802.1x Machine Authentication without AD

Hello,
I'm new to 802.1x security, and I'm wondering if it's possible to do Windows machine authentication without an Active Directory?
Thanks,
Dan.

Hi,
Windows Machine authentication requires machine credentials, and these credentials can only exist on the AD.
What you can do is authenticate the machine using its MAC address (MAC authentication bypass), and for this you only need to configure MAB on the switch, make sure the client does not speak dot1x and create the user with username/password = MAC address on the RADIUS server.
HTH,
Tiago
If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
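The RADIUS-side decision that MAC authentication bypass depends on, as an added example that is not part of the original thread. It assumes the attributes have already been decoded by the RADIUS server and that the switch marks MAB requests with Service-Type Call-Check (10), as Cisco IOS switches do; the function names and the sample MAC addresses are constructed for illustration.

```python
import re

# RADIUS Service-Type values from RFC 2865.
SERVICE_TYPE_FRAMED = 2        # what an 802.1X supplicant session carries
SERVICE_TYPE_CALL_CHECK = 10   # assumption: what the switch sends for MAB


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address.

    Accepts 00-0E-7B-30-FA-08, 00:0e:7b:30:fa:08, 000e.7b30.fa08 and
    000e7b30fa08, so the enrolment list and the request compare equal.
    """
    digits = re.sub(r"[-:.]", "", value.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def authorize_mab(request, allowed_macs):
    """Decide on one Access-Request given as a dict of decoded attributes.

    Returns (accept, reason).
    """
    user = normalize_mac(request.get("User-Name", ""))
    if user is None:
        return False, "User-Name is not a MAC address; not a MAB request"
    if request.get("Service-Type") != SERVICE_TYPE_CALL_CHECK:
        # The password of a MAC-named account is the MAC itself, so the
        # account must not be accepted for any other kind of login.
        return False, "MAC-named account used outside MAB"
    if normalize_mac(request.get("User-Password", "")) != user:
        return False, "password does not match the MAC address"
    if normalize_mac(request.get("Calling-Station-Id", "")) != user:
        return False, "User-Name does not match Calling-Station-Id"
    if user not in allowed_macs:
        return False, "MAC address not enrolled"
    return True, "MAB accepted"


# Constructed enrolment list, written in two different MAC spellings.
ENROLLED = {normalize_mac(m) for m in ("02-00-5E-10-00-01", "0200.5e10.0002")}


def demo():
    """Run four constructed requests through the check."""
    base = {
        "User-Name": "02005e100001",
        "User-Password": "02005e100001",
        "Service-Type": SERVICE_TYPE_CALL_CHECK,
        "Calling-Station-Id": "02-00-5E-10-00-01",
    }
    framed = dict(base, **{"Service-Type": SERVICE_TYPE_FRAMED})
    unknown = dict(base, **{
        "User-Name": "02005e1000ff",
        "User-Password": "02005e1000ff",
        "Calling-Station-Id": "02-00-5E-10-00-FF",
    })
    mismatch = dict(base, **{"Calling-Station-Id": "02-00-5E-10-00-FF"})
    return [authorize_mab(r, ENROLLED) for r in (base, framed, unknown, mismatch)]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", "-", reason)
```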

Similar Messages

  • ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

    We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (non-wildcard) certificate loaded for https and EAP. We are just running PEAP. We have a mix of iOS, Android, and Windows 7/8 devices. iOS and Android devices can self create a wireless profile and after entering credentials can connect without issue. Our Windows 7/8 devices, when auto creating a wireless profile, are selecting 802.1x machine authentication instead of User authentication or the best option which is machine or user authentication. This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE1.2), or the best option which is to allow both types of authentication? I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither has helped. I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
    Thank you for any help or ideas,

    When connecting a Windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile. In that profile, the 802.1x computer authentication option is chosen by Windows. That has to be changed to computer or user for the machine to function correctly on the network.
    On 1.2, this behavior was different. The Windows device would auto select user authentication by default. At other customer sites, Windows devices auto select user authentication. This of course needs to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

  • 802.1X Machine Authentication ONLY!

    Hi. I have a customer who wants to perform 802.1x machine authentication only to prevent users connecting their own devices to the corporate network. The machine credentials will be authenticated via Cisco ACS which will proxy the authentication to Active Directory. If successful, the 802.1x assigns the port to a VLAN. At this point, the port is 'opened up' and the user can receive an IP address and can then login to the domain as normal (AD username/password) via the network login screen. Is this a workable solution?
    I basically want the end user to not notice anything new, but 802.1x operates in the background to authenticate the machine before displaying the network login box. To the user, the PC boots and displays the login box and they login as normal :-) If they bring in their own device, it will fail 802.1x machine authentication and will not get any access.
    Has anyone implemented this? Is it a feasible design?
    Thanks
    Darren

    Hi Darren,
    Good news for you: you can do this using the "Machine Access Restriction" on both ACS 4.x and ACS 5.x:
    * ACS 5.x:
    http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1254965
    * ACS 4.x:
    http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UsrDb.html#wp354105
    As soon as the machine performs the 802.1x using the client credentials, the ACS will keep this info in a cache and it will match any further auth attempt (e.g. using the user credentials) for this client using the "Calling-Station-ID", so basically the client's MAC address.
    Depending on whether or not a client performed Machine Authentication before, you can decide whether to assign a sort of restricted access/guest VLAN or to deny access.
    If the personal client doesn't have an 802.1x supplicant at all, then you can decide to enable the guest VLAN feature on the switch itself.
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
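A small model of the Machine Access Restriction cache described in the answer above, as an added example that is not ACS code and not part of the original post. It assumes machine identities are recognised by the "host/" prefix seen in the logs on this page and that cache entries age out after a configurable time; the class, function and decision names are hypothetical.

```python
import re

MACHINE_PREFIX = "host/"   # machine identities on this page look like host/name


def mac_key(calling_station_id):
    """Reduce any common MAC spelling to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", calling_station_id.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return digits


class MarCache:
    """Remembers which Calling-Station-Id values recently passed machine auth."""

    def __init__(self, aging_seconds):
        self.aging_seconds = aging_seconds       # assumption: entries expire
        self._last_machine_auth = {}             # MAC key -> time of last pass

    def record(self, calling_station_id, now):
        self._last_machine_auth[mac_key(calling_station_id)] = now

    def is_fresh(self, calling_station_id, now):
        key = mac_key(calling_station_id)
        seen = self._last_machine_auth.get(key)
        if seen is None:
            return False
        if now - seen > self.aging_seconds:
            # Aged out: the endpoint must repeat machine authentication.
            del self._last_machine_auth[key]
            return False
        return True


def on_auth_success(cache, user_name, calling_station_id, now,
                    fallback="restricted-vlan"):
    """Map one successful authentication to an authorization result.

    fallback is what a user gets without prior machine authentication:
    "restricted-vlan" or "deny", the two choices named in the post.
    """
    if fallback not in ("restricted-vlan", "deny"):
        raise ValueError("unknown fallback: %r" % fallback)
    if user_name.lower().startswith(MACHINE_PREFIX):
        cache.record(calling_station_id, now)
        return "machine-access"
    # The user session is tied to the machine only through the MAC address.
    if cache.is_fresh(calling_station_id, now):
        return "full-access"
    return fallback


def demo():
    """Constructed timeline (seconds) for one corporate PC and one other device."""
    cache = MarCache(aging_seconds=3600)
    return [
        on_auth_success(cache, "host/pc01.example.com", "02-00-5E-10-00-01", 0),
        # Same PC, MAC reported in a different spelling by another device.
        on_auth_success(cache, "EXAMPLE\\alice", "0200.5e10.0001", 60),
        # Valid user on a device that never did machine authentication.
        on_auth_success(cache, "EXAMPLE\\alice", "02:00:5e:10:00:99", 120),
        # Same PC after the entry aged out without a new machine auth.
        on_auth_success(cache, "EXAMPLE\\alice", "02-00-5E-10-00-01", 4000,
                        fallback="deny"),
    ]


if __name__ == "__main__":
    print(demo())
```

The last case is the one to plan for when choosing the aging time: a corporate PC whose cache entry has expired is treated exactly like a personal device until it repeats machine authentication.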

  • Mac & 802.1x Machine Authentication to Microsoft AD using PEAP

    We are having trouble successfully connecting wirelessly our Active Directory-bound Macs to our internal 802.1x wireless network using EAP-PEAP with machine authentication. All of our Windows machines work fine. We have a network profile built out of JAMF, with some generic payloads configured, including Use Directory Authentication and the appropriate Verisign certificate attached to authenticate to the Cisco Radius Server onsite. We are able to connect to this wireless network when we also have the machine directly connected via Ethernet. Somehow this causes the Mac to pass the correct domainhost\machinename. When we aren't connected directly, the Mac attempts to authenticate with the incorrect domainhost in front of the correct \machinename. The logs from Console are attached below:
    Apr 22 13:37:28 MACHINENAME eapolclient[****]: System Mode Using AD Account '(wrongdomain)\machinenameinAD$'
    Apr 22 13:37:28 MACHINENAME eapolclient[****]: en0 PEAP: authentication failed with status 1
    Apr 22 13:37:28 MACHINENAME eapolclient[****]: peap_request: ignoring non PEAP start frame
    Apr 22 13:37:31 MACHINENAME eapolclient[****]: en0 STOP
    Apr 22 13:37:52 MACHINENAME eapolclient[****]: opened log file '/var/log/eapolclient.en0.log'
    Apr 22 13:37:52 MACHINENAME eapolclient[****]: System Mode Using AD Account '(correctdomain)\machinenameinAD$'
    Apr 22 13:37:52 MACHINENAME eapolclient[****]: en0 START
    Apr 22 13:37:53 MACHINENAME eapolclient[****]: eapmschapv2_success_request: successfully authenticated
    The first, unsuccessful attempt above is when we are attempting to authenticate and connect wirelessly without a connection to Ethernet. The 2nd, successful attempt is when we are also connected to Ethernet, which passes the correct domain name, properly authenticating the domain\machinename. After reboot, we have to again plug in directly to Ethernet to reauthenticate to this wireless network. Any idea(s) why plugging into Ethernet would cause the Mac to send the correct domainhost? Thanks.

    Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
    Glad you found resolution with a later version of the OS.
    Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400

  • Eap-tls wireless machine authentication without AD

    Hi all,
    I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN (before logon)
    I can make the user get a cert from my CA, login as local & connect to WLAN through EAP-TLS without any problem.
    With admin account I can get Windows to put user's cert into the machine store (Machine Account Personal Certificate Store),
    but when it comes to a login attempt the RADIUS UserName looks like "host/username" instead of "username" as in user authentication.
    My question is: do I need to configure an Identity Store (like AD) for machine authentication on ACS, or can I make use of the configuration as for user previously (on ACS for user authentication, the Identity Store is Certificate Authentication Profile --> Certificate CN value)?
    Clients are WinXPSP3, and I'm using CiscoACS 5.2, MS Certificate Services CA, WLC 4402, LAP 1252
    Note: in my case, each user will have their own laptop so it's best if the machine is authenticated under user's name.
    Thanks for your help,

    Assuming you're using the stock XP wifi client.
    When running XPSP3, you need to set two things:
    1) force one registry setting.
    According to
    http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
    You need to force usage of machine cert-store certificate:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
    "AuthMode"=dword:00000002
    2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
    - show available wireless networks
    - change advanced settings
    - wireless networks tab
    - select your SSID, and then hit the "properties" button
    - select authentication tab, and then hit "properties" button
    - search for your signing CA, and check the box.
    I did it with a not-so-simple AutoIt script, using the "native wifi functions" addon.
    Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
    Please cross reference to
    https://supportforums.cisco.com/message/3280232
    for a better description of the whole setup.
    Ivan

  • ACS 5.1 Failure: 5411 EAP session timed out -- Wired 802.1X, machine-authentication

    Hi guys,
    I have a strange error here and I'm really disappointed.
    We currently try to do "Wired-802.1X" with our Windows XP SP3 Clients with EAP-TLS and "machine-only" authentication.
    We use ACS5.1 to authenticate the clients. At about 50% of the clients authentication works fine.
    At the other clients we can see a strange error at the ACS.
    At the Reports page --> "Authentications - RADIUS - Today" we see that a client is trying to authenticate, but this fails with the Failure Code: 5411 EAP session timed out.
    Report columns: Logged At | RADIUS Status | NAS Failure | Details | Username | MAC/IP Address | Access Service | Authentication Method | Network Device | NAS IP Address | NAS Port ID | CTS Security Group | ACS Instance | Failure Reason
    Logged At: Sep 2,10 3:37:46.916 PM
    Access Service: Wired_802.1X_EAP-TLS
    Authentication Method: EAP-TLS
    ACS Instance: svacs01
    Failure Reason: 5411 EAP session timed out
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Wired_802.1X_EAP-TLS
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    5411  EAP session timed out
    At the switch I used "Authentication Open" to get the client working and capture traffic with wireshark.
    Switch --> Request Identity --> Client
    Switch <-- Response Identity <-- Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request Identity --> Client
    Switch --> Request Identity --> Client
    Switch --> Request Identity --> Client
    What is missing is the Switch <-- Response EAP-TLS <-- Client
    Any ideas what is going wrong ? Maybe someone had this error before ?
    Any suggestions how to debug this ?
    Thank you very much for your help!
    Mathias

    Hi @all,
    I have this issue too. It occurs in our wireless environment. The problem for me is that I don't know which client (or clients) causes the error. The error occurs many times per day.
    Report columns: Logged At | RADIUS Status | NAS Failure | Details | Username | MAC/IP Address | Access Service | Authentication Method | Network Device | NAS IP Address | NAS Port ID | CTS Security Group | ACS Instance | Failure Reason
    Logged At: Sep 7,10 11:50:36.143 PM
    Access Service: dot1x wireless
    Authentication Method: PEAP
    ACS Instance: bfnetacs01
    Failure Reason: 5411 EAP session timed out
    Kind regards,
    Michael

  • 802.1x, Machine Authentication, Active Directory and eDirectory

    Does anyone think this is feasible as a solution...
    Problem Definition.
    1) Machines all use the netware Client and authenticate to eDirectory initially, then to AD.
    2) I want to use ACS, not Free Radius.
    3) I don't want to use a 3rd party supplicant.
    Possible solution...
    Does anyone think it might be possible to authenticate a machine using a certificate into AD before the user logs in using the netware client. My thinking being this... the user (or machine in this case) will have already been identified as trusted (through AD), will be connected to the network when the user submits their netware credentials. This would mean that netware could be left out of the 802.1x process completely and yet the user would still get a single sign on experience.

    I did. Basically the scenario I described in the original post worked.
    The only caveat is that user auth still occurs through 802.1x once you submit the user credentials. There are registry hacks which disable this if you solely want to use machine auth.
    hope this helps

  • Machine authentication not working with peap mschapv2

    I have installed ACS ver 4.1.1 trial downloaded from Cisco web sites. I have configured 802.1x machine authentication using a self-generated certificate, with the unknown user policy configured for Windows database authentication. I can authenticate users via PEAP authentication, but I can never get the machine authentication working. In failed attempted.psv, I found "EAP-TLS or PEAP authentication failed during SSL handshake". In the auth.log I found the message below:
    TH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::CreateContext: new context id=3
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/paul2.test.com
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Service-Type=2
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Framed-MTU=1500
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Called-Station-Id=00-11-93-69-C5-9A
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=00-0E-7B-30-FA-08
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: EAP-Message=(binary value)
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Message-Authenticator=(binary value)
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port-Type=15
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port=50024
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-IP-Address=10.20.209.2
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-NAS-Vendor-14=1
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-Service-ID-0=0
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::SelectService: context id=3; no profile was matched - using default (0)
    AUTH 03/02/2008 07:01:13 I 5081 6184 Done RQ1152, client 2, status 0
    AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 7.
    AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1026, client 50 (127.0.0.1)
    AUTH 03/02/2008 07:01:13 I 0143 6448 [PDE]: PolicyMgr::Process: request type=5; context id=3; applied default profiles (0) - do nothing
    AUTH 03/02/2008 07:01:13 I 5394 6448 Attempting authentication for Unknown User 'host/paul2.test.com'
    AUTH 03/02/2008 07:01:13 I 1645 6448 pvAuthenticateUser: authenticate 'host/paul2.test.com' against CSDB
    AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1026, client 50, status -2046
    AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 8.
    AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
    AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
    AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2046
    AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 9.
    AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
    AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
    AUTH 03/02/2008 07:01:13 E 0381 6448 EAP: PEAP: ProcessResponse: invalid TLS data size received: 0
    AUTH 03/02/2008 07:01:13 I 0381 6448 EAP: PEAP: Second phase: 0 authentication FAILED
    AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2120
    AUTH 03/02/2008 07:01:13 I 5094 6184 Worker 0 processing message 36.
    If anyone can shed some light on this.
    Cheers,
    Andy

  • EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP

    Hello all,
    I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
    His intended network plan is to use Vista Laptops doing Machine authentication only towards an ACS server integrated with a non-Microsoft LDAP server. The mechanism of choice is EAP-TLS.
    We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
    The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
    When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
    All of this appears to be successful the first time.
    If we disassociate the machine, the problems start. The accounting STOP message is never sent.
    Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
    Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
    My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
    If someone can give me a pointer on how to make this work, or if I'm hitting a bug in ACS.
    Thanks
    Gustavo


  • MAC OS machine authentication

    Any help with configuring Mac OS to work with ISE and 802.1x machine authentication?

    Hi,
    You will need to have the Mac OS X machine join the Active Directory domain so it can have the proper machine credentials. If joining the MacBook to Active Directory is not a viable solution then having a certificate issued to the MacBook would be another option, but you would have to use a user certificate.
    If we take a step back, why are you looking to perform machine authentication for a macbook?
    Reference material -
    http://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/
    You will need to use a lion server to build a profile based on the instructions above.
    Thanks
    Tarik Admani
    *Please rate helpful posts*

  • PEAP strong machine authentication

    Hello there,
    I have some questions regarding PEAP authentication. Specifically how Machine Authentication works and how it is secured. It seems that if I have enabled Machine Authentication in my network, everyone who knows the PC domain name can access the network, is it true?
    Here is what I mean “ Machine Authentication allows your PC to connect to the network by authenticating as "Computer" before a legitimate user logs in. This allows a machine to obtain group policies just like it was connected to a wired network and this is a unique feature of the Windows Client.”
    I get this from http://www.techrepublic.com/article/ultimate-wireless-security-guide-manual-peap-deployment-for-windows-wireless-client/6148574.
    So I was looking at the ACS logs and it seems that the PC just sent its domain name to ACS, and it authenticates the computer by its name. After this the computer has access to the network.
    So could you please tell me how I can implement strong machine authentication without going the EAP-TLS way?

    Please see your answers in line:
    I have some questions regarding PEAP authentication. Specifically how Machine Authentication works and how it is secured. It seems that if I have enabled Machine Authentication in my network, everyone who knows the PC domain name can access the network, is it true?
    This is not true, there is much more to machine authentication than just knowing your domain name. For machine authentication to occur, a computer must be joined to the domain using an admin account. The machine credentials are acquired dynamically (they are not set by any administrator or user) through Kerberos and with default settings usually change every 30 days.
    Here is what I mean “ Machine Authentication allows your PC to connect to the network by authenticating as "Computer" before a legitimate user logs in. This allows a machine to obtain group policies just like it was connected to a wired network and this is a unique feature of the Windows Client.”
    Yes, the main purpose of machine authentication is to allow machine GPO to execute and give the computer network access during the bootup process. When a user authenticates, the supplicant will not allow any traffic flow until it receives an EAP-Success for the user transaction.
    I get this from http://www.techrepublic.com/article/ultimate-wireless-security-guide-manual-peap-deployment-for-windows-wireless-client/6148574.
    So I was looking at the ACS logs and it seems that the PC just sent its domain name to ACS, and it authenticates the computer by its name. After this the computer has access to the network.
    The machine should have sent its computer credentials, not the domain name (format is computername.domain.com).
    So could you please tell me how I can implement strong machine authentication without going the EAP-TLS way?
    Machine authentication via PEAP is usually the easiest way to authenticate machines to the network. It uses MSCHAPv2 which is a hashing algorithm used between the client and the domain without sending the password.
    One more thing about using Machine Access Restrictions. The Cisco AnyConnect client is going to support EAP-chaining in an upcoming release; this is a feature that will allow you to set the order of EAP authentication when a workstation joins the network. So you will have the ability to fire a machine authentication request followed by user authentication, referenced in this article - https://supportforums.cisco.com/thread/2150542
    Tarik Admani
    *Please rate helpful posts*

  • 802.1x PEAP Machine Authentication with MS Active Directory

    802.1x PEAP Machine and User Authentication with MS Active Directory:
    I have a simple pilot-test environment, with
    - Microsoft XP Client,
    - Cisco 2960 Switch,
    - ACS Solution Engine (4.1.4)
    - MS Active Directory on Win 2003 Server
    The Remote Agent (at 4.1.4) is on the same server as the MS AD.
    User Authentication works correctly, but Machine Authentication fails.
    Failed machine authentication is reported in the "Failed Attempts" log of the ACS SE.
    The Remote Agent shows an error:
    See Attachment.
    Without Port-Security the XP workstation is able to log on to the domain.
    Many thanks for any indication.
    Regards,
    Stephan Imhof

    Is host/TestClientMan.Test.local the name of the machine? What does the AAA tell you is the reason it fails?

  • Windows 7 Wireless Logon - Problems with 802.1X Machine & User Authentication

    Hello All,
    We’ve had difficulty with our Windows 7 clients authenticating to our wireless network. I’m hoping someone out there has experienced the same thing and can offer some help.
    Some info about our environment:
    Single Windows 2008 R2 domain with 6 DCs
    MS Radius server
    Aruba wireless controllers
    The Problem:
    The client computer boots,
    Auths as machine (802.1X successful)
    User enters creds
    User auth (802.1X successful)
    To this point, everything is working normally. Next is where it gets weird.
    During the logon process, there is another machine auth
    2-5 minutes later another User auth
    OS is up and usable (connected to wireless network); however, no homefolder is mapped and GPP didn’t apply properly.
    From what I understand, after the user has logged in, Windows never attempts another machine authentication. When the user logs out, Windows can attempt it.
    Can anyone offer some insight to what is causing this? I have logs available if anyone is interested.
    Thanks in advance for any help you can offer!
    Brett
    -- Brett

    I did a network trace to gain more insight. I don’t understand why after 802.1X auth is successful on port 1, it then initiates 802.1X auth on port 2.
    Can you offer any insight?
    10487  3:50:19 PM 8/23/2012  63.0340126  ONEX_MicrosoftWindowsOneX  ONEX_MicrosoftWindowsOneX:Port(1 (0x1)): Authentication Starting  {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    10867  3:50:19 PM 8/23/2012  63.3403904  ONEX_MicrosoftWindowsOneX  ONEX_MicrosoftWindowsOneX:Port(1 (0x1)): Time taken for this authentication = 281 (0x119) ms  {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    Then >>>
    11718  3:50:35 PM 8/23/2012  79.3196653  ONEX_MicrosoftWindowsOneX  ONEX_MicrosoftWindowsOneX:OneXDestroySupplicantPort  {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    11938  3:50:36 PM 8/23/2012  80.0530315  ONEX_MicrosoftWindowsOneX  ONEX_MicrosoftWindowsOneX:Finished initializing a new port with id=2 (0x2) and friendly name=Dell Wireless 1504 802.11b/g/n (2.4GHz)  {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    11959  3:50:36 PM 8/23/2012  80.0556734  ONEX_MicrosoftWindowsOneX  ONEX_MicrosoftWindowsOneX:OneXStartAuthentication  {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    11964  3:50:36 PM 8/23/2012  80.0557074  svchost.exe (1036)  ONEX_MicrosoftWindowsOneX  ONEX_MicrosoftWindowsOneX:Port(2 (0x2)): Starting a new 802.1X authentication (MSM initiated)
    11965  3:50:36 PM 8/23/2012  80.0557333  svchost.exe (1036)  ONEX_MicrosoftWindowsOneX  ONEX_MicrosoftWindowsOneX:Port(2 (0x2)): Authentication Starting
    -- Brett

  • 802.1x Wireless - Enforce user AND machine authentication

    I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
    The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
    I'd rather not have to deploy user and machine certificates.
    All I want to do is allow access to the wireless network only if the device and the user are in AD.
    It's such a simple scenario that I must be missing something.
    Any suggestions are welcome. Thanks in advance for your comments.
    Lucas

    In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as RADIUS backend. Last time I looked in ACS release notes was 5.4, and it didn't have EAP-chaining support.
    Using the built-in Windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed). What most people miss when they say this will work fine with Windows supplicant and ACS is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine; this is mainly due to the shortcomings of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

  • 802.1x + Machine Account Authentication = Vulnerability?

    Hello forum,
    I'm trying to determine the security implications of utilizing 802.1x authentication/authorization with the "Domain Computers" option selected within ACS. The problem I am having with this scenario is this:
    1) Client machines are authenticated to the LAN or WLAN based on AD machine account name/password if "Domain Computers" is selected.
    2) Windows XP machines will authenticate 802.1x using the machine account name/password by default upon initial boot and upon log-off.
    3) Once a machine boots up or someone logs off, the 802.1x port status is placed into "Authorized" using machine account name/password credentials.
    4) If you log onto a machine after the port goes "Authorized" (from #3) with a local user or local administrator account you gain "free access" to the network for < 60 seconds (I've done this many times now and you do in fact gain "free access.")
    So then the following scenario comes into play, what if:
    1) Someone steals a laptop.
    2) Compromises a local user or local administrator account on said laptop.
    3) Places the laptop onto either the wired or wireless network.
    4) Reboots the box.
    5) Logs in with local user or local administrator and launches a script (they will have free-access for < 60 seconds before a re-authentication is forced).
    Anyone familiar with this, or any white papers/KB's is/are greatly appreciated!
    Thanks,
    Jeremy

    A small clarification here about your statement:
         "The PC will try machine authentication once it boots up. Once is entered, the PC initiates 802.1x authentication by sending EAPOL start. The AP or switch should change the state of the PC from authenticated to authenticating. Thus, the PC should not get network connectivity unless it passes user authentication again. If you use a local account to logon to the PC, the PC should not pass 802.1x authentication. At least, that's how Cisco equipment works."
         This is not up to Cisco equipment, the AP has no idea the PC is switching between machine and user mode unless the supplicant on the PC restarts the authentication (via EAPOL-Start as you stated), this is wholly up to the supplicant installed on the PC. So with this < 60 second window that is being seen here it is most likely due to slow load of the user space/desktop.
    An option to prevent this would be to use a supplicant that can start before login (such as the Cisco Secure Services Client) that way the user is authenticated before they have access to the desktop.
    --Jesse
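One way to watch for the situation discussed in this thread from the RADIUS side, as an added example that is not part of the original posts. It assumes a log with one authentication per line (time, result, User-Name, Calling-Station-Id), that a logon with a local account shows up as a failed user authentication on a port that was authorized by machine credentials, and a 15-minute limit for machine-only sessions; the log lines, names and threshold are constructed.

```python
from datetime import datetime

# Constructed sample records, not taken from the thread.
SAMPLE_LOG = r"""
2024-05-01T08:00:05 PASS host/lt-014.example.com 02-00-5E-10-00-14
2024-05-01T08:03:40 PASS EXAMPLE\alice 02-00-5E-10-00-14
2024-05-01T09:10:00 PASS host/lt-022.example.com 02-00-5E-10-00-22
2024-05-01T09:12:30 FAIL LT-022\administrator 02-00-5E-10-00-22
2024-05-01T10:00:00 PASS host/lt-031.example.com 02-00-5E-10-00-31
"""


def analyze(log_text, as_of, max_machine_only_seconds=900):
    """Return findings as (kind, mac, identity, seconds) tuples.

    kind is one of:
      user-auth-failed-after-machine-auth  a non-machine identity failed on a
          port that was authorized by machine credentials; seconds is how
          long the port had been open on those credentials
      machine-only-too-long  at time as_of (ISO 8601 string) the port has been
          open on machine credentials alone for longer than the threshold
    """
    end = datetime.fromisoformat(as_of)
    machine_only = {}   # MAC -> (machine identity, time of machine auth)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, result, identity, mac = line.split()
        when = datetime.fromisoformat(stamp)
        mac = mac.lower()
        is_machine = identity.lower().startswith("host/")
        if result == "PASS" and is_machine:
            machine_only[mac] = (identity, when)
        elif result == "PASS":
            # A user authenticated; the port now runs on user credentials.
            machine_only.pop(mac, None)
        elif not is_machine and mac in machine_only:
            _, since = machine_only.pop(mac)
            open_for = int((when - since).total_seconds())
            findings.append(("user-auth-failed-after-machine-auth",
                             mac, identity, open_for))
    for mac, (machine, since) in sorted(machine_only.items()):
        age = int((end - since).total_seconds())
        if age > max_machine_only_seconds:
            findings.append(("machine-only-too-long", mac, machine, age))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, "2024-05-01T10:30:00"):
        print(finding)
```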
