Machine authentication in Aironet

i'm trying to authenticate laptops to Active directory before joining wireless AP (aironet 1240A)
i'm using EAP in AP
and PEAP with certificates in NPS
i'm forcing laptops to use "computer authentication" through a GPO
certificates already deployed to All machines
policy is configured in NPS with "machine group" condition
the problem i'm facing that their is some laptops are authenticated successfully while the others are not
all machines are using windows 7 and located in the same Active Directory OU (same GPO applied)
here is what i saw in AP after enabling debug radius authentication
the working machines
*Mar  4 20:25:34.125: RADIUS/ENCODE(00000009):Orig. component type = DOT11
*Mar  4 20:25:34.125: RADIUS:  AAA Unsupported Attr: ssid              [265] 9  
*Mar  4 20:25:34.126: RADIUS:   63 6F 72 70 6F 72 61                             [corpora]
*Mar  4 20:25:34.126: RADIUS:  AAA Unsupported Attr: interface         [157] 3  
*Mar  4 20:25:34.126: RADIUS:   32                                               [2]
*Mar  4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
*Mar  4 20:25:34.126: RADIUS/ENCODE(00000009): acct_session_id: 8
*Mar  4 20:25:34.126: RADIUS(00000009): Config NAS IP: X.Y.64.229
*Mar  4 20:25:34.126: RADIUS(00000009): sending
*Mar  4 20:25:34.127: RADIUS(00000009): Send Access-Request to X.Y.64.30:1812 id 1645/8, len 160
*Mar  4 20:25:34.127: RADIUS:  authenticator AC E6 88 FF CD B5 F3 CE - EA 56 67 37 2F 72 B5 C5
*Mar  4 20:25:34.127: RADIUS:  User-Name           [1]   23  "host/FADI-LT.domain.com"
*Mar  4 20:25:34.127: RADIUS:  Framed-MTU          [12]  6   1400               
*Mar  4 20:25:34.128: RADIUS:  Called-Station-Id   [30]  16  "0027.0c68.1dc0"
*Mar  4 20:25:34.128: RADIUS:  Calling-Station-Id  [31]  16  "0811.9699.ba30"
*Mar  4 20:25:34.128: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Mar  4 20:25:34.128: RADIUS:  Message-Authenticato[80]  18
*Mar  4 20:25:34.128: RADIUS:   1C 45 ED 5A 5D 1E DA 88 73 E5 D3 16 9F A2 62 A9  [?E?Z]???s?????b?]
*Mar  4 20:25:34.128: RADIUS:  EAP-Message         [79]  28
*Mar  4 20:25:34.128: RADIUS:   02 02 00 1A 01 68 6F 73 74 2F 46 41 44 49 2D 4C  [?????host/FADI-L]
*Mar  4 20:25:34.129: RADIUS:   54 2E 61 64 61 73 69 2E 61 65                    [T.domain.com]
*Mar  4 20:25:34.129: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
*Mar  4 20:25:34.129: RADIUS:  NAS-Port            [5]   6   263                
*Mar  4 20:25:34.129: RADIUS:  NAS-Port-Id         [87]  5   "263"
*Mar  4 20:25:34.129: RADIUS:  NAS-IP-Address      [4]   6   10.10.64.229       
*Mar  4 20:25:34.129: RADIUS:  Nas-Identifier      [32]  4   "AP"
*Mar  4 20:25:34.166: RADIUS: Received from id 1645/8 10.10.64.30:1812, Access-Challenge, len 90
*Mar  4 20:25:34.167: RADIUS:  authenticator 36 94 18 74 91 6F AA 0E - D4 D7 DC 48 A8 53 43 68
*Mar  4 20:25:34.167: RADIUS:  Session-Timeout     [27]  6   30                 
*Mar  4 20:25:34.167: RADIUS:  EAP-Message         [79]  8
*Mar  4 20:25:34.167: RADIUS:   01 03 00 06 0D 20                                [????? ]
*Mar  4 20:25:34.167: RADIUS:  State               [24]  38
the non working machines
*Mar  4 20:26:18.949: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
*Mar  4 20:26:18.949: RADIUS:  AAA Unsupported Attr: ssid              [265] 9  
*Mar  4 20:26:18.949: RADIUS:   63 6F 72 70 6F 72 61                             [corpora]
*Mar  4 20:26:18.949: RADIUS:  AAA Unsupported Attr: interface         [157] 3  
*Mar  4 20:26:18.949: RADIUS:   32                                               [2]
*Mar  4 20:26:18.949: RADIUS(0000000A): Config NAS IP: X.Y.64.229
*Mar  4 20:26:18.950: RADIUS/ENCODE(0000000A): acct_session_id: 9
*Mar  4 20:26:18.950: RADIUS(0000000A): Config NAS IP: X.Y.64.229
*Mar  4 20:26:18.950: RADIUS(0000000A): sending
*Mar  4 20:26:18.950: RADIUS(0000000A): Send Access-Request to X.Y.64.30:1812 id 1645/11, len 150
*Mar  4 20:26:18.951: RADIUS:  authenticator 17 64 A0 78 8E 49 12 7C - 79 8A 55 17 79 1F D5 A1
*Mar  4 20:26:18.951: RADIUS:  User-Name           [1]   18  "domain\username"
*Mar  4 20:26:18.951: RADIUS:  Framed-MTU          [12]  6   1400               
*Mar  4 20:26:18.951: RADIUS:  Called-Station-Id   [30]  16  "0027.0c68.1dc0"
*Mar  4 20:26:18.951: RADIUS:  Calling-Station-Id  [31]  16  "0022.faf1.9258"
*Mar  4 20:26:18.951: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Mar  4 20:26:18.951: RADIUS:  Message-Authenticato[80]  18
*Mar  4 20:26:18.951: RADIUS:   06 FC 55 89 6D 45 AA E5 8A 73 73 2C 82 87 28 BA  [??U?mE???ss,??(?]
*Mar  4 20:26:18.952: RADIUS:  EAP-Message         [79]  23
*Mar  4 20:26:18.952: RADIUS:   02 02 00 15 01 41 44 41 53 49 5C 66 61 64 69 2E  [?????domain\user]
*Mar  4 20:26:18.952: RADIUS:   61 64 6D 69 6E                                   [name]
*Mar  4 20:26:18.952: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
*Mar  4 20:26:18.952: RADIUS:  NAS-Port            [5]   6   264                
*Mar  4 20:26:18.952: RADIUS:  NAS-Port-Id         [87]  5   "264"
*Mar  4 20:26:18.952: RADIUS:  NAS-IP-Address      [4]   6   X.Y.64.229       
*Mar  4 20:26:18.953: RADIUS:  Nas-Identifier      [32]  4   "AP"
*Mar  4 20:26:18.980: RADIUS: Received from id 1645/11 X.Y.64.30:1812, Access-Challenge, len 90
*Mar  4 20:26:18.980: RADIUS:  authenticator 54 84 DD 91 72 03 E9 08 - EA 61 C0 B3 B5 D6 9A 42
*Mar  4 20:26:18.981: RADIUS:  Session-Timeout     [27]  6   30                 
*Mar  4 20:26:18.981: RADIUS:  EAP-Message         [79]  8
*Mar  4 20:26:18.981: RADIUS:   01 03 00 06 0D 20                                [????? ]
*Mar  4 20:26:18.981: RADIUS:  State               [24]  38
*Mar  4 20:26:18.981: RADIUS:   15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E  [???????7??????@?]
*Mar  4 20:26:18.982: RADIUS:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08  [????????????????]
*Mar  4 20:26:18.982: RADIUS:   55 9E B9 77                                      [U??w]
*Mar  4 20:26:18.982: RADIUS:  Message-Authenticato[80]  18
*Mar  4 20:26:18.982: RADIUS:   1A EC 06 E6 E0 46 C4 06 15 87 E9 26 30 49 63 47  [?????F?????&0IcG]
*Mar  4 20:26:18.983: RADIUS(0000000A): Received from id 1645/11
*Mar  4 20:26:18.983: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
*Mar  4 20:26:18.986: RADIUS/ENCODE(0000000A):Orig. component type = DOT11
*Mar  4 20:26:18.986: RADIUS:  AAA Unsupported Attr: ssid              [265] 9  
*Mar  4 20:26:18.986: RADIUS:   63 6F 72 70 6F 72 61                             [corpora]
*Mar  4 20:26:18.987: RADIUS:  AAA Unsupported Attr: interface         [157] 3  
*Mar  4 20:26:18.987: RADIUS:   32                                               [2]
*Mar  4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
*Mar  4 20:26:18.987: RADIUS/ENCODE(0000000A): acct_session_id: 9
*Mar  4 20:26:18.987: RADIUS(0000000A): Config NAS IP: X.Y..64.229
*Mar  4 20:26:18.987: RADIUS(0000000A): sending
*Mar  4 20:26:18.988: RADIUS(0000000A): Send Access-Request to 10.10.64.30:1812 id 1645/12, len 173
*Mar  4 20:26:18.988: RADIUS:  authenticator 37 26 0B EC 12 5D 6A E5 - 22 1A 27 4A B0 5B E2 AA
*Mar  4 20:26:18.988: RADIUS:  User-Name           [1]   18  "domain\username"
*Mar  4 20:26:18.988: RADIUS:  Framed-MTU          [12]  6   1400               
*Mar  4 20:26:18.988: RADIUS:  Called-Station-Id   [30]  16  "0027.0c68.1dc0"
*Mar  4 20:26:18.988: RADIUS:  Calling-Station-Id  [31]  16  "0022.faf1.9258"
*Mar  4 20:26:18.988: RADIUS:  Service-Type        [6]   6   Login                     [1]
*Mar  4 20:26:18.988: RADIUS:  Message-Authenticato[80]  18
*Mar  4 20:26:18.989: RADIUS:   3D 11 05 D8 6E DF 92 2B 51 EC BA BA FB C4 10 5F  [=???n??+Q??????_]
*Mar  4 20:26:18.989: RADIUS:  EAP-Message         [79]  8
*Mar  4 20:26:18.989: RADIUS:   02 03 00 06 03 19                                [??????]
*Mar  4 20:26:18.989: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
*Mar  4 20:26:18.989: RADIUS:  NAS-Port            [5]   6   264                
*Mar  4 20:26:18.989: RADIUS:  NAS-Port-Id         [87]  5   "264"
*Mar  4 20:26:18.989: RADIUS:  State               [24]  38
*Mar  4 20:26:18.990: RADIUS:   15 D3 02 D9 00 00 01 37 00 01 02 00 0A 0A 40 1E  [???????7??????@?]
*Mar  4 20:26:18.990: RADIUS:   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08  [????????????????]
*Mar  4 20:26:18.990: RADIUS:   55 9E B9 77                                      [U??w]
*Mar  4 20:26:18.990: RADIUS:  NAS-IP-Address      [4]   6   X.Y.64.229       
*Mar  4 20:26:18.990: RADIUS:  Nas-Identifier      [32]  4   "AP"
*Mar  4 20:26:18.992: RADIUS: Received from id 1645/12 10.10.64.30:1812, Access-Reject, len 44
*Mar  4 20:26:18.992: RADIUS:  authenticator 76 30 DF F4 7A 36 AC E7 - 20 AA 83 C1 05 8B 62 EC
*Mar  4 20:26:18.992: RADIUS:  EAP-Message         [79]  6
*Mar  4 20:26:18.993: RADIUS:   04 03 00 04                                      [????]
*Mar  4 20:26:18.993: RADIUS:  Message-Authenticato[80]  18
*Mar  4 20:26:18.993: RADIUS:   FD 21 74 AF A8 7F A1 A5 9E CE 3A 35 45 DA EA C9  [?!t???????:5E???]
*Mar  4 20:26:18.993: RADIUS(0000000A): Received from id 1645/12
*Mar  4 20:26:18.994: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
*Mar  4 20:26:18.994: %DOT11-7-AUTH_FAILED: Station 0022.faf1.9258 Authentication failed
obviously the machine who send machine name (host\machinename) will be authenticated successfully
and machines who send username (domain\username) will not be authenticated successfully
now
i tested those unsuccessful machines in a wired  dot1x switch using the same NPS policy and they were sending their machine names instead of usernames and they were authenticated successfully
i suspected that this is maybe because of the AP config
here it is
Current configuration : 2662 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP
enable secret 5 $1$gtul$Uhe4qVAC8GN0drownggAb0
aaa new-model
aaa group server radius rad_eap
 server X.Y.64.30 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
ip domain name domain
dot11 ssid corporate
   vlan 64
   authentication open eap eap_methods
   authentication network-eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
dot11 network-map
power inline negotiation prestandard source
username Cisco password 7 13261E010803
bridge irb
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm
 encryption vlan 64 mode ciphers aes-ccm
 ssid corporate
 mbssid
 station-role root
interface Dot11Radio0.64
 encapsulation dot1Q 64 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
interface FastEthernet0.64
 encapsulation dot1Q 64 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
interface BVI1
 ip address X.Y.64.229 255.255.255.0
 no ip route-cache
ip default-gateway X.Y.64.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
snmp-server community cable RO
snmp-server enable traps tty
radius-server attribute 32 include-in-access-req format %h
radius-server host X.Y.64.30 auth-port 1812 acct-port 1813 key 7 104F0D18161E2D1E0D071538212B213036
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 5 15
end

Hi,
You will need o be more specific so we can help you.
What exactly is happening/not working?
Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.
Is your PC doing machine authentication?
HTH,
Tiag
If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Similar Messages

  • Missing machine authentication - peap acs

    Hi,
    my setup is:
    Cisco ACS 4.0 Release 4.0(1) Build 27 (with thawte certificate)
    WLC 4402 ver 4.0.179.8
    Aironet 1131 LWAPP
    dell laptop with windows xp sp2 with peap auth (using win control of wlan card)
    I experience problem with missing machine authentication even though I have enabled this in acs (Enable PEAP machine authentication). The regkey on the pc's are standard windows (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global with no value set = 0)
    http://support.microsoft.com/kb/309448/en-us
    I get these messages in the wlc log:
    AUTH 14/09/2006 08:48:58 E 0143 2688 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
    AUTH 14/09/2006 08:48:58 E 0376 3852 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
    anyone who can point me in the right direction?
    Is it a windows client problem or a WLC/ACS problem?
    regards rolf

    Hi,
    still have problem with machine authentication that stops working after 3-4days. I narrowed this down to the Cisco ACS, as the only way to resolve this is to reboot the win2003 server running Cisco ACS. I did put en error in my first post, it's not the wlc log that reports this:
    AUTH 26/09/2006 07:51:16 E 0143 0500 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
    AUTH 26/09/2006 07:51:16 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
    It is the Csauth log on the ACS. Have anybody seen this error message and know what it refers to?
    My problem now is that machine authentication works ok for some days, then stops and then the listed error messages starts coming in the csauth log.
    regards rolf

  • ACS 5.3, EAP-TLS Machine Authentication with Active Directory

    I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
    My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
    Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
    Evaluating Identity Policy
    15006 Matched Default Rule
    22037 Authentication Passed
    22023 Proceed to attribute retrieval
    24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
    24437 Machine not found in Active Directory
    22016 Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    12506 EAP-TLS authentication succeeded
    11503 Prepared EAP-Success
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - Permit Access
    22065 Max sessions policy passed
    22064 New accounting session created in Session cache
    11002 Returned RADIUS Access-Accept
    I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
    Note: In my Identity Store Sequence, I did enable the option:
    For Attribute Retrieval only:
    If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
    but this only seems to work for internal identity stores (at least based on my testing)
    Under my Access Policy Identity tab, I configured the following Advanced features:
    Advanced Options
    If authentication failed
    RejectDropContinue
    If user not found
    RejectDropContinue
    If process failed
    RejectDropContinue
    And that didn't do anything either.
    Any ideas? Thanks in advance.

    Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
    Then can make a rule in the authorization policy such as
    If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

  • ISE 1.2 - 24492 Machine authentication against AD has failed

    Currently experiencing a machine authentication problem between ISE 1.2 patch 2 and a customer AD installation.
    AuthZ policy is set to match agains /Users/Domain Computers and /Users Domain Users.  User authentication works, machine auth doesnt.
    Machine authentication box is ticked.
    If you try to disable an AD machine, or try a machine not in the domain you get the appropriate different response in the ISE logs which sugests it has the right access into AD to check this info.
    This happens on all computers, both WinXP and Win7 corporate builds.
    I know its not an ISE policy configuration as I have resorted to testing the same ISE against a vanilla lab AD environment with the same AD domain name (just by changing the DNS servers ISE uses) and the computer lookup works!
    Anybody got any ideas?
    thanks.

    24492
    External-Active-Directory
    Machine   authentication against Active Directory has failed
    Machine   authentication against Active Directory has failed.
    Error
    Please check NTP is in sync or not  ISE

  • ISE 1.1 - 24492 Machine authentication against AD has failed

    We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
    Authentication Summary
    Logged At:
    March 11,2015 7:00:13.374 AM
    RADIUS Status:
    RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    RadiusPacketType=Drop
     AuthenticationResult=Error
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:00:13.374 AM
    Occurred At:
    March 11,2015 7:00:13.374 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    host/LENOVO-PC.tdsouth.com
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:
    TDS-PEAP-TLS
    Service Type:
    Framed
    Identity Store:
    AD1
    Authorization Profiles:
    Active Directory Domain:
    tdsouth.com
    Identity Group:
    Allowed Protocol Selection Matched Rule:
    TDS-WLAN-DOT1X-EAP-TLS
    Identity Policy Matched Rule:
    Default
    Selected Identity Stores:
    Authorization Policy Matched Rule:
    SGA Security Group:
    AAA Session ID:
    ISE-TDS/215430381/40
    Audit Session ID:
    c0a801e10000007f54ffe828
    Tunnel Details:
    Cisco-AVPairs:
    audit-session-id=c0a801e10000007f54ffe828
    Other Attributes:
    ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
    Posture Status:
    EPS Status:
     Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12811  Extracted TLS Certificate message containing client certificate
    12812  Extracted TLS ClientKeyExchange message
    12813  Extracted TLS CertificateVerify message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12509  EAP-TLS full handshake finished successfully
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    Evaluating Identity Policy
    15006  Matched Default Rule
    24433  Looking up machine/host in Active Directory - [email protected]
    24492  Machine authentication against Active Directory has failed
    22059  The advanced option that is configured for process failure is used
    22062  The 'Drop' advanced option is configured in case of a failed authentication request
    But the user can authenticated by EAP-TLS
    AAA Protocol > RADIUS Authentication Detail
    RADIUS Audit Session ID : 
    c0a801e10000007f54ffe828
    AAA session ID : 
    ISE-TDS/215430381/59
    Date : 
    March     11,2015
    Generated on March 11, 2015 2:48:43 PM ICT
    Actions
    Troubleshoot Authentication 
    View Diagnostic MessagesAudit Network Device Configuration 
    View Network Device Configuration 
    View Server Configuration Changes
    Authentication Summary
    Logged At:
    March 11,2015 7:27:32.475 AM
    RADIUS Status:
    Authentication succeeded
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    TDS-WLAN-PERMIT-ALL
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    [email protected]
     State=ReauthSession:c0a801e10000007f54ffe828
     Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
     Termination-Action=RADIUS-Request
     cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
     MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
     MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
     Airespace-Wlan-Id=1
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:27:32.475 AM
    Occurred At:
    March 11,2015 7:27:32.474 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    [email protected]
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:

    Hello,
    I am analyzing your question and seeing the ISE logs i can see that the machine credentials was LENOVO-PC. Do you have shure that these credentials has in your Active Directory to validate this machine ? The machine certificate has the correct machine credentials from the domain ? The group mapped in the ISE rule has the machine inside this group ?
    Differently from the user authentication that happens with success because the domain credentials can be validate from the Active Directory and get access to the network.

  • ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

    We are running ISE 1.3 tied to AD with WLC 7.6.130.0.  Our ISE has a GoDaddy (none wildcard) certificate loaded for https and EAP.  We are just running PEAP.  We have a mix of IOS, Android, and Windows 7/8 devices.  IOS and Android devices can self create a wireless profile and after entering credentials can connect without issue.  Our Windows 7/8 devices, when auto creating a wireless profile are selecting 802.1x machine authentication instead of User authentication or the best option which is machine or user authentication.  This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only.  This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity.  The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE1.2), or the best option which is to allow both types of authentication?  I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list.  Neither have helped.  I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
    Thank you for any help or ideas,

    When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile.  In that profile, 802.1x computer authentication option is chosen by windows.  That has to be changed to computer or user for the machine to function correctly on the network.
    On 1.2, this behavior was different.  The Windows device would auto select user authentication by default.  At other customer sites, windows devices auto select user authentication.  This of course needs  to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

  • Machine authentication using certificates

    Hi,
    I am facing this error while machine authenticates agaist AD for wireless users. My requirement is users with corporate laptop get privileged vlan and BYOD should get normal vlan.I am using Cisco ISE 1.1.1 and configured authentication policies to diffrenciate clients based on corp asset and BYOD. Authentication policy result is identity sequnce which uses certificate profile and AD. All corp laptops should be authenticated using certificates and then followed by AD user and pass. when I configure XP users to validate server certificate this error comes in ISE log "Authentication failed : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client" and if I disable validate sewrver certificate then this error "Authentication failed : 22049 Binary comparison of certificates failed".
    Any help??
    Thanks in advance.

    Hi [answers are inline]
    I  have tried using Cisco Anyconnect NAM on Wondows XP for machine and  user authentication but EAP-chaining feature is not working as expected.  I am facing few challenges. I have configured NAM to use eap-fast for  machine and user authentication and ISE is configured with required  authorisation rule and profiles/results. when machine boots up it sends  machine certificate and gets authenticated against AD and ISE matches  the authorisation rule and assigns authZ profile without waiting for  user credentials.
    This is expected for machine authentication, since the client hasnt logged in machine authentication will succeed so the computer has connectivity to the domain.
    Now when a user logs on using AD user/pass,  authentication fails as the VLAN assigned in AuthZ profile does not have  access to AD. ISE should actually check with their external database  but Its not.
    Do you see the authentication report in ISE? Keep in mind that you are authenticating with a client that has never logged into the workstation before. I am sure you are looking for the feature which starts the NAM process before the user logs in. Try checking this option here:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1074333
    Note the section below:
    –Before  User Logon—Connect to the network before the user logs on. The user  logon types that are supported include user account (Kerberos)  authentication, loading of user GPOs, and GPO-based logon script  execution.
    If you choose Before User Logon, you also get to set Time to Wait Before Allowing a User to Logon:
    Time to Wait Before Allowing User to Logon—Specifies the maximum (worst  case) number of seconds to wait for the Network Access Manager to make a  complete network connection. If a network connection cannot be  established within this time, the Windows logon process continues with  user log on. The default is 5 seconds.
    Note If the Network Access Manager is configured to manage wireless connections, set Time to wait before allowing user to logon to 30 seconds or more because of the additional time it may take to  establish a wireless connection. You must also account for the time  required to obtain an IP address via DHCP. If two or more network  profiles are configured, you may want to increase the value to cover two  or more connection attempts.
    You will have to enable this setting to allow the supplicant to connect to the network using the credentials you provide, the reason for this is you are trying to authenticate a user that has never logged into this workstation before. Please make changes to the configuration.xml file, and then select the repair option on the anyconnect client and test again.
    Interestingly, if I login with an AD user which is local to  the machine its gets authenticated and gets correct AuthZ  profile/access level. If I logoff and login with different user, Windows  adapter gets IP address and ISE shows successful authentication /authz  profile but NAM agent prompts limited connectivity. Any help??
    Please make the changes above and see if the error message goes away.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Machine Authentication

    Currently my clients (XP/SP2/latest MS hotfix) are logging onto the wireless network using WPA/TKIP/PEAP. They are configured for both machine authentication (needed to download correct profile from server) and user authentication. I notice that for each logon there are multiple machine authentications showing up in the ACS (anywhere from 3 - 15) This varies and is random. Anyone know why I am seeing this many machine authentications and if there is something I can do to eliminate them? My clients are not consistently logging onto the network and I am thinking this may have something to do with it. I do not see any errors on AP or ACS when clients fail.

    So you only ever see one machine authentication.
    Do you use the windows wireless client software for client configuration? I do.
    WPA
    TKIP
    PEAP
    Check authenticate as computer when info is available
    Have acs server and certificate authority entered
    Enable fast reconnect (client and server)
    Automatically use windows login information.
    I have the autologon setup so once the client boots up the information is passed to the wireless client to the radius server.
    How is the SSID configured on the AP?
    I have the TKIP cipher selected for encryption
    I have OPEN with EAP, NETWORK EAP selected
    I select KEY Exchange mandatory, CCKM and WPA.
    Any information on your particular setup would be appreciated.

  • Machine authentication on WPA2 PEAP-MSCHAPv2 wireless network

    Is there anyway to setup machine authentication on Leopard or Snow Leopard associating the device to a WPA2 Enterprise wireless network using PEAP with MSCHAPv2

    In Snow Leopard open Network preferences and select the Airport port then click on the Advanced button. Click on the 802.1X tab where you should find what you want.

  • Machine authentication is a little slow causing logon script to fail

    using:
    - Windows Zero with PEAP
    - Machine authentication only (AuthMode is set to 2 in the registry)
    - PCs are loginning it automatically, so it's a fast process
    It appears that machine authentication is a little slow. I can ping the PC's IP after the auto login happens. This cuses logon script to fail.
    If I hold shift to cancel auto-login, and wait for 10-20 seconds, the ping of the PC starts, and then if I login the logon script works.
    Does anyone know a solution to this issue? Maybe a way to introduce a delay for login window (msgina.dll) to appear, so that machine authentication has time to connect

    It's a common issue when authentication takes time.
    You can simply delay the logon scripts.
    This is an example of waiting for network to be up by pinging 10.10.10.10
    Only when network is up, then it will execute the script
    :CHECK
    @echo off
    echo Please wait....
    ping -n 1 -l 1 10.10.10.10
    if errorlevel 1 goto CHECK
    @echo on
    # Now the actual Logon script:
    net use L: \\fileserver\share
    Note: Modify the script in accordance with the network topology.
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • CSSC with machine authentication in Ms AD

    I need to set the CSSC able to run a machine authetication. My need is to be able to run scripts logon to AD.
    In NEtwork Connection Type i select the machine and user connection option, machine and user auth Method EAP-PEAP and machine identity default, machine credential "use machine credential".
    Event on IAS is:
    Event Type: Warning
    Event Source: IAS
    Event Category: None
    Event ID: 2
    Date: 3/19/2008
    Time: 11:49:37 AM
    User: N / A
    Computers: xxxx
    Description:
    User host / anonymous was denied access.
    Fully-Qualified-User-Name = MYDOMAIN \ host / anonymous
    NAS-IP-Address = x.x.x.x
    NAS-Identifier = WLC_AP
    Called-Station-Identifier =
    Calling-Station-Identifier =
    Client-Friendly-Name = wlc_ap
    Client-IP-Address = x.x.x.x
    NAS-Port-Type = 19
    NAS-Port = 1
    Policy-Name = <undetermined>
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 8
    Reason = The specified user does not exist.
    The CSSC put MYDOMAIN (correct) and \host / anonymous (not correct) WHY?
    How can I configure the CSSC part of the machine and user credentials credentials ?
    Thanks.
    Mirko Severi

    Hi,
    You will need o be more specific so we can help you.
    What exactly is happening/not working?
    Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.
    Is your PC doing machine authentication?
    HTH,
    Tiag
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Only machine authentication in ISE

    Hello,
    I would like to know is it possible to have only machine authentication (No user auth at all) in ISE infrastructure. If yes then what credential need to be provide at the time of 802.1X auth login or there is no need to provide any credential and workstation automatically passed authentication process.
    Thanks in advanced

    Hi,
    Yes but you will need to use your normal login credentials and set every supplicant to do computer authentication only. Keep in mind most windows supplicant only do machine authentications at certain times.
    Keep in mind you can do machine and user auth and build policies such that only users on authenticated machines are granted access.
    Sent from Cisco Technical Support iPad App

  • Machine authentication not working with peap mschapv2

    I have installed ACS ver 4.1.1 trial downloaded from cisco web sites. I have configure 802.1x machine authentication using self generated certificate with unknown user policy configure for windows database authentication. I can authenticate user via peap authentication. but i can never get the machine authentication working. on failed attempted.psv, i found EAP-TLS or PEAP authentication failed during SSL handshake. in the auth.log i found below message:
    TH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::CreateContext: new context id=3
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/paul2.test.com
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Service-Type=2
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Framed-MTU=1500
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Called-Station-Id=00-11-93-69-C5-9A
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=00-0E-7B-30-FA-08
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: EAP-Message=(binary value)
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Message-Authenticator=(binary value)
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port-Type=15
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port=50024
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-IP-Address=10.20.209.2
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-NAS-Vendor-14=1
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-Service-ID-0=0
    AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::SelectService: context id=3; no profile was matched - using default (0)
    AUTH 03/02/2008 07:01:13 I 5081 6184 Done RQ1152, client 2, status 0
    AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 7.
    AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1026, client 50 (127.0.0.1)
    AUTH 03/02/2008 07:01:13 I 0143 6448 [PDE]: PolicyMgr::Process: request type=5; context id=3; applied default profiles (0) - do nothing
    AUTH 03/02/2008 07:01:13 I 5394 6448 Attempting authentication for Unknown User 'host/paul2.test.com'
    AUTH 03/02/2008 07:01:13 I 1645 6448 pvAuthenticateUser: authenticate 'host/paul2.test.com' against CSDB
    AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1026, client 50, status -2046
    AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 8.
    AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
    AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
    AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2046
    AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 9.
    AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
    AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
    AUTH 03/02/2008 07:01:13 E 0381 6448 EAP: PEAP: ProcessResponse: invalid TLS data size received: 0
    AUTH 03/02/2008 07:01:13 I 0381 6448 EAP: PEAP: Second phase: 0 authentication FAILED
    AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2120
    AUTH 03/02/2008 07:01:13 I 5094 6184 Worker 0 processing message 36.
    If anyone can shed some light on this.
    Cheers,
    Andy

  • Machine authentication with Windows 7

    Version: ISE 1.2p12
    Hello,
    I'm doing user and machine authentication with ISE.
    I use a first authorization rule to authenticate the machine against the AD. If it's part computers of the domain.
    Then I use an authorization rule to check if the user's group in AD with the credential he used to open the session + "Network Access:WasMachineAuthenticated = True"
    Things seems to be working and I see my switch port is "Authz Success" but shortly after the Windows 7 machine is behaving like 802.1X authentication fails. The little computer on the bottom right has a cross on it.
    If I disable and enable again the network card of that windows machine it works.
    Does any one of you have an idea about this problem ? something to tweak on Windows 7 like timers...
    Thank you

    Hi Mika. My comments below:
    a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems since the MAC address could have been removed from the cache when the user un-hibernate its computer. Then why not increasing the MAR cache to a value of 7 days then ? Regarding the roaming between wire and wireless it's a problem indeed.
    NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first pos that you should look into. But yes, you can increase the MAR timer to a value that fits your environent
    b) You suggest to use one authorization rule for the device which should be part of the AD and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the was, are we really talking about authorization rules here ? I will try this but it's difficult for me to imagine how it would really work.
    NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
    z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
    NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
    https://tools.ietf.org/html/rfc7170
    Thank you for rating helpful posts!

  • Machine authentication over Client IPSEC tunnel

    I am in the process of converting our existing remote access from Microsoft Threat Management Gateway to Cisco ASA.  Our security folks just made me aware that in addition to the Radius authentication against AD credentials that they also want me to do machine authentication to make sure that the machine name of the system trying to get remote access has a machinea account in AD.
    I have been looking for a way to do this with the IPSEC client but havent found anything as yet.  Would appreciate any links that show me how to get this done.  Moving to Anyconnect isnt an option at this point due to budgetary issues.  I am using the latest Cisco VPN client in the 5.x train and have 8.2.5 code running on my 5520.
    What I may be looking at might be NAC (Network Admission Control ?).  Looking for all suggestions at this point.
    Thanks,
    Ron

    I've used enrolled user X.509 USER certificates with Cisco VPN Client 4.x / 5.x into an ASA. They were issued by a partner's root CA and the connection was allowed on the basis of that root CA being trusted by the remote ASA.
    But yes, what you are asking about is more of a NAC, or the successor Identity Services Engine (ISE) product type of feature. In the case of ISE, it can do what you ask but requires a good bit of investment to get that and many many other features.
    I strongly suspect that some additional investment will be necessary to get what your security team is requesting. At the very least AnyConnect Premium licenses and use of the Network Access Manager (NAM) feature. See this reference.

Maybe you are looking for