Cisco ACS 5.1 Machine Auth Problem

Hi All,
I have a query regarding ACS 5.1 using EAP-PEAP (machine auth plus user name and password). I have successfully setup AD authentication using Machine auth and user credentials and this works ok for corporate wireless devices and users.
My ACS rules are machine auth against AD computers which gives a positive/pass, then a rule against user but ensuring the device is a valid domain device with "was machine authenticated = TRUE".
The problem is when using a Windows 7 device (laptop) and logging in using the local admin account I successfully connect to the network but the local Admin account is not in AD. By default the W7 wireless adapter under security>advanced settings> specify authentication mode is computer authentication only.The W7 client doesn't send over any user credentials?
Has anyone come across this problem before? Do I need to tweek the W7 clients via GP or is there a way of stopping just machine authentication with out a valid user name and password?
Realy appreciate any responses and thank you in advance. 
Jason

check out
http://technet.microsoft.com/en-us/library/dd759219.aspx

Similar Messages

  • ACS 4.1 machine authentication problem

    Hi,
    I'm using the Cisco NAC framework in order to authenticate both users and machines before granting network access. i'm using windows AD to authenticate users and machines.
    Under "External User Databases" -> Windows Authentication Configuration, you can configure some machine authentication settings.
    I have to enable "Enable Machine Access Restriction" in combination with the group map "no access". Otherwise, even though machine authentication has failed, an authorized user can still login with an unauthorized machine (it will only appear in the failed attempts log but it will not be restricted).
    This works, but the problem is the "aging time". The ACS caches the machines for a certain amount of time (12 hours by default). Now if a user logs off and he waits 12 hours to logg back on, authentication will fail (because machine authentication is already performed just after being logged off).
    Is it possible to force machine authentication (together with the user authentication) at Windows log on?
    Kind regards

    ACS 4.1 machine authentication can work on windows. This issue occurs in an environment where there is more than one global catalog server for the domain. Restart CSAuth.exe service, and then try to authenticate again (with Machine credentials)

  • Cisco ACS 4.2(1) Certificate problem

    Hi guys,
    I am trying to upgrade the OS from w2k3 to w2k8 STD 32bits.
    I am using Cisco ACS v. 4.2.(1) path level 15 on this OS.
    When i try to activate de EAP-MSCHAPv2 after creating certificates (self sign or using external CA), the follwing problem is registered in windows APP log:
    Faulting application CSAuth.exe, version 0.0.0.0, time stamp 0x4e845055, faulting module CRYPT32.dll, version 6.0.6002.18005, time stamp 0x49e03824, exception code 0xc0000005, fault offset 0x00039f0e, process id 0x10e4, application start time 0x01cca543d1586766.
    What could be the problem here? the version of that DLL is different from w2k3 but ACS 4.2(1) release notes are clear when using w2k8 32Bits with no problems.
    best regards,
    NC

    Anyone?
    I think this maybe some Bug but i am not so sure about that.
    regards,
    NC

  • Cisco ACS 4.2.1 authentication problem

    We are using cisco ACS 4.2.1 on windows 2003  to authenticate  with windows 2003 Actice Directory. We have update Active directory server windows 2008 version. We have checked the configuration of ACS on windows database and no problem but we can't see in ACS dynamic user. I have authentication problem ACS 4.2.1 to Windows 2008 R2 active directory.

    Hi there,
    There is a section in the ACS 4.x where you can define if the ACS should show the dynamic users or not, make sure that this option is unchecked, for this go to External User Databases/Unknown User Policy/Configure Caching Unknown Users
    Also if you are facing authentication issues with ACS 4.x and Windows 2008 R2, you may want ready my previous answer.
    Let me know if this helps.

  • Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

    Dear all,
    Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied as default in on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for authenticating process. We have noticed that, when we try to authenticate the network with predefined profile (network profile has Administrator Network privileges) and Windows user on test machine has no Admin privileges we are not able to change ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password"  but no popup window apears in Anyconnect. When we change Windows local user privileges to Admin or create Anyconnect network profile localy (privileges User Network) then, we are able to finish the process.
    Have you ever been facing the problem described above. Is it Anyconnect bug? How can we fix it?
    Best regards,
    Piotr

    If this happens with all machines then if a microsoft guy can look the app logs/privileges. It seems the app is requesting privilege that it is not authorized to and that's why the propmt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work Cisco need probably to fix this behavior.
    I am sorry if I am not able to help but I am not using the anyconnect for production.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Cisco ACS 5.4 problem

    Hello
    Did anyone experience problem with Service Selection Rules in Cisco ACS. When I click this tab ( it only works for me in google Chrome), configuration is normally opened. But when I want to edit one of two default rules (rules that match radius and tacacs) nothing happens. If I want to add new rule, popup window in normally opened but I am not able to add any conditions or results. It is just nothing to choose from. I have some attributtues under "customize window". It looks like some gui problems.
    I am using
    acs/admin# sh application version acs
    Cisco ACS VERSION INFORMATION
    Version : 5.4.0.46.0a
    Internal Build ID : B.221
    with trial license. I am running ACS on vmware player  (1 GB of RAM and 1 proc).
    Thanks in advance
    General
    Name:
       Status:
    Enabled Disabled Monitor Only 
    The Customize button in the lower right area of the policy rules screen controls which policy conditions and results are available here for use in policy rules.
    Conditions
    Results

    When dealing with Cisco ACS and Cisco ISE you have to be very careful with your web browsers. For example there's a major bug when using Cisco ISE 1.1.x and Chrome.
    Back to ACS, please refer to the release notes to see the validated web browsers.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html#wp222016
    I have used ACS and ISE a lot, and we had many problems when using Internet Explorer and Chrome. That's why I prefer Firefox, but even with firefox we had little problems once in a while.
    Please rate if this helps

  • Cisco ACS 5.1 802.1x auth fails on LAN when WLAN connected

    I am running Cisco ACS 5.1 802.1x with certificate based authentication for Wired and Wireless connections. The issue that I am having is that when a user comes in from home with their laptop the wireless connection works, they pass the authentication and have network access fine. But when the plug the laptop into a docking station the LAN connection fails and gets put in the Auth Failure Vlan. 
    A reboot of the phone/ shut/no shut fixes this, but I really need to find a resolution
    This is an intermittent fault and only effects users with both LAN and WLAN enabled.
    Running ACS 5.1.0.44, all Cisco 3750s - c3750-ipservicesk9-mz.122-55.SE.
    Certificates are issues by group policy and only using computer authentication.
    any help would be greatly appreciated
    Thanks

    After a long TAC case with Cisco we discovered that the Mitel phone was not sending the EAPoL-Logoff packet so the switch still thought that the device off the back of the phone was connected.
    There are no EAPoL-Logoff messages seen on switch when laptop is disconnected/port is shut down.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp386903
    This feature is supported by most IP phones -  I do not know if Mitel phones support that but we cannot see this message in the debugs you sent.
    As a workaround we can configure inactivity timer (by default it is infinity):
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/commmand/reference/cli1.html#wp11888691
    This did resolve all our issues,
    Aaron

  • WAP4410N WPA2 Enterprise Mixed authentication problem against Cisco ACS 4.2

    We have 3 x WAP4410N at new office setup in Singapore.
    Customer asked us to setup those 3 AP to make client auth against an ACS 4.2 sitting in US office.
    All the user notebooks were joined to Windows domain in US office, before sent out to Singapore office.
    We configured APs with WPA2 Enterprise Mixed mode and entered radius server address and secrects correctly.
    Logging from ACS shows that users are authenticated successfully but, on the user notebooks, authentication never seems successful and keeps authenticating.
    We have tried with other option (RADIUS) but, problem persists.
    Please help.

    Hi Robert,
    Firmware version is 2.0.4.2.
    We have tested with WPA-personal, WPA2-personal and all worked.
    For enterprise, we have tested using WPA-ent, WPA2-ent, WPA2-ent-mixed and RADIUS.
    All did not work.
    Client keeps flapping between auth and validation.
    ACS logs showed that auth OK.
    Syslog from AP showed that client was assiciated but it happened repeatedly.
    <134>Oct 28 16:13:27 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Open Authentication    10.200.4.12    28/10 16:13:28.720   
    <134>Oct 28 16:13:27 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Associated    10.200.4.12    28/10 16:13:28.720   
    <134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [][A0:88:B4:40:41:D4] SUBTYPE_AUTH    10.200.4.12    28/10 16:13:30.720   
    <134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Open Authentication    10.200.4.12    28/10 16:13:30.720   
    <134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Associated    10.200.4.12    28/10 16:13:30.736   
    <134>Oct 28 16:13:31 MVIS-SG-AP01 kernel: [][A0:88:B4:40:41:D4] SUBTYPE_AUTH    10.200.4.12    28/10 16:13:32.689   
    Below is the diagram for your kind ref.
          US Office          Site-to-Site VPN    SG Office 
    ACS --- ASA ------------ Internet ------------ ASA5505 ------ 2960 PoE SW ----- 3 x WAP4410N
                                                                                                       \ \___ DNS/DHCP Server
                                                                                                        \____ Wired Clients
    Note: SG office ASA is 5505 and outside interface is on Vlan 2, inside interface is on Vlan 1. 2960 switch is configured with all ports in Vlan 2. Vlan feature on WAP4410N is disabled. Layer3 communication among US office ACS, SG office ASA5505, DHCP server and WAP4410N is fine. All wired clients in SG office get IP from DHCP server. I feel this is a bit odd and you may need to know.
    Do feel free to let me know, should you need further input from me. Thanks!

  • 802.1x machine auth w/ certificate authority

    Two quick questions ...
    I am building a lab for 802.1x, I want to use peap w/ mschap v2 and I want to do machine authentication only.  I have AD and CA services running on a test windows 2003 server. I have ACS setup, my AD is connected, my switch is configured and now I am stuck on the CA portion and I am not sure if I am doing it right, I can't seem to find documentation that outlines this piece specific to the scenerio I described above, perhaps someone can give me a hand. 
    I browse to the CA, request a certificate >  advanced certificate request > create and submit request to this CA >
    From this point I am suppose to select a certificate template.  The docs I have found say to use a "webserver" template and select the option to "export keys to file".  When I attempt this the export key option is greyed out.  I google and some people say only Enterprise edition supports this, I am running Enterprise R2 so I don't see the problem.  All of the other templates available allow me to export except for webserver.
    1) my question is for the lab scenerio I detailed above what type of certifcate template should I be using? if your answer is a "webserver" template can you perahps tell me why I cannot export to a file?
    2) Do my client machines require a certificate to be installed prior to connecting to the 802.1x switch? from what I read using peap mschap v2 coupled with machine authentication you do not require a certificate on each machine.  During initial 802.1x authentication the certificate will be pushed from the ACS over to the client.  I believe the one caveat is that the client machine will require to be modified to list the new CA or ACS server as a trusted root authority.  I need some clarity on this subject, I will not have the option to install a certicate on each machine prior to 802.1x auth.  Please confirm
    Any help is appreciated, thanks!
    If there are any links that someone can provide that have details on this setup please share

    I am going through this process currently also, and I can tell you what I have gathered so far.
    These notes are applicable to Machine, or Machine & User authentication, Wired and/or Wireless 802.1x.
    The certificate must be present on each client machine in order to connect.    The thing that I am finding annoying is that when we used the Microsoft IAS Radius, the certificate enrollment was seamless.   The domain clients just seemed to "automatically" have the certificate installed on their machines (pushed down by the Domain), that matches the certificate presented by the IAS Radius server during the authentication process (Of course, because it's all within the same domain).  Easy as pie, windows magic...
    But suppose we want to use Cisco ACS or our own radius server ?   Well the first thing I tried was to use a Certificate signed by our internal Linux CA.  The Windows domain administrator was not able to set up the Linux CA as a "trusted intermediate", which I don't fully understand.   Instead he asked me to purchase a certificate from a Trusted CA such as Verisign or DigiCert.  By the way I found a list of Microsoft trusted Intermediates here:
    http://social.technet.microsoft.com/wiki/contents/articles/2592.aspx
    The Windows Domain Administrator will do 3 things :
    1) Configure Certificate Auto-Enrollment Policy for the Certificate we purchase
    2) Configure the Wired & Wireless Autoconfig service settings Group Policy Objects
    3) Set the Wired Autoconfig service to start.
    I will have to
    1) Generate the CSR & Import the puchased signed certificate into the ACS(s).
    Now, that said, there must be an easier way to do this!  If anyone has notes on whether or not the following is possible, it would be appreciated & interesting:
    1) Can the Windows Domain sign my CSR ?  If so - how
    2) Can the Windows Domain be configured to trust our Linux CA ? If so - how
    Good luck to you dot1xers

  • Windows 7 Supplicant Configuration - ISE PEAP w Machine Auth

    Can anyone tell me the settings for the Windows 7 supplicant that works with ISE and PEAP using machine authentication?  I have an authorization profile that permits the user login only after machine 'WasAuthenticated'.  I have only found this to work by setting the Windows 7 supplicant up to use Single-Sign-On before Windows logon and to specify 'User or Machine' authentication.  Then I'm only successful if I have both wired and wireless connected/on and I perform a logoff/reboot.  Surely this isn't right.  What if a user logs on without any connection with cached credentials and then wants to use wireless?  Can't they just perform both machine and user auth over the wireless connection regardless of prior machine/auth states?  I used the videos from LABMINUTES to configure the policies, but I don't need the ACLs for the WLAN controller because these are autonomous APs.
    Regards,
    Scott

    Microsoft will send both and only cares if one passes. This is the same with radius. ACS and ISE allows you to check to see if the user was authenticated which happens initially on boot. After the initial machine auth, the windows machine will only send user creds. The was machine auth is a workaround to be able to do both. The issue is that when the timeout of the machine creds happen, the devices has to be rebooted. In Cisco Live 2012, they even suggested you don't do this due to not knowing when the cached credentials ACS or ISE will keep this info.
    Sent from Cisco Technical Support iPhone App

  • Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

    Hi,
    I would be very appreciated if anyone can share their experience. Thanks in advance.
    Issue:
    I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
    Problems encountered:
    Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
    In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
    Questions:
    1. Please kindly advise how I should resolve this problem.
    2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
    Troubleshooting steps I have done:
    Below is the steps I took to setup the external DB.
    1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
    2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirm file transfered successfully.)
    2. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
    Thank you.

    I have NO experience with ACS SE 4.2 and
    RSA SecurID Token Server BUT I have
    experiences with Cisco ACS 4.1 running on
    Windows 2003 SP2 Enterprise Edition and
    RSA SecurID Token Server.
    All the troubleshoot you've done is correct.
    In Windows 2003 running Cisco ACS, you can
    install the test authentication RSA client
    and that you can verify that the setup
    is correct (by verifying that the sdconf.rec
    is not corrupted).
    One thing I can think of is that when you
    setup the ACS SE box, under external
    database, configure unknown user policy,
    did you check it to tell how to define users
    when they are not found in the ACS internal
    database. Did you select RSA SecurID token
    server?
    Other than that, from what I understand,
    you've done everything correctly.

  • Dot1x machine auth before user auth required

    We are looking at setting up dot1x in our libraries however I have been asked to see if there is a way to force a switch port to require machine auth before user auth.  The reason for this is a problem we have that users will disconnect the ethernet cable from the library computer and plug it into theirs.  If they have an AD account, they could in theory authenticate on this port. We want to discourage them from disconnecting these ports as we then don't know the computer has been unplugged and then it is no longer on the network and doesn't get updates/ghosted.
    Also, would it maybe be better to just allow a specific group of user accounts to connect to these jacks, and if so what would be the best way?  Location settings on the port?
    We are using ISE 1.2 to do authentication for these switches.

    Hi Zach-
    There are several different ways to prevent non-domain computers from gaining access to the network. I will try to list a few of them starting with the easiest and least expensive/labor intensive methods:
    1. Do only Machine-based authentication. This eliminates the user from having to enter credentials and ISE will simply query AD for valid computer domain membership.
    2. Use EAP-Chaining. This is the only method that truly gives you user+machine authenticaiton. However, it does require that you push the Cisco Any-Connect client to all endpoints
    3. Deploy PKI and use EAP-TLS authentication with Digital Certificates. With this method only domain computers/users can get a certificate and ISE can still query AD for user or machine AD membership
    4. Perform Posture and check for something that is domain specific. For instance, a fake registry key or file that is being created when a machine joins to the domain. With this method ISE can still ask for User authentication but also require posture check. You can then set the policy that if posture fails but user auth succeeds then the user will only get guest access.
    I hope this helps.
    Thank you for rating!

  • ACS + Wired dot1x machine authentication

    Hi,
    I am trying to setup wired machine based authentication. I have followed this guide
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#req
    However I simply get the same error all the time on ACS.
    Invalid message authenticator in EAP request
    Switch config;
    interface GigabitEthernet0/46
    switchport access vlan 20
    switchport mode access
    media-type rj45
    dot1x pae authenticator
    dot1x port-control auto
    dot1x reauthentication
    dot1x guest-vlan 20
    i am trying to setup group matching to perform vlan assignment however I am just entering under the unknown user policy at the min with no vlan assignment setup.
    Anyone shed any light on this, all I want to do is authenticate a machine via certificates issue a vlan id based on the machine name and AD group matching. No user authentication this can be done via the PDC.
    Purely using machine auth.
    Cheers
    Scott

    Hi Guys,
    The plot thickens, I can authenticate via user 802.1x and I can also authenticate the machine against my existing 4.1 ACS server however when using the new server 4.2 I get the external DB authentication failure??
    Thanks for your help.
    Scott

  • Issue with certifcate on Cisco ACS

    We are wanting to authenticate our internal wireless users using our Cisco ACS running 5.3.  The ACS will poll our Active Directory environment for the username and password provided.  I created a CSR on the ACS and provided it to Entrust.  They provided me with a root, chain and server certificate.  I binded the server certificate to the CSR under System Administration>Local Server Certificates>Local Certificates.  I then added the chain and root certificates to the location Users and Identity Stores>Certificate Authorities.  When I try to connect on a client laptop it asks for a username and password but after entering that information I am presented with the below certificate warning.  This certificate is from Entrust and I see the root certificate in the root store on the laptop.  Any ideas what would cause this.  TAC does not seem to have any answers.  They say it is a client machine problem.

    From the problem description, it's clear that you're attempting to connect user on a wireless network via peap. From the ACS stand point, your configuration looks good. However, I'd like to know what all certificate have you installed on the client side. Do we have complete chain installed on the client that includes Root CA and intermediate (if any). Would you mind emailing me your complete certificate chain for my reference?
    Also, let me know what OS and supplicant are we running on end client?
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Limitations of Cisco ACS server

    I want to ask about limitations of Cisco ACS server 3.3 .
    I use ACS server for Radius authentication, and has a limit 80 authentications per second. But at peak time i need 150-200 authentications per second. Is this a software limitaion or changed due to hardware performance?
    Can i also solve this problem with a High Availability configuration.

    Hi
    ACS performance is a very complex issue and depends largely on
    1) auth protocol (anything eap is SLOW)
    2) backend (anything external is SLOW)
    3) server CPU
    We did some performance tests a few years ago and could get up to 1000 auths/sec for MSCHAP against internal DB.
    AD authentication/group mapping can take several seconds to complete.
    ACSs big problem is limited concurrency when authentication time is high. There are some bottlenecks that effectively limit the number of concurrent authentications to 20. This is the max number of tcp/ip connections between CSRadius/CSTacacs and CSAuth. Inside CSRadius there are 50 dedicated authentication threads multiplexing requests over the 20 tcp/ip connections to CSauth. Messages to CSauth are blocking - so 20 simultaneous authentications that took 1 second would cap performance to 20 auths/sec.
    EAP-TLS and now EAP-FAST are really really slow becase they send multiple rounds over RADIUS using challenge/response marshalled between the device and the 802.1x supplicant.
    Putting ACS onto a quad CPU server wont reduce back-end external db latency or increase concurrency.
    The only way to increase performance is to add more servers... and then you'll also have to get into load balancing :(
    IMHO Cisco needs to make a low cost "ACS on a blade" and have one in each device. Have the config pushed down from a central database.
    Darran

Maybe you are looking for