802.1x PEAP Machine Authentication with MS Active Directory

Similar Messages

• Machine Authentication with PEAP on Wireless with ISE1.2

  Hi All,
  We are facing issues while doing machine authentication in ISE1.2 with wireless PEAP authentication. Without machine authentication normal PEAP works very fine but as soon as we enable machine authentication and create policy for machine authentication and in user authentication policy we put condition "was machine authenticated" then it works for some machine properly but does not work for other machines. Its totally random behaviour sometime it stopped working for machines which were authenticated before.
  I just want to know if I m missing some configuration or its a bug in ISE. Can some body share step by step configuration for machine authentication with PEAP.
  Really It would be a great help.
  Thanks
  Ninja

  Did you Apply service pactch 4?
  Sent from Cisco Technical Support iPhone App

• ACS 5.3, EAP-TLS Machine Authentication with Active Directory

  I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
  My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
  Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
  Evaluating Identity Policy
  15006 Matched Default Rule
  22037 Authentication Passed
  22023 Proceed to attribute retrieval
  24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
  24437 Machine not found in Active Directory
  22016 Identity sequence completed iterating the IDStores
  Evaluating Group Mapping Policy
  12506 EAP-TLS authentication succeeded
  11503 Prepared EAP-Success
  Evaluating Exception Authorization Policy
  15042 No rule was matched
  Evaluating Authorization Policy
  15006 Matched Default Rule
  15016 Selected Authorization Profile - Permit Access
  22065 Max sessions policy passed
  22064 New accounting session created in Session cache
  11002 Returned RADIUS Access-Accept
  I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
  Note: In my Identity Store Sequence, I did enable the option:
  For Attribute Retrieval only:
  If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
  but this only seems to work for internal identity stores (at least based on my testing)
  Under my Access Policy Identity tab, I configured the following Advanced features:
  Advanced Options
  If authentication failed
  RejectDropContinue
  If user not found
  RejectDropContinue
  If process failed
  RejectDropContinue
  And that didn't do anything either.
  Any ideas? Thanks in advance.

  Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
  Then can make a rule in the authorization policy such as
  If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

• OSX and PEAP machine authentication

  We are starting to get a few OSX users in our environment, and they can't seem to authenticate to our wireless network using machine authentication with PEAP. They can bind to AD and I see the computer name in AD, but PEAP fails. Has anyone gotten this working successfully?
  The error we get in the RADIUS logs is:
  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
  Thanks!

  If you configure PEAP MsChapv2 properly along with the client side, it will work and you will not get any type of error.  I run PEAP or EAP-TLS on customer environments with ACS, ISE, Microsoft Radius and other radius servers with no issues. If you look at the Apple device guide or search for supported 802.1x encryption types, you will see what type of encryption is supported. You just have to setup the radius and the back end to work.
  Scott

• 802.1x Implementation - Machine Authentication

  Hello friends...
  I am trying to implement 802.1x in my network, but I have a problem.
  I have an environment with Cisco ACS appliance 4.1.2.12, switches 3560 12.2(37)SE1 and clients Microsoft Windows XP and 2000.
  My problem is: I want to implement Machine Authentication with PEAP. When I use MS-PEAP (native Windows) the ACS don`t log and the access is not permitted, but when I use Cisco-PEAP (SCC) every works perfectly.
  Could you help me? I need that 802.1x works with MS-PEAP...
  Regards,
  Cris

  Following links can help you with the configuration:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t21
  Hope this helps
  ~Rohit

• Machine authentication with Windows 7

  Version: ISE 1.2p12
  Hello,
  I'm doing user and machine authentication with ISE.
  I use a first authorization rule to authenticate the machine against the AD. If it's part computers of the domain.
  Then I use an authorization rule to check if the user's group in AD with the credential he used to open the session + "Network Access:WasMachineAuthenticated = True"
  Things seems to be working and I see my switch port is "Authz Success" but shortly after the Windows 7 machine is behaving like 802.1X authentication fails. The little computer on the bottom right has a cross on it.
  If I disable and enable again the network card of that windows machine it works.
  Does any one of you have an idea about this problem ? something to tweak on Windows 7 like timers...
  Thank you

  Hi Mika. My comments below:
  a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems since the MAC address could have been removed from the cache when the user un-hibernate its computer. Then why not increasing the MAR cache to a value of 7 days then ? Regarding the roaming between wire and wireless it's a problem indeed.
  NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first pos that you should look into. But yes, you can increase the MAR timer to a value that fits your environent
  b) You suggest to use one authorization rule for the device which should be part of the AD and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the was, are we really talking about authorization rules here ? I will try this but it's difficult for me to imagine how it would really work.
  NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
  z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
  NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
  https://tools.ietf.org/html/rfc7170
  Thank you for rating helpful posts!

• 802.1x peap mschap v2 with MAC Filter + IP Address Permanent

  Hi my name is Ivan, i have an issue
  I have one cisco wlc 5508 with  ios 7.4.100 with a ssid is working with 802.1x peap mschap v2 with mac filter, and I need configure in the web page of the WLC Security > Mac Filter, a MAC and one IP Address permanent to the users.
  I have a service dhcp into the wlc to this profile.
  This configuration works fine for 3 or 4 days. At the  fifth day , my users renew the ip address, and they can not surfing to internet, because in my firewall i have a policy to the users with exactly ip address, for example.
  MAC Filter - IP Address A - UserA
  My policy say:
  PolicyUserA - Internet
  Please, i can establish an filter mac associate to one ip address permanent to one user, when service dhcp in the cisco wlc is active?
  I possible to do it?.
  How can i do it?

  Hi Ivan,
  You can not map the mac-ip address pairs on the WLC DHCP.
  The WLC has a limited DHCP server functionalities. You better to use an external DHCP server with full functionalities and then you can configure the DHCP server to provide the same IP address everytime to each client in your network.
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• HT201358 Can ARD3 work with the Active Directory setup on a Windows machine and without the need of Open Directory

  We need the 'Golden Triangle' setup to work with ARD3 running on a Mac server with client Mac details retrieved from a Windows Active Directory. In this system, the ARD3 will be used to install packages from a Mac OS X server, where the client Mac list is gathered directly from a Windows Active Directory, which is already in place.
  So, please guide me whether Apple Remote Desktop 3 is capable of getting client machine details from an Active Directory without the need of re-creating the client Mac list in the Mac server running ARD3.
  If ARD3 can not be used in this case, do you recommend any other tools that can resolve our issue.
  Thank you in advance.
  Sudheesh.

  ARD cannot directly obtain client information from Active Directory, no. It may be possible to create a script that would get such information and be able to put it into ARD, but I wouldn't begin to know how to write such a script. You may also be able to bind your OS X Server to ARD and create groups there. This article is obsolete for 10.6 or later but may provide some clues as to how to proceed:
  http://support.apple.com/kb/TA24276
  There are a number of third-party systems that can manage Macs that may be able to draw information from AD, such as Casper, LANDesk, and others. Which if any would meet your needs depends on many factors including how many devices you need to manage, whether you're looking for a cross-platform tool, your budget, etc. This is a difficult issue to address in a forum like this since there are so many variables to be considered.
  Regards.

• OracleApps HRMS-R12.1.3 Integration with MS Active Directory (win 2008 R2)

  Dear Friends,
  we are using Oracle Apps R12.1.3 and the Microsoft Active Directory : Windows 2008 R2
  we have the following requirement:
  (1)From Oracle Apps to Active Directory.
  -Employee master information needs to be interfaced to Active Directory on a regular interval which should be updated in the active directory.
  (2)From Active Directory to Oracle system.
  -Whenever new email address for an employee is created in Active directory, the information needs to flow to Oracle HRMS.
  Please let us know the method to achieve with minimal latest oracle softwares?
  can it be done over coding from oracle apps without new softwares?
  Is Oracle Apps R12.1.3 certified with Windows 2008 R2 Active Directory?
  Regards,
  DB

  user564706 wrote:
  Dear Friends,
  we are using Oracle Apps R12.1.3 and the Microsoft Active Directory : Windows 2008 R2
  we have the following requirement:
  (1)From Oracle Apps to Active Directory.
  -Employee master information needs to be interfaced to Active Directory on a regular interval which should be updated in the active directory.
  (2)From Active Directory to Oracle system.
  -Whenever new email address for an employee is created in Active directory, the information needs to flow to Oracle HRMS.
  Please let us know the method to achieve with minimal latest oracle softwares?
  can it be done over coding from oracle apps without new softwares?
  Is Oracle Apps R12.1.3 certified with Windows 2008 R2 Active Directory?
  Regards,
  DBPlease update your original thread(s) instead of creating new one(s) -- Integrate Oracle Apps R12 with Microsoft Active Directory
  Thanks,
  Hussein

• Portal Integration with Microsoft Active Directory

  We are working on a project to integrate Oracle9iAS Portal with Microsoft Active Directory. I am wondering if anyone has any experience with this and hence suggestions. Particularly, I'm wondering if its possible and how to use Active Directory to manage the Portal user accounts and group relationships?

  Please note that we finally got this working. For Active Directories sake, I would suggest using userPrincipalName or sAMAccountName as the Unique Attribute. Also, note that Active Directory uses OUs for organization, not CNs, so the search base should be either just the DN of the domain or an OU in the domain. Also, be sure to specify the full DN of the Bind DN as in CN=Administrator,CN=Users,DN=domain,DN=com

• SAP IDM with MS Active Directory (OU names in Arabic)

  Dear Gurus,
  With SAP IDM , we need to integrate with MS Active directory such a way that SAP IDM only fetches users who have “SAP” in one of the AD field. That means do not read entire AD but only fetches users in SAP who have “SAP” tagged in one of the AD field.
  Is it possible ? We tried that in SAP LDAP connector but its not possible in LDAP connector in SAP as LDAP connector is reading through all the users in our CUA system.
  Question is it possible through SAP IDM that we use some thing (maybe  BAPI) to restrict users and do not read all users but only users having “SAP” in one of the AD field.
  Also note that our AD has some OU's name in Arabic.
  Regards,

  If you want to filter this in the ADS Initial Load job then you can modify the repository LDAP Filter:
  (&(objectclass=person)(orgUnit=SAP))
  Replace orgUnit=SAP with your your attribute and tag.
  Br,
  Chris

• ACS 4.2.1 - PEAP Machine Authentication - Hostname different from PC account name in AD

  Hello!
  I don't really know, whether this issue has been asked before.
  I have to configure PEAP Authentication with ACS 4.2.1 for Windows against Active Directory.
  ACS ist Member of AD Domain xyz.domainname. The PC account is located in an OU of xyz.domainname.
  Hosts get via DHCP a hostname as dhcp.domainname. This also is the name the machine uses for AAA request.
  User authentication works fine, because the user account also is hosted in xyz.domainname.
  The host authentication fails, because dhcp.domainname is a DNS domain only but no Windows AD subdomain.
  Does anybody knows a solution for this special constellation?
  Is it possible to strip or rewrite the domain suffix in any way during the authentication process?

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Hello Jean,
  I am guessing that you are using 802.1x wireless.
  This is a expected behaving because the AD force the computer to change his password every month and if the computer is not on the domain at that moment the computer won't take that change.
  This is a Microsoft issue and unfortunately Cisco does not have any workaround for that.
  Please see links below that explain this situation.
  http://support.microsoft.com/kb/216393/en-us
  http://support.microsoft.com/kb/904943
  Hope this helps
  Erdelgad
  Cisco CSE

• Machine authentication with MAR and ACS - revisited

  I'm wondering if anyone else has overcame the issue I'm about to describe.
  The scenario:
  We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
  We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
  The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
  The passed authentications log does successfully show the machines authenticating.
  The challege:
  We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the currents standard corporate image).
  In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication.  As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
  In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine maybe authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
  So the user maybe logged on and working on the network - and then choose to undock which activates the wireless.
  The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS vial the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
  Has anyone seen / over come this ?
  Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

  Here's the only thing I could find on extending the schema (I'm not a schema expert):
  http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
  If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
  You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2.  Earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer it's machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just have easily used PEAP on the client side, but told ACS to an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...

• 802.1X authentication process in Active Directory joined computer.

  Hi,
  I'm not really sure my understanding of the authentication process of an Active Directory joined computer, and I would like to know the purpose of multiple times auth as described below:
  1. When Windows start up,
  2. it will authenticate to the 802.1x network using computer account.
  3. When user entering AD credential and pressing login, it will disconnect the current 802.1x connection. Re-auth to the network through AD user account.
  4. once 3 is done, the AD credential will be used to auth to AD again to login.
  Why do we need 3 times of authentication? Why do we need steps 3?
  Note: this is just my current understanding on one of the mode of 802.1x authentication. Please feel free to correct and add more information so that I can understand 802.1x authentication more precisely.
  Thank you!
  Ah_Chao|| MCSE,VCP,EMCSAe

  Hi,
  According to your description, my understanding is that you want to know the reason why 802.1x has 3 times authentication.
  It is depends on your 802.1x settings. The option Computer Authentication (allows you to specify how computer authentication works with user authentication). One of the possible settings is
  With User Re-Authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user
  logs off of the computer, authentication is performed with the computer credentials. This is the recommended setting because it ensures that the connection to the wireless AP is always using the security credentials of the computer's current security context
  (computer credentials when no user is logged on and user credentials when a user is logged on).
  Detailed description you may reference:
  https://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx?f=255&MSPPError=-2147217396
  And more information about 802.1x, you may reference:
  Understanding 802.1X authentication for wireless networks
  https://technet.microsoft.com/en-us/library/cc759077(v=ws.10).aspx
  IEEE 802.1X Wired Authentication
  https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
  Creating a secure 802.1x wireless infrastructure using Microsoft Windows
  http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx
  Best Regards,
  Eve Wang
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• PEAP : Machine authentication doesn't work

  Hello,
  I'm trying to set up machine authentication and at this time I have some problems.
  I have the following configuration:
  - the users laptop are running WinXP
  - the AP is a 1232
  - ACS 3.3.2
  - external database (Win2000 Active Directory) authentication
  I set up PEAP and it works well when a user is authenticated. However when I enable machine authentication on the ACS and also on the user laptop, it doesn't work. In the ACS logs I can see that the user has not authenticated due to the machine access restriction.
  On the Active Directory I changed the Dial In config. for the computers to allow access.
  Is there anything else that has to be modified in order to perform machine authentication?
  Hope someone will be able to help me.
  Thanks in advance.
  Alex

  Hi Alex
  I have had a similar issue, I found that my PEAP users were fine but Machine authentication failed at the SSL handshake. I.E the machine didn't know where the local certificate was. In the meantime to get the policies working I unchecked the "validate server certificate" on the client. And that works, I would assume that the certificate needs to be in a specific default location for the machine authentication to use it, though thats just a guess.
  I am spending the day to get this working and I'll post what I find out.
  Regards
  Colin