ACS 5.2 Machine Authentication and AD user

I am trying to set up a rule to allow wireless access only to users in my AD when they use computers from my AD.
I have machine authentication working on its own (computer boots up and connects to wireless - confirmed by ACS logs).
I have user authentication working.
But when I try to create the following rule:

I solved it. It seems that you have to have "Machine Access Restrictions" (External Identity Stores > Active Directory) checked. Then it works.

Similar Messages

  • Machine Authentication and User Authentication with ACS v5.1... how?

    Hi!
    I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
    This is the goal:
    On wireless (preferably on wired too) networks, get the WinXP machine to machine-authenticate against AD using certificates, so the machine is reachable via, for example, ping, and can also get GPO updates.
    Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
    I have set up a Windows certificate server, and the client (WinXP) is receiving both machine and user certificates just fine.
    I have also managed to set things up so Machine Authentication works, by setting up a policy rule that checks on certificate only:
    "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
    But to achieve that, I had to set the EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using certificates too?
    I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
    Thank you.

    Hello again.
    I found out how to do this now.
    What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both the user certificate and the machine certificate.
    After adding that profile to the Identity Store Sequences, and making the appropriate rule in the policy, it works.
    You must also remember to change the AuthMode option in the Windows XP Registry to "1".
    What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that condition to work, unfortunately.
    That would have plugged a few security holes for me.

  • Machine authentication and MAR not working.

    Hi, I'm using ACS 4.1.23 with MS AD for authentication in a wireless network environment. Users connect to one of the SSIDs (Suppliers and Employees) and, based on group authorization in AD, are allowed access. The SSID for the Employees network has an additional policy: only registered hosts in AD are allowed. For authentication the standard MS supplicant is used, with PEAP-MSCHAPv2 configured.
    According to the Cisco documentation ACS supports machine authentication, and in combination with MAR it is possible to require authenticated hosts before user authentication.
    BUT, it doesn't work. I do see successful host and user authentication, but the MAR policy doesn't kick in when a user authenticates without host authentication. I was able to turn on debug logging for the CSAuth service, giving me the extra information in the AUTH.log.
    I have no clue what is missing or how to troubleshoot from this point on.
    Has anyone got this setup working, or can anyone help me a step further?

    Found it!
    Within the MAR configuration, the "host/" definition is required for ACS to identify hosts.
    ACS has the worst GUI of all software I know of ... :-(

  • ACS 4.1 machine authentication problem

    Hi,
    I'm using the Cisco NAC framework in order to authenticate both users and machines before granting network access. I'm using Windows AD to authenticate users and machines.
    Under "External User Databases" -> Windows Authentication Configuration, you can configure some machine authentication settings.
    I have to enable "Enable Machine Access Restriction" in combination with the group map "no access". Otherwise, even though machine authentication has failed, an authorized user can still login with an unauthorized machine (it will only appear in the failed attempts log but it will not be restricted).
    This works, but the problem is the "aging time". The ACS caches the machines for a certain amount of time (12 hours by default). Now if a user logs off and waits 12 hours to log back on, authentication will fail (because machine authentication is already performed just after logging off).
    Is it possible to force machine authentication (together with the user authentication) at Windows log on?
    Kind regards

    ACS 4.1 machine authentication can work on windows. This issue occurs in an environment where there is more than one global catalog server for the domain. Restart CSAuth.exe service, and then try to authenticate again (with Machine credentials)
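The aging-time failure mode described in this thread, together with the "host/" identity rule from the MAR thread above, modelled as a short Python simulation. This is an added example, not ACS code and not code from any of the posters: the per-client cache keyed by calling-station-id, the 12-hour default and the "no access" group mapping are taken from the posts, while the identities, MAC addresses and timestamps are constructed.

```python
"""Toy model of Machine Access Restrictions (MAR) as the posts describe it:
machine authentications are cached per client (keyed by calling-station-id)
for an aging window, and a user authentication arriving from a client with
no fresh machine authentication is mapped to a "no access" group.
Added example, not ACS code; all identities and timings are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAR_AGING_DEFAULT = timedelta(hours=12)   # the 12-hour default quoted in the thread


@dataclass
class MarCache:
    aging: timedelta = MAR_AGING_DEFAULT
    # calling-station-id (client MAC) -> time of its last successful machine auth
    _last_machine_auth: dict = field(default_factory=dict)

    def record_machine_auth(self, identity: str, calling_station: str, at: datetime) -> bool:
        """Cache a machine authentication. The MAR thread's fix: ACS recognises a
        machine only by the "host/" prefix on the identity; anything else is a
        user and is not cached."""
        if not identity.startswith("host/"):
            return False
        self._last_machine_auth[calling_station] = at
        return True

    def is_machine_authenticated(self, calling_station: str, at: datetime) -> bool:
        last = self._last_machine_auth.get(calling_station)
        return last is not None and timedelta(0) <= at - last <= self.aging


def authorize_user(cache: MarCache, calling_station: str, at: datetime,
                   mar_enabled: bool = True, user_group: str = "Employees") -> str:
    """Return the group a user session is mapped to. With MAR enabled, a user
    from a client with no fresh machine auth lands in "no access"."""
    if mar_enabled and not cache.is_machine_authenticated(calling_station, at):
        return "no access"
    return user_group


def scenario() -> dict:
    """Replay the sequence from the post and return each decision."""
    cache = MarCache()
    boot = datetime(2008, 1, 1, 8, 0)          # constructed timestamp
    mac = "00-11-22-33-44-55"                  # constructed calling-station-id
    results = {}
    # An identity without "host/" is not treated as a machine at all.
    results["bare_name_cached"] = cache.record_machine_auth("PC01", mac, boot)
    results["host_prefix_cached"] = cache.record_machine_auth("host/PC01.corp.example", mac, boot)
    # User logs on a few minutes after boot: fresh machine auth, normal access.
    results["login_after_boot"] = authorize_user(cache, mac, boot + timedelta(minutes=5))
    # User logs off, leaves the machine up, and logs back on 13 hours later: the
    # cached entry has aged out, so MAR denies although the machine is legitimate.
    results["login_after_13h"] = authorize_user(cache, mac, boot + timedelta(hours=13))
    # Same request with MAR disabled: the user gets in regardless of machine auth,
    # which is the gap the poster had to close by enabling MAR.
    results["login_after_13h_mar_off"] = authorize_user(
        cache, mac, boot + timedelta(hours=13), mar_enabled=False)
    # A client that never machine-authenticated is denied outright with MAR on.
    results["unknown_client"] = authorize_user(cache, "66-77-88-99-AA-BB", boot + timedelta(minutes=5))
    return results


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name}: {decision}")
```

The model shows why the two settings interact: without MAR the machine check is advisory only (a failed machine auth just shows up in the failed-attempts log), and with MAR the cache lifetime becomes a hard dependency, so any client that stays up longer than the aging window without re-authenticating as a machine is denied on its next user logon.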

  • ACS + Wired dot1x machine authentication

    Hi,
    I am trying to setup wired machine based authentication. I have followed this guide
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#req
    However I simply get the same error all the time on ACS.
    Invalid message authenticator in EAP request
    Switch config;
    interface GigabitEthernet0/46
    switchport access vlan 20
    switchport mode access
    media-type rj45
    dot1x pae authenticator
    dot1x port-control auto
    dot1x reauthentication
    dot1x guest-vlan 20
    I am trying to set up group matching to perform VLAN assignment; however, I am just entering under the unknown user policy at the moment with no VLAN assignment set up.
    Can anyone shed any light on this? All I want to do is authenticate a machine via certificates and issue a VLAN ID based on the machine name and AD group matching. No user authentication; this can be done via the PDC.
    Purely using machine auth.
    Cheers
    Scott

    Hi Guys,
    The plot thickens: I can authenticate via user 802.1x and I can also authenticate the machine against my existing 4.1 ACS server; however, when using the new server 4.2 I get the external DB authentication failure??
    Thanks for your help.
    Scott

  • ACS 4.1 to differentiate and restrict users

    Hello all,
    I've been wrestling with this issue off and on for some time, but have had limited success. There is something I don't quite understand just yet. I hope someone here can help.
    I want to set up AAA on ACS 4.1 for authenticating login sessions to my switches, ASA and access points. That part is easy, and it even works, but here's what I'm having trouble with:
    Our ACS server points to our Windows 2003 AD database. If I set up my switches with AAA, anyone in the AD database can login to the switch. I only need about 5 people to have admin access to my switches, not the 4000 others.
    Also, I need to administer my access points. I am also a wireless user. Betty Sue in accounting is a wireless user, but has no need to administer the access point to which she associates. Same thing goes with our ASA and remote access VPN connections. How do I identify how a user connects to the device and set restrictions based on this?
    To put it another way:
    User A is Admin, wireless user, VPN user. Needs full access to all these devices. This part is easy.
    User B is accountant (or whatever), wireless user, VPN user. Should not have any access to administer the switch, AP, or ASA they are connecting to.
    I hope that makes sense. I've been through the NAP documents. I think the solution is there, but I'm not bright enough or brave enough to figure it out, at least not on a live network:)
    Thanks for any help.
    Scott

    All,
    I'm just now getting back to this. ACS is upgraded and the NAP is configured and almost working as I need it to be, with a big exception. Maybe someone can help?
    When I use telnet to login to a device, I am asked for "Username". With a sniffer, I can see that the AV Pair used to identify VTY connections is being sent with the proper value, and the user I want to be denied is denied. Subsequent requests to login are all asking for "Username", and all send the correct AV Pair, and all are rejected. Nice.
    Here's the issue. When I use SSH to login to the same device, with the same credentials, I am asked to "Login as". The first time, the AV Pair I need is sent and the user is denied. When I am asked again, I'm not asked for user name or to "login as" again, I'm only asked for the password. If I enter the correct password, the user, any user, is allowed. Not good. With the sniffer, I see that the AV Pair is only sent with the first attempt; subsequent attempts don't send the AV Pair in question, so ACS can't act on this information, and so the user who should be denied is not.
    Any ideas for how to get around this? Can SSH be setup to present the username to the login session every time? Is there a way to force the sending of this AV Pair every time? Can I set up something to say that any user has only one attempt to login?
    The AV Pair in question is [061]NAS-Port-Type=5
    Thanks for any help
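The NAS-Port-Type behaviour in this post, as an added Python example that is not code from ACS or from the poster: a minimal parser for RADIUS attribute TLVs and a device-administration policy that fails closed when the attribute is absent, which is the safe reading of the second SSH attempt described above. Attribute 61 and its value 5 (Virtual) are the ones quoted in the post; the packets, usernames and admin list are constructed, and the `fail_closed=False` branch is an assumption about how a permissive rule set ends up letting the retry through.

```python
"""RADIUS attribute TLVs (RFC 2865: type, length, value) and a small
device-administration policy keyed on NAS-Port-Type. Added example, not ACS
code. Packets, usernames and the admin list are constructed."""
import struct

USER_NAME = 1
NAS_PORT_TYPE = 61          # the [061] in the post's AV pair
NAS_PORT_TYPE_VIRTUAL = 5   # VTY (telnet/SSH) sessions, the value the post cites


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length (header + value), value."""
    if not 0 < len(value) + 2 <= 255:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(blob: bytes) -> dict:
    """Parse a run of attributes into {type: [value, ...]}; rejects malformed lengths
    (a length below 2 would otherwise loop forever)."""
    attrs = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(blob[i + 2:i + length])
        i += length
    return attrs


def decide(attrs: dict, admins: set, fail_closed: bool = True) -> str:
    """Decide device-admin access for a login request.
    VTY sessions (NAS-Port-Type=5) are only for listed admins. When the
    attribute is missing, fail_closed=True rejects; fail_closed=False mirrors
    the behaviour the post observed, where the session cannot be classified
    as VTY and the user falls through to the permissive branch."""
    names = attrs.get(USER_NAME)
    if not names:
        return "reject"
    user = names[0].decode("utf-8", "replace")
    port_types = attrs.get(NAS_PORT_TYPE)
    if not port_types:
        return "reject" if fail_closed else "accept"
    (port_type,) = struct.unpack("!I", port_types[0])
    if port_type == NAS_PORT_TYPE_VIRTUAL:
        return "accept" if user in admins else "reject"
    return "accept"   # non-VTY ports (wireless, VPN) are governed by other rules here


ADMINS = {"scott"}   # constructed admin list


def scenario() -> dict:
    """Replay the three requests the post describes and return each decision."""
    vty = encode_attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL))
    first_attempt = encode_attr(USER_NAME, b"bettysue") + vty      # AV pair present
    admin_attempt = encode_attr(USER_NAME, b"scott") + vty
    retry_no_avpair = encode_attr(USER_NAME, b"bettysue")           # second SSH attempt
    return {
        "first_attempt": decide(parse_attrs(first_attempt), ADMINS),
        "admin": decide(parse_attrs(admin_attempt), ADMINS),
        "retry_fail_closed": decide(parse_attrs(retry_no_avpair), ADMINS),
        "retry_permissive": decide(parse_attrs(retry_no_avpair), ADMINS, fail_closed=False),
    }


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name}: {decision}")
```

The design point is that a rule which matches on "NAS-Port-Type is Virtual" only ever denies when the attribute is present; the complementary check a rule set needs is "NAS-Port-Type is absent, so deny", otherwise a device that omits the attribute on retries turns the restriction into a single-attempt check.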

  • NTS Authentication and External Users

    Hi,
    I am looking for advice on the following issue:
    Oracle:9.2.0.6
    OS:Windows 2000
    This is a data warehouse and the data is loaded by batch scripts. To ensure that the batch scripts haven't got usernames and passwords hard coded, we used externally identified users. However, to get this to work the parameter Authentication_Services has to be set to NTS. Therefore anyone who is in the ORA_DBA group can log into the database without a password; also anyone who is an administrator of the machine could potentially add themselves to the ORA_DBA group and then log into the database without a password.
    Is there any way to use external authentication but then also force sysdba connections to specify a password?
    Is it possible to just remove the ORA_DBA group without any impact?
    If you need any clarification then please let me know.
    Thanks for your time and help
    Regards
    Seb

    More details (architecture etc) would be needed to suggest any kind of solution.
    Also, is the content served static or dynamic? If the content is dynamic then the backend component (app) would expect the identity to be propagated to it. This could be a potential issue if internal users won't authenticate.
    If it is static content then you can make use of rewrite rules / rewrite conditions to filter IP addresses (internal users should have some IP address range), although you may have to do multiple URL rewrites at the Apache level to bypass authentication.
    Another solution is to implement a zero-sign-on experience via WNA for internal users. WNA would take advantage of the user's login to the desktop. Hope this helps.

  • Claims Based Authentication and Editing User Profiles

    Hi All,
    I have an interesting issue where I have a SharePoint farm set up with both the intranet and MySites web applications using Claims Based Authentication. While everything seems to work fine (you are able to search for users, view properties, and users can change their own profile properties), when you configure a profile administration account (an account with the "manage user profiles" permission on the User Profile Service Application) and you attempt to use that account to edit another user's profile, you get hit with a generic error page.
    Delving deeper you get the following errors:
    ULS:
    Date    Process    Thread Id    Area    Category    Event Id    Level    Correlation    Message
    5/7/2013 00:31:44:64    App Pool: MySites    0x1DC8    SharePoint Foundation    Logging Correlation Data    xmnv    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Name=Request (GET:http://mysite.DOMAIN.loc:80/_layouts/15/EditProfile.aspx?UserSettingsProvider=234bf0ed%2D70db%2D4158%2Da332%2D4dfd683b4148&ReturnUrl=http%3A%2F%2Fmysite%2EDOMAIN%2Eloc%2Fperson%2Easpx%3Faccountname%3DDOMAIN%255CAUSER&accountname=DOMAIN%5CAUSER)
    5/7/2013 00:31:44:66    App Pool: MySites    0x1DC8    SharePoint Foundation    Authentication Authorization    agb9s    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Non-OAuth request. IsAuthenticated=True, UserIdentityName=0#.w|DOMAIN\sp_config, ClaimsCount=24
    5/7/2013 00:31:44:66    App Pool: MySites    0x1DC8    SharePoint Foundation    Logging Correlation Data    xmnv    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Site=/
    5/7/2013 00:31:44:69    App Pool: MySites    0x1DC8    SharePoint Foundation    Files    00000    High    4001199c-6bd8-c03d-920f-55177fbff00c  
     UserAgent not available, file operations may not be optimized.
    at Microsoft.SharePoint.SPFileStreamManager.CreateCobaltStreamContainer(SPFileStreamStore spfs, ILockBytes ilb, Boolean copyOnFirstWrite, Boolean disposeIlb)  
    at Microsoft.SharePoint.SPFileStreamManager.SetInputLockBytes(SPFileInfo& fileInfo, SqlSession session, PrefetchResult prefetchResult)  
    at Microsoft.SharePoint.CoordinatedStreamBuffer.SPCoordinatedStreamBufferFactory.CreateFromDocumentRowset(Guid databaseId, SqlSession session, SPFileStreamManager spfstm, Object[] metadataRow, SPRowset contentRowset, SPDocumentBindRequest& dbreq, SPDocumentBindResults&
    dbres)  
    at Microsoft.SharePoint.SPSqlClient.GetDocumentContentRow(Int32 rowOrd, Object ospFileStmMgr, SPDocumentBindRequest& dbreq, SPDocumentBindResults& dbres)  
    at Microsoft.SharePoint.Library.SPRequestInternalClass.GetFileAndMetaInfo(String bstrUrl, Byte bPageView, Byte bPageMode, Byte bGetBuildDependencySet, String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages,
    Boolean& pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean& pbGhostedDocument, Boolean& pbDefaultToPersonal, Boolean& pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String&
    pbstrTimeLastModified, String& pbstrContent, UInt32& pdwPartCount, Object& pvarMetaData, Object& pvarMultipleMeetingDoclibRootFolders, String& pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64&
    pllListFlags, Boolean& pbAccessDenied, Guid& pgDocid, Byte& piLevel, UInt64& ppermMask, Object& pvarBuildDependencySet, UInt32& pdwNumBuildDependencies, Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder,
    Guid& pgDocScopeId)  
    at Microsoft.SharePoint.Library.SPRequestInternalClass.GetFileAndMetaInfo(String bstrUrl, Byte bPageView, Byte bPageMode, Byte bGetBuildDependencySet, String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages,
    Boolean& pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean& pbGhostedDocument, Boolean& pbDefaultToPersonal, Boolean& pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String&
    pbstrTimeLastModified, String& pbstrContent, UInt32& pdwPartCount, Object& pvarMetaData, Object& pvarMultipleMeetingDoclibRootFolders, String& pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64&
    pllListFlags, Boolean& pbAccessDenied, Guid& pgDocid, Byte& piLevel, UInt64& ppermMask, Object& pvarBuildDependencySet, UInt32& pdwNumBuildDependencies, Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder,
    Guid& pgDocScopeId)  
    at Microsoft.SharePoint.Library.SPRequest.GetFileAndMetaInfo(String bstrUrl, Byte bPageView, Byte bPageMode, Byte bGetBuildDependencySet, String bstrCurrentFolderUrl, Int32 iRequestVersion, Byte bMainFileRequest, Boolean& pbCanCustomizePages, Boolean&
    pbCanPersonalizeWebParts, Boolean& pbCanAddDeleteWebParts, Boolean& pbGhostedDocument, Boolean& pbDefaultToPersonal, Boolean& pbIsWebWelcomePage, String& pbstrSiteRoot, Guid& pgSiteId, UInt32& pdwVersion, String& pbstrTimeLastModified,
    String& pbstrContent, UInt32& pdwPartCount, Object& pvarMetaData, Object& pvarMultipleMeetingDoclibRootFolders, String& pbstrRedirectUrl, Boolean& pbObjectIsList, Guid& pgListId, UInt32& pdwItemId, Int64& pllListFlags, Boolean&
    pbAccessDenied, Guid& pgDocid, Byte& piLevel, UInt64& ppermMask, Object& pvarBuildDependencySet, UInt32& pdwNumBuildDependencies, Object& pvarBuildDependencies, String& pbstrFolderUrl, String& pbstrContentTypeOrder, Guid&
    pgDocScopeId)  
    at Microsoft.SharePoint.SPWeb.GetWebPartPageContent(Uri pageUrl, Int32 pageVersion, PageView requestedView, HttpContext context, Boolean forRender, Boolean includeHidden, Boolean mainFileRequest, Boolean fetchDependencyInformation, Boolean& ghostedPage,
    String& siteRoot, Guid& siteId, Int64& bytes, Guid& docId, UInt32& docVersion, String& timeLastModified, Byte& level, Object& buildDependencySetData, UInt32& dependencyCount, Object& buildDependencies, SPWebPartCollectionInitialState&
    initialState, Object& oMultipleMeetingDoclibRootFolders, String& redirectUrl, Boolean& ObjectIsList, Guid& listId)  
    at Microsoft.SharePoint.ApplicationRuntime.SPRequestModuleData.FetchWebPartPageInformationForInit(HttpContext context, SPWeb spweb, Boolean mainFileRequest, String path, Boolean impersonate, Boolean& isAppWeb, Boolean& fGhostedPage, Guid& docId,
    UInt32& docVersion, String& timeLastModified, SPFileLevel& spLevel, String& masterPageUrl, String& customMasterPageUrl, String& webUrl, String& siteUrl, Guid& siteId, Object& buildDependencySetData, SPWebPartCollectionInitialState&
    initialState, String& siteRoot, String& redirectUrl, Object& oMultipleMeetingDoclibRootFolders, Boolean& objectIsList, Guid& listId, Int64& bytes)  
    at Microsoft.SharePoint.ApplicationRuntime.SPRequestModuleData.GetWebPartPageData(HttpContext context, String path, Boolean throwIfFileNotFound)  
    at Microsoft.SharePoint.ApplicationRuntime.SPVirtualPathProvider.GetCacheKey(String virtualPath)  
    at System.Web.Compilation.BuildManager.GetVPathBuildResultFromCacheInternal(VirtualPath virtualPath, Boolean ensureIsUpToDate)  
    at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)  
    at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate)  
    at System.Web.Compilation.BuildManager.GetVPathBuildResult(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean ensureIsUpToDate)  
    at System.Web.UI.MasterPage.CreateMaster(TemplateControl owner, HttpContext context, VirtualPath masterPageFile, IDictionary contentTemplateCollection)  
    at System.Web.UI.Page.ApplyMasterPage()  
    at System.Web.UI.Page.PerformPreInit()  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.ProcessRequest()  
    at System.Web.UI.Page.ProcessRequest(HttpContext context)  
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()  
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)  
    at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)  
    at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)  
    at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)  
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)  
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)  
    at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)  
    at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)  
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)  
    at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
    5/7/2013 00:31:44:69    App Pool: MySites    0x1DC8    SharePoint Foundation    Files    aiv4w    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Spent 0 ms to bind 33542 byte file stream
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Portal Server    User Profiles    ai7z6    High    4001199c-6bd8-c03d-920f-55177fbff00c  
     User was not successfully retrieved: i:0#.w|DOMAIN\AUSER in ProfileUI.OnInit. Seeing if this is a system account
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Portal Server    User Profiles    ai7z7    High    4001199c-6bd8-c03d-920f-55177fbff00c  
     User i:0#.w|DOMAIN\AUSER not found and not a system account.
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Portal Server    User Profiles    ahn7m    Unexpected    4001199c-6bd8-c03d-920f-55177fbff00c  
     ProfileUI: Unhandled exception inside OnInit: Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER  
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Portal Server    User Profiles    ahn7h    Unexpected    4001199c-6bd8-c03d-920f-55177fbff00c  
     ProfileEditor: Unhandled exception inside OnInit: Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER  
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)  
    at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Foundation    General    8nca    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Application error when access /_layouts/15/EditProfile.aspx, Error=DOMAIN\AUSER
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)  
    at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Foundation    Runtime    tkau    Unexpected    4001199c-6bd8-c03d-920f-55177fbff00c  
     Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)  
    at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Foundation    General    ajlz0    High    4001199c-6bd8-c03d-920f-55177fbff00c  
     Getting Error Message for Exception System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER  
    at Microsoft.SharePoint.Portal.WebControls.ProfileUI.OnInit(EventArgs e)  
    at Microsoft.SharePoint.Portal.WebControls.ProfileEditor.OnInit(EventArgs e)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Control.InitRecursive(Control namingContainer)  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.HandleError(Exception e)  
    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)  
    at System.Web.UI.Page.ProcessRequest()  
    at System.Web.UI.Page.ProcessRequest(HttpContext context)  
    at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()  
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    5/7/2013 00:31:44:72    App Pool: MySites    0x1DC8    SharePoint Foundation    General    aat87    Monitorable    4001199c-6bd8-c03d-920f-55177fbff00c  
    5/7/2013 00:31:44:73    App Pool: MySites    0x1DC8    SharePoint Foundation    Monitoring    b4ly    Medium    4001199c-6bd8-c03d-920f-55177fbff00c  
     Leaving Monitored Scope (Request (GET:http://mysite.DOMAIN.loc:80/_layouts/15/EditProfile.aspx?UserSettingsProvider=234bf0ed%2D70db%2D4158%2Da332%2D4dfd683b4148&ReturnUrl=http%3A%2F%2Fmysite%2EDOMAIN%2Eloc%2Fperson%2Easpx%3Faccountname%3DDOMAIN%255CAUSER&accountname=DOMAIN%5CAUSER)).
    Execution Time=87.1739285300227
    It seems similar to an issue in the blog post here: http://kb4sp.wordpress.com/2012/12/05/user-cannot-be-found-shenanigans-one-way-active-directory-trusts-and-sharepoint-2013/ however I tried what was suggested and it didn't work.
    Any help with this is appreciated.

    This line offers clues about the actual problem:
    Microsoft.Office.Server.UserProfiles.UserNotFoundException: DOMAIN\AUSER 
    According to the MSDN link (http://msdn.microsoft.com/en-us/library/microsoft.office.server.userprofiles.usernotfoundexception.aspx)
    it is not able to find the user in the profile store. Additionally the link you mentioned (http://kb4sp.wordpress.com/2012/12/05/user-cannot-be-found-shenanigans-one-way-active-directory-trusts-and-sharepoint-2013)
    suggests that the account being used to validate accounts on the production domain may have a problem.
    Is there a way you can test that account in isolation against the DC?
    With Regards Shailen Sukul Entrepreneur/Software Architect/Developer/Consultant/Trainer (BSc | Mct | Mcpd (.Net 2/3.5/SharePoint2010) | Mcts (Sharepoint 2010/MOSS/WSS), Biztalk, Web, Win, Dist Apps) | Mcitp(SharePoint) | Mcsd.NET | Mcsd | Mcad) MSN | Skype
    | GTalk Id: shailensukul Twitter: http://twitter.com/shailensukul Website: http://sukul.org Blog: http://shailen.sukul.org/ http://www.linkedin.com/in/shailensukul

  • Machine Authentication with PEAP on Wireless with ISE1.2

    Hi All,
    We are facing issues while doing machine authentication in ISE 1.2 with wireless PEAP authentication. Without machine authentication normal PEAP works very fine, but as soon as we enable machine authentication, create a policy for machine authentication, and in the user authentication policy put the condition "was machine authenticated", then it works for some machines properly but does not work for other machines. It's totally random behaviour; sometimes it stops working for machines which were authenticated before.
    I just want to know if I'm missing some configuration or it's a bug in ISE. Can somebody share a step-by-step configuration for machine authentication with PEAP?
    Really It would be a great help.
    Thanks
    Ninja

    Did you apply service patch 4?

  • ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

    We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (non-wildcard) certificate loaded for https and EAP. We are just running PEAP. We have a mix of iOS, Android, and Windows 7/8 devices. iOS and Android devices can self-create a wireless profile and after entering credentials can connect without issue. Our Windows 7/8 devices, when auto-creating a wireless profile, are selecting 802.1x machine authentication instead of user authentication or the best option, which is machine or user authentication. This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE 1.2), or the best option which is to allow both types of authentication? I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither has helped. I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should-be-trusted certificate authority (probably a separate issue).
    Thank you for any help or ideas,

    When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile.  In that profile, 802.1x computer authentication option is chosen by windows.  That has to be changed to computer or user for the machine to function correctly on the network.
    On 1.2, this behavior was different.  The Windows device would auto select user authentication by default.  At other customer sites, windows devices auto select user authentication.  This of course needs  to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

  • Anyconnect 802.1x - "switch user" is blocked in machine authentication

    hi all,
    I know this is not a bug, it's a feature:
    AnyConnect blocks user switching, disallowing the computer to have them both logged in. It's desirable and understandable.
    However,
    I have an environment where I use only machine authentication, and remote helpdesk needs to connect to these machines using some application; then they "switch user" to do their tasks (it's important not to log off because there are some transactions in the background ...).
    Is there any chance that the new version of AnyConnect will have this feature (maybe it's already planned on the roadmap?)
    For machine authentication there should be a checkbox for the profile administrator to "allow/disallow users to switch".
    Or maybe there is already some trick/configuration step that I missed and it can be done?
    regards
    Przemek

  • Missing machine authentication - peap acs

    Hi,
    my setup is:
    Cisco ACS 4.0 Release 4.0(1) Build 27 (with thawte certificate)
    WLC 4402 ver 4.0.179.8
    Aironet 1131 LWAPP
    Dell laptop with Windows XP SP2 with PEAP auth (using Windows control of the WLAN card)
    I experience a problem with missing machine authentication even though I have enabled this in ACS (Enable PEAP machine authentication). The registry key on the PCs is standard Windows (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global with no value set = 0)
    http://support.microsoft.com/kb/309448/en-us
    I get these messages in the wlc log:
    AUTH 14/09/2006 08:48:58 E 0143 2688 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
    AUTH 14/09/2006 08:48:58 E 0376 3852 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
    Anyone who can point me in the right direction?
    Is it a Windows client problem or a WLC/ACS problem?
    regards rolf

    Hi,
    Still have the problem with machine authentication that stops working after 3-4 days. I narrowed this down to the Cisco ACS, as the only way to resolve this is to reboot the Win2003 server running Cisco ACS. I did put an error in my first post; it's not the WLC log that reports this:
    AUTH 26/09/2006 07:51:16 E 0143 0500 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
    AUTH 26/09/2006 07:51:16 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
    It is the CSAuth log on the ACS. Has anybody seen this error message and know what it refers to?
    My problem now is that machine authentication works OK for some days, then stops, and then the listed error messages start coming in the CSAuth log.
    regards rolf

  • Machine authentication in Aironet

    I'm trying to authenticate laptops to Active Directory before joining the wireless AP (Aironet 1240A).
    I'm using EAP on the AP
    and PEAP with certificates in NPS.
    I'm forcing laptops to use "computer authentication" through a GPO.
    Certificates are already deployed to all machines.
    The policy is configured in NPS with a "machine group" condition.
    The problem I'm facing is that some laptops are authenticated successfully while the others are not.
    All machines are using Windows 7 and are located in the same Active Directory OU (same GPO applied).
    Here is what I saw on the AP after enabling debug radius authentication.
    The working machines:
    *Mar  4 20:25:34.125: RADIUS/ENCODE(00000009):Orig. component type = DOT11
    *Mar  4 20:25:34.125: RADIUS:  AAA Unsupported Attr: ssid              [265] 9  
    *Mar  4 20:25:34.126: RADIUS:   63 6F 72 70 6F 72 61                             [corpora]
    *Mar  4 20:25:34.126: RADIUS:  AAA Unsupported Attr: interface         [157] 3  
    *Mar  4 20:25:34.126: RADIUS:   32                                               [2]
    *Mar  4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
    *Mar  4 20:25:34.126: RADIUS/ENCODE(00000009): acct_session_id: 8
    *Mar  4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
    *Mar  4 20:25:34.126: RADIUS(00000009): sending
    *Mar  4 20:25:34.127: RADIUS(00000009): Send Access-Request to X.Y.64.30:1812 id 1645/8, len 160
    *Mar  4 20:25:34.127: RADIUS:  authenticator AC E6 88 FF CD B5 F3 CE - EA 56 67 37 2F 72 B5 C5
    *Mar  4 20:25:34.127: RADIUS:  User-Name           [1]   23  "host/FADI-LT.domain.com"
    *Mar  4 20:25:34.127: RADIUS:  Framed-MTU          [12]  6   1400               
    *Mar  4 20:25:34.128: RADIUS:  Called-Station-Id   [30]  16  "0027.0c68.1dc0"
    *Mar  4 20:25:34.128: RADIUS:  Calling-Station-Id  [31]  16  "0811.9699.ba30"
    *Mar  4 20:25:34.128: RADIUS:  Service-Type        [6]   6   Login                     [1]
    *Mar  4 20:25:34.128: RADIUS:  Message-Authenticato[80]  18
    *Mar  4 20:25:34.128: RADIUS:   1C 45 ED 5A 5D 1E DA 88 73 E5 D3 16 9F A2 62 A9  [?E?Z]???s?????b?]
    *Mar  4 20:25:34.128: RADIUS:  EAP-Message         [79]  28
    *Mar  4 20:25:34.128: RADIUS:   02 02 00 1A 01 68 6F 73 74 2F 46 41 44 49 2D 4C  [?????host/FADI-L]
    *Mar  4 20:25:34.129: RADIUS:   54 2E 61 64 61 73 69 2E 61 65                    [T.domain.com]
    *Mar  4 20:25:34.129: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    *Mar  4 20:25:34.129: RADIUS:  NAS-Port            [5]   6   263                
    *Mar  4 20:25:34.129: RADIUS:  NAS-Port-Id         [87]  5   "263"
    *Mar  4 20:25:34.129: RADIUS:  NAS-IP-Address      [4]   6   10.10.64.229       
    *Mar  4 20:25:34.129: RADIUS:  Nas-Identifier      [32]  4   "AP"
    *Mar  4 20:25:34.166: RADIUS: Received from id 1645/8 10.10.64.30:1812, Access-Challenge, len 90
    *Mar  4 20:25:34.167: RADIUS:  authenticator 36 94 18 74 91 6F AA 0E - D4 D7 DC 48 A8 53 43 68
    *Mar  4 20:25:34.167: RADIUS:  Session-Timeout     [27]  6   30                 
    *Mar  4 20:25:34.167: RADIUS:  EAP-Message         [79]  8
    *Mar  4 20:25:34.167: RADIUS:   01 03 00 06 0D 20                                [????? ]
    *Mar  4 20:25:34.167: RADIUS:  State               [24]  38
    The non-working machines:
    *Mar  4 20:26:18.949: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
    *Mar  4 20:26:18.949: RADIUS:  AAA Unsupported Attr: ssid              [265] 9  
    *Mar  4 20:26:18.949: RADIUS:   63 6F 72 70 6F 72 61                             [corpora]
    *Mar  4 20:26:18.949: RADIUS:  AAA Unsupported Attr: interface         [157] 3  
    *Mar  4 20:26:18.949: RADIUS:   32                                               [2]
    *Mar  4 20:26:18.949: RADIUS(0000000A): Config NAS IP: X.Y.64.229
    *Mar  4 20:26:18.950: RADIUS/ENCODE(0000000A): acct_session_id: 9
    *Mar  4 20:26:18.950: RADIUS(0000000A): Config NAS IP: X.Y.64.229
    *Mar  4 20:26:18.950: RADIUS(0000000A): sending
    *Mar  4 20:26:18.950: RADIUS(0000000A): Send Access-Request to X.Y.64.30:1812 id 1645/11, len 150
    *Mar  4 20:26:18.951: RADIUS:  authenticator 17 64 A0 78 8E 49 12 7C - 79 8A 55 17 79 1F D5 A1
    *Mar  4 20:26:18.951: RADIUS:  User-Name           [1]   18  "domain\username"
    *Mar  4 20:26:18.951: RADIUS:  Framed-MTU          [12]  6   1400               
    *Mar  4 20:26:18.951: RADIUS:  Called-Station-Id   [30]  16  "0027.0c68.1dc0"
    *Mar  4 20:26:18.951: RADIUS:  Calling-Station-Id  [31]  16  "0022.faf1.9258"
    *Mar  4 20:26:18.951: RADIUS:  Service-Type        [6]   6   Login                     [1]
    *Mar  4 20:26:18.951: RADIUS:  Message-Authenticato[80]  18
    *Mar  4 20:26:18.951: RADIUS:   06 FC 55 89 6D 45 AA E5 8A 73 73 2C 82 87 28 BA  [??U?mE???ss,??(?]
    *Mar  4 20:26:18.952: RADIUS:  EAP-Message         [79]  23
    *Mar  4 20:26:18.952: RADIUS:   02 02 00 15 01 41 44 41 53 49 5C 66 61 64 69 2E  [?????domain\user]
    *Mar  4 20:26:18.952: RADIUS:   61 64 6D 69 6E                                   [name]
    *Mar  4 20:26:18.952: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    *Mar  4 20:26:18.952: RADIUS:  NAS-Port            [5]   6   264                
    *Mar  4 20:26:18.952: RADIUS:  NAS-Port-Id         [87]  5   "264"
    *Mar  4 20:26:18.952: RADIUS:  NAS-IP-Address      [4]   6   X.Y.64.229       
    *Mar  4 20:26:18.953: RADIUS:  Nas-Identifier      [32]  4   "AP"
    *Mar  4 20:26:18.980: RADIUS: Received from id 1645/11 X.Y.64.30:1812, Access-Challenge, len 90
    *Mar  4 20:26:18.980: RADIUS:  authenticator 54 84 DD 91 72 03 E9 08 - EA 61 C0 B3 B5 D6 9A 42
    *Mar  4 20:26:18.981: RADIUS:  Session-Timeout     [27]  6   30                 
    *Mar  4 20:26:18.981: RADIUS:  EAP-Message         [79]  8
    *Mar  4 20:26:18.981: RADIUS:   01 03 00 06 0D 20                                [????? ]
    *Mar  4 20:26:18.981: RADIUS:  State               [24]  38
    *Mar  4 20:26:18.981: RADIUS:   15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E  [???????7??????@?]
    *Mar  4 20:26:18.982: RADIUS:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08  [????????????????]
    *Mar  4 20:26:18.982: RADIUS:   55 9E B9 77                                      [U??w]
    *Mar  4 20:26:18.982: RADIUS:  Message-Authenticato[80]  18
    *Mar  4 20:26:18.982: RADIUS:   1A EC 06 E6 E0 46 C4 06 15 87 E9 26 30 49 63 47  [?????F?????&0IcG]
    *Mar  4 20:26:18.983: RADIUS(0000000A): Received from id 1645/11
    *Mar  4 20:26:18.983: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
    *Mar  4 20:26:18.986: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
    *Mar  4 20:26:18.986: RADIUS:  AAA Unsupported Attr: ssid              [265] 9  
    *Mar  4 20:26:18.986: RADIUS:   63 6F 72 70 6F 72 61                             [corpora]
    *Mar  4 20:26:18.987: RADIUS:  AAA Unsupported Attr: interface         [157] 3  
    *Mar  4 20:26:18.987: RADIUS:   32                                               [2]
    *Mar  4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
    *Mar  4 20:26:18.987: RADIUS/ENCODE(0000000A): acct_session_id: 9
    *Mar  4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
    *Mar  4 20:26:18.987: RADIUS(0000000A): sending
    *Mar  4 20:26:18.988: RADIUS(0000000A): Send Access-Request to 10.10.64.30:1812 id 1645/12, len 173
    *Mar  4 20:26:18.988: RADIUS:  authenticator 37 26 0B EC 12 5D 6A E5 - 22 1A 27 4A B0 5B E2 AA
    *Mar  4 20:26:18.988: RADIUS:  User-Name           [1]   18  "domain\username"
    *Mar  4 20:26:18.988: RADIUS:  Framed-MTU          [12]  6   1400               
    *Mar  4 20:26:18.988: RADIUS:  Called-Station-Id   [30]  16  "0027.0c68.1dc0"
    *Mar  4 20:26:18.988: RADIUS:  Calling-Station-Id  [31]  16  "0022.faf1.9258"
    *Mar  4 20:26:18.988: RADIUS:  Service-Type        [6]   6   Login                     [1]
    *Mar  4 20:26:18.988: RADIUS:  Message-Authenticato[80]  18
    *Mar  4 20:26:18.989: RADIUS:   3D 11 05 D8 6E DF 92 2B 51 EC BA BA FB C4 10 5F  [=???n??+Q??????_]
    *Mar  4 20:26:18.989: RADIUS:  EAP-Message         [79]  8
    *Mar  4 20:26:18.989: RADIUS:   02 03 00 06 03 19                                [??????]
    *Mar  4 20:26:18.989: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
    *Mar  4 20:26:18.989: RADIUS:  NAS-Port            [5]   6   264                
    *Mar  4 20:26:18.989: RADIUS:  NAS-Port-Id         [87]  5   "264"
    *Mar  4 20:26:18.989: RADIUS:  State               [24]  38
    *Mar  4 20:26:18.990: RADIUS:   15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E  [???????7??????@?]
    *Mar  4 20:26:18.990: RADIUS:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08  [????????????????]
    *Mar  4 20:26:18.990: RADIUS:   55 9E B9 77                                      [U??w]
    *Mar  4 20:26:18.990: RADIUS:  NAS-IP-Address      [4]   6   X.Y.64.229       
    *Mar  4 20:26:18.990: RADIUS:  Nas-Identifier      [32]  4   "AP"
    *Mar  4 20:26:18.992: RADIUS: Received from id 1645/12 10.10.64.30:1812, Access-Reject, len 44
    *Mar  4 20:26:18.992: RADIUS:  authenticator 76 30 DF F4 7A 36 AC E7 - 20 AA 83 C1 05 8B 62 EC
    *Mar  4 20:26:18.992: RADIUS:  EAP-Message         [79]  6
    *Mar  4 20:26:18.993: RADIUS:   04 03 00 04                                      [????]
    *Mar  4 20:26:18.993: RADIUS:  Message-Authenticato[80]  18
    *Mar  4 20:26:18.993: RADIUS:   FD 21 74 AF A8 7F A1 A5 9E CE 3A 35 45 DA EA C9  [?!t???????:5E???]
    *Mar  4 20:26:18.993: RADIUS(0000000A): Received from id 1645/12
    *Mar  4 20:26:18.994: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
    *Mar  4 20:26:18.994: %DOT11-7-AUTH_FAILED: Station 0022.faf1.9258 Authentication failed
    Obviously the machines that send the machine name (host/machinename) will be authenticated successfully,
    and machines that send a username (domain\username) will not be authenticated successfully.
    Now,
    I tested those unsuccessful machines on a wired dot1x switch using the same NPS policy, and they were sending their machine names instead of usernames and were authenticated successfully.
    I suspected that this is maybe because of the AP config.
    Here it is:
    Current configuration : 2662 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP
    enable secret 5 $1$gtul$Uhe4qVAC8GN0drownggAb0
    aaa new-model
    aaa group server radius rad_eap
     server X.Y.64.30 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    ip domain name domain
    dot11 ssid corporate
       vlan 64
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa version 2
       mbssid guest-mode
    dot11 network-map
    power inline negotiation prestandard source
    username Cisco password 7 13261E010803
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     encryption vlan 64 mode ciphers aes-ccm
     ssid corporate
     mbssid
     station-role root
    interface Dot11Radio0.64
     encapsulation dot1Q 64 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     no dfs band block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    interface FastEthernet0.64
     encapsulation dot1Q 64 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    interface BVI1
     ip address X.Y.64.229 255.255.255.0
     no ip route-cache
    ip default-gateway X.Y.64.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    snmp-server community cable RO
    snmp-server enable traps tty
    radius-server attribute 32 include-in-access-req format %h
    radius-server host X.Y.64.30 auth-port 1812 acct-port 1813 key 7 104F0D18161E2D1E0D071538212B213036
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 5 15
    end
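The post above works out which clients fail by reading the User-Name attribute in the AP's `debug radius authentication` output by hand. As an added example (not part of the original post, not Cisco code), the script below does that correlation mechanically: it groups Access-Requests by the AP's session id, records the identity and Calling-Station-Id each session presented, classifies the identity as machine (`host/...`) or user, and pairs each request id with the Access-Challenge/Accept/Reject that came back. The debug lines it runs on are constructed to mirror the two exchanges shown above; MACs and server addresses are made up, and an Access-Accept was added so both outcomes appear.

```python
"""Correlate Cisco autonomous-AP `debug radius authentication` lines into
per-session outcomes. Added example, not code from the original post; the
sample lines below are constructed (IPs/MACs made up) in the format the AP
prints, modelled on the two sessions shown in the thread.
"""
import re
from collections import OrderedDict

SAMPLE_DEBUG = r"""
*Mar  4 20:25:34.127: RADIUS(00000009): Send Access-Request to 10.0.64.30:1812 id 1645/8, len 160
*Mar  4 20:25:34.127: RADIUS:  User-Name           [1]   23  "host/FADI-LT.domain.com"
*Mar  4 20:25:34.128: RADIUS:  Calling-Station-Id  [31]  16  "0811.9699.ba30"
*Mar  4 20:25:34.166: RADIUS: Received from id 1645/8 10.0.64.30:1812, Access-Challenge, len 90
*Mar  4 20:25:35.010: RADIUS(00000009): Send Access-Request to 10.0.64.30:1812 id 1645/9, len 300
*Mar  4 20:25:35.010: RADIUS:  User-Name           [1]   23  "host/FADI-LT.domain.com"
*Mar  4 20:25:35.090: RADIUS: Received from id 1645/9 10.0.64.30:1812, Access-Accept, len 220
*Mar  4 20:26:18.950: RADIUS(0000000A): Send Access-Request to 10.0.64.30:1812 id 1645/11, len 150
*Mar  4 20:26:18.951: RADIUS:  User-Name           [1]   18  "domain\username"
*Mar  4 20:26:18.951: RADIUS:  Calling-Station-Id  [31]  16  "0022.faf1.9258"
*Mar  4 20:26:18.980: RADIUS: Received from id 1645/11 10.0.64.30:1812, Access-Challenge, len 90
*Mar  4 20:26:18.988: RADIUS(0000000A): Send Access-Request to 10.0.64.30:1812 id 1645/12, len 173
*Mar  4 20:26:18.992: RADIUS: Received from id 1645/12 10.0.64.30:1812, Access-Reject, len 44
*Mar  4 20:26:18.994: %DOT11-7-AUTH_FAILED: Station 0022.faf1.9258 Authentication failed
"""

# The AP prefixes every request with its own session id and a per-server
# RADIUS id; responses only carry the RADIUS id, so we map id -> session.
SEND_RE = re.compile(r"RADIUS\((?P<sess>[0-9A-Fa-f]+)\): Send Access-Request to \S+ id (?P<rid>\d+/\d+)")
ATTR_RE = re.compile(r'RADIUS:\s+(?P<attr>User-Name|Calling-Station-Id)\s+\[\d+\]\s+\d+\s+"(?P<val>[^"]*)"')
RECV_RE = re.compile(r"RADIUS: Received from id (?P<rid>\d+/\d+) \S+, (?P<code>Access-(?:Accept|Reject|Challenge))")
FAIL_RE = re.compile(r"%DOT11-7-AUTH_FAILED: Station (?P<mac>[0-9a-fA-F.]+) Authentication failed")


def classify_identity(identity):
    """Windows machine authentication presents host/<FQDN>; anything else is a user."""
    return "machine" if identity.lower().startswith("host/") else "user"


def parse_debug(text):
    """Group requests by AP session; keep identity, client MAC and the last RADIUS code."""
    sessions = OrderedDict()
    rid_to_sess = {}
    current = None
    for line in text.splitlines():
        m = SEND_RE.search(line)
        if m:
            current = sessions.setdefault(m["sess"], {
                "identity": None, "mac": None, "requests": 0,
                "last_code": None, "auth_failed": False})
            current["requests"] += 1
            rid_to_sess[m["rid"]] = m["sess"]
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            current["identity" if m["attr"] == "User-Name" else "mac"] = m["val"]
            continue
        m = RECV_RE.search(line)
        if m and m["rid"] in rid_to_sess:
            sessions[rid_to_sess[m["rid"]]]["last_code"] = m["code"]
            continue
        m = FAIL_RE.search(line)
        if m:
            for s in sessions.values():
                if s["mac"] and s["mac"].lower() == m["mac"].lower():
                    s["auth_failed"] = True
    for s in sessions.values():
        s["kind"] = classify_identity(s["identity"]) if s["identity"] else "unknown"
    return sessions


def summarize(sessions):
    """One line per session: identity type, identity, MAC and final RADIUS code."""
    return [
        f"{sid} {s['kind']:7} {s['identity']} {s['mac']} -> {s['last_code']}"
        + (" (AUTH_FAILED)" if s["auth_failed"] else "")
        for sid, s in sessions.items()
    ]


if __name__ == "__main__":
    for row in summarize(parse_debug(SAMPLE_DEBUG)):
        print(row)
```

Run against a captured debug, the summary makes the split visible in one pass: every session whose identity is `host/...` gets through the NPS "machine group" condition, and every session that presents `domain\username` is rejected, while the AP-side attributes (NAS, SSID, Called-Station-Id) are identical in both. That points the investigation at what the supplicant sends, not at the AP configuration.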

    Hi,
    You will need to be more specific so we can help you.
    What exactly is happening/not working?
    Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.
    Is your PC doing machine authentication?
    HTH,
    Tiag
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
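The reply above describes the MAR rule in one sentence: a user login is only accepted from a machine that has already machine-authenticated. As an added example (not ACS code, not part of the thread), the model below implements that rule the way ACS applies it, keyed on the client's Calling-Station-Id with an aging window, and runs a constructed scenario through it. The aging value, MACs and identities are made up; the real aging time is configured in ACS in hours.

```python
"""Model of ACS 'Machine Access Restrictions' (MAR): user authentication is
allowed only from a MAC that recently completed machine authentication.
Added example, not ACS code. Aging window, MACs and identities are invented.
"""
from dataclasses import dataclass, field


def is_machine_identity(identity):
    """AD machine authentication presents host/<FQDN>; users present DOMAIN\\user or a UPN."""
    return identity.lower().startswith("host/")


@dataclass
class MarPolicy:
    """MAC-keyed cache of successful machine authentications with an aging window."""
    aging_seconds: int = 6 * 3600          # assumption: stands in for the ACS aging-time setting
    cache: dict = field(default_factory=dict)  # Calling-Station-Id -> time of machine auth

    def evaluate(self, identity, calling_station_id, now, creds_ok):
        """Return (RADIUS code, reason) for one Access-Request."""
        mac = calling_station_id.lower()
        if not creds_ok:
            return "Access-Reject", "credential failure"
        if is_machine_identity(identity):
            self.cache[mac] = now                    # record the machine session
            return "Access-Accept", "machine authenticated; MAR entry recorded"
        seen = self.cache.get(mac)
        if seen is None:
            return "Access-Reject", "MAR: no prior machine authentication from this MAC"
        if now - seen > self.aging_seconds:
            del self.cache[mac]
            return "Access-Reject", "MAR: machine authentication entry expired"
        return "Access-Accept", "user authenticated from a machine-authenticated host"


# Constructed scenario: times are seconds since the first request, MACs are made up.
SCENARIO = [
    ("host/LT1.corp.example", "0011.2233.4455",    0, True),  # laptop boots, machine auth
    ("CORP\\alice",           "0011.2233.4455",   60, True),  # same laptop, user logs in
    ("CORP\\bob",             "aabb.ccdd.eeff",   70, True),  # valid creds, never machine-authed
    ("CORP\\alice",           "0011.2233.4455", 4000, True),  # same laptop, after aging window
]


def run_scenario(aging_seconds=3600):
    """Evaluate SCENARIO in order and return (identity, code, reason) per request."""
    policy = MarPolicy(aging_seconds=aging_seconds)
    return [(ident,) + policy.evaluate(ident, mac, t, ok) for ident, mac, t, ok in SCENARIO]


if __name__ == "__main__":
    for ident, code, reason in run_scenario():
        print(f"{ident:24} {code:14} {reason}")
```

Two things follow from the model. A client whose wireless profile only authenticates after the user logs in (user-only 802.1X, or a supplicant that never sends `host/...`) will always land on the "no prior machine authentication" reject, which is the symptom several posts in this thread describe. And because the cache is keyed on the MAC in Calling-Station-Id, MAR ties the user session to an address the client reports rather than to a proof of the machine's identity; it is a usability control for domain membership, not a substitute for EAP-TLS with machine certificates.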

  • Machine Authentication

    Currently my clients (XP/SP2/latest MS hotfix) are logging onto the wireless network using WPA/TKIP/PEAP. They are configured for both machine authentication (needed to download correct profile from server) and user authentication. I notice that for each logon there are multiple machine authentications showing up in the ACS (anywhere from 3 - 15) This varies and is random. Anyone know why I am seeing this many machine authentications and if there is something I can do to eliminate them? My clients are not consistently logging onto the network and I am thinking this may have something to do with it. I do not see any errors on AP or ACS when clients fail.

    So you only ever see one machine authentication.
    Do you use the windows wireless client software for client configuration? I do.
    WPA
    TKIP
    PEAP
    Check authenticate as computer when info is available
    Have acs server and certificate authority entered
    Enable fast reconnect (client and server)
    Automatically use windows login information.
    I have the autologon setup so once the client boots up the information is passed to the wireless client to the radius server.
    How is the SSID configured on the AP?
    I have the TKIP cipher selected for encryption
    I have OPEN with EAP, NETWORK EAP selected
    I select KEY Exchange mandatory, CCKM and WPA.
    Any information on your particular setup would be appreciated.

  • CSSC with machine authentication in Ms AD

    I need to set up CSSC to be able to run machine authentication. My need is to be able to run logon scripts against AD.
    In Network Connection Type I select the machine and user connection option, machine and user auth method EAP-PEAP, machine identity default, and machine credential "use machine credential".
    The event on IAS is:
    Event Type: Warning
    Event Source: IAS
    Event Category: None
    Event ID: 2
    Date: 3/19/2008
    Time: 11:49:37 AM
    User: N/A
    Computer: xxxx
    Description:
    User host/anonymous was denied access.
    Fully-Qualified-User-Name = MYDOMAIN\host/anonymous
    NAS-IP-Address = x.x.x.x
    NAS-Identifier = WLC_AP
    Called-Station-Identifier =
    Calling-Station-Identifier =
    Client-Friendly-Name = wlc_ap
    Client-IP-Address = x.x.x.x
    NAS-Port-Type = 19
    NAS-Port = 1
    Policy-Name = <undetermined>
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 8
    Reason = The specified user does not exist.
    CSSC puts MYDOMAIN (correct) and \host/anonymous (not correct). WHY?
    How can I configure the machine and user credentials part of CSSC?
    Thanks.
    Mirko Severi
