802.1x Implementation - Machine Authentication

Hello friends...
I am trying to implement 802.1x in my network, but I have a problem.
I have an environment with Cisco ACS appliance 4.1.2.12, switches 3560 12.2(37)SE1 and clients Microsoft Windows XP and 2000.
My problem is: I want to implement Machine Authentication with PEAP. When I use MS-PEAP (native Windows) the ACS don`t log and the access is not permitted, but when I use Cisco-PEAP (SCC) every works perfectly.
Could you help me? I need that 802.1x works with MS-PEAP...
Regards,
Cris

Following links can help you with the configuration:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t21
Hope this helps
~Rohit

Similar Messages

802.1x PEAP Machine Authentication with MS Active Directory

802.1x PEAP Machine and User Authentication with MS Active Directory:
I have a simple pilot-text environment, with
- Microsoft XP Client,
- Cisco 2960 Switch,
- ACS Solution Engine (4.1.4)
- MS Active Directory on Win 2003 Server
The Remote Agent (at 4.1.4) is on the same server as the MS AD.
User Authentication works correctly, but Machine Authentication fails.
Failed machine authenticaton is reported in the "Failed Attempts" log of the ACS SE.
The Remote Agent shows an error:
See Attachment.
Without Port-Security the XP workstation is able to log on to the domain.
Many thanks for any indication.
Regards,
Stephan Imhof

Is host/TestClientMan.Test.local the name of the machine? What does the AAA tell for you the reason it fails?

OS-X - 802.1x and machine authentication

Hi all
I have a customer with a large installed base of MacBooks Pro running MAC OS-X, connected via WLAN to a centralized Cisco WLC 5508. He also has installed a Cisco ACS 5.x as RADIUS server and Open LDAP as directory services.
The customer wants to do machine authentication based on cthe lients MAC addresses, which means that the ACS 5.x has to check the clients MAC address against the LDAP.
Obviously MACs are not able to send "host/" to differentiate between client- and user-authentication, which by the way works perfect.
- Does anybody have made the same experiences ?
- Has anyone managed to get this running ?
- Can anyone provide me config examples, hint or tipps ?
Everything is very much appreciated since this is an urgent request.
Many thanks in advance
Best regards
Roman

Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
Glad you found resolution with a later version of the OS.
Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400

ISE 1.1 - 24492 Machine authentication against AD has failed

We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
Authentication Summary
Logged At:
March 11,2015 7:00:13.374 AM
RADIUS Status:
RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
RadiusPacketType=Drop
AuthenticationResult=Error
Related Events
Authentication Details
Logged At:
March 11,2015 7:00:13.374 AM
Occurred At:
March 11,2015 7:00:13.374 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
host/LENOVO-PC.tdsouth.com
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:
TDS-PEAP-TLS
Service Type:
Framed
Identity Store:
AD1
Authorization Profiles:
Active Directory Domain:
tdsouth.com
Identity Group:
Allowed Protocol Selection Matched Rule:
TDS-WLAN-DOT1X-EAP-TLS
Identity Policy Matched Rule:
Default
Selected Identity Stores:
Authorization Policy Matched Rule:
SGA Security Group:
AAA Session ID:
ISE-TDS/215430381/40
Audit Session ID:
c0a801e10000007f54ffe828
Tunnel Details:
Cisco-AVPairs:
audit-session-id=c0a801e10000007f54ffe828
Other Attributes:
ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
Posture Status:
EPS Status:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12571 ISE will continue to CRL verification if it is configured for specific CA
12571 ISE will continue to CRL verification if it is configured for specific CA
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
Evaluating Identity Policy
15006 Matched Default Rule
24433 Looking up machine/host in Active Directory - [email protected]
24492 Machine authentication against Active Directory has failed
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
But the user can authenticated by EAP-TLS
AAA Protocol > RADIUS Authentication Detail
RADIUS Audit Session ID :
c0a801e10000007f54ffe828
AAA session ID :
ISE-TDS/215430381/59
Date :
March 11,2015
Generated on March 11, 2015 2:48:43 PM ICT
Actions
Troubleshoot Authentication
View Diagnostic MessagesAudit Network Device Configuration
View Network Device Configuration
View Server Configuration Changes
Authentication Summary
Logged At:
March 11,2015 7:27:32.475 AM
RADIUS Status:
Authentication succeeded
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
TDS-WLAN-PERMIT-ALL
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
[email protected]
State=ReauthSession:c0a801e10000007f54ffe828
Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
Termination-Action=RADIUS-Request
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
Airespace-Wlan-Id=1
Related Events
Authentication Details
Logged At:
March 11,2015 7:27:32.475 AM
Occurred At:
March 11,2015 7:27:32.474 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
[email protected]
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:

Hello,
I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network.

ISE and machine authentication

Hi
I have ISE 1.1 : user authentication is working fine
Now I need to implement machine authentication
But I have 2 requirement
1- User must remove and plug his network cable as he want (without close windows session or restart his computer) and his computer should be authenticated evry time as with user authentication
2- I must not install any software or client applicatin on the computer
Is there any method of machine authentication that respect thise 2 requirements above
Regards

I guess you need to review the below listed thread as we are discussing the same thing. You have to create an authorization rule highlighted in the screen shot.
https://supportforums.cisco.com/message/4044276#4044276
~BR
Jatin Katyal
**Do rate helpful posts**

Machine Authentication by AD

I'm trying to implement Machine Authentication with PEAP in ACS 5.1. The Machine should get autenticated from AD and then user authentication. We don't want to use certificate for authentication. I only selected PEAP EAP-MS-CHAPv2 protocol in Allowed Protocol.
I can authenticate by user but not by machine. We have 2008 AD. Is there any settings or any grouping i have to do on AD side or in ACS.
If someone can give us some suggestion or documentation then it will really help us solve the problem.
Thanks for your help.

The ideal solution to avoid non-domain machines is to put Machine Access Restriction on the ACS. Where in the user has to pass machine authentication and user authentication from the same machine to be allowed access to the network, else if the machine authentication fails (for iphones or non-domain machine) and only user authentication passes-- ACS will deny the user connection.
Here is the details of this feature:
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1053213
Snip:
"ACS machine access restriction (MAR) features use AD to map machine authentication to user authentication and authorization, and sets a the maximal time allowed between machine authentication and an authentication of a user from the same machine. Most commonly, MAR fails authentication of users whose host machine does not successfully authenticate or if the time between machine and user authentication is greater than the specified aging time. You can add MAR as a condition in authentication and authorization rules as required."
Hope that helps!
Regards,
~JG
Do rate helpful posts

802.1X Machine Authentication ONLY!

Hi. I have a customer who wants to perform 802.1x machine authentication only to prevent users connecting there own devices to the corporate network. The machine credentials will be authenticated via Cisco ACS which will proxy the authentication to ActiveDirectory. If successful, the 802.1x assigns the port to a VLAN. At this point, the port is 'opened up' and the user can recieve an IP address and can then login to the domain as normal (AD username/password) via the network login screen. Is this a workable solution?
I basically want the end user to not notice anything new, but 802.1x operates in the background to authenticate the machine before displaying the network login box. To the user, the PC boots and displays the login box and they login as normal :-) If they bring in their own device, it will fail 802.1x machine authentication and will not get any access.
Has anyone implemented this? Is it a feasible design?
Thanks
Darren

Hi Darren,
good news for you.. you can do this using the "Machine Access Restriction" on both ACS 4.x and ACS 5.x:
* ACS 5.x:
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1254965
* ACS 4.x:
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UsrDb.html#wp354105
As soon as the machine performs the 802.1x using the client credentials, the ACS will keep this info on a cache and it will match any further auth attempt (e.g. using the user credentials) for this client using the "Calling-Station-ID", so basically the client's MAC address.
Depending on whether a client performed or not Machine Authentication before, you can decide whether to assign a sort of restricted access/guest VLAN or to deny access.
If the personal client doesn't have a 802.1x supplicant at all, then you can decide to enable the guest vlan feature on the switch itself.
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (none wildcard) certificate loaded for https and EAP. We are just running PEAP. We have a mix of IOS, Android, and Windows 7/8 devices. IOS and Android devices can self create a wireless profile and after entering credentials can connect without issue. Our Windows 7/8 devices, when auto creating a wireless profile are selecting 802.1x machine authentication instead of User authentication or the best option which is machine or user authentication. This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE1.2), or the best option which is to allow both types of authentication? I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither have helped. I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
Thank you for any help or ideas,

When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile. In that profile, 802.1x computer authentication option is chosen by windows. That has to be changed to computer or user for the machine to function correctly on the network.
On 1.2, this behavior was different. The Windows device would auto select user authentication by default. At other customer sites, windows devices auto select user authentication. This of course needs to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

802.1x TLS (Machine certifcate) authentication in Snow Leopard

Hi,
In our company we are using 802.1x TLS authentication for WLAN and in some LAN ports. We are have been delivering machine certificate to our PCs for a while without problems and these are using the certificate to authenticate themselves before login to the network.
We would like to deliver the same user experience to mac users but we are having sever problems to configure them. Our mac users use Snow Leopard and the few references I found on the internet regarding 802.1x TLS authentication is for Leopard or previous versions, where the 802.1x and Keychain configuration is quite different.
We do have a proper machine certificate (with the correct usages, SAN, etc) and it´s related AD object provisioned. I have create the 802.1x profile as "User Prfile" and as a "System Profile" with the same results
I add the Client logs below but what I don´t understand id why the client is sending it´s going to use MSCHap when that is not the case.
<key>TTLSInnerAuthentication</key>
<string>MSCHAPv2</string>
Lastly the Keychain has also a weird behavior. If we import a Root CA in the "login" and/or "System" keychain, mark is as "always Trust" and later we import a certificate created by this Root CA, the keychain UI insist that the certificate "was signed by an unknown authority". For the logs below that does not seams the reason why the client is not able to use the 802.1x TLS but in any case that is a bug.
Client logs:
2010/05/14 10:37:12.872405 update_configuration
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AcceptEAPTypes</key>
<array>
<integer>13</integer>
</array>
<key>Description</key>
<string>Automatic</string>
<key>EAPFASTProvisionPAC</key>
<true/>
<key>EAPFASTUsePAC</key>
<true/>
<key>TLSIdentityHandle</key>
<data>
[Removed]
</data>
<key>TLSTrustedCertificates</key>
<array>
<data>
[In here we have our Internal Root CA we use to create Machine certificate and also to create the certificate used in our IAS Server (the RADIUS)
</data>
</array>
<key>TLSVerifyServerCertificate</key>
<true/>
<key>TTLSInnerAuthentication</key>
<string>MSCHAPv2</string>
</dict>
</plist>
2010/05/14 10:37:12.968769 link up
2010/05/14 10:37:12.968862 Associated SSID [Removed SSID] BSSID [Removed BSSID]
2010/05/14 10:37:12.972850 Receive Packet Size 77
Ether packet: dest f8:1e:df:e4:88:5a source 0:11:5c:c7:14:90 type 0x888e
EAPOL: proto version 0x2 type EAP Packet (0) length 59
EAP Request (1): Identifier 1 Length 59
Identity (1)
length 59 - sizeof(*rd_p) 5 = 54
[Removed. In here there is our networkid,nasid and portid ]
2010/05/14 10:37:12.972955 Supplicant (main) status: state=Connecting
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ClientStatus</key>
<integer>0</integer>
<key>ConfigurationGeneration</key>
<integer>2</integer>
<key>DomainSpecificError</key>
<integer>0</integer>
<key>Mode</key>
<integer>1</integer>
<key>SupplicantState</key>
<integer>1</integer>
<key>Timestamp</key>
<date>2010-05-14T08:37:12Z</date>
<key>UniqueIdentifier</key>
<string>[Removed]</string>
</dict>
</plist>
2010/05/14 10:37:12.976795 EAP Request Identity
2010/05/14 10:37:12.976819 EAP Response Identity [Removed, in here there is the Machine name as appears in the SAN of the certificate ]
2010/05/14 10:37:12.976832 Transmit Packet Size 39
Ether packet: dest 0:11:5c:c7:14:90 source f8:1e:df:e4:88:5a type 0x888e
EAPOL: proto version 0x1 type EAP Packet (0) length 35
EAP Response (2): Identifier 1 Length 35
Identity (1)
length 35 - sizeof(*rd_p) 5 = 30
(Removed raw data with the SAN ]
2010/05/14 10:37:12.977530 Supplicant (main) status: state=Acquired
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ClientStatus</key>
<integer>0</integer>
<key>ConfigurationGeneration</key>
<integer>2</integer>
<key>DomainSpecificError</key>
<integer>0</integer>
<key>IdentityAttributes</key>
<array>
<string>networkid=[Removed our SSID]</string>
<string>nasid=[Removed our WLANC ID]</string>
<string>portid=29</string>
</array>
<key>Mode</key>
<integer>1</integer>
<key>SupplicantState</key>
<integer>2</integer>
<key>Timestamp</key>
<date>2010-05-14T08:37:12Z</date>
<key>UniqueIdentifier</key>
<string>[Removed]</string>
</dict>
</plist>
2010/05/14 10:37:13.022577 force renew
2010/05/14 10:37:13.025323 stop
* Does someone been able to use 802.1x TLS based authentication for Snow Leopard clients and is able to point me to the right direction?
* Does Apple provide any documentation for this? (all I found is that I should contact the "Network Administrator" to get the mac configured!!!))
* How can I make that a certificate issued by a "Private CA" is trsuted in Snow Leopard? All workarounds I found are not suitable for Snow Leopard
Thanks
Jofre

Hi,
some updates, besides the keytools UI issue and the strange logs seams that the request is reaching the RADIUS, a Windows IAS Server.
If we compare a PC and A MAc we have the follwoing.
PC:
1 0.000000 IntelCor_c1:49:69 Cisco_c7:14:90 EAPOL Start
2 0.030210 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748]
3 0.034350 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748] (Repeated)
4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
5 0.135258 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748] (Repeated)
6 0.142715 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, EAP-TLS [RFC5216] [Aboba]
7 0.196988 IntelCor_c1:49:69 Cisco_c7:14:90 TLSv1 Client Hello
8 0.213640 Cisco_c7:14:90 IntelCor_c1:49:69 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
Continues OK
While on a Snow Leopard are:
44 39.196967 Apple_e4:88:5a Cisco_c7:14:90 EAPOL Start
45 39.201062 Cisco_c7:14:90 Apple_e4:88:5a EAPRequest, Identity [RFC3748]
46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
47 39.209543 Cisco_c7:14:90 Apple_e4:88:5a EAPFailure
after analizin the network traces we see that the different is on the 3rd EAP Packet:
PC:
4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAP Response, Identity [RFC3748]
802.1X Authentication
Version: 1
Type: EAP Packet (0)
Length: 40
Extensible Authentication Protocol
Code: Response (2)
Id: 1
Length: 40
Type: Identity [RFC3748] (1)
Identity (35 bytes): host/SAN-NAME01.INTERNALDOMAIN.COM
Mac Snow Leopard:
46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAP Response, Identity [RFC3748]
802.1X Authentication
Version: 1
Type: EAP Packet (0)
Length: 35
Extensible Authentication Protocol
Code: Response (2)
Id: 2
Length: 35
Type: Identity [RFC3748] (1)
Identity (30 bytes): SAN-NAME01.INTERNALDOMAIN.COM
that difference prevents our RADIUS (IAS Server) to authenticate the device properly, with the error:
User SAN-NAME01.INTERNALDOMAIN.COM was denied access.
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.
while in the PC case we have:
PC:
User host/SAN-NAME02.INTERNALDOMAIN.COM was granted access.
Policy-Name = Allow Wireless Lan Access With Certificate
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
* Question1: Is there a way to ensure that the Snow Leopard added the "host/" at the begining of the Identity?
* Question2: Did someone been able to connect a Snow Leopard to a WLAN protected with 802.1x using TLS?
Thanks
Jofre

Mac & 802.1x Machine Authentication to Microsoft AD using PEAP

We are having trouble successfully connecting wirelessly our Active Directory-bound Macs to our internal 802.1x wireless network using EAP-PEAP with machine authentication. All of our Windows machines work fine. We have a network profile built out of JAMF, with some generic payloads configured, including Use Directory Authentication and the appropriate Verisign certificate attached to authenticate to the Cisco Radius Server onsite. We are able to connect to this wireless network when we also have the machine directly connected via Ethernet. Somehow this causes the Mac to pass the correct domainhost\machinename. When we aren't connected directly, the Mac attempts to authenticate with the incorrect domainhost in front of the correct \machinename. The logs from Console are attached below:
Apr 22 13:37:28 MACHINENAME eapolclient[****]: System Mode Using AD Account '(wrongdomain)\machinenameinAD$'
Apr 22 13:37:28 MACHINENAME eapolclient[****]: en0 PEAP: authentication failed with status 1
Apr 22 13:37:28 MACHINENAME eapolclient[****]: peap_request: ignoring non PEAP start frame
Apr 22 13:37:31 MACHINENAME eapolclient[****]: en0 STOP
Apr 22 13:37:52 MACHINENAME eapolclient[****]: opened log file '/var/log/eapolclient.en0.log'
Apr 22 13:37:52 MACHINENAME eapolclient[****]: System Mode Using AD Account '(correctdomain)\machinenameinAD$'
Apr 22 13:37:52 MACHINENAME eapolclient[****]: en0 START
Apr 22 13:37:53 MACHINENAME eapolclient[****]: eapmschapv2_success_request: successfully authenticated
The first, unsuccessful attempt above is when we are attempting to authenticate and connect wirelessly without a connection to ethernet. The 2nd, successful attempt is when are also connected to Ethernet, which passes the correct domain name, properly authenticating the domain\machinename. After reboot, we have to again plug in directly to Ethernet to reauthenticate to this wirelss network. Any idea(s) why plugging into Ethernet would cause the Mac to send the correct domainhost? Thanks.

Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
Glad you found resolution with a later version of the OS.
Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400

802.1x Wireless - Enforce user AND machine authentication

I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
I'd rather not have to deploy user and machine certificates.
All I want to do is allow access to the wireless network only if the device and the user are in AD.
It's such a simple scenario that I must be missing something.
Any suggestions are welcome. Thanks in advance for your comments.
Lucas

In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as radius backend, last time i looked in ACS release notes was 5.4, and it didn't have eap-chaining support.
Using the built-in windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed), What most people miss when they say this will work fine with windows supplicant and acs, is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine, this is mainly due to the shortcomings.of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

802.1x Machine Authentication without AD

Hello,
I'm new to 802.1x security, and i'm wondering if it's possible to do windows machine authentication without an active directory?
Thanks,
Dan.

Hi,
Windows Machine authentication requires machine credentials, and these credentials can only exist on the AD.
What you can do is authenticate the machine using its MAC address (Mac authentication bypass), and for this you only need to configure mab on the switch, make sure the client do not speak dot1x and create the user with username/password = mac address on the RADIUS server.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Anyconnect 802.1x - "switch user" is blocked in machine authentication

hi all,
I know this is not a bug its a feature
that anyconnect blocks user switching disallowing the computer to have them both logged in. Its desirable and understandable
however
I have an environment where I use only machine authentication and remote helpdesk needs to connect to these machines using some application then they "switch user" to do their tasks (its important not to logoff cause there are some transactions in the background ...)
Is there any chance that the new version of anyconnect will have this feature (maybe its already planned on the roadmap ? )
for machine authentication there should be a checkbox for profile administrator to "allow/disallow users to switch"
or maybe there is already some trick/configuration step that I missed and it can be done?
regards
Przemek

hi all,
I know this is not a bug its a feature
that anyconnect blocks user switching disallowing the computer to have them both logged in. Its desirable and understandable
however
I have an environment where I use only machine authentication and remote helpdesk needs to connect to these machines using some application then they "switch user" to do their tasks (its important not to logoff cause there are some transactions in the background ...)
Is there any chance that the new version of anyconnect will have this feature (maybe its already planned on the roadmap ? )
for machine authentication there should be a checkbox for profile administrator to "allow/disallow users to switch"
or maybe there is already some trick/configuration step that I missed and it can be done?
regards
Przemek

Is LDAP or AD as a external identity store recommended in ISE implementation for machine authentication

Hi Experts,
I have question about External identity store integration in ISE . I had chance to go through the cisco doc for ISE configuration especially for external identity store .
there are two ways to configure external identity store.
1) AD
2) LDAP
Which one is actually recommended ? technically which one would be convinient to configure to set-up machine authentication. do we have any limitation in terms of functionality in either of one ?

Hi Leo,
its not duplicate post , I have created one more post where you have linked that is for client policy enforcement . I want to understand how certificates will be pushed to client.
This post is to understand the LDAP & AD intergration with ISE .
I have requirement where client is asking to intergrate machine database using LDAP.
I am quite new for LDAP intergration that is the reason I have created this discussion.

Machine authentication in Aironet

i'm trying to authenticate laptops to Active directory before joining wireless AP (aironet 1240A)
i'm using EAP in AP
and PEAP with certificates in NPS
i'm forcing laptops to use "computer authentication" through a GPO
certificates already deployed to All machines
policy is configured in NPS with "machine group" condition
the problem i'm facing that their is some laptops are authenticated successfully while the others are not
all machines are using windows 7 and located in the same Active Directory OU (same GPO applied)
here is what i saw in AP after enabling debug radius authentication
the working machines
*Mar 4 20:25:34.125: RADIUS/ENCODE(00000009):Orig. component type = DOT11
*Mar 4 20:25:34.125: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:25:34.126: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:25:34.126: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:25:34.126: RADIUS: 32 [2]
*Mar 4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
*Mar 4 20:25:34.126: RADIUS/ENCODE(00000009): acct_session_id: 8
*Mar 4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
*Mar 4 20:25:34.126: RADIUS(00000009): sending
*Mar 4 20:25:34.127: RADIUS(00000009): Send Access-Request to X.Y.64.30:1812 id 1645/8, len 160
*Mar 4 20:25:34.127: RADIUS: authenticator AC E6 88 FF CD B5 F3 CE - EA 56 67 37 2F 72 B5 C5
*Mar 4 20:25:34.127: RADIUS: User-Name [1] 23 "host/FADI-LT.domain.com"
*Mar 4 20:25:34.127: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:25:34.128: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:25:34.128: RADIUS: Calling-Station-Id [31] 16 "0811.9699.ba30"
*Mar 4 20:25:34.128: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:25:34.128: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:25:34.128: RADIUS: 1C 45 ED 5A 5D 1E DA 88 73 E5 D3 16 9F A2 62 A9 [?E?Z]???s?????b?]
*Mar 4 20:25:34.128: RADIUS: EAP-Message [79] 28
*Mar 4 20:25:34.128: RADIUS: 02 02 00 1A 01 68 6F 73 74 2F 46 41 44 49 2D 4C [?????host/FADI-L]
*Mar 4 20:25:34.129: RADIUS: 54 2E 61 64 61 73 69 2E 61 65 [T.domain.com]
*Mar 4 20:25:34.129: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:25:34.129: RADIUS: NAS-Port [5] 6 263
*Mar 4 20:25:34.129: RADIUS: NAS-Port-Id [87] 5 "263"
*Mar 4 20:25:34.129: RADIUS: NAS-IP-Address [4] 6 10.10.64.229
*Mar 4 20:25:34.129: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:25:34.166: RADIUS: Received from id 1645/8 10.10.64.30:1812, Access-Challenge, len 90
*Mar 4 20:25:34.167: RADIUS: authenticator 36 94 18 74 91 6F AA 0E - D4 D7 DC 48 A8 53 43 68
*Mar 4 20:25:34.167: RADIUS: Session-Timeout [27] 6 30
*Mar 4 20:25:34.167: RADIUS: EAP-Message [79] 8
*Mar 4 20:25:34.167: RADIUS: 01 03 00 06 0D 20 [????? ]
*Mar 4 20:25:34.167: RADIUS: State [24] 38
the non working machines
*Mar 4 20:26:18.949: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
*Mar 4 20:26:18.949: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:26:18.949: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:26:18.949: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:26:18.949: RADIUS: 32 [2]
*Mar 4 20:26:18.949: RADIUS(0000000A): Config NAS IP: X.Y.64.229
*Mar 4 20:26:18.950: RADIUS/ENCODE(0000000A): acct_session_id: 9
*Mar 4 20:26:18.950: RADIUS(0000000A): Config NAS IP: X.Y.64.229
*Mar 4 20:26:18.950: RADIUS(0000000A): sending
*Mar 4 20:26:18.950: RADIUS(0000000A): Send Access-Request to X.Y.64.30:1812 id 1645/11, len 150
*Mar 4 20:26:18.951: RADIUS: authenticator 17 64 A0 78 8E 49 12 7C - 79 8A 55 17 79 1F D5 A1
*Mar 4 20:26:18.951: RADIUS: User-Name [1] 18 "domain\username"
*Mar 4 20:26:18.951: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:26:18.951: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:26:18.951: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.951: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:26:18.951: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.951: RADIUS: 06 FC 55 89 6D 45 AA E5 8A 73 73 2C 82 87 28 BA [??U?mE???ss,??(?]
*Mar 4 20:26:18.952: RADIUS: EAP-Message [79] 23
*Mar 4 20:26:18.952: RADIUS: 02 02 00 15 01 41 44 41 53 49 5C 66 61 64 69 2E [?????domain\user]
*Mar 4 20:26:18.952: RADIUS: 61 64 6D 69 6E [name]
*Mar 4 20:26:18.952: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:26:18.952: RADIUS: NAS-Port [5] 6 264
*Mar 4 20:26:18.952: RADIUS: NAS-Port-Id [87] 5 "264"
*Mar 4 20:26:18.952: RADIUS: NAS-IP-Address [4] 6 X.Y.64.229
*Mar 4 20:26:18.953: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:26:18.980: RADIUS: Received from id 1645/11 X.Y.64.30:1812, Access-Challenge, len 90
*Mar 4 20:26:18.980: RADIUS: authenticator 54 84 DD 91 72 03 E9 08 - EA 61 C0 B3 B5 D6 9A 42
*Mar 4 20:26:18.981: RADIUS: Session-Timeout [27] 6 30
*Mar 4 20:26:18.981: RADIUS: EAP-Message [79] 8
*Mar 4 20:26:18.981: RADIUS: 01 03 00 06 0D 20 [????? ]
*Mar 4 20:26:18.981: RADIUS: State [24] 38
*Mar 4 20:26:18.981: RADIUS: 15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E [???????7??????@?]
*Mar 4 20:26:18.982: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 [????????????????]
*Mar 4 20:26:18.982: RADIUS: 55 9E B9 77 [U??w]
*Mar 4 20:26:18.982: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.982: RADIUS: 1A EC 06 E6 E0 46 C4 06 15 87 E9 26 30 49 63 47 [?????F?????&0IcG]
*Mar 4 20:26:18.983: RADIUS(0000000A): Received from id 1645/11
*Mar 4 20:26:18.983: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
*Mar 4 20:26:18.986: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
*Mar 4 20:26:18.986: RADIUS: AAA Unsupported Attr: ssid [265] 9
*Mar 4 20:26:18.986: RADIUS: 63 6F 72 70 6F 72 61 [corpora]
*Mar 4 20:26:18.987: RADIUS: AAA Unsupported Attr: interface [157] 3
*Mar 4 20:26:18.987: RADIUS: 32 [2]
*Mar 4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
*Mar 4 20:26:18.987: RADIUS/ENCODE(0000000A): acct_session_id: 9
*Mar 4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
*Mar 4 20:26:18.987: RADIUS(0000000A): sending
*Mar 4 20:26:18.988: RADIUS(0000000A): Send Access-Request to 10.10.64.30:1812 id 1645/12, len 173
*Mar 4 20:26:18.988: RADIUS: authenticator 37 26 0B EC 12 5D 6A E5 - 22 1A 27 4A B0 5B E2 AA
*Mar 4 20:26:18.988: RADIUS: User-Name [1] 18 "domain\username"
*Mar 4 20:26:18.988: RADIUS: Framed-MTU [12] 6 1400
*Mar 4 20:26:18.988: RADIUS: Called-Station-Id [30] 16 "0027.0c68.1dc0"
*Mar 4 20:26:18.988: RADIUS: Calling-Station-Id [31] 16 "0022.faf1.9258"
*Mar 4 20:26:18.988: RADIUS: Service-Type [6] 6 Login [1]
*Mar 4 20:26:18.988: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.989: RADIUS: 3D 11 05 D8 6E DF 92 2B 51 EC BA BA FB C4 10 5F [=???n??+Q??????_]
*Mar 4 20:26:18.989: RADIUS: EAP-Message [79] 8
*Mar 4 20:26:18.989: RADIUS: 02 03 00 06 03 19 [??????]
*Mar 4 20:26:18.989: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Mar 4 20:26:18.989: RADIUS: NAS-Port [5] 6 264
*Mar 4 20:26:18.989: RADIUS: NAS-Port-Id [87] 5 "264"
*Mar 4 20:26:18.989: RADIUS: State [24] 38
*Mar 4 20:26:18.990: RADIUS: 15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E [???????7??????@?]
*Mar 4 20:26:18.990: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 [????????????????]
*Mar 4 20:26:18.990: RADIUS: 55 9E B9 77 [U??w]
*Mar 4 20:26:18.990: RADIUS: NAS-IP-Address [4] 6 X.Y.64.229
*Mar 4 20:26:18.990: RADIUS: Nas-Identifier [32] 4 "AP"
*Mar 4 20:26:18.992: RADIUS: Received from id 1645/12 10.10.64.30:1812, Access-Reject, len 44
*Mar 4 20:26:18.992: RADIUS: authenticator 76 30 DF F4 7A 36 AC E7 - 20 AA 83 C1 05 8B 62 EC
*Mar 4 20:26:18.992: RADIUS: EAP-Message [79] 6
*Mar 4 20:26:18.993: RADIUS: 04 03 00 04 [????]
*Mar 4 20:26:18.993: RADIUS: Message-Authenticato[80] 18
*Mar 4 20:26:18.993: RADIUS: FD 21 74 AF A8 7F A1 A5 9E CE 3A 35 45 DA EA C9 [?!t???????:5E???]
*Mar 4 20:26:18.993: RADIUS(0000000A): Received from id 1645/12
*Mar 4 20:26:18.994: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar 4 20:26:18.994: %DOT11-7-AUTH_FAILED: Station 0022.faf1.9258 Authentication failed
obviously the machine who send machine name (host\machinename) will be authenticated successfully
and machines who send username (domain\username) will not be authenticated successfully
now
i tested those unsuccessful machines in a wired dot1x switch using the same NPS policy and they were sending their machine names instead of usernames and they were authenticated successfully
i suspected that this is maybe because of the AP config
here it is
Current configuration : 2662 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP
enable secret 5 $1$gtul$Uhe4qVAC8GN0drownggAb0
aaa new-model
aaa group server radius rad_eap
server X.Y.64.30 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
ip domain name domain
dot11 ssid corporate
vlan 64
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
mbssid guest-mode
dot11 network-map
power inline negotiation prestandard source
username Cisco password 7 13261E010803
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 64 mode ciphers aes-ccm
ssid corporate
mbssid
station-role root
interface Dot11Radio0.64
encapsulation dot1Q 64 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.64
encapsulation dot1Q 64 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address X.Y.64.229 255.255.255.0
no ip route-cache
ip default-gateway X.Y.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community cable RO
snmp-server enable traps tty
radius-server attribute 32 include-in-access-req format %h
radius-server host X.Y.64.30 auth-port 1812 acct-port 1813 key 7 104F0D18161E2D1E0D071538212B213036
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 5 15
end

Hi,
You will need o be more specific so we can help you.
What exactly is happening/not working?
Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.
Is your PC doing machine authentication?
HTH,
Tiag
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

802.1x Implementation - Machine Authentication

Similar Messages

Maybe you are looking for