS configured but cannot see the LDAPS traffic ever leaving it to query the external identity store.
Any thoughts or comments would be appreciated....
Thanks,
Dave

Hi Dave,
That is surely possible and that is what LDAP identity store is fore.
You create the LDAP identity store and point the WLCs to use the ACS (not the LDAP server).
Now, when a wifi client tries to connect the WLC sends the request to the ACS.
At this point the request reached ACS. So, in order to proceed with quering the LDAP server for that user, you need to tell the ACS for this user that is connecting to this SSID please send the query to the LDAP server and trust what it tells you about the user authentication status.
Have you configured this piece of configuraiotn on ACS? to send the traffic to the LDAP DB?
In the Access policy you need to choose the configured LDAP identity store. Have you done that?
If you still have problems please try to provide screenshots of you config.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"

Restricting what users can send mail to off-site destinations

How can i restrict what users can and can not send mail outside mi local domain ?? Without editing postfix ??
Tx

Without editing postfix? pretty much impossible.
Anything you do is going to change posftix's confguration, and you're asking for options beyond Apple's Server Admin GUI, therefore you going to have to do some under-the-hood tweaking of postfix.
(just to be pedantic, using Server Admin ultimately edits postfix's configuration files, so what's your reluctance here?)
As for your request, there are so many ways of implementing this. The 'right' option depends on more details than you've specified. For example, how are you determining which users can/cannot send outside mail? Is it a fairly static list, or does it change frequently?
The only option that comes close to not editing postfix is authentication. By default, only authenticated users can send outgoing mail, but anyone can send mail to a local address on the server, so that gives you a simple approach - have the permitted users configure their mail client with a username and password for SMTP, and have the non-permitted users leave the SMTP username/password empty.
That's hardly foolproof, though - if any 'non-permitted' user enters their username and password they automatically fall into the 'permitted' group. That may or may not be sufficient for your need.
There are other options, though, including IP address range checking, a permitted senders list, port options, and more. It's just a matter of how much you want to tweak postfix's configuration.

Dreamweaver Server Bahavior, User Authentication, Logout User Problem

Hi! I want to add a 'logout user' functionality to the PHP
page using Server Behavior, User Authentication, Logout User option
in Dreamweaver CS3.
I highlight the text, Logout, then clicked on the above
mentioned option and I get an error message:
While executing onLoad in Log Out User.htm, the following
JavaScript error(s) occurred:
At line 603 of file "C:\Program Files\Adobe\Adobe Dreamweaver
CS3\Configuration\Shared\Controls\Script\TagMenu.js": The object is
not currently contained in a document.
In the Log Out User form, the "link clicked" is blank and
"when done" is not selectable.
Can anyone help me out? Thanks!

Hi! I'm not using Javascript. I'm using PHP to log in and log
out a user. The log in implementation works fine. It's the log out
that is giving me problems.
Below is the code:
<?php
if (!isset($_SESSION)) {
session_start();
$MM_authorizedUsers = "admin";
$MM_donotCheckaccess = "false";
// *** Restrict Access To Page: Grant or deny access to this
page
function isAuthorized($strUsers, $strGroups, $UserName,
$UserGroup) {
// For security, start by assuming the visitor is NOT
authorized.
$isValid = False;
// When a visitor has logged into this site, the Session
variable MM_Username set equal to their username.
// Therefore, we know that a user is NOT logged in if that
Session variable is blank.
if (!empty($UserName)) {
// Besides being logged in, you may restrict access to only
certain users based on an ID established when they login.
// Parse the strings into arrays.
$arrUsers = Explode(",", $strUsers);
$arrGroups = Explode(",", $strGroups);
if (in_array($UserName, $arrUsers)) {
$isValid = true;
// Or, you may restrict access to only certain users based
on their username.
if (in_array($UserGroup, $arrGroups)) {
$isValid = true;
if (($strUsers == "") && false) {
$isValid = true;
return $isValid;
$MM_restrictGoTo = "denied.html";
if (!((isset($_SESSION['MM_Username'])) &&
(isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'],
$_SESSION['MM_UserGroup'])))) {
$MM_qsChar = "?";
$MM_referrer = $_SERVER['PHP_SELF'];
if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
if (isset($QUERY_STRING) && strlen($QUERY_STRING)
> 0)
$MM_referrer .= "?" . $QUERY_STRING;
$MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar .
"accesscheck=" . urlencode($MM_referrer);
header("Location: ". $MM_restrictGoTo);
exit;
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Transitional//EN" "
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="
http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8" />

<title>Admin</title>



<link href="../twoColFixLtHdr.css" rel="stylesheet"
type="text/css" />
<style type="text/css">

</style></head>
<body class="twoColFixLtHdr">
<div id="container">
<div id="header">
<h1 class="style1">Welcome to EMART</h1>
</div>

<div id="sidebar1">
<h3 class="style1">Emart</h3>
<ul type="square">
<li><a href="../index.php"
class="style1">Home</a> </li>
<li><a href="admin.php"
class="style1">Admin</a> </li>
<li><a href="add_product.php" class="style1">Add
Product</a> </li>
<li><a href="edit_product.php"
class="style1">Edit Product</a> </li>
<li><a href="delete_product.php"
class="style1">Delete Product</a> </li>
<li>Logout</li>
</ul>
<p> </p>

</div>

<div id="mainContent">
<h1>Admin</h1>
<p>
Logout</p>
<p> </p>
</div>

<br class="clearfloat" />
<div id="footer">
<p>© 2008
</p>
</div>
</div>
</body>
</html>

802.1x with machine and user auth

Q: What happens if a user passes machine authentication but fails user authentication when performing 802.1x?
A: In AOS dot1x profile, we have an option to enforce machine authentication.
When enabled, we can be in more control of the devices that have passed/failed machine/user authentication.
Once a user has passed machine authentication, by default the client will fall under the role configured in "Machine Authentication: Default Machine Role" under dot1x profile.
Below is an example which shows the client has passed only machine authentication but user authentication is not yet initiated.
(Aruba3400) #show user-table
Users
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
10.17.169.92 3c:a9:f4:7f:84:54 test guest 00:00:00 8021x-Machine 18:64:72:c6:d7:28 Wireless akhil/18:64:72:ed:72:80/g-HT akhil tunnel
There are scenarios where the clients will pass machine authentication, but for some reason will fail user authentication. In this scenario, clients will not be present in the user-table of the controller anymore.
When a client fails user authentication irrespective of passing/failing machine authentication, controller will send a deauth to the client and remove the entry from the user-table.

Hi Amjad
very good point on this, thanks a lot. In this case, I did not even think about the client firmware side, thought that I should be the WLC or the client settings, but not the driver. We will give a shot on this next week, maybe this will help us to solve the problem.
It is normal to have the clietn in 802.1x_REQD if it is not yet authenticated and that is the expected state to be at in your situation untlil the client fully authenticates.
Absolutely correct that the client is associated and in the 802.1x_REQD state as long as the authenticator did not get the EAP identity Response, but that the client takes such a long time to answer is not normal ;-)
- What is the supplicant that is used on the windows machines? default WLAN supplicant? or you use some commercial supplicants?
WZC.
- what is the result when testing with user auth only?
The same, it takes such a long time.
- what ist he result when testing with machine auth only?
Machine authentication works as expected, fast and as soon as the client is booted, the client gets authenticated.
Regards and have a nice weekend
Dominic

How to set restriction for user in sap

Hi,
I have created a user,now i need to restrict the user to work only for 8 hrs per day.HOw can i set timing for the user.Kindly help out regarding this.
Regards
sekar

Sekar,
If you use external authetnication for users when they logon to SAP, then you can control the times they can logon and which days of week (if required). For example, it is possible to use Active Directory authentication to authenticate users to SAP application via SNC or using a custom login module in WebAS Java, and in AD you can set times when logons are allowed. This might be what you are looking for ?
If you want to log somebody off SAP when they have been using it for a period of time, then this can be dangerous if they are in the middle of a complex transaction when they are logged off. Also, I don't think this functionality is included in SAP product. If you don't want somebody to use SAP at certain times of day, then it might be better to force a screen saver at workstation instead, if this is what you want.
Regards,
Tim

Restrict Which Users Can Enter Data In List Form in SharePoint Foundation 2013

Is there a way to restrict which users can enter data in particular fields in a list item entry form?
We are using a SharePoint Foundation 2013 list and calendar to manage vacation time. We need to restrict non-supervisor users users from entering a value in a certain field in the vacation request form.
Here is how the system works now:
1. Employees complete the vacation request form (which creates a list item)
2. An email is sent to their supervisor to either approve or decline the request
3. Approved requests are automatically entered onto the vacation calendar
We have restricted the list so that only supervisors can edit items (the pending vacation requests). The problem is that all users can mark their own requests as approved when they fill out the request form in the first place. Is there a way to restrict
which users can enter data in particular fields on a list item entry form?

Thanks for the suggestion. We ended up 1) hiding the approval column and 2) creating a second list, workflow, etc. The user no longer sees the approval column when filling out the form. Requests are now submitted to list A. Workflow #1 copies the request
to List B, then deletes the item from List A. Once the request is added to List B, Workflow #2 emails the user that the request has been received and emails the supervisor that a request needs to be approved. Only supervisors have editing permissions on List
B. Approved requests are automatically added to the vacation calendar (the calendar view of List B).
We found the following site to be helpful in learning how to hide the list column:
http://community.bamboosolutions.com/blogs/bambooteamblog/archive/2013/06/03/how-to-hide-a-sharepoint-list-column-from-a-list-form.aspx

How to Restrict the users from changing the Default variant of report.

Hello everybody,
The requirement is to restrict the users to save and overwrite the default layout variant (Layout for higher managenet)set for the report, but at the same time they should be able to change and save the other layouts for which they are having access.
I have written the logic in the program which is working fine for all the scenario when we execute the report. But the logic doesnt work if the user is selecting the layout on the output screen of the report.
for e.g if the user runs the report using the layout varaint for which he is having the authorization then he gets the all 4 options so he then he can select the layout for which he is not authorized and he can overwrite.
i have debugged and check as i have found that after the report output is shown all the layout paramater is controllled by the statndard SAP objects.
Can anyone help me out in this issue.
Thankyou in advance.
*to get the default layout variant.
w_save = 'A'.
if p_vari is initial.
    clear disvariant.
    disvariant-report = sy-repid.
    w_variant = disvariant.
    call function 'REUSE_ALV_VARIANT_DEFAULT_GET'
      exporting
        i_save     = w_save
      changing
        cs_variant = w_variant
      exceptions
        not_found = 2.
    if sy-subrc = 0.
      p_vari = w_variant-variant.
    endif.
endif.
*logic to check user authorization to change the layout setting.
if p_vari = c_layout.
    if not sy-uname is initial.
      select single * from agr_users
              where agr_name = c_role
              and   uname    = sy-uname.
      if sy-subrc = 0.
        w_save = 'A'.
      else.
        w_save = ' '.
      endif.
    endif.
endif.
Regards,
Satish.

Hi Maine,
Thanks for your reply.
As you mentioned for your own program, you can control the parameter "I_SAVE", when calling "REUSE_ALV_GRID_DISPLAY".
so already i have use the same logic and control the parameter through I_SAVE and here i am calling method ALV_GRID->SET_TABLE_FOR_FIRST_DISPLAY instead of "REUSE_ALV_GRID_DISPLAY".
and it works fine when we execute the report but the logic doesnt work when the user tries to change and save the layout variant on the output screen of the report.
Regards,
Satish

802.1X wirelss restriction on user authentication

Similar Messages

Maybe you are looking for