Machine authentication by certificate and windows domain checking

Hi,
We intend to deploy machine certificate authentication for wifi users.
We want to check certificate validity of the machine, and also that the machine is included on the windows domain.
We intend to use EAP-TLS :
- One CA server.
- each machine (laptop) retrieves its own certificate from GPO or SMS
- the public certificate of the CA is pushed on the ACS as well as on each of the machine (laptop)
- ACS version is the appliance one
- one ACS remote agent installed on the A.D.
- when a user intends to log on to the wifi network:
  - the server (ACS appliance) sends its certificate to the client. The client checks the certificate against the CA server certificate it already trusts; result: the client also trusts the ACS's certificate signed by the CA server.
  - the client sends its certificate to the server (ACS appliance). The ACS checks the certificate against the CA server certificate it already trusts; result: the ACS also trusts the client's certificate signed by the CA server, but the ACS also checks that this certificate isn't revoked (the ACS checks this against the CA server's CRL, the certificate revocation list).
Am I right about these previous points?
And then my question is: is it possible to check that the machine is also included in the windows domain?
That is, is it possible for the ACS to retrieve the needed field (perhaps the CN, certificate type "host/....") and then perform an authentication request to the A.D. (Active Directory) through the ACS remote agent? We want to perform only machine authentication, not user authentication.
Thanks in advance for your attention.
Best Regards,
Arnaud
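The two-way certificate check described in the post above and the host/... identity lookup it asks about, as an added example in Go that is not from this thread, from Cisco ACS or from any Microsoft component: it builds a throwaway CA, an ACS server certificate, two machine certificates and a CRL revoking one, performs the chain-plus-CRL check each side does, and maps the certificate's host/fqdn CN to an AD computer-account name. The CA, certificate names and serial numbers are constructed, and the hostname$ (sAMAccountName) convention for the AD lookup is an assumption; a real ACS would also fetch the CRL from the CA's distribution point and check its NextUpdate, which is left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Usage the laptop expects of the ACS cert, and the usage ACS expects of a machine cert.
const ServerAuth, ClientAuth = x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// PKI is the constructed lab: the CA, the ACS cert, a valid and a revoked machine cert, and the CRL.
type PKI struct {
	CA, ACS, Client, Revoked *x509.Certificate
	CRL                      *x509.RevocationList
}
// issue builds a certificate for cn and signs it with the CA key; parent == nil means a self-signed CA.
func issue(cn string, serial int64, ku x509.KeyUsage, eku x509.ExtKeyUsage, parent *x509.Certificate, pub *ecdsa.PublicKey, caKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0,
	}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey))))
}
// BuildPKI stands in for the CA server and the GPO/SMS rollout; leaf private keys are not kept.
func BuildPKI() *PKI {
	caKey, sig := newKey(), x509.KeyUsageDigitalSignature
	ca := issue("Lab Root CA", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, x509.ExtKeyUsageAny, nil, &caKey.PublicKey, caKey)
	acs := issue("acs.lab.fr", 2, sig, ServerAuth, ca, &newKey().PublicKey, caKey)
	client := issue("host/nomadev2001.lab.fr", 3, sig, ClientAuth, ca, &newKey().PublicKey, caKey)
	revoked := issue("host/lost-laptop.lab.fr", 4, sig, ClientAuth, ca, &newKey().PublicKey, caKey)
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}}}, ca, caKey))))
	return &PKI{CA: ca, ACS: acs, Client: client, Revoked: revoked, CRL: crl}
}
// Check is what each side does with the cert it receives: chain it to the one trusted CA for the expected usage, then refuse it if the CA-signed CRL lists its serial.
func (p *PKI) Check(c *x509.Certificate, eku x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CA)
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}}); err != nil {
		return err
	}
	if err := p.CRL.CheckSignatureFrom(p.CA); err != nil { // never trust a CRL the CA did not sign
		return err
	}
	for _, r := range p.CRL.RevokedCertificates {
		if r.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return errors.New("certificate revoked: " + c.Subject.CommonName)
		}
	}
	return nil
}
// MachineAccount maps the "host/fqdn" CN (the User-Name seen in auth.log) to the AD computer account name (sAMAccountName, assumed to be HOSTNAME$) and the domain to look it up in.
func MachineAccount(identity string) (account, domain string, err error) {
	fqdn := strings.TrimPrefix(identity, "host/")
	i := strings.IndexByte(fqdn, '.')
	if fqdn == identity || i <= 0 || i == len(fqdn)-1 {
		return "", "", errors.New("not a host/fqdn machine identity: " + identity)
	}
	return strings.ToUpper(fqdn[:i]) + "$", fqdn[i+1:], nil
}

func main() {
	p := BuildPKI()
	fmt.Println(p.Check(p.ACS, ServerAuth), p.Check(p.Client, ClientAuth), p.Check(p.Revoked, ClientAuth))
	fmt.Println(MachineAccount(p.Client.Subject.CommonName)) // NOMADEV2001$ lab.fr <nil>
}
```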

Hi Prem,
Thanks for these inputs.
I've set the log details to full, performed other tests and retrieved the package.cab.
I've started investigating the 2 log files you pointed to.
First, we can see that the requests reach the ACS, so that's a good point.
Then, I'm not sure how to understand the messages.
In the auth.log, we can see the message "no profile match". I guess it is about network access profiles. For my purpose (machine authentication by certificate), I don't think Network Access Profiles are mandatory to configure.
But I'm not sure this NAP problem is the root cause of my problem.
And when no NAP is matched, then the default action should be to accept.
We can see the correct name of the machine (host/...). We can see that it's trying to authenticate this machine "against CSDB". Then we have several lines with "status -2046" but I can't understand what the problem is.
I don't know what CSDB is.
I've configured external user database: for this, I've configured windows database with Remote Agent. The domain is retrieved and added in the domain list. And EAP-TLS machine authentication is enabled.
I copy below an extract of the auth.log.
I also attach parts of auth.log and RDS.log.
Do you have any ideas or advice?
Thanks in advance for your attention.
Best Regards,
Arnaud
AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing
AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046

Similar Messages

  • Machine authentication using certificates

    Hi,
    I am facing this error while the machine authenticates against AD for wireless users. My requirement is that users with a corporate laptop get the privileged VLAN and BYOD should get the normal VLAN. I am using Cisco ISE 1.1.1 and configured authentication policies to differentiate clients based on corp asset and BYOD. The authentication policy result is an identity sequence which uses the certificate profile and AD. All corp laptops should be authenticated using certificates and then followed by AD user and pass. When I configure XP users to validate the server certificate this error comes in the ISE log "Authentication failed : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client" and if I disable validate server certificate then this error "Authentication failed : 22049 Binary comparison of certificates failed".
    Any help??
    Thanks in advance.

    Hi [answers are inline]
    I have tried using Cisco AnyConnect NAM on Windows XP for machine and user authentication but the EAP-chaining feature is not working as expected. I am facing a few challenges. I have configured NAM to use EAP-FAST for machine and user authentication and ISE is configured with the required authorisation rule and profiles/results. When the machine boots up it sends the machine certificate and gets authenticated against AD, and ISE matches the authorisation rule and assigns the authZ profile without waiting for user credentials.
    This is expected for machine authentication; since the client hasn't logged in, machine authentication will succeed so the computer has connectivity to the domain.
    Now when a user logs on using AD user/pass, authentication fails as the VLAN assigned in the AuthZ profile does not have access to AD. ISE should actually check with their external database but it's not.
    Do you see the authentication report in ISE? Keep in mind that you are authenticating with a client that has never logged into the workstation before. I am sure you are looking for the feature which starts the NAM process before the user logs in. Try checking this option here:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1074333
    Note the section below:
    –Before User Logon—Connect to the network before the user logs on. The user logon types that are supported include user account (Kerberos) authentication, loading of user GPOs, and GPO-based logon script execution.
    If you choose Before User Logon, you also get to set Time to Wait Before Allowing a User to Logon:
    Time to Wait Before Allowing User to Logon—Specifies the maximum (worst case) number of seconds to wait for the Network Access Manager to make a complete network connection. If a network connection cannot be established within this time, the Windows logon process continues with user log on. The default is 5 seconds.
    Note If the Network Access Manager is configured to manage wireless connections, set Time to wait before allowing user to logon to 30 seconds or more because of the additional time it may take to establish a wireless connection. You must also account for the time required to obtain an IP address via DHCP. If two or more network profiles are configured, you may want to increase the value to cover two or more connection attempts.
    You will have to enable this setting to allow the supplicant to connect to the network using the credentials you provide; the reason for this is you are trying to authenticate a user that has never logged into this workstation before. Please make changes to the configuration.xml file, and then select the repair option on the AnyConnect client and test again.
    Interestingly, if I login with an AD user which is local to the machine it gets authenticated and gets the correct AuthZ profile/access level. If I logoff and login with a different user, the Windows adapter gets an IP address and ISE shows successful authentication/authz profile but the NAM agent prompts limited connectivity. Any help??
    Please make the changes above and see if the error message goes away.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • How do I connect to Time Capsule from a Windows 8.1 machine which is on a Windows domain. I have been able to connect from a Windows 7 machine on a Windows domain to a Time Capsule. Airport utility is not displaying the Time Capsule Win8.1 machine

    How do I connect to Time Capsule from a Windows 8.1 machine which is on a Windows domain. I have been able to connect from a Windows 7 machine on a Windows domain to a Time Capsule. Airport utility is not displaying the Time Capsule Win8.1 machine.
    I have checked that the firmware has been updated to 7.6.4. Similarly the Win8.1 machine has been loaded with the update specified in another discussion.

    Firstly how are you connecting to the TC.. wireless or ethernet?
    Please open a command window and ping it.. ping by name and by IP address.
    If ping succeeds at least by IP it should work.
    In windows explorer type
    \\10.0.1.1 (or whatever the TC ip is.. that is the default).
    Having the airport utility for windows loaded can help the process. As it loads bonjour for windows.
    7.6.4 firmware on the TC is useless. It works better on 7.6.1
    If the ping does not succeed by either name or IP address yet you have internet through the TC, then your network is set up wrongly. You have firewalls blocking local IP. Take down all the firewalls.

  • Leap and windows domain logon

    I'm doing some test with an Air 1200 and some 352 Pc card for one of our customers.
    With ACU ver. 4.25.23, I enabled LEAP authentication using the windows user name and password.
    Leap authentication is successful, while windows domain logon not.
    Not to mention that using a "normal" NIC, logon succeeds.
    Sniffing the packets that come out of the AP, it seems the domain logon happens... I see the requests/answers between my client and the domain controller...
    However, after canceling the windows domain logon I have normal connectivity with the entire network.
    Someone experienced that? Any help will be greatly appreciated.
    Antonio Tassone

    Sure.
    My attempts to logon in a windows domain using the same user/password for LEAP authentication and windows logon were unsuccessful (either using Win9x or Win NT/2000 on the client); indeed the login dialog box was stuck in something like "searching primary domain controller" or similar (I'm sorry but it was some months ago).
    Looking at the RADIUS server log, I found an error like " xxxxx DLL rejected".
    Searching the Cisco web site and the forums for that error, I read the advice to make the authentication services on the NT server to run with the privileges of one of the Windows Domain Administrator accounts.
    Following that advice, and with some other tweaking explained in the document I read, I reached my goal.
    I regret I can't be more precise.
    Regards.

  • When I start Firefox, I get a dialogue box saying that Firefox had stopped working and Windows is checking the cause, another dialogue box., I have Google Chrome working on my laptop.

    When I start Firefox, I get a dialogue box saying that Firefox has stopped working and Windows is checking the cause; another dialogue box says that a problem caused the program to stop working correctly and Windows will close the program and notify me if a solution is found. The problem continues. I have Google Chrome working on my laptop.

    It is possible that your anti-virus software is corrupting the downloaded files or otherwise interfering with downloading files by Firefox.
    Try to disable the real-time (live) scanning of files in your anti-virus software temporarily to see if that makes downloading work.
    See also:
    * http://kb.mozillazine.org/Unable_to_save_or_download_files

  • Machine authentication with MAR and ACS - revisited

    I'm wondering if anyone else has overcome the issue I'm about to describe.
    The scenario:
    We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
    We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
    The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
    The passed authentications log does successfully show the machines authenticating.
    The challenge:
    We only want to permit users on our PEAP-protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box, the current standard corporate image).
    In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails. If a machine is shut down and boots fresh, or if the logged-on user chooses to log off while on that WLAN, we see the Windows box send its machine authentication. As I understand it, a Windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
    In our environment (and I'm sure many others), if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on, the machine may be authenticating, but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS RADIUS.
    So the user may be logged on and working on the network, and then choose to undock, which activates the wireless.
    The problem then: the machine does NOT attempt to authenticate as a machine and only processes the user credentials, which get passed on to ACS via the WLC, and when MAR is enabled with the No Access mapping for no machine auth, the user auth obviously fails.
    Has anyone seen / overcome this?
    Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

    Here's the only thing I could find on extending the schema (I'm not a schema expert):
    http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
    If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
    You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2. Earlier versions may not work the same way). Your comment about what you're testing is confusing me. Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS). Your client will offer its machine account AD credentials to the ACS server in order to authenticate to the network. Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network. Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS). You should not need PEAP and EAP-TLS together. Both are used for the same purpose: 802.1X authentication for network access. PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials. You could just as easily have used PEAP on the client side, but told ACS to use an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access. I wish I could explain this better...

  • ACS and Windows Domain / AD

    Hi All,
    In my environment there are two Windows Domains - Domain A and B. ACS is configured on a member server in domain B and hence Windows Authentication for users in Domain B is working fine. However I'm unable to see domain A in Configure Domain List on the ACS server in the Windows Domain configuration menu.
    Please note, there is one way trust between domain A and B with Domain A trusting Domain B.
    Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers - thanks.
    I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on ASA 5540.
    Appreciate quick help on this.
    -Satishcp

    Unfortunately we are not using the Cisco Secure ACS Appliances, rather it's ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
    My guess Remote Agents for Windows / Solaris works with Appliances alone.

  • 802.1x, Machine Authentication, Active Directory and eDirectory

    Does anyone think this is feasible as a solution...
    Problem Definition.
    1) Machines all use the netware Client and authenticate to eDirectory initially, then to AD.
    2) I want to use ACS, not Free Radius.
    3) I don't want to use a 3rd party supplicant.
    Possible solution...
    Does anyone think it might be possible to authenticate a machine using a certificate into AD before the user logs in using the netware client. My thinking being this... the user (or machine in this case) will have already been identified as trusted (through AD), will be connected to the network when the user submits their netware credentials. This would mean that netware could be left out of the 802.1x process completely and yet the user would still get a single sign on experience.

    I did. Basically the scenario I described in the original post worked.
    The only caveat is that user auth still occurs through 802.1x once you submit the user credentials. There are registry hacks which disable this if you solely want to use machine auth.
    hope this helps

  • Parallels Desktop and Windows Domain

    I've installed Parallels 3 onto my MacBook and am now using Windows XP Pro.
    I've tried to join my Windows OS to my domain on our Windows 2003 Server but the computer cannot find the domain. I think it's something to do with the network connection with the Mac preventing the outward connection.
    Anyone know how to use a Windows Domain through Parallels 3?
    Please help

    I would suggest changing the network settings in Parallels so that your virtual host is getting an IP address straight from your company's DHCP server.
    Don't use shared networking but bridged networking.

  • Incompatibility among the authentication WEB-based and Windows Vista

    I have a Wireless LAN Controller 5.0.148.2 and Access Points 1252 and 1231; the customer has 8 laptops with Windows Vista that have problems connecting to the Guest WLAN; these same laptops have no problems authenticating to the Employee WLAN through PEAP. The laptops with Windows XP do not have this problem.
    The users connected to the Guest WLAN obtain an IP address correctly through DHCP; the guest users cannot see the welcome (login) web page, or when they sometimes do see it, they enter the username and password and then do not see the following page, and they do not connect to the Internet.
    The laptops in question come from different manufacturers (HP and DELL), Windows Vista versions (Home Basic and Home Premium) and wireless cards (INTEL and ATHEROS).

    I'm having the same problem with our student wireless. It uses web authentication and Windows Vista and Mac users are having problems but Windows XP works fine. They all get IP addresses but aren't getting presented with the login page.

  • 802.1x and Windows Domain Controller with ACS

    Wow, I am having a tough time getting my ACS and the domain controller to work with 802.1x PEAP. Can somebody explain to me how to set up the domain controller (Active Directory) to get a PEAP cert? Some other questions. If I am using PEAP and 802.1x how does my computer get a cert from the CA if the port is disabled by 802.1x? And how do I set up my domain controller to work with ACS to authenticate users? I have been beating myself to death to figure this out. Any help would be awesome. I am really stuck on trying to make this work.
    Thanks a ton in advance
    Justin

    I as a Cisco customer would like to see answers to our questions based on some real world experience or something you've noticed in a lab environment.
    Simply posting links is not very helpful. The reason most of us come to this site and post our questions is because we already went to the Cisco website and found the explanation to be vague. In the future, please post answers to our questions, instead of referring us to a link.
    Thank you,
    John...

  • SPNego and Windows domain

    Hi,
    just to make sure: when the windows 2003 domain is MYDOMAIN and not MYDOMAIN.COM or anything with a dot in it (so users logon via MYDOMAIN\username), but the FQDN of the J2EE server is j2eehost.mydomain.com, then MYDOMAIN should be used to create the keytab file, instead of MYDOMAIN.COM, correct?
    Thus host/j2eehost.mydomain.com@MYDOMAIN instead of host/[email protected] is the service principal name?

    Hi Yonko,
    thanks again. Yes I understand why you would assume that there would be a MYDOMAIN.COM domain but it isn't as far as I know (result of upgrades all the way back from NT4).
    I actually forgot to write that the windows logon dialog shows DOMAIN, but the FQDN is AMUCHBIGGERDOMAIN.COM. For example, the logon is COMPANYNAME\username, but the FQDN of all servers (all domain members) is host.globalcompanyname.com
    Interestingly enough, we cannot logon using [email protected]
    Nonetheless, I'll double check using TweakUI.
    Cheers
    Marcel

  • Time Machine for both Mac and Windows side of BootCamp

    Can I use my external hard drive to backup both the Mac side and the windows side of BootCamp? I am using Time Machine for the Mac side, and I know that WinXP doesn't have Time Machine software. Can I use the hard drive when I'm on the Windows side as I would on any Windows machine, and move files under "My Computer"?

    Can I use my external hard drive to backup both the Mac side and the windows side of BootCamp?
    ONLY if you partition the external and use Winclone for Windows, but leave as much space as possible for TM.
    I am using Time Machine for the Mac side, and I know that WinXP doesn't have Time Machine software. Can I use the hard drive when I'm on the Windows side as I would on any Windows machine, and move files under "My Computer"?
    Yes.
    Without special software, the windows partition can't even see your OS X partition.
    Good luck!

  • My tabs will not restore after starting Firefox -- even with the option to restore my tabs and windows is checked in the "options" window. I'm losing tabs from previous sessions that I need to keep open every time I need to restart. Thanks for any advice!

    Is there something else I need to tweak to get rid of this annoyance instead of simply clicking the check box? I'm losing tabs from previous sessions that I need to keep open every time I need to restart. Thanks for any advice!

    Make sure that you do not use Clear Recent History to clear the Browsing History when you close Firefox.
    *https://support.mozilla.com/kb/Clear+Recent+History
    It is possible that there is a problem with the files sessionstore.js and sessionstore.bak in the Firefox Profile Folder.
    Delete the sessionstore.js [2] file and possible sessionstore-##.js [3] files with a number and sessionstore.bak in the Firefox Profile Folder.
    * Help > Troubleshooting Information > Profile Directory: Open Containing Folder
    * http://kb.mozillazine.org/Profile_folder_-_Firefox
    Deleting sessionstore.js will cause App Tabs and Tab Groups and open and closed (undo) tabs to get lost, so you will have to create them again (make a note or bookmark them).
    See also:
    * [1] http://kb.mozillazine.org/Session_Restore
    * [2] http://kb.mozillazine.org/sessionstore.js
    * [3] http://kb.mozillazine.org/Multiple_profile_files_created

  • Android, Ipad authentication under windows domain environment

    I’m really confused about the best practice to set up these devices in a 802.1x and Windows Domain network using ISE.
    I had seen the Ipad download the ISE certificate the very first time the device is connected to the SSID. In Android device (Galaxy phone) I don’t see the device download certificate.
    Testing with the Android device I was able to install the root CA certificate (not an easy procedure); then, when the SSID is configured in the device, I have the option to choose the root CA certificate.
    Now if I don't include the certificate in the SSID configuration, the device is able to connect with an identity and password only. If I include the certificate in the SSID configuration, the device asks for the certificate storage password if the option to use secure credentials was not enabled before.
    How can I validate through the ISE that the Android device is using the certificate? Is it possible to set a rule in the ISE denying access if the device does not validate the certificate? I think EAP necessarily uses certificates, but the Android device does not show anything.
    I had read about provisioning and profiling the Android devices. I think the Network Setup Assistant available through Google Play is an easy procedure to install the root CA certificate. Am I right?
    The customer said it appears the certificate is being used to encrypt the username and password, not to do the authentication itself. Reading about EAP functionality I believe it is right; I understand the EAP-MSCHAP actually creates a tunnel to pass through the username and password. Right?
    As the iPad and Android devices are not in the windows domain, what should be expected when the password is expired? Customer policy indicates users must change domain passwords every four months. On a Windows PC users receive warnings some days before the expiration, but it appears nothing happens on non-domain devices. A co-worker told me the easy way is that when this happens the user should remove the SSID on the device and create it again. The customer does not like this behavior, so what would be a best-practice workaround?
    I hope you can help me to clarify my doubts.
    Regards.
    Daniel Escalante

    For Client Provisioning for Android you can refer to these guides:
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_ISE.html#wp1024291
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html#anc10
