ACS 4.2 PEAP machine authentication wireless

Hi,
Here at work we have ACS 4.2 as our RADIUS server, and two WLC 4404s with a WiSM2 for our wireless network. We have two SSID networks, let's call them SSID A and B. A has more restricted access to servers than B.
PEAP machine authentication is authorized on both networks, to let our users' laptops connect before the user logs in; this enables us to have our computer GPOs deployed before the user logon, or to have network access to authenticate a user against our directory if he has not previously logged on to the laptop.
Users from group A can't log on to SSID B, they can only log on to SSID A, but we have some clever users from group A who have changed their wireless settings to only send machine authentication (this can be done in the advanced settings of a wireless network in Windows 7) to connect to SSID B.
We can't force the wireless config by GPO because we don't have an AD 2008 domain; we are still on 2003, so we can't change the GPO for Windows 7 wireless settings (I'm a network guy, I'll have to check more on this to be sure...).
I can't force users to require both machine authentication and user authentication because we have a lot of iPads and iPhones, and other mobile devices that connect using only their user credentials.
Is there a way I could configure this without having to disable machine authentication for SSID B?
Thank you

Hi, thank you for the quick answer,
however we don't have machine access restriction; in the Windows EAP settings we only have "Enable PEAP machine authentication".
This is OK because we want our notebooks to be able to have access to the Wi-Fi (for GPO) before the user logs on, and we want any user to be able to use their own device. We are an educational institute; we don't want to force the teachers and students to only use the equipment we provide, we want to give them more power over their choice of equipment.
SSID A is the student network, and SSID B is the teachers' network.
The problem we have is that some students use their Active Directory-joined computers to get access to SSID B. If they use their user credentials they won't have access, and as users bring their own devices we can't force PEAP machine authentication because students and teachers are allowed to BYOD.
Is there a way to restrict machine (let's say in an OU) access to an SSID?
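The decision the poster is asking ACS to make, written out as a stand-alone model (added here as an example; it is not Cisco ACS code). ACS 4.x maps an external AD identity to an ACS group by AD group membership and can then apply a Network Access Restriction on the called station; on a Cisco WLC the Called-Station-Id can carry the SSID when the controller's call-station-ID type is set to AP MAC address plus SSID. The script assumes that format, keys machine accounts by an OU label and user accounts by group, and uses constructed directory contents, SSID names and Access-Requests; in a real deployment the student machine accounts would be put in an AD group of their own so the ACS group mapping can tell them apart from staff machines.

```python
"""Model of the per-SSID authorization an ACS 4.x group mapping plus a
Network Access Restriction keyed on Called-Station-Id would make.

Added illustration, not Cisco ACS code. Assumes the WLC sends
Called-Station-Id as "<AP-MAC>:<SSID>" and that machine identities arrive
as host/<name>.<domain>. Directory contents, SSID names and requests below
are all constructed.
"""
import re

# Constructed stand-in for what ACS learns from AD: which OU a machine
# account lives in, and which groups a user account belongs to.
DIRECTORY = {
    "host/lab-pc-01.school.local":   {"ou": "Students", "groups": {"Domain Computers"}},
    "host/staff-nb-07.school.local": {"ou": "Staff",    "groups": {"Domain Computers"}},
    "jdoe":   {"ou": "Students", "groups": {"Students"}},
    "msmith": {"ou": "Staff",    "groups": {"Teachers"}},
}

# Per-SSID policy: machine accounts are admitted by OU, user accounts by group.
# The teachers' SSID admits staff machines only, so a student laptop sending
# machine-only authentication is refused there but still works on SSID-A.
SSID_POLICY = {
    "SSID-A": {"machine_ous": {"Students", "Staff"}, "user_groups": {"Students", "Teachers"}},
    "SSID-B": {"machine_ous": {"Staff"},             "user_groups": {"Teachers"}},
}

CALLED_STATION_RE = re.compile(r"^([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5}):(.+)$", re.I)


def parse_identity(user_name):
    """Classify a RADIUS User-Name as machine or user and normalise it.
    'host/PC.domain' -> ('machine', 'host/pc.domain');
    'DOMAIN\\jdoe' or 'jdoe@domain' -> ('user', 'jdoe')."""
    if user_name.lower().startswith("host/"):
        return "machine", user_name.lower()
    name = user_name.split("\\", 1)[-1]   # strip DOMAIN\ prefix
    name = name.split("@", 1)[0]          # strip @realm suffix
    return "user", name.lower()


def parse_called_station_id(value):
    """Split 'aa-bb-cc-dd-ee-ff:SSID' into (ap_mac, ssid)."""
    m = CALLED_STATION_RE.match(value)
    if not m:
        raise ValueError(f"unexpected Called-Station-Id format: {value!r}")
    return m.group(1).lower(), m.group(2)


def authorize(request):
    """Decide a constructed Access-Request. Returns (accept, reason)."""
    kind, key = parse_identity(request["User-Name"])
    _ap_mac, ssid = parse_called_station_id(request["Called-Station-Id"])
    policy = SSID_POLICY.get(ssid)
    if policy is None:
        return False, f"no policy for SSID {ssid!r}"
    entry = DIRECTORY.get(key)
    if entry is None:
        return False, f"{key!r} not found in directory"
    if kind == "machine":
        if entry["ou"] in policy["machine_ous"]:
            return True, f"machine in OU {entry['ou']} allowed on {ssid}"
        return False, f"machine in OU {entry['ou']} not allowed on {ssid}"
    allowed = entry["groups"] & policy["user_groups"]
    if allowed:
        return True, f"user in {sorted(allowed)} allowed on {ssid}"
    return False, f"user groups {sorted(entry['groups'])} not allowed on {ssid}"


# Constructed Access-Requests; the second one is the student laptop that was
# reconfigured to send only machine credentials towards the teachers' SSID.
SAMPLE_REQUESTS = [
    {"User-Name": "host/LAB-PC-01.school.local",   "Called-Station-Id": "00-1a-2b-3c-4d-5e:SSID-A"},
    {"User-Name": "host/LAB-PC-01.school.local",   "Called-Station-Id": "00-1a-2b-3c-4d-5e:SSID-B"},
    {"User-Name": "host/staff-nb-07.school.local", "Called-Station-Id": "00-1a-2b-3c-4d-5e:SSID-B"},
    {"User-Name": "SCHOOL\\msmith",                "Called-Station-Id": "00-1a-2b-3c-4d-5e:SSID-B"},
    {"User-Name": "jdoe@school.local",             "Called-Station-Id": "00-1a-2b-3c-4d-5e:SSID-B"},
    {"User-Name": "jdoe@school.local",             "Called-Station-Id": "00-1a-2b-3c-4d-5e:SSID-A"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        accept, reason = authorize(req)
        print("ACCEPT" if accept else "REJECT", req["User-Name"], "->", reason)
```

The point of keying the machine rule on the SSID rather than on the client's EAP settings is that the supplicant is under the student's control and the RADIUS server is not: whatever the laptop is reconfigured to send, a host/ identity from a student machine never satisfies the SSID-B rule, while machine authentication on SSID-A keeps working for GPO delivery.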

Similar Messages

  • ACS appliance 4.1 - machine authentication from trusted domain failed

    We have an ACS appliance 4.1 with an agent running on an X domain controller to authenticate users from the X domain Active Directory.
    Users and computers are able to authenticate without any issue on the X domain.
    We have recently added a trusted Y domain to this X domain.
    Users from the Y domain are able to authenticate on our ACS without any issue, but machines are not able to authenticate.
    03/14/2011 10:44:32  Authen failed  host/FLADWS0072.Ydomain  Default Group  00-26-82-d6-9b-3f  (Default)  External DB user invalid or bad password
    The machine uses the following settings to authenticate:
    EAP type: EAP (PEAP)
    Authentication method: EAP-MSCHAP v2
    On the Y domain Active Directory:
    Remote access permission is OK for the machine.
    On the ACS appliance:
    "Enable PEAP machine authentication" is selected, and the machines from the X domain authenticate without any issue.
    Any idea where I should start to investigate?
    Thanks in advance for your help.


  • ACS 4.1 PEAP using public signed certificate (VeriSign)

    Hi,
    Could you give me some advice about the PEAP implementation with the ACS server? I understand that a self-signed certificate should work well, but I have these thoughts. The self-signed certificate is valid for 1 year and after this period a new self-signed certificate has to be created. What would be the impact on the wireless users at this point? What I understand is that the new certificate should also be imported to the clients so they can validate the server certificate. If that is correct (not sure though), this will bring a huge amount of work when the certificate has expired and there are hundreds of wireless clients.
    Is it possible (and what are the requirements of the certificate itself) to install any publicly signed certificate like VeriSign's on the ACS for the PEAP process? Will that ease the workload when the certificate has to be renewed? I assume that any Windows machine, for example, has by default trusted root certificates (VeriSign) in its store and no further interaction should be needed on the client side.
    kind regards
    Boris

    Hi there..
    First we need to understand why a cert is important. A cert is used to create a tunnel that allows the wireless client to send their logon in a secure fashion. So imagine a tunnel over wireless/wired between your client and the RADIUS server.
    The idea of trusting the cert is SPECIFIC to the wireless client. You can choose to TRUST the cert or NOT. Totally client independent. Why this is important: suppose for a moment that someone comes into your place of business and broadcasts your SSID from their AP. Your clients could attach to this AP. And suppose they run FreeRADIUS on a small box. From this RADIUS server this person sends a BOGUS cert. If your client isn't trusting the correct cert, or not trusting ANY, your client will accept the bogus cert, build a TLS tunnel, and send their logon.
    Can you get a signed cert? Yes, most folks do as it eases deployment. Or if you have a PKI you can push your own cert.
    Also, note you can have your client really analyze the cert and only trust specific certs and cert common names, for example ACS01-ABC.
    I hope this helps..
    Please support the rating system if you find any of this helpful!
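The client-side decision the reply describes, reduced to its logic as an added example (not Windows, ACS or FreeRADIUS code, and not part of the original thread). Certificates are constructed dicts with placeholder fingerprints standing in for X.509 data; the profile fields mirror the three PEAP client settings that matter: whether the server certificate is validated at all, which root is trusted, and which server names are accepted. The cases run through it are the ones raised above: a self-signed ACS cert that expires and gets renewed, a rogue FreeRADIUS presenting a home-made cert, and the caveat with a public CA that the reply only hints at, namely that a root trusted by every Windows box also trusts a cert the attacker legitimately bought from that CA unless the client pins the server name.

```python
"""Model of the server-certificate check a PEAP supplicant makes before it
sends credentials through the TLS tunnel.

Added illustration, not Windows, ACS or FreeRADIUS code. Certificates are
constructed dicts (subject CN, issuer CN, expiry, fingerprint) standing in
for X.509 data; fingerprints are placeholder strings, not real hashes.
"""
from datetime import date

# Constructed certificates.
SCHOOL_ROOT = {"subject": "School Root CA", "issuer": "School Root CA",
               "fp": "root-school", "not_after": date(2020, 1, 1)}
ACS_SELF_2011 = {"subject": "ACS01-ABC", "issuer": "ACS01-ABC",
                 "fp": "self-2011", "not_after": date(2012, 1, 1)}
ACS_SELF_2012 = {"subject": "ACS01-ABC", "issuer": "ACS01-ABC",   # renewed self-signed cert
                 "fp": "self-2012", "not_after": date(2013, 1, 1)}
PUBLIC_ROOT = {"subject": "Public CA", "issuer": "Public CA",
               "fp": "root-public", "not_after": date(2030, 1, 1)}
ACS_PUBLIC = {"subject": "acs01.school.example", "issuer": "Public CA",
              "fp": "leaf-acs", "not_after": date(2013, 1, 1)}
# The rogue-AP case: the attacker's FreeRADIUS presents either a home-made
# cert copying the ACS common name, or a genuine cert bought from the same
# public CA for a name the attacker controls.
ROGUE_HOMEMADE = {"subject": "ACS01-ABC", "issuer": "ACS01-ABC",
                  "fp": "rogue-self", "not_after": date(2013, 1, 1)}
ROGUE_PUBLIC = {"subject": "wifi.attacker.example", "issuer": "Public CA",
                "fp": "rogue-leaf", "not_after": date(2013, 1, 1)}

ROOT_STORE = [SCHOOL_ROOT, PUBLIC_ROOT]   # CA certs held on the client machine


def build_chain(leaf, store):
    """Follow issuer names from the leaf up to a self-signed cert."""
    by_subject = {c["subject"]: c for c in store}
    chain = [leaf]
    while chain[-1]["subject"] != chain[-1]["issuer"]:
        parent = by_subject.get(chain[-1]["issuer"])
        if parent is None:
            break              # issuer unknown: chain is incomplete
        chain.append(parent)
    return chain


def validate_server_cert(presented, profile, today, store=ROOT_STORE):
    """profile keys mirror the PEAP client settings:
         validate         - 'Validate server certificate'
         trusted_root_fps - roots ticked under 'Trusted Root Certification Authorities'
         server_names     - 'Connect to these servers' (empty set = any name)
    Returns (accepted, reason)."""
    if not profile["validate"]:
        return True, "validation disabled: any server, rogue or not, is accepted"
    chain = build_chain(presented, store)
    for cert in chain:
        if cert["not_after"] < today:
            return False, f"{cert['subject']} expired on {cert['not_after']}"
    root = chain[-1]
    if root["subject"] != root["issuer"]:
        return False, f"issuer {root['issuer']!r} not in the client's store"
    if root["fp"] not in profile["trusted_root_fps"]:
        return False, f"root {root['subject']!r} is not a trusted root in this profile"
    if profile["server_names"] and presented["subject"] not in profile["server_names"]:
        return False, f"server name {presented['subject']!r} not in the allowed list"
    if not profile["server_names"]:
        return True, "accepted: any name issued by the trusted root passes"
    return True, f"accepted: trusted root and server name {presented['subject']!r}"


# Constructed profiles for the cases discussed in the thread.
PROFILE_SELF_SIGNED = {"validate": True, "trusted_root_fps": {"self-2011"}, "server_names": {"ACS01-ABC"}}
PROFILE_PUBLIC_ANY = {"validate": True, "trusted_root_fps": {"root-public"}, "server_names": set()}
PROFILE_PUBLIC_PIN = {"validate": True, "trusted_root_fps": {"root-public"}, "server_names": {"acs01.school.example"}}
PROFILE_NO_VALIDATE = {"validate": False, "trusted_root_fps": set(), "server_names": set()}

if __name__ == "__main__":
    today = date(2012, 6, 1)
    for label, cert, prof in [
        ("self-signed, expired",    ACS_SELF_2011,  PROFILE_SELF_SIGNED),
        ("self-signed, renewed",    ACS_SELF_2012,  PROFILE_SELF_SIGNED),
        ("public CA, no name pin",  ROGUE_PUBLIC,   PROFILE_PUBLIC_ANY),
        ("public CA, name pinned",  ROGUE_PUBLIC,   PROFILE_PUBLIC_PIN),
        ("validation off",          ROGUE_HOMEMADE, PROFILE_NO_VALIDATE),
    ]:
        print(f"{label:24} -> {validate_server_cert(cert, prof, today)}")
```

Two things fall out of running it. Renewing a self-signed ACS certificate changes the fingerprint the clients pinned, so every profile has to be touched, which is the workload the question is about; a leaf issued by a CA the clients already trust can be renewed without touching them. And a publicly trusted root only helps if "Connect to these servers" is also set, otherwise the rogue FreeRADIUS with a real certificate from the same CA is accepted just like the genuine ACS.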

  • 802.1x PEAP Machine Authentication with MS Active Directory

    802.1x PEAP machine and user authentication with MS Active Directory:
    I have a simple pilot-test environment, with
    - Microsoft XP client,
    - Cisco 2960 switch,
    - ACS Solution Engine (4.1.4),
    - MS Active Directory on a Windows 2003 server.
    The Remote Agent (at 4.1.4) is on the same server as the MS AD.
    User authentication works correctly, but machine authentication fails.
    The failed machine authentication is reported in the "Failed Attempts" log of the ACS SE.
    The Remote Agent shows an error:
    See attachment.
    Without port security the XP workstation is able to log on to the domain.
    Many thanks for any indication.
    Regards,
    Stephan Imhof

    Is host/TestClientMan.Test.local the name of the machine? What reason does the AAA give you for the failure?

  • Problems with 802.1x MS PEAP machine and user authentication

    Using the Microsoft PEAP 802.1x client on Windows XP SP2, if we enable machine authentication against a Windows domain, the machine authentication is successful and the machine gets access to the network. However, when the user logs on to the domain, contrary to the flow given in the ACS and Windows documentation, no user authentication takes place.
    We need to differentiate user access based on their identities. We need machine authentication only to allow users access to the domain controller and also for GP implementation.
    Any idea why the user does not get prompted when they log on? 802.1x is configured in the user's profile and I have tried both integrated and non-integrated with domain logon (i.e. the "use my Windows logon name and password and domain (if any)" option).
    There is no record of any identity request/response in ACS after the initial machine authentication (which appears in the successful authentication log).
    We are using MS-CHAPv2.

    Update... The problem of cached credentials in MS PEAP does not occur if "Enable logon using Windows username and password (and domain if any)" is checked. Using this option, MS PEAP always uses the logged-on user's most current credentials.
    However, using this option sends the username as "DOMAIN\USERNAME". Since we are using the ACS internal database for user authentication (even though the ACS and Windows passwords are the same, using an identity management system), ACS does not recognize the user.
    I have tried proxy distribution with prefix stripping, but it does not seem to work when it is pointing to the same ACS server on which proxy distribution is configured and which receives the request.
    Any idea how the domain\ can be ignored by ACS?

  • How to restart base station from AirPort Utility? I used to be able to do it remotely

    How to restart the base station from AirPort Utility? I used to be able to do it remotely.
    I currently use a Mac Pro on 10.8.4 and have a Time Machine for wireless, 6.3 (630.34). Sometimes I cannot connect to the internet and use Network Preferences to diagnose the issue. This results in being told to restart the wireless. AirPort Utility includes the drop-down option of restarting, but it is not clickable so I can't choose it.
    With my prior MacBook and the same Time Capsule, etc., if I had problems connecting to the internet I would run Network Diagnostics to help out. This included clicking on AirPort Utility ---> Base Station --> Restart. This worked most of the time.
    Bottom line, is there something I am missing in not being able to restart the Wi-Fi remotely?
    Thanks in advance

    You are likely forgetting a step.
    Open AirPort Utility
    Click on the Time Capsule icon
    Click Edit in the small window that appears
    Now click the Base Station menu.....top of the screen....not the Base Station "tab" in the center of the screen
    Click Restart

  • Looking for a back up drive for photos and videos that works with Time Machine, prefer wireless. Time Capsule has poor reviews and already have BT hub

    Looking for a backup drive for photos and videos that works with Time Machine, preferably wireless. Time Capsule has poor reviews and I already have a BT Hub that serves as a good router. 3 GB or 4 GB capacity preferred, but 2 would suffice.

    Plug a NAS into the BT Hub that does TM. Look at Synology.
    You just use the wireless of the hub.
    But the cheapest solution is still the TC.

  • ACS 4.2.1 - PEAP machine authentication - hostname different from PC account name in AD

    Hello!
    I don't really know whether this issue has been asked before.
    I have to configure PEAP authentication with ACS 4.2.1 for Windows against Active Directory.
    ACS is a member of the AD domain xyz.domainname. The PC account is located in an OU of xyz.domainname.
    Hosts get a hostname in dhcp.domainname via DHCP. This is also the name the machine uses for the AAA request.
    User authentication works fine, because the user account is also hosted in xyz.domainname.
    The host authentication fails, because dhcp.domainname is a DNS domain only and not a Windows AD subdomain.
    Does anybody know a solution for this particular setup?
    Is it possible to strip or rewrite the domain suffix in any way during the authentication process?

    Hello Jean,
    I am guessing that you are using 802.1x wireless.
    This is expected behaviour because AD forces the computer to change its password every month, and if the computer is not on the domain at that moment the computer won't take that change.
    This is a Microsoft issue and unfortunately Cisco does not have any workaround for that.
    Please see the links below that explain this situation.
    http://support.microsoft.com/kb/216393/en-us
    http://support.microsoft.com/kb/904943
    Hope this helps
    Erdelgad
    Cisco CSE

  • Testing Windows 8 Consumer Preview with ACS 5.2 PEAP auth

    We are deploying ACS 5.2 to replace our ACS 4.2 in production. I have two wireless networks set up as WPA2-Enterprise. One points at the ACS 4.2 and the other at the ACS 5.2. Both use the same SSL certificate with the same CN. Both authenticate Windows 7 clients. However, Windows 8 CP will only authenticate to the ACS 4.2 and not to ACS 5.2. The error it gives is:
    11051 Radius packet contains invalid state attribute
    It also shows no authentication method (most of the time).
    Occasionally, I get a request that actually shows an authentication method of PEAP (EAP-MSCHAPv2), which is what it should be. On those requests, I get the error:
    24444 Active Directory operation has failed because of an unspecified error in the ACS.
    Both ACS 4.2 and ACS 5.2 are pointed at the same Windows AD source.
    Anyone have any ideas? Is there any other information I can provide to help troubleshoot? I know Windows 8 is not even out yet, but it would be nice to have it working.
    Thanks!
    Jodie

    Thanks Tarik!  I appreciate the detailed steps to collect the information to help troubleshoot this issue.
    Here are the logs requested:
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG daemon.execute executing request 'ping' in thread 3029719968
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG daemon.execute executing request 'MS-RPC user authentication' in thread 3054898080
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG daemon.execute I:IPCClient1::doNetLogonSamLogon - user=SH-HIS\jcrouch
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG base.adagent Find GUID: fa61e77fbfc98044b7153bf5abc9fd78 (7)
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG com.centrify.smb.smbserver SMB Connect to server sh-dc03.shv.lsuhsc-s.edu
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG base.adagent Domain Level for '' is not PreW2K8
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.LSUHSC-S._sites.SHV.LSUHSC-S.EDU
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findsrv FindFromDns(0): _kerberos._tcp.LSUHSC-S._sites.SHV.LSUHSC-S.EDU
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.SHV.LSUHSC-S.EDU
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findsrv FindFromDns(0): _kerberos._tcp.SHV.LSUHSC-S.EDU
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.controllers Updated controller info: last update = Wed May  2 08:01:16 2012, siteName = 'LSUHSC-S', m_serviceType = KDC, domain = 'SHV.LSUHSC-S.EDU', site list = (sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88), inferior list = (afm-dc01.shv.lsuhsc-s.edu:88)
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG base.osutil Module=Kerberos : initSecurityContext - gss_init_sec_context failed (reference ../smb/utils/gsskerberos.cpp:198 rc: -1765328352)
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG smb.rpc.schannel SecureChannel::close: m_fh=0x0
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG com.centrify.smb.smbserver SMB disconnect from server sh-dc03.shv.lsuhsc-s.edu
    May  2 08:16:36 sh-netacs2 adclient[7987]: DEBUG daemon.execute O:IPCClient1::netLogonSamLogon - user=SH-HIS\jcrouch (ntStatus=0xc0000001)
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG daemon.main now = Wed May  2 08:16:46 2012, nextPasswordChange: Wed May  2 08:50:46 2012, lastKrb5ConfUpdate: Thu Jan  1 00:00:00 1970, lastKrb5Renew: Wed May  2 08:03:16 2012, lastBindingRefresh: Wed May  2 08:16:16 2012, lastCacheCleanup: Wed May  2 08:16:16 2012, lastPrevalidate: Wed May  2 08:03:16 2012, lastChkDatadir: Wed May  2 08:12:46 2012, lastAzmanRefresh: Wed May  2 08:15:16 2012
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.healing trying unexpected disconnect reconnect sh-dc03.shv.lsuhsc-s.edu(GC)
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent (re)acquiring Init credentials
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers acquiring machine credentials
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Using keytab WRFILE:/etc/krb5.keytab
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent Domain Level for '' is not PreW2K8
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 last message repeated 3 times
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 18) is not supported by KDC. Try next in the list
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 17) is not supported by KDC. Try next in the list
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 23) is not supported by KDC. Try next in the list
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 last message repeated 3 times
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.osutil Module=Kerberos : KDC refused skey: Clock skew too great (reference base/adhelpers.cpp:215 rc: -1765328347)
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.cache postStart/getInitCreds threw: KDC refused skey: Clock skew too great
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.healing unexpected disconnect reconnect sh-dc03.shv.lsuhsc-s.edu(GC) failed: KDC refused skey: Clock skew too great
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.healing trying unexpected disconnect reconnect sh-dc03.shv.lsuhsc-s.edu
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent (re)acquiring Init credentials
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers acquiring machine credentials
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Using keytab WRFILE:/etc/krb5.keytab
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent Domain Level for '' is not PreW2K8
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 last message repeated 3 times
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 18) is not supported by KDC. Try next in the list
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 17) is not supported by KDC. Try next in the list
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 23) is not supported by KDC. Try next in the list
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
    May  2 08:16:46 sh-netacs2 last message repeated 3 times
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.osutil Module=Kerberos : KDC refused skey: Clock skew too great (reference base/adhelpers.cpp:215 rc: -1765328347)
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.cache postStart/getInitCreds threw: KDC refused skey: Clock skew too great
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.healing unexpected disconnect reconnect sh-dc03.shv.lsuhsc-s.edu failed: KDC refused skey: Clock skew too great
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo start updateDomainInfoMap
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo Using existing search marker
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: LSUHSC-S.EDU <-> LSUHSC-S
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: SHV.LSUHSC-S.EDU <-> SH-HIS
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: EAC.LSUHSC-S.EDU <-> LSUMC-EAC
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: LSUHSC.EDU <-> LSUHSC
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: MASTER.LSUHSC.EDU <-> LSUMC-MASTER
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo Using domainInfoMap from cache, it was not expired  (size=5)
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo DC=lsuhsc-s,DC=edu
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     CN              = LSUHSC-S.EDU
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     SID             = S-1-5-21-4197722968-216021789-2322446462
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_ATTRS     = 0x20
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_DIRECTION = 3
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_TYPE      = 2
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     NTLM NAME       = LSUHSC-S
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     LOCAL FOREST    = YES
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo DC=shv,DC=lsuhsc-s,DC=edu
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     CN              = SHV.LSUHSC-S.EDU
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     SID             = S-1-5-21-341470825-1660045691-689510791
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_ATTRS     = 0x20
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_DIRECTION = 3
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_TYPE      = 2
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     NTLM NAME       = SH-HIS
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     LOCAL FOREST    = YES
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo DC=eac,DC=lsuhsc-s,DC=edu
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     CN              = EAC.LSUHSC-S.EDU
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     SID             = S-1-5-21-1451108202-1290631035-623647154
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_ATTRS     = 0x20
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_DIRECTION = 3
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_TYPE      = 2
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     NTLM NAME       = LSUMC-EAC
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     LOCAL FOREST    = YES
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo CN=lsuhsc.edu,CN=System,DC=lsuhsc-s,DC=edu
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     CN              = LSUHSC.EDU
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     SID             = S-1-5-21-2419512895-2621689230-2851238096
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_ATTRS     = 0x8
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_DIRECTION = 3
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_TYPE      = 2
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     NTLM NAME       = LSUHSC
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     LOCAL FOREST    = NO
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo CN=master.lsuhsc.edu,CN=System,DC=shv,DC=lsuhsc-s,DC=edu
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     CN              = MASTER.LSUHSC.EDU
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     SID             = S-1-5-21-2113824390-172908180-308554878
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_ATTRS     = 0x4
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_DIRECTION = 2
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     TRUST_TYPE      = 2
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     NTLM NAME       = LSUMC-MASTER
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo     LOCAL FOREST    = NO
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG util.except (TryAgain) : start up not complete (reference base/adagent.cpp:2201 rc: 0)
    May  2 08:16:46 sh-netacs2 adclient[7987]: DEBUG daemon.main Delay /etc/krb5.conf update, start up not complete
    May  2 08:16:59 sh-netacs2 debugd[2553]: [8075]: locks:file: lock.c[357] [daemon]: obtained repos-mgr lock
    May  2 08:16:59 sh-netacs2 debugd[2553]: [8075]: config:repository: rm_repos_cfg.c[251] [daemon]: scanning the tmp dir
    May  2 08:16:59 sh-netacs2 debugd[2553]: [8075]: locks:file: lock.c[371] [daemon]: released repos-mgr lock
    May  2 08:16:59 sh-netacs2 debugd[2553]: [8075]: locks:file: lock.c[357] [daemon]: obtained repos-mgr lock
    May  2 08:16:59 sh-netacs2 debugd[2553]: [8075]: config:repository: rm_repos_cfg.c[251] [daemon]: scanning the tmp dir
    May  2 08:16:59 sh-netacs2 debugd[2553]: [8075]: locks:file: lock.c[371] [daemon]: released repos-mgr lock

  • OSX and PEAP machine authentication

    We are starting to get a few OS X users in our environment, and they can't seem to authenticate to our wireless network using machine authentication with PEAP. They can bind to AD and I see the computer name in AD, but PEAP fails. Has anyone gotten this working successfully?
    The error we get in the RADIUS logs is:
    ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    Thanks!

    If you configure PEAP MSCHAPv2 properly along with the client side, it will work and you will not get any type of error. I run PEAP or EAP-TLS in customer environments with ACS, ISE, Microsoft RADIUS and other RADIUS servers with no issues. If you look at the Apple device guide or search for supported 802.1x encryption types, you will see what type of encryption is supported. You just have to set up the RADIUS server and the back end to work.
    Scott
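The message quoted in the question is what ACS reports when its machine access restriction (MAR) cannot find a recent successful machine authentication for the MAC address the user request arrives from. The model below, added here as an example (not Cisco ACS code and not part of the thread), keeps that per-MAC table and runs a few constructed requests through it: a Windows laptop that authenticates as a machine at boot and then as a user, an OS X client that is bound to AD but whose supplicant only ever sent user credentials, and a user re-authentication after the record has aged out. The aging period, identities, MAC addresses and timestamps are all assumed values.

```python
"""Model of the machine access restriction (MAR) bookkeeping behind the
"ACS has not been able to confirm previous successful machine
authentication" failure.

Added illustration, not Cisco ACS code. Assumes the WLC sends the client
MAC as Calling-Station-Id and that machine identities start with host/.
The aging period, requests and timestamps below are constructed.
"""
from datetime import datetime, timedelta


class MachineAccessRestriction:
    """Remembers, per client MAC, when the last machine authentication
    succeeded, and lets a user authentication through only if that record
    exists and is younger than the aging period."""

    def __init__(self, aging=timedelta(hours=12)):   # 12 h is an assumed value
        self.aging = aging
        self._last_machine_auth = {}

    @staticmethod
    def _norm(mac):
        # WLCs send aa-bb-cc-dd-ee-ff; accept the colon form as well
        return mac.lower().replace(":", "-")

    def record_machine_auth(self, mac, when):
        self._last_machine_auth[self._norm(mac)] = when

    def check_user_auth(self, mac, when):
        last = self._last_machine_auth.get(self._norm(mac))
        if last is None:
            return False, "no previous successful machine authentication for this MAC"
        if when - last > self.aging:
            return False, f"machine authentication is {when - last} old, past the aging period"
        return True, f"machine authentication confirmed ({when - last} ago)"


def process(requests, mar):
    """Run constructed (time, User-Name, Calling-Station-Id) requests in order.
    Credential checking itself is assumed to succeed; only the MAR decision
    is modelled. Returns [(User-Name, accepted, reason), ...]."""
    results = []
    for when, user_name, mac in requests:
        if user_name.lower().startswith("host/"):
            mar.record_machine_auth(mac, when)
            results.append((user_name, True, "machine authenticated, MAR record stored"))
        else:
            accepted, reason = mar.check_user_auth(mac, when)
            results.append((user_name, accepted, reason))
    return results


SAMPLE_REQUESTS = [
    # Windows laptop: machine auth at boot, then user logon from the same MAC
    (datetime(2012, 5, 2, 8, 0), "host/win7-lab-01.school.local", "00-26-82-d6-9b-3f"),
    (datetime(2012, 5, 2, 8, 5), "SCHOOL\\jdoe", "00:26:82:D6:9B:3F"),
    # OS X client bound to AD but whose supplicant only sent user credentials
    (datetime(2012, 5, 2, 8, 7), "SCHOOL\\asmith", "a4-5e-60-11-22-33"),
    # same Windows laptop, user re-authenticating 15 h later
    (datetime(2012, 5, 2, 23, 0), "SCHOOL\\jdoe", "00-26-82-d6-9b-3f"),
]

if __name__ == "__main__":
    for name, ok, why in process(SAMPLE_REQUESTS, MachineAccessRestriction()):
        print("ACCEPT" if ok else "REJECT", name, "-", why)
```

The useful diagnostic this gives is that the MAR failure is never about the user's password: the third request has valid credentials and is still refused because nothing ever arrived as host/ from that MAC. Binding a Mac to AD puts a computer account in the directory; the supplicant still has to be configured to authenticate with it before the user logs in, or MAR has nothing to confirm.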

  • ACS 5.4 with DACL over wireless and wired networks

    Hi, my name is Ivan, I have a question.
    I have a deployment in my wired network in this way:
    Profile 1: corporate users are working with 802.1X to authenticate computers and users with EAP-PEAP MSCHAPv2 and MAC filtering configured in the Cisco WLC. My ACS 5.4 is integrated with Active Directory.
    Profile 2: IP telephones authenticate with MAB. All the MAC addresses are registered locally in the ACS.
    Profile 3: guest users authenticate with the web portal of the Cisco Wireless LAN Controller over the wired network, and the accounts exist in the WLC Lobby Ambassador.
    My deployment in the wireless network is in this way:
    FlexConnect with central authentication and local switching to connect 15 sites over the WAN.
    SSID 1: corporate users working with 802.1X to authenticate users with PEAP MSCHAPv2 and MAC filtering configured in the Cisco WLC. My ACS 5.4 is integrated with Active Directory.
    SSID 2: guest users working with the web portal of the Cisco Wireless LAN Controller over the wireless network, and the accounts exist in the WLC Lobby Ambassador.
    I would like to configure Downloadable Access Lists (DACL) in the Cisco ACS 5.4 to use in my wired and wireless networks.
    How can I do it for my scenario?
    Please, could you help me?
    Regards
    Ivan.

    Hello. To avoid confusion, let's divide the WLCs based upon the operating system.
    There are WLCs that run AirOS. That includes the WLC 4400, but also the WLC 5500.
    There are WLCs that run IOS-XE. That includes the new Catalyst 3850-X and WLC 5700 (I think they can also run AirOS too).
    IOS-XE fully supports DACL. On the other hand, AirOS supports DACL partially.
    From the ACS point of view, when you configure a DACL for IOS you configure not only the name of the access list but also the access-list entries. That way the IOS devices don't need to have the ACLs pre-configured. This is great because you only need to create and update the access-list entries in one place (which is ACS) and deploy them easily to hundreds of switches.
    On the other hand, when ACS configures a DACL for AirOS it can only specify the name of the access list. The AirOS device needs to have an access list configured with a name exactly as configured on the ACS. Sadly, each AirOS device also needs to have all the access-list entries configured.
    It seems you want to configure a DACL along with other attributes. If you explain your requirement to me a little more, I can show you what to configure.
    Best regards
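
    To make the difference in that answer concrete, here is an added example (not code from the thread or from Cisco) that models both delivery paths in Python: for IOS, the Access-Accept names the dACL and the switch fetches the entries in a second RADIUS exchange as ip:inacl# av-pairs; for AirOS, only Airespace-ACL-Name is returned, so the script also checks that every controller holds an ACL with exactly that name and the same entries. The ACL contents, the version suffix and the controller names are constructed; the exact version string ACS appends to a dACL name, and case-sensitive matching of WLC ACL names, are assumptions.

```python
"""Added example (not from the thread): how ACS 5.x hands a downloadable ACL
to an IOS switch versus an AirOS WLC, plus a drift check for the AirOS side.
Attribute names follow the cisco-av-pair and Airespace-ACL-Name conventions;
the ACL entries, version suffix and controller names are constructed."""


def acs_dacl_name(name: str, version: str) -> str:
    """ACS names a dACL '#ACSACL#-IP-<name>-<version>'; IOS prints it as
    'xACSACLx-IP-...' in 'show authentication sessions'. The version suffix
    is a placeholder here (assumption): ACS generates its own."""
    return f"#ACSACL#-IP-{name}-{version}"


def ios_authorization(name: str, version: str, entries: list[str]):
    """IOS / IOS-XE: two RADIUS exchanges.
    1. The client's Access-Accept carries only the dACL name.
    2. The switch sends a second Access-Request with that name as User-Name
       and receives one 'ip:inacl#<n>=' av-pair per entry, so nothing has to
       be pre-configured on the switch."""
    dacl = acs_dacl_name(name, version)
    accept = {"cisco-av-pair": [f"ACS:CiscoSecure-Defined-ACL={dacl}"]}
    download_request = {"User-Name": dacl}
    download_reply = {
        "cisco-av-pair": [f"ip:inacl#{i}={e}" for i, e in enumerate(entries, 1)]
    }
    return accept, download_request, download_reply


def airos_authorization(name: str) -> dict:
    """AirOS (WLC 4400/5500): the Access-Accept carries only the ACL name.
    The WLC must already hold an ACL with exactly this name and its entries."""
    return {"Airespace-ACL-Name": name}


def check_airos_controllers(name: str, entries: list[str], controllers: dict):
    """Compare the ACS copy of the ACL with what each AirOS controller holds.
    controllers maps WLC name -> {acl_name: [entries]} (constructed input).
    Returns (wlc, problem) pairs; an empty list means every WLC matches."""
    wanted = [e.split() for e in entries]
    problems = []
    for wlc, acls in controllers.items():
        if name not in acls:
            # Assumption: WLC ACL names are case-sensitive, so a copy that
            # differs only in case is reported as missing, with a hint.
            near = [n for n in acls if n.lower() == name.lower()]
            hint = f" (found '{near[0]}'; the name must match exactly, case-sensitive)" if near else ""
            problems.append((wlc, f"ACL '{name}' missing{hint}"))
        elif [e.split() for e in acls[name]] != wanted:
            problems.append((wlc, f"ACL '{name}' entries differ from the ACS copy"))
    return problems


if __name__ == "__main__":
    entries = ["permit tcp any any eq 22", "deny ip any any"]
    print(ios_authorization("SSH-PERMIT-ALL", "5270ce52", entries))
    print(airos_authorization("SSH-PERMIT-ALL"))
    print(check_airos_controllers("SSH-PERMIT-ALL", entries, {
        "wlc-site1": {"SSH-PERMIT-ALL": entries},
        "wlc-site2": {"ssh-permit-all": entries},
        "wlc-site3": {"SSH-PERMIT-ALL": ["permit ip any any"]},
    }))
```

    The drift check is the part worth keeping when the same ACL has to live on several AirOS controllers: a renamed or edited copy on one WLC silently changes what that site's clients can reach, and nothing on the ACS side will tell you.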

  • PEAP : Machine authentication doesn't work

    Hello,
    I'm trying to set up machine authentication and at this time I have some problems.
    I have the following configuration:
    - the user laptops are running WinXP
    - the AP is a 1232
    - ACS 3.3.2
    - external database (Windows 2000 Active Directory) authentication
    I set up PEAP and it works well when a user is authenticated. However, when I enable machine authentication on the ACS and also on the user laptop, it doesn't work. In the ACS logs I can see that the user has not been authenticated due to the machine access restriction.
    In Active Directory I changed the dial-in configuration for the computers to allow access.
    Is there anything else that has to be modified in order to perform machine authentication?
    Hope someone will be able to help me.
    Thanks in advance.
    Alex

    Hi Alex
    I have had a similar issue. I found that my PEAP users were fine but machine authentication failed at the SSL handshake, i.e. the machine didn't know where the local certificate was. In the meantime, to get the policies working, I unchecked "validate server certificate" on the client, and that works. I would assume that the certificate needs to be in a specific default location for machine authentication to use it, though that's just a guess.
    I am spending the day to get this working and I'll post what I find out.
    Regards
    Colin

  • ACS - Verisign Cert - PEAP Auth - XP Clients

    Hi
    I am hoping to implement PEAP using a server certificate on ACS generated by a real CA like Verisign/Thawte etc. to avoid having to distribute an internal root CA certificate to all clients.
    I have discovered that Verisign provides a WLAN Auth certificate product, but this appears to be specifically for IAS.
    Does anybody know whether I can just generate a certificate request from the ACS box and use any certificate, or is there a particular type I need?
    Any help would be much appreciated!
    Thanks
    Leon

    CTA can be configured to perform machine authentication using certificates provided that the 802.1x Wired Client has been installed. Refer to http://cisco.com/en/US/products/ps5923/products_maintenance_guide_chapter09186a00806870ac.html for more information.

  • How to restore time machine from wireless hard drive?

    I backed up my data to a wireless hard drive before I wiped my hard drive. But now I'm having trouble restoring it.
    I can't restore it from Time Machine, as it was not fully complete.
    Migration Assistant asks for a password to the hard drive, which I don't know. The person in my family who bought the drive entered it, but then Migration Assistant greys out Continue and nothing seems to happen.
    I opened the hard drive myself and there's a bunch of blank files named 01 349 049 984 and such. No extension.
    Help?

    The exhaustive list of backup devices supported by Time Machine consists of Time Capsule and locally connected and mounted volumes, period. Time Machine can use NAS devices, but there are many caveats including but not limited to the necessity for AFP to be running on the server. Wireless storage devices introduce yet another element of uncertainty.
    OS X Mountain Lion: Disks you can use with Time Machine
    Anything else, and you're a test pilot. Let Apple know how it works for you.

  • ACS 5.3 Dot1x for Wired/Wireless

    Hi Community,
    I have a query regarding the ACS 5.3 installation. I have wired and wireless clients in my setup, with Nexus 5k and 45k switches and a WLC-5508. Also, we are using Microsoft AD to authenticate clients for network access.
    My questions are:
    1. Can we configure dot1x in this scenario to use passwords only (no certificates needed at all)? Or must we have certificates in order to configure it properly (like AD and ACS sync issues etc.)?
    2. If yes, can someone point out any good docs that can help?
    Regards,
    Hammad

    Hi Jatin,
    Thanks for the tips earlier. However, I installed ACS 5.4 and then configured the server from scratch.
    I am getting MAB as well as dot1x authentication. But for two different users I am getting two different results for dot1x. I wonder why this is happening? Is it an ACS/switch config issue or is it related to AD?
    I am finding one user is getting perfectly authenticated while the other is showing "Authorization failed" yet is still able to access the network.
    #$cation sessions interface tenGigabitEthernet 1/1/12
               Interface: TenGigabitEthernet1/1/12
             MAC Address: 28d2.4421.109c
               IP Address: 10.160.193.100
               User-Name: ABC\shuser
                   Status: Authz Success
                   Domain: DATA
         Security Policy: Should Secure
         Security Status: Unsecure
           Oper host mode: multi-auth
         Oper control dir: both
           Authorized By: Authentication Server
            Vlan Policy: N/A
                 ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
         Session timeout: N/A
             Idle timeout: N/A
       Common Session ID: 0AA000010000010548A006AC
         Acct Session ID: 0x000007A4
                   Handle: 0xA1000106
    Runnable methods list:
           Method   State
           dot1x   Authc Success
    CS01#
    CS01#
    CS01#$cation sessions interface tenGigabitEthernet 1/1/12
               Interface: TenGigabitEthernet1/1/12
             MAC Address: 28d2.4421.109c
               IP Address: 10.160.193.100
               User-Name: host/TESTPC01.sportshub.com.sg
                   Status: Authz Failed
                   Domain: DATA
         Security Policy: Should Secure
         Security Status: Unsecure
           Oper host mode: multi-auth
         Oper control dir: both
           Authorized By: Authentication Server
             Vlan Policy: N/A
         Session timeout: N/A
             Idle timeout: N/A
       Common Session ID: 0AA000010000010648A11C04
         Acct Session ID: 0x000007AD
                   Handle: 0x61000107
    Runnable methods list:
           Method   State
           dot1x   Authc Success
    ================================
    SWITCH PORT CONFIG:
    int ten1/1/9
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    authentication host-mode multi-auth
    authentication violation restrict
    dot1x timeout tx-period 10
    dot1x timeout quiet-period 20
    authentication timer reauthenticate server
    dot1x max-reauth-req 3
    Regards,
    Hammad
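
    As an added example (not part of the post above), the following Python parses the two session blocks from the post and reports the session that authenticated but was not authorized, together with the authorization attributes the switch recorded for it. The sample text is the post's own "show authentication sessions" output, including the echoed prompt lines; only the parser and the check are new, and it makes no claim about why authorization failed.

```python
"""Added example: parse IOS 'show authentication sessions interface' output
and flag sessions with dot1x 'Authc Success' but port status 'Authz Failed'.
SAMPLE is the output posted in the thread, copied verbatim (prompt lines kept
to show they are skipped)."""

import re

SAMPLE = r"""
           Interface: TenGigabitEthernet1/1/12
         MAC Address: 28d2.4421.109c
           IP Address: 10.160.193.100
           User-Name: ABC\shuser
               Status: Authz Success
               Domain: DATA
     Security Policy: Should Secure
     Security Status: Unsecure
       Oper host mode: multi-auth
     Oper control dir: both
       Authorized By: Authentication Server
         Vlan Policy: N/A
             ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
     Session timeout: N/A
         Idle timeout: N/A
   Common Session ID: 0AA000010000010548A006AC
     Acct Session ID: 0x000007A4
               Handle: 0xA1000106
Runnable methods list:
       Method   State
       dot1x   Authc Success
CS01#
CS01#$cation sessions interface tenGigabitEthernet 1/1/12
           Interface: TenGigabitEthernet1/1/12
         MAC Address: 28d2.4421.109c
           IP Address: 10.160.193.100
           User-Name: host/TESTPC01.sportshub.com.sg
               Status: Authz Failed
               Domain: DATA
     Security Policy: Should Secure
     Security Status: Unsecure
       Oper host mode: multi-auth
     Oper control dir: both
       Authorized By: Authentication Server
         Vlan Policy: N/A
     Session timeout: N/A
         Idle timeout: N/A
   Common Session ID: 0AA000010000010648A11C04
     Acct Session ID: 0x000007AD
               Handle: 0x61000107
Runnable methods list:
       Method   State
       dot1x   Authc Success
"""

# A CLI prompt ('CS01#') or an echoed command ('CS01#$cation sessions ...').
PROMPT = re.compile(r"^\S+[#>]")


def parse_sessions(text: str) -> list[dict]:
    """Split the output into one dict per session: 'Key: value' pairs plus a
    'methods' dict of method -> state taken from the runnable methods list."""
    sessions, cur, in_methods = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line):
            in_methods = False
            continue
        if line.startswith("Interface:"):
            cur = {"methods": {}}
            sessions.append(cur)
            in_methods = False
        if cur is None:
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] != "Method":
                cur["methods"][parts[0]] = parts[1].strip()
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            cur[key.strip()] = value.strip()
    return sessions


def authz_mismatches(sessions: list[dict]) -> list[dict]:
    """Sessions the server accepted (dot1x Authc Success) that the switch
    nevertheless left in Authz Failed. The returned fields are what to take
    to the ACS authentication report; 'acs_acl' is None when no dACL name
    was recorded for the session."""
    return [
        {
            "user": s.get("User-Name"),
            "mac": s.get("MAC Address"),
            "session_id": s.get("Common Session ID"),
            "acs_acl": s.get("ACS ACL"),
            "vlan": s.get("Vlan Policy"),
        }
        for s in sessions
        if s["methods"].get("dot1x") == "Authc Success" and s.get("Status") == "Authz Failed"
    ]


if __name__ == "__main__":
    for item in authz_mismatches(parse_sessions(SAMPLE)):
        print(item)
```

    On this sample the flagged session is the machine account host/TESTPC01.sportshub.com.sg, with no ACS ACL recorded, while the user session got xACSACLx-IP-SSH-PERMIT-ALL-5270ce52 and Authz Success. That difference plus the Common Session ID is the starting point for the ACS report; the parser itself does not decide why authorization failed.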
