Machine authentication with Windows 7

Similar Messages

• Machine Authentication with PEAP on Wireless with ISE1.2

  Hi All,
  We are facing issues while doing machine authentication in ISE1.2 with wireless PEAP authentication. Without machine authentication normal PEAP works very fine but as soon as we enable machine authentication and create policy for machine authentication and in user authentication policy we put condition "was machine authenticated" then it works for some machine properly but does not work for other machines. Its totally random behaviour sometime it stopped working for machines which were authenticated before.
  I just want to know if I m missing some configuration or its a bug in ISE. Can some body share step by step configuration for machine authentication with PEAP.
  Really It would be a great help.
  Thanks
  Ninja

  Did you Apply service pactch 4?
  Sent from Cisco Technical Support iPhone App

• Apple macosx machine authentication with ISE using EAP-TLS

  Hello,
  On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
  With windows machines all is working well. We are using computer authentication only.
  Now the problem is that we wish to do the same with MAC OSX machines.
  We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
  in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
  When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
  The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
  Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
  Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
  Thanks
  Gustavo Novais

  Additional information from the above question.
  I have the following setup;
  ACS 3.2(3) built 11 appliance
  -Cisco AP1200 wireless access point
  -Novell NDS to be used as an external database
  -Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
  -Windows XP SP2 Client
  My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
  Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
  When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
  Please help...
  Thanks

• Machine authentication with MAR and ACS - revisited

  I'm wondering if anyone else has overcame the issue I'm about to describe.
  The scenario:
  We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
  We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
  The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
  The passed authentications log does successfully show the machines authenticating.
  The challege:
  We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the currents standard corporate image).
  In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication.  As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
  In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine maybe authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
  So the user maybe logged on and working on the network - and then choose to undock which activates the wireless.
  The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS vial the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
  Has anyone seen / over come this ?
  Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

  Here's the only thing I could find on extending the schema (I'm not a schema expert):
  http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
  If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
  You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2.  Earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer it's machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just have easily used PEAP on the client side, but told ACS to an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...

• 802.1x PEAP Machine Authentication with MS Active Directory

  802.1x PEAP Machine and User Authentication with MS Active Directory:
  I have a simple pilot-text environment, with
  - Microsoft XP Client,
  - Cisco 2960 Switch,
  - ACS Solution Engine (4.1.4)
  - MS Active Directory on Win 2003 Server
  The Remote Agent (at 4.1.4) is on the same server as the MS AD.
  User Authentication works correctly, but Machine Authentication fails.
  Failed machine authenticaton is reported in the "Failed Attempts" log of the ACS SE.
  The Remote Agent shows an error:
  See Attachment.
  Without Port-Security the XP workstation is able to log on to the domain.
  Many thanks for any indication.
  Regards,
  Stephan Imhof

  Is host/TestClientMan.Test.local the name of the machine? What does the AAA tell for you the reason it fails?

• Authentication with Windows NT Server

  Hi guys!
  Our customer has a domain with Windows Server 2003 and Windows Server NT, only users in the Windows Server 2003 appears when we create a access policy for authenticated users. This domains has a trust relationship, WSA supports Windows NT?
  Regards,

  You will need 2 authentication realms if your not going to use the AD authentication connector for NT 4.0. The firts authentication realm will be NTLM and connect to the NT4.0 PDC server. Next you will need an AD auth realm which will be configured using LDAP. If by chance you have a 2 way transitive trust and the AD connector installed on the NT 4.0 PDC server as well as configured to talk to the 2003 AD server then you could actully just use one authentication realm. To answer your question we do not have a tutorial on configuring NT 4.0 fro authentication as this technology is not supported by Microsoft as it is EOL.
  Sincerely,
  Erik Kaiser
  Cisco WSA Forums Moderator

• Lync 2013 Authenticating with Windows Account Every Minute

  Seeing a strange issue with Lync 2013 client logging into my Windows Account about every 1-2 minutes. We are using Lync Server 2013 (on-premise) so it makes no sense that it is logging into and authenticating against Windows Account. This was causing major
  issues as my Windows Account password was different than my company domain login. This was causing Lync to use the "wrong" password to login into Windows Account. I changed the  passwords to match and now still seeing Lync logging in constantly
  into Windows Account.
  This is adding up to a LOT of data traffic. Lync should NOT be authenticating every 1-2 minutes into my Windows (Live) Account. Help please!

  Hi,
  Did the issue happen only for you or for multiple users?
  Please exist Lync client, delete user profile on local computer with the following path, then restart Lync client:
  %UserProfile%\AppData\Local\Microsoft\Office\15.0\Lync
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Retrieving Time Machine Files with Windows or Other Mac

  Hi everyone. I'm using a MacBook 4,1 running 10.6.8 and I also have an external hard drive in order to use Time Machine for backup.
  If my MacBook dies then all I'm left with is the aforementioned external drive. However since my files have been backed up via Time Machine – and not the usual copy/paste method – what happens then? Do I need to buy a new Mac or is it possible to retrieve those files with a computer running Windows?
  Please keep in mind that I only have one account – the administrator one – which is password protected, requested at login. In case I can't possibly retrieve them with Windows and I buy a new Mac, will the fact that they are password protected be a problem and prevent me from accessing them?
  I can't possibly try it out myself because I don't have any other Mac or Windows computer/laptop.
  Any insight is more than welcome. Thank you for your time.

  If my current MacBook stops working and I get to buy a new Mac, is it possible to choose individual files (like iTunes libraries only, or pictures folders etc.) from my current Time Machine backup on my external HD and move them to my new Mac, instead of loading my entire backup on to the new one? (including system files and other files that I don't really need).
  Pretty much how one might use Time Machine, where you browse backups by date, find the folders and files that you want and restore them back. You don't restore the entire backup.

• Long time wait for authentication with Windows 2003 AD

  Hello,
  We have a problem with authentication with 2003 AD. If it was no requests from VDI to Windows 2003 AD during some time (10-15 minutes), first request take a lot of time - 3-5 minutes and user need to wait after entering his username/password. Searching users in VDI GUI also take a lot of time in this situation.
  How to resolve this? Size of directory is very small.
  And with 2008 AD and Open LDAP there is no such problem.

  Same thing for 2003, it is called IAS (Internet Authentication Service).
  http://www.microsoft.com/technet/network/ias/default.mspx
  Basically you will set up IAS with a RADIUS Client which would be your wireless access point(s). Then you will set up a remote access policy which will define how connections are authorized or rejected (windows groups, protocols etc.). Don't forget to register IAS with active directory.

• ACS 5.3, EAP-TLS Machine Authentication with Active Directory

  I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
  My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
  Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
  Evaluating Identity Policy
  15006 Matched Default Rule
  22037 Authentication Passed
  22023 Proceed to attribute retrieval
  24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
  24437 Machine not found in Active Directory
  22016 Identity sequence completed iterating the IDStores
  Evaluating Group Mapping Policy
  12506 EAP-TLS authentication succeeded
  11503 Prepared EAP-Success
  Evaluating Exception Authorization Policy
  15042 No rule was matched
  Evaluating Authorization Policy
  15006 Matched Default Rule
  15016 Selected Authorization Profile - Permit Access
  22065 Max sessions policy passed
  22064 New accounting session created in Session cache
  11002 Returned RADIUS Access-Accept
  I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
  Note: In my Identity Store Sequence, I did enable the option:
  For Attribute Retrieval only:
  If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
  but this only seems to work for internal identity stores (at least based on my testing)
  Under my Access Policy Identity tab, I configured the following Advanced features:
  Advanced Options
  If authentication failed
  RejectDropContinue
  If user not found
  RejectDropContinue
  If process failed
  RejectDropContinue
  And that didn't do anything either.
  Any ideas? Thanks in advance.

  Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
  Then can make a rule in the authorization policy such as
  If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

• ACS Server MAC Authentication with Windows Database

  Has anyone setup an ACS Server 3.2 for MAC authentication using Windows as the authentication. The documentation I found shows how to set it up using the CiscoSecure database. Any help would be appreciated.

  Here is the link for setting up MAC authentication using CisoSecure database. There may not be a solution for my setup, but maybe I'll keep hacking away at it and find a resolution.
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b3d27.shtml

• 802.1x Authentication with Windows and MAC

  Hello Team;
                I have one SSID configured with 802.1x . The clients with Mac machines can directly join to the network by just entering the AD usrename and password. For the windows machines we need to do some configuration in the clients machines to work with the SSID.
  Could you please clarify ? Whether the windows machines will just work like the Mac or the preconfiguration is mandatory to work windows with 802.1x.

  Hello Sreejith,
  As per your query i can suggest you the following steps-
  No, the preconfiguration is not mandatory to work windows with 802.1x.To enable 802.1x authntication on wireless follow the steps-
  1.Open Manage Wireless Networks by clicking the Start button , clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then, in the left pane, clicking Manage wireless networks.
  2.Right-click the network that you want to enable 802.1X authentication for, and then click Properties.
  3.Click the Security tab, and then, in the Security Type list, click 802.1X.
  4.In the Encryption Type list, click the encryption type you want to use.
  On wireless networks, 802.1X can be used with Wired Equivalent Privacy (WEP) or Wi‑Fi Protected Access (WPA) encryption.
  5.In the Choose a network authentication method list, click the method you want to use.
  To configure additional settings, click Settings.
  Hope this will help you.

• AD Machine Authentication with Cisco ISE problem

  Hi Experts,
  I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
  Authentication policy:
  Allowed protocol = PEAP & TLS
  Authorization Policy:
  Condition for computer to be checked in external identity store (AD) = Permit access
  Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
  All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
  Switchport configuration:
  ===============================================
  ip access-list extended ACL-DEFAULT
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  permit ip any host (AD)
  permit icmp any any
  permit ip any host (ISE-1)
  permit ip any host  (ISE-2)
  permit udp any host (CUCM-1) eq tftp
  permit udp any host (CUCM-2)eq tftp
  deny ip any any
  ===============================================
  switchport config
  ===============================================
  Switchport Access vlan 10
  switchport mode access
  switchport voice vlan 20
  ip access-group ACL-DEFAULT in
  authentication open
  authentication event fail action next-method
  authentication event server dead action authorize vlan 1
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication timer inactivity 180
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 100
  ====================================================
  One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
  Your help will highly appreciated.
  Regards,

  You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab.  If your switch configuration is on auth failure continue to next method, then this makes sense.  The question is why is the user failing auth but the machine is passing, could be something in the policy.  Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched.  Easy way to check is remove that rule from your policy and see if the same thing happens.
  I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time.  The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
  I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining.  This is great because you can do two part authentication.  EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet.  I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy.

• Wireless Phone 7925 authentication with Windows NPS

  Hello,
  I try to enable Authentication on our Wireless phone 7925 that are connected on WLC.
  Can I use Windows NPS?
  I try to use it without success, phones are not able to authenticate.
  Someone can help me?
  Thanks a lot!
  Seb

  Same thing for 2003, it is called IAS (Internet Authentication Service).
  http://www.microsoft.com/technet/network/ias/default.mspx
  Basically you will set up IAS with a RADIUS Client which would be your wireless access point(s). Then you will set up a remote access policy which will define how connections are authorized or rejected (windows groups, protocols etc.). Don't forget to register IAS with active directory.

• Apache SSL Client Authentication with Windows Mobile

  The biggest question I have here is if anyone has actually made this work. I would think this would be pretty standard...
  On our HTTP server I have protected folders setup with Certificate Based Client Authentication. Each folder requires a unique client certificate.
  This works perfectly with IE & Firefox running on PCs.
  The problem I have is trying to authenticate a Windows Mobile Device.
  I can authenticate the CA certificate but nothing in the client certificate.
  In ssl.conf I have the following parameters for each folder:
  SSLRequire %{SSL_CLIENT_S_DN_O} eq "Our Organization"
  SSLRequire %{SSL_CLIENT_S_DN_CN} eq "User Division Level"
  SSLRequire %{SSL_CLIENT_S_DN_OU} eq "User Level"
  The only parameter that Apache is able to validate from the device is DN_O and that is coming from the CA certificate.
  DN_CN & DN_OU are contained in the user certificate but it is not able to validate those.
  Anyone have any ideas on this?
  Edited by: Alan3 on Nov 20, 2008 2:15 PM

  Bump.
  Is anyone out there using Win Mobile devices with Oracle HTTP server?