CSSC with machine authentication in Ms AD

Similar Messages

• Machine authentication for ACS5.1

  Hi, I met a problem with machine authentication. Following is the conditions::
  1. WLC5508, version 6.0.196
  2. ACS 5.1.0.44
  3. WIN AD
  4. PEAP-MSCHAPv2+machine authentication
  the machine auth failed, I checked the log, it says Machine not found in AD:
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15004  Matched rule
  15012  Selected Access Service - WLAN Access Policy
  11507  Extracted EAP-Response/Identity
  12300  Prepared EAP-Request proposing PEAP with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318  Successfully negotiated PEAP version 0
  12800  Extracted first TLS record; TLS handshake started.
  12805  Extracted TLS ClientHello message.
  12806  Prepared TLS ServerHello message.
  12807  Prepared TLS Certificate message.
  12810  Prepared TLS ServerDone message.
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12318  Successfully negotiated PEAP version 0
  12812  Extracted TLS ClientKeyExchange message.
  12804  Extracted TLS Finished message.
  12801  Prepared TLS ChangeCipherSpec message.
  12802  Prepared TLS Finished message.
  12816  TLS handshake succeeded.
  12310  PEAP full handshake finished successfully
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12313  PEAP inner method started
  11521  Prepared EAP-Request/Identity for inner EAP method
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  11522  Extracted EAP-Response/Identity for inner EAP method
  11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store -
  24431  Authenticating machine against Active Directory
  24437  Machine not found in Active Directory
  22056  Subject not found in the applicable identity store(s).
  22058  The advanced option that is configured for an unknown user is used.
  22061  The 'Reject' advanced option is configured in case of a failed authentication request.
  11823  EAP-MSCHAP authentication attempt failed
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  5411  EAP session timed out
  However this machine account definately is in the AD, what's wrong? Any idea? Thanks in advance!

  From your screenshot, the client faied in the "Evaluating Group Mapping Policy", after "12304  Extracted EAP-Response containing PEAP challenge-response", it says "client sent result TLV indicating failure"
  For the normal process, this should be sth like:
  12304  Extracted EAP-Response containing PEAP challenge-response
  11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
  11814  Inner EAP-MSCHAP authentication succeeded
  11519  Prepared EAP-Success for inner EAP method
  12314  PEAP inner method finished successfully
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12306  PEAP authentication succeeded
  11503  Prepared EAP-Success
  It seems your configuration on MSCHAP has some problem, so double check your PEAP-MSCHAPv2 configuration on both the client and the ACS. In ACS5.1, it should looks like:
  in client, it should looks like:
  BTW, what had you configured for group mapping? In your case, it seems not need it because in Authorization policy, you just used AD1:ExternalGroups instead of Identity Group.
  If you can paste your configured AD parameter(General, Directory Groups, Directory Attributes), access policy(General, Allowed Protocol, Identity, Group Mapping, Authorization), all the steps for the failed auth(including Evaluating Service Selection Policy, Evaluating Identity Policy, Evaluating Group Mapping Policy,Evaluating Authorization Policy), it can help to troubleshoot your problem.

• Mac & 802.1x Machine Authentication to Microsoft AD using PEAP

  We are having trouble successfully connecting wirelessly our Active Directory-bound Macs to our internal 802.1x wireless network using EAP-PEAP with machine authentication. All of our Windows machines work fine. We have a network profile built out of JAMF, with some generic payloads configured, including Use Directory Authentication and the appropriate Verisign certificate attached to authenticate to the Cisco Radius Server onsite. We are able to connect to this wireless network when we also have the machine directly connected via Ethernet. Somehow this causes the Mac to pass the correct domainhost\machinename. When we aren't connected directly, the Mac attempts to authenticate with the incorrect domainhost in front of the correct \machinename. The logs from Console are attached below:
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: System Mode Using AD Account '(wrongdomain)\machinenameinAD$'
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: en0 PEAP: authentication failed with status 1
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: peap_request: ignoring non PEAP start frame
  Apr 22 13:37:31 MACHINENAME eapolclient[****]: en0 STOP
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: opened log file '/var/log/eapolclient.en0.log'
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: System Mode Using AD Account '(correctdomain)\machinenameinAD$'
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: en0 START
  Apr 22 13:37:53 MACHINENAME eapolclient[****]: eapmschapv2_success_request: successfully authenticated
  The first, unsuccessful attempt above is when we are attempting to authenticate and connect wirelessly without a connection to ethernet. The 2nd, successful attempt is when are also connected to Ethernet, which passes the correct domain name, properly authenticating the domain\machinename. After reboot, we have to again plug in directly to Ethernet to reauthenticate to this wirelss network. Any idea(s) why plugging into Ethernet would cause the Mac to send the correct domainhost? Thanks.

  Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
  Glad you found resolution with a later version of the OS.
  Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400

• Machine Authentication Issue

  I have an ISE 1.2 
  I am configuring it with Machine authentication with PEAP , Users are working Fine 
  Just he connect his Cable , it authenticate his Machine and Machine dACL is Downloaded then he  log in with his username/password and NAC starts provisioning 
  the issue is : some Users is part of domain and their machine joined the domain , but their machine cannot authenticate successfully
  I am sure that these machine not included on denied endpoint groups , and Dot1x is enabled 
  Attached two images for that issue   

  Could you post the results from the clients authentication under ISE -> Operation -> Authentication

• ISE machine authentication - only plug in to the network after booting

  Hi experts.
  I have recently deployed ISE with machine authentication. 
  However, when the machine is already plugged in to the switch before booting, the machine does not authenticate automatically. It isn't until I log on, using a local computer account, that 802.1X authentication occurs. Using wireshark, I have verified again that this authentication is MACHINE authentication, not user-authentication.
  Is there a way to solve this problem, other than having my users unplug their computer and only plug in to the network after booting?
  Eric

  Hi Vattulu,
    The method of machine access restriction will be used, because there is no a plan to use anyconnect NAM on the client environment, since the prerequisite for EAP-chaining is to use anyconnect.
  Regards,
  Eric

• 802.1x with AD authentication in a wired environment

  Hello,
  I have a question about 802.1x authentication. I want use a combination from 802.1x and a domain authentication on a AD from microsoft. I think the first login request is the domain login, but the port on the switch is always blocked. After the PC is already up, then I can login with 802.1x authentication. Please let me know what is the best solution for this scenario. The customer need a domain login and he want use the 802.1x authentication.
  Give it a solution with only 1 login request???
  thanks
  Jens

  You can enable Machine Authentication with Windows 2000/XP/2003 clients. For this to work you need to use either PEAP or EAP-TLS. PEAP requires only a certifacate on the RADIUS Server. EAP-TLS requires a client certificate installed in the machine store on the 2000/XP/2003 client. With Machine Authentication the switchport authenticates the PC using 802.1x prior to user logon.
  You can push certificates down to Machines & Users via Active Directory Group Policy (you can't push user certificates down with a 2000 AD or 2000 Clients). You need to also enable Remote Access privileges for Machines as well.
  http://support.microsoft.com/kb/318750/EN-US/
  http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
  I have this deployed in a test environment at the moment using Microsoft IAS (Radius). Due to the way the IAS policies are created you need to plan things out carefully. Each switch has to be added individually to the IAS Server so it can look ugly (no more so than a DHCP server though).
  HTH
  Andy

• Missing machine authentication - peap acs

  Hi,
  my setup is:
  Cisco ACS 4.0 Release 4.0(1) Build 27 (with thawte certificate)
  WLC 4402 ver 4.0.179.8
  Aironet 1131 LWAPP
  dell laptop with windows xp sp2 with peap auth (using win control of wlan card)
  I experience problem with missing machine authentication even though I have enabled this in acs (Enable PEAP machine authentication). The regkey on the pc's are standard windows (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global with no value set = 0)
  http://support.microsoft.com/kb/309448/en-us
  I get these messages in the wlc log:
  AUTH 14/09/2006 08:48:58 E 0143 2688 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
  AUTH 14/09/2006 08:48:58 E 0376 3852 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
  anyone who can point me in the right direction?
  Is it a windows client problem or a WLC/ACS problem?
  regards rolf

  Hi,
  still have problem with machine authentication that stops working after 3-4days. I narrowed this down to the Cisco ACS, as the only way to resolve this is to reboot the win2003 server running Cisco ACS. I did put en error in my first post, it's not the wlc log that reports this:
  AUTH 26/09/2006 07:51:16 E 0143 0500 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
  AUTH 26/09/2006 07:51:16 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
  It is the Csauth log on the ACS. Have anybody seen this error message and know what it refers to?
  My problem now is that machine authentication works ok for some days, then stops and then the listed error messages starts coming in the csauth log.
  regards rolf

• SSL VPN with machine certificate authentication

  Hi All,
  I've configured a VPN profile for an Anyconnect VPN connection on my test environment. I've enabled AAA (RSA) and certificate authentication, configured the RSA servers correctly and uploaded the root and issuing certificates. I managed to get this working with machine certificates using a Microsoft PKI. With crypto debugging enabled I can see the CERT API thread wake up and correctly authenticate the certificate. So far so good....
  Now I configured the same on our production environment and can't get it to work!! The anyconnect client shows an error: "certificate validation failure"
  The strange thing is that the crypto debugging doesn't give me one single line of output. It looks like the certificate doesn't even reach the ASA. My question is, what is stopping the "CERT API thread" I mentioned before from waking up and validating the certificate?? Does someone have an explenation for that?
  btw. We have other VPN configurations on the same production/live ASA's with certificate authentication the are working and show up in the debugging.
  Thanks in advance for your help
  Hardware is ASA5540, software version 8.2(5).
  Some pieces of the configuration below:
  group-policy VPN4TEST-Policy internal
  group-policy VPN4TEST-Policy attributes
    wins-server value xx.xx.xx.xx
  dns-server value xx.xx.xx.xx
  vpn-simultaneous-logins 1
  vpn-idle-timeout 60
  vpn-filter value VPN4TEST_allow_access
  vpn-tunnel-protocol IPSec svc webvpn
  group-lock none
  ipsec-udp enable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelall
  default-domain value cs.ad.klmcorp.net
  vlan 44
  nac-settings none
  address-pools value VPN4TEST-xxx
  webvpn
    svc modules value vpngina
    svc profiles value KLM-SSL-VPN-VPN4TEST
  tunnel-group VPN4TEST-VPN type remote-access
  tunnel-group VPN4TEST-VPN general-attributes
  address-pool VPN4TEST-xxx
  authentication-server-group RSA-7-Authent
  default-group-policy VPN4TEST-Policy
  tunnel-group VPN4TEST-VPN webvpn-attributes
  authentication aaa certificate
  group-alias VPN4TEST-ANYCONNECT enable

  Forgot to mention, I'm using the same laptop in both situations (test and production). Tested with anyconnect versions 3.1.02.040 and 3.0.0.629.

• Machine authentication not working with peap mschapv2

  I have installed ACS ver 4.1.1 trial downloaded from cisco web sites. I have configure 802.1x machine authentication using self generated certificate with unknown user policy configure for windows database authentication. I can authenticate user via peap authentication. but i can never get the machine authentication working. on failed attempted.psv, i found EAP-TLS or PEAP authentication failed during SSL handshake. in the auth.log i found below message:
  TH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::CreateContext: new context id=3
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/paul2.test.com
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Service-Type=2
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Framed-MTU=1500
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Called-Station-Id=00-11-93-69-C5-9A
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=00-0E-7B-30-FA-08
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: EAP-Message=(binary value)
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Message-Authenticator=(binary value)
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port-Type=15
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port=50024
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-IP-Address=10.20.209.2
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-NAS-Vendor-14=1
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-Service-ID-0=0
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::SelectService: context id=3; no profile was matched - using default (0)
  AUTH 03/02/2008 07:01:13 I 5081 6184 Done RQ1152, client 2, status 0
  AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 7.
  AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1026, client 50 (127.0.0.1)
  AUTH 03/02/2008 07:01:13 I 0143 6448 [PDE]: PolicyMgr::Process: request type=5; context id=3; applied default profiles (0) - do nothing
  AUTH 03/02/2008 07:01:13 I 5394 6448 Attempting authentication for Unknown User 'host/paul2.test.com'
  AUTH 03/02/2008 07:01:13 I 1645 6448 pvAuthenticateUser: authenticate 'host/paul2.test.com' against CSDB
  AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1026, client 50, status -2046
  AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 8.
  AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
  AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
  AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2046
  AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 9.
  AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
  AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
  AUTH 03/02/2008 07:01:13 E 0381 6448 EAP: PEAP: ProcessResponse: invalid TLS data size received: 0
  AUTH 03/02/2008 07:01:13 I 0381 6448 EAP: PEAP: Second phase: 0 authentication FAILED
  AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2120
  AUTH 03/02/2008 07:01:13 I 5094 6184 Worker 0 processing message 36.
  If anyone can shed some light on this.
  Cheers,
  Andy

• Machine authentication with Windows 7

  Version: ISE 1.2p12
  Hello,
  I'm doing user and machine authentication with ISE.
  I use a first authorization rule to authenticate the machine against the AD. If it's part computers of the domain.
  Then I use an authorization rule to check if the user's group in AD with the credential he used to open the session + "Network Access:WasMachineAuthenticated = True"
  Things seems to be working and I see my switch port is "Authz Success" but shortly after the Windows 7 machine is behaving like 802.1X authentication fails. The little computer on the bottom right has a cross on it.
  If I disable and enable again the network card of that windows machine it works.
  Does any one of you have an idea about this problem ? something to tweak on Windows 7 like timers...
  Thank you

  Hi Mika. My comments below:
  a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems since the MAC address could have been removed from the cache when the user un-hibernate its computer. Then why not increasing the MAR cache to a value of 7 days then ? Regarding the roaming between wire and wireless it's a problem indeed.
  NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first pos that you should look into. But yes, you can increase the MAR timer to a value that fits your environent
  b) You suggest to use one authorization rule for the device which should be part of the AD and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the was, are we really talking about authorization rules here ? I will try this but it's difficult for me to imagine how it would really work.
  NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
  z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
  NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
  https://tools.ietf.org/html/rfc7170
  Thank you for rating helpful posts!

• Apple macosx machine authentication with ISE using EAP-TLS

  Hello,
  On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
  With windows machines all is working well. We are using computer authentication only.
  Now the problem is that we wish to do the same with MAC OSX machines.
  We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
  in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
  When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
  The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
  Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
  Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
  Thanks
  Gustavo Novais

  Additional information from the above question.
  I have the following setup;
  ACS 3.2(3) built 11 appliance
  -Cisco AP1200 wireless access point
  -Novell NDS to be used as an external database
  -Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
  -Windows XP SP2 Client
  My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
  Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
  When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
  Please help...
  Thanks

• Machine Authentication not happening with MAR

  ACS(SE)4.2
  WLC (4402)5.1.163
  AD 2003 Server
  Currently we are using ACS to authenticate VPN user for two domain.In the same ACS we want to configure machine authentication + PEAP + Self Signed Certificate.Now clients are authenticated with a valid username and password in any of the domain but machine authentication is not happening.
  Our Requirement :we want to acheive machine authentication and user authentication simultaneously. i.e. Computers which are added to particular group with a valid username and password can only access the network.If any one of above requirement is not fulfill then end host cannot access the network.
  Can anyone suggest what configuration required to acheive our requirement?
  Note: We are using same ACS for VPN authentication.

  Currently we are using WindowXP SP3.
  Client Configuration:
  1. network Authentication: WPA + TKIP
  2. EAP type: Protected EAP(PEAP)
  3. Authenticate as computer when computer information is available is (checked)
  4. Validated server certificate is (unchecked)
  5. Authentication Method is: EAP- MSCHAPv2
  ACS External Database Configuration:
  Tick "Enable PEAP machine authentication".
  Tick "Enable Machine Access Restrictions".
  Ensure that "Group map for successful user authentication without machine authentication:" is mapped to "No Access".
  We are using Windows AD database as external database.
  Currently we have created one wireless group in AD which is mapped to a group in ACS and the ACS group is mapped to the SSID in WLC. We are trying to authenticate the computer which are added to the Wireless AD group. But currently all users which are there in the AD are authenticate by their Username/password instead of machine authentication ( computer which are present in the group).
  In WLC, client details showing domain\username instead of host/computer name.
  Your quick response would be highly appreciated!!!!!!

• Machine Authentication with PEAP on Wireless with ISE1.2

  Hi All,
  We are facing issues while doing machine authentication in ISE1.2 with wireless PEAP authentication. Without machine authentication normal PEAP works very fine but as soon as we enable machine authentication and create policy for machine authentication and in user authentication policy we put condition "was machine authenticated" then it works for some machine properly but does not work for other machines. Its totally random behaviour sometime it stopped working for machines which were authenticated before.
  I just want to know if I m missing some configuration or its a bug in ISE. Can some body share step by step configuration for machine authentication with PEAP.
  Really It would be a great help.
  Thanks
  Ninja

  Did you Apply service pactch 4?
  Sent from Cisco Technical Support iPhone App

• Machine authentication with MAR and ACS - revisited

  I'm wondering if anyone else has overcame the issue I'm about to describe.
  The scenario:
  We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
  We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
  The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
  The passed authentications log does successfully show the machines authenticating.
  The challege:
  We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the currents standard corporate image).
  In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication.  As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
  In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine maybe authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
  So the user maybe logged on and working on the network - and then choose to undock which activates the wireless.
  The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS vial the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
  Has anyone seen / over come this ?
  Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

  Here's the only thing I could find on extending the schema (I'm not a schema expert):
  http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
  If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
  You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2.  Earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer it's machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just have easily used PEAP on the client side, but told ACS to an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...

• 802.1x PEAP Machine Authentication with MS Active Directory

  802.1x PEAP Machine and User Authentication with MS Active Directory:
  I have a simple pilot-text environment, with
  - Microsoft XP Client,
  - Cisco 2960 Switch,
  - ACS Solution Engine (4.1.4)
  - MS Active Directory on Win 2003 Server
  The Remote Agent (at 4.1.4) is on the same server as the MS AD.
  User Authentication works correctly, but Machine Authentication fails.
  Failed machine authenticaton is reported in the "Failed Attempts" log of the ACS SE.
  The Remote Agent shows an error:
  See Attachment.
  Without Port-Security the XP workstation is able to log on to the domain.
  Many thanks for any indication.
  Regards,
  Stephan Imhof

  Is host/TestClientMan.Test.local the name of the machine? What does the AAA tell for you the reason it fails?