ACS Machine Authentication Fails Every 30 Days
Running ACS5.2, Windows XP Pro, Window Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password"
TAC has been working with us on this and sees the error in the logs but does not have an answer on with to do to solve this. It has the same problem with Wireless Zero.
Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting so this is a not just a minor problem
So it looks like this is the offical Microsoft answer:
Hello Tom,
I had a discussion with an escalation resource on this case and updated him on what we found so far, From what I understand this is a known issue when the client is using PEAP with computer authentication only and the workarounds to this problem are the 2 solutions lined up in that article that I sent you.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;904943
Regards
Krishna
Similar Messages
-
PEAP & ACS & machine authentication
OK, here's the issue :
Customer site - 1130 series LWAPP AP's, WLC 4400 series with 4.2 release, WCS with 4.2 release.
ACS SE 4.0 and a second ACS SE with 4.1
Windows XP clients using WZC, all settings for connecting to WLAN are set, and everything works fine as long as the user has logged onto the lappie previously using a wired connection.
Machine authentication not working. i.e. a user can't logon until they've previously logged on.
Nothing shows on ACS failed or passed attempts. All settings for PEAP machine authentication are setup as per Cisco docs on the ACS. Client end ok.
Tried a GPO to push MS 802.1x settings for EAPOL and Supplicant info to machines, but still no machine logon.
ACS using a self signed cert, option to validate server cert on XP wzc unchecked.
Can't see wood for trees now, bits of kit will start to leave the building via the window before much longer....
Please tell me we don't need to install certs on clients - through PEAP was server side only ? Surely ?
Help, someone, help...This does work with Microsoft's EAP Supplicant as I have tested it in the lab and deployed it on a customer site. It was a while ago though....
I referred to this document on MS's site:
http://www.microsoft.com/technet/network/wifi/ed80211.mspx
Plus probably the same document you were using from CCO.
I also installed the two Microsoft Wireless updates for XP SP2 computers, however I am not 100% these were essential. The default supplicant behaviour worked OK as the AP's send EAP frames to the associated wireless clients which kick-starts the supplicant on the PC. I think the Wireless Profile needed to be on PC (SSID & its settings), however this can be pushed via GPO but if the machine has never been on the network (wired/wireless) you can get in a chicken-and-egg situation.
You don't need to use the Cisco supplicant.
HTH
Andy -
Time Machine Backup fails every time "Backup could not be completed"
I want to do a new Time Machine Backup on my iMac2007 Snow Leopard 10.6.8 fails every time with message "Backup could not be completed."
Console says "Error 11" Some Files allways can not be copied/saved by Time Machine, i search an exclude them in TM not to save them, try again, new ones po up every time.
Does anyone know a solution?One thing which may help.
I had similar issues....a few times.
Have done all the renaming (<8 characters) etc etc as detailed in these forums.
The first time, I erased TC HD and started again. This fixed things for a few days, and then the same issue came back again.
The next time, I simply copied the sparsebundle file (so I had two sparsebundles, one called xxxxxxxx.sparsebundle, and the other called xxxxxxxx copy.sparsebundle (luckily I had room on the HD to do this)). Then I deleted the original sparsebundle, and before I could rename the copy back to the original filename, the image mounted and started backing up....to the sparsebundle with " copy" still in its name.......so I left it be.
A week or so went by, and then I got the same "unable to mount" error message.
Rather than going thru the whole process again, I simply took the " copy" out of the sparesbundle filename, and all was well again.
I continue to get "unable to mount" error messages occasionally, so I simply rename the sparsebundle file (either by adding or removing " copy"), and it seems to resolve the problem, at least for a while.
While not a fix, it seems to be a workaround for me until Apple works out what the issue is, and fixes it.
Hope this helps someone.
P.S. One word of caution. I just had the thought, while writing this, that I have not actually gone into Time Machine to check that previous backups (eg, one hour ago, one week ago, original backup) are there and are able to be accessed, should the need arise. Because the back-ups appeared to be working, I assumed, and assume, they were. Won't be able to check this for a few days as I am on the road. -
New AirPort Extreme w/ Time Machine disk crashes every few days
I bought an AirPort Extreme base station about a month ago. It's currently in bridge mode, connected to my U-Verse residential gateway, and has a 1 TB hard drive attached to it that I use for Time Machine backups. The drive is formatted HFS+ and both computers that connect to the AirPort are MacBooks. Every few days, usually overnight, Time Machine will stop working, saying that it cannot connect to the backup disk. If I try to access the shared disk in FInder, it times out. The Internet connection works fine and if I go into the AirPort Utility, it shows up. But if I click on "Manual Setup," it will time out. If I try to restart the router from the menu bar option, it will time out. The only way to fix it is to manually unplug the router and restart it that way. Is anyone else having a similar issue, or know how to prevent it?
Jonathan Kleinow wrote:
I bought an AirPort Extreme base station about a month ago. It's currently in bridge mode, connected to my U-Verse residential gateway, and has a 1 TB hard drive attached to it that I use for Time Machine backups.
I hate to have to tell you this, but backing-up that way is "iffy" and +*not supported by Apple.+* See Using Time Machine with an Airport Extreme Air Disk (or use the link in *User Tips* at the top of this forum).
Every few days, usually overnight, Time Machine will stop working, saying that it cannot connect to the backup disk.
Yup, that's the sort of thing that happens sometimes in this scenario.
You might be able to improve that by, of all odd things, changing some names. See #P1 in the same place.
Another possibility is the external HD going to sleep and not waking up quickly enough. Check with the maker for firmware updates or ways to adjust it's sleep (or "spin down") performance.
But if I click on "Manual Setup," it will time out. If I try to restart the router from the menu bar option, it will time out. The only way to fix it is to manually unplug the router and restart it that way. Is anyone else having a similar issue, or know how to prevent it?
That, I suspect, is a different problem (and mostly out of my area).
But this Apple article may be helpful: http://support.apple.com/kb/ht3728
Hopefully one of the networking gurus, such as Tesserax or Bob Timmons, will have more insight. -
ISE 1.2.1 AD machine authent fails
We put ISE into bypass mode due to the 2012 R2 issue and after upgrading to 1.2.1 in ISE, and taking it out of bypass. i am seeing machines fail due to either "supplicant stopped responding" or it fails saying not found in Identity Stores. The only thing that fixes it is an auth open on the port. at first they would report the MAC as the username instead of the Machine name. Now i see them reporting the machine name correctly but with a fail message of "supplicant stopped responding". TAC has said its a local machine problem or GPO but nothing has changed on either one of those, the only change was ISE. I did as he suggested, stop/started wired auto config, no change, also downloaded some hotfixes from MS for various EAP issues, no change.
What ever info you need, let me know. i know this is a huge area to try to troubleshoot.Will need some more info:
1. What type of authentication are you performing? (EAP-PEAP, EAP-TLS, etc?)
2. Can you post screen shots with the supplicant's configuration
3. Screen shots of the failed authentication detailed screen
4. Screen shot or export of your authentication/authorization rules
5. What is the status of ISE's connection to AD? I have seen it go to joined but disconnected after upgrade
Thank you for rating helpful posts! -
Time Machine warning message every other day?
I used to use a Time Capsule to with Time Machine for my backups. However, the next 6 months I will be traveling. In order to ensure that all my data is secure, I bought an external hard drive. I'm going to use this HDD for manual backups with Time Machine. However, I'm the kind of person who will forget to do this regularly.
Now does Time Machine give a warning if you haven't made a backup in 10 days. However, I would like to change these number of days from 10 to 2, just to be sure I won't lose any data.
Is this possible?
Thanks in advance!W92 wrote:
Now does Time Machine give a warning if you haven't made a backup in 10 days. However, I would like to change these number of days from 10 to 2, just to be sure I won't lose any data.
Is this possible?
No, unfortunately. Many of us have asked for that, to no avail so far.
By all means, add your voice here: http://www.apple.com/feedback/timemachine.html -
Time Machine backup fails every time at around 40GB
Every time I try to back up my older Unibody Macbook, everything seems to go well, until it reaches about 40GB backed up, at which point it shows an error message that just says "Unable to complete the backup, an error occurred while copying files to the backup volume"
My Macbook's hard drive is almost full, I think it only has about 10GB free, could this be the cause of the problem?
Or maybe the cause is the fact that the hard drive is 3.0 even though it says its also compatible with 2.0? Should I maybe try using a hard drive thats 2.0 only?Try C3 in the 1st linked article.
Time Machine Troubleshooting
Time Machine Troubleshooting Problems -
PEAP : Machine authentication doesn't work
Hello,
I'm trying to set up machine authentication and at this time I have some problems.
I have the following configuration:
- the users laptop are running WinXP
- the AP is a 1232
- ACS 3.3.2
- external database (Win2000 Active Directory) authentication
I set up PEAP and it works well when a user is authenticated. However when I enable machine authentication on the ACS and also on the user laptop, it doesn't work. In the ACS logs I can see that the user has not authenticated due to the machine access restriction.
On the Active Directory I changed the Dial In config. for the computers to allow access.
Is there anything else that has to be modified in order to perform machine authentication?
Hope someone will be able to help me.
Thanks in advance.
AlexHi Alex
I have had a similar issue, I found that my PEAP users were fine but Machine authentication failed at the SSL handshake. I.E the machine didn't know where the local certificate was. In the meantime to get the policies working I unchecked the "validate server certificate" on the client. And that works, I would assume that the certificate needs to be in a specific default location for the machine authentication to use it, though thats just a guess.
I am spending the day to get this working and I'll post what I find out.
Regards
Colin -
I'm trying to implement Machine Authentication with PEAP in ACS 5.1. The Machine should get autenticated from AD and then user authentication. We don't want to use certificate for authentication. I only selected PEAP EAP-MS-CHAPv2 protocol in Allowed Protocol.
I can authenticate by user but not by machine. We have 2008 AD. Is there any settings or any grouping i have to do on AD side or in ACS.
If someone can give us some suggestion or documentation then it will really help us solve the problem.
Thanks for your help.The ideal solution to avoid non-domain machines is to put Machine Access Restriction on the ACS. Where in the user has to pass machine authentication and user authentication from the same machine to be allowed access to the network, else if the machine authentication fails (for iphones or non-domain machine) and only user authentication passes-- ACS will deny the user connection.
Here is the details of this feature:
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1053213
Snip:
"ACS machine access restriction (MAR) features use AD to map machine authentication to user authentication and authorization, and sets a the maximal time allowed between machine authentication and an authentication of a user from the same machine. Most commonly, MAR fails authentication of users whose host machine does not successfully authenticate or if the time between machine and user authentication is greater than the specified aging time. You can add MAR as a condition in authentication and authorization rules as required."
Hope that helps!
Regards,
~JG
Do rate helpful posts -
802.1x PEAP Machine Authentication with MS Active Directory
802.1x PEAP Machine and User Authentication with MS Active Directory:
I have a simple pilot-text environment, with
- Microsoft XP Client,
- Cisco 2960 Switch,
- ACS Solution Engine (4.1.4)
- MS Active Directory on Win 2003 Server
The Remote Agent (at 4.1.4) is on the same server as the MS AD.
User Authentication works correctly, but Machine Authentication fails.
Failed machine authenticaton is reported in the "Failed Attempts" log of the ACS SE.
The Remote Agent shows an error:
See Attachment.
Without Port-Security the XP workstation is able to log on to the domain.
Many thanks for any indication.
Regards,
Stephan ImhofIs host/TestClientMan.Test.local the name of the machine? What does the AAA tell for you the reason it fails?
-
ACS 4.2.1 - PEAP Machine Authentication - Hostname different from PC account name in AD
Hello!
I don't really know, whether this issue has been asked before.
I have to configure PEAP Authentication with ACS 4.2.1 for Windows against Active Directory.
ACS ist Member of AD Domain xyz.domainname. The PC account is located in an OU of xyz.domainname.
Hosts get via DHCP a hostname as dhcp.domainname. This also is the name the machine uses for AAA request.
User authentication works fine, because the user account also is hosted in xyz.domainname.
The host authentication fails, because dhcp.domainname is a DNS domain only but no Windows AD subdomain.
Does anybody knows a solution for this special constellation?
Is it possible to strip or rewrite the domain suffix in any way during the authentication process?/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
Hello Jean,
I am guessing that you are using 802.1x wireless.
This is a expected behaving because the AD force the computer to change his password every month and if the computer is not on the domain at that moment the computer won't take that change.
This is a Microsoft issue and unfortunately Cisco does not have any workaround for that.
Please see links below that explain this situation.
http://support.microsoft.com/kb/216393/en-us
http://support.microsoft.com/kb/904943
Hope this helps
Erdelgad
Cisco CSE -
Missing machine authentication - peap acs
Hi,
my setup is:
Cisco ACS 4.0 Release 4.0(1) Build 27 (with thawte certificate)
WLC 4402 ver 4.0.179.8
Aironet 1131 LWAPP
dell laptop with windows xp sp2 with peap auth (using win control of wlan card)
I experience problem with missing machine authentication even though I have enabled this in acs (Enable PEAP machine authentication). The regkey on the pc's are standard windows (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global with no value set = 0)
http://support.microsoft.com/kb/309448/en-us
I get these messages in the wlc log:
AUTH 14/09/2006 08:48:58 E 0143 2688 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
AUTH 14/09/2006 08:48:58 E 0376 3852 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
anyone who can point me in the right direction?
Is it a windows client problem or a WLC/ACS problem?
regards rolfHi,
still have problem with machine authentication that stops working after 3-4days. I narrowed this down to the Cisco ACS, as the only way to resolve this is to reboot the win2003 server running Cisco ACS. I did put en error in my first post, it's not the wlc log that reports this:
AUTH 26/09/2006 07:51:16 E 0143 0500 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
AUTH 26/09/2006 07:51:16 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
It is the Csauth log on the ACS. Have anybody seen this error message and know what it refers to?
My problem now is that machine authentication works ok for some days, then stops and then the listed error messages starts coming in the csauth log.
regards rolf -
ACS 5.3, EAP-TLS Machine Authentication with Active Directory
I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
Note: In my Identity Store Sequence, I did enable the option:
For Attribute Retrieval only:
If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
but this only seems to work for internal identity stores (at least based on my testing)
Under my Access Policy Identity tab, I configured the following Advanced features:
Advanced Options
If authentication failed
RejectDropContinue
If user not found
RejectDropContinue
If process failed
RejectDropContinue
And that didn't do anything either.
Any ideas? Thanks in advance.Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
Then can make a rule in the authorization policy such as
If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess" -
ISE 1.1 - 24492 Machine authentication against AD has failed
We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
Authentication Summary
Logged At:
March 11,2015 7:00:13.374 AM
RADIUS Status:
RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
RadiusPacketType=Drop
AuthenticationResult=Error
Related Events
Authentication Details
Logged At:
March 11,2015 7:00:13.374 AM
Occurred At:
March 11,2015 7:00:13.374 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
host/LENOVO-PC.tdsouth.com
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:
TDS-PEAP-TLS
Service Type:
Framed
Identity Store:
AD1
Authorization Profiles:
Active Directory Domain:
tdsouth.com
Identity Group:
Allowed Protocol Selection Matched Rule:
TDS-WLAN-DOT1X-EAP-TLS
Identity Policy Matched Rule:
Default
Selected Identity Stores:
Authorization Policy Matched Rule:
SGA Security Group:
AAA Session ID:
ISE-TDS/215430381/40
Audit Session ID:
c0a801e10000007f54ffe828
Tunnel Details:
Cisco-AVPairs:
audit-session-id=c0a801e10000007f54ffe828
Other Attributes:
ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
Posture Status:
EPS Status:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12571 ISE will continue to CRL verification if it is configured for specific CA
12571 ISE will continue to CRL verification if it is configured for specific CA
12811 Extracted TLS Certificate message containing client certificate
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
Evaluating Identity Policy
15006 Matched Default Rule
24433 Looking up machine/host in Active Directory - [email protected]
24492 Machine authentication against Active Directory has failed
22059 The advanced option that is configured for process failure is used
22062 The 'Drop' advanced option is configured in case of a failed authentication request
But the user can authenticated by EAP-TLS
AAA Protocol > RADIUS Authentication Detail
RADIUS Audit Session ID :
c0a801e10000007f54ffe828
AAA session ID :
ISE-TDS/215430381/59
Date :
March 11,2015
Generated on March 11, 2015 2:48:43 PM ICT
Actions
Troubleshoot Authentication
View Diagnostic MessagesAudit Network Device Configuration
View Network Device Configuration
View Server Configuration Changes
Authentication Summary
Logged At:
March 11,2015 7:27:32.475 AM
RADIUS Status:
Authentication succeeded
NAS Failure:
Username:
[email protected]
MAC/IP Address:
00:26:82:F1:E6:32
Network Device:
WLC : 192.168.1.225 :
Allowed Protocol:
TDS-PEAP-TLS
Identity Store:
AD1
Authorization Profiles:
TDS-WLAN-PERMIT-ALL
SGA Security Group:
Authentication Protocol :
EAP-TLS
Authentication Result
[email protected]
State=ReauthSession:c0a801e10000007f54ffe828
Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
Termination-Action=RADIUS-Request
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
Airespace-Wlan-Id=1
Related Events
Authentication Details
Logged At:
March 11,2015 7:27:32.475 AM
Occurred At:
March 11,2015 7:27:32.474 AM
Server:
ISE-TDS
Authentication Method:
dot1x
EAP Authentication Method :
EAP-TLS
EAP Tunnel Method :
Username:
[email protected]
RADIUS Username :
[email protected]
Calling Station ID:
00:26:82:F1:E6:32
Framed IP Address:
Use Case:
Network Device:
WLC
Network Device Groups:
Device Type#All Device Types,Location#All Locations
NAS IP Address:
192.168.1.225
NAS Identifier:
WLC-TDS
NAS Port:
4
NAS Port ID:
NAS Port Type:
Wireless - IEEE 802.11
Allowed Protocol:Hello,
I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network. -
Authentication failed using EAP-TLS and CSSC against ACS
Hi.
Playing with a trial version of CSSC (Cisco secure services client) I had a problem that really I don´t understand.
Any 802.1x configuration work fine but when I use anything involving the use of certificates (EAP-TLS or PEAP using a certificate instead a password to autenticate) I always see the same log message in ACS:
"Authen session timed out: Challenge not provided by client" It seems that my client supplicant does not repond to the ACS when the first one proposed an EAP method.
First I discart a certificate error because the same certificate works fine with Intel Proset Wireless supplicant and Windows Zero Configuration. EAP Fast works fine using auto provisioning or manual provisioning.
Any idea? I red the CSSC administration guide but I did not find anything that explains this behaviour or defines the right configuration for this EAP method.
I´m using Windows XP SP3, Intel Wireless 4965AGN and CSSC 5.1.1.18; My CA is a Windows CA.ACS version 4.2
Thanks in advanced.
Best regards.Today is not mmy day.
It´s still failing and maybe I will open a TAC case.
I´m looking at the log file of the CSSC and I don´t like what I have seen.
2125: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-6-INFO_MSG: %[tid=344][mac=1,6,00:1d:e0:9f:05:ef]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP suggested by server: leap
2126: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-6-INFO_MSG: %[tid=2044][mac=1,6,00:1d:e0:9f:05:ef]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP requested by client: eapTls
2127: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP methods sent : sync=8
2128: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, response sent : sync=8
2129: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Authentication state transition: AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION -> AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED
2130: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Credential callback, type=AC_CRED_SERVER_VERIFY, sync=9
2131: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Calling acCredDeferred
2132: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request deferred : sync=9
2133: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Server verification sent : sync=9
2134: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, response sent : sync=9
2135: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Credential callback, type=AC_CRED_USER_CERT, sync=10
2136: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Calling acCredDeferred
2137: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request deferred : sync=10
2138: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Impersonating user
2139: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Loading client certificate private key...
2140: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Calling acCertLoadPrivateKey()...
2141: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: ...acCertLoadPrivateKey() returned
2142: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 204, contact software manufacturer
2143: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: acCertLoadPrivateKey() error -20 [c:\acebuild\bldrobot_cssc_5.1.1.21_view\monadnock\src\ace\certificate\certificateimpl.cpp:239]
2144: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 4, contact software manufacturer
2145: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: CssException for function 'acCertLoadPrivateKey' => -20{error} [certificateimpl.cpp:240]
2146: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 7, contact software manufacturer
2147: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Assertion 'CSS exception - should this be logged instead?' failed at [cssexception.cpp:114]
2148: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Client certificate private key has not been loaded
2149: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Deimpersonating user
2150: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Client certificate 239f43fdcde8e190540fab2416253c5660c0d959 has been processed: ERR_INTERNAL_ERROR(7)
2151: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Certificate 239f43fdcde8e190540fab2416253c5660c0d959 is unusable
2152: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, no response sent : sync=10
2153: portable-9b7161: oct 28 2010 20:34:30.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
2154: portable-9b7161: oct 28 2010 20:34:32.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
2155: portable-9b7161: oct 28 2010 20:34:34.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
It seems that It found a valid certificate, starts the Authentication proccess and when it must request the ACS challenge it fails when loading the private key and crash the supplicant
Do you think the same??
Thanks.
Best Regards.
Maybe you are looking for
-
how can I delete my previous iCloud email address. It is no longer in use. I have created new Apple id. And it is verified but I cannot merge it with iCloud Since it is asking me to type password.
-
HT4623 How to update an iPhone with iOS 4
I have already got an iPhone 4 that has been recently updated but I have now got my sisters old iPhone 4 as I smashed mine and she has never updated it how do you update it from iOS 4? Thanks
-
hi alll i have dialog when i put it setModel(true) I have many problems 1) i am calling a method in the parent class from dialog but this method not work ( iawant to stop the count of progressbar 2)i have panel i put it visible(false) but dont work .
-
Photoshop CC layer title length work around for generator?
Hi I am using generator to export assets at a number of different sizes. I have found that there is a pretty small character limit on the layer title field which means I cannot export all the assets I need from that layer. I have to duplicate the lay
-
IPad can't connect MacBook OS X 10.4.11?
I just got my iPad today but cannot set it up because my MacBook OS X version is 10.4.11 and iPad requires 10.5 or later. I don't have PC to download iTunes. What can I do? Pls helppppppppppp