Machine authentication is a little slow causing logon script to fail
using:
- Windows Zero with PEAP
- Machine authentication only (AuthMode is set to 2 in the registry)
- PCs are logging in automatically, so it's a fast process
It appears that machine authentication is a little slow. I can ping the PC's IP after the auto login happens. This causes the logon script to fail.
If I hold Shift to cancel auto-login, and wait for 10-20 seconds, the ping of the PC starts, and then if I log in the logon script works.
Does anyone know a solution to this issue? Maybe a way to introduce a delay for the login window (msgina.dll) to appear, so that machine authentication has time to connect?
It's a common issue when authentication takes time.
You can simply delay the logon scripts.
This is an example of waiting for the network to be up by pinging 10.10.10.10.
Only when the network is up will it execute the script.
@echo off
:CHECK
echo Please wait....
REM A "Destination host unreachable" reply makes ping exit 0, so look for a real
REM echo reply (a line containing TTL=) instead of relying on the exit code alone.
ping -n 1 -l 1 10.10.10.10 | find "TTL=" >nul
if errorlevel 1 goto CHECK
@echo on
REM Now the actual logon script:
net use L: \\fileserver\share
Note: Modify the script in accordance with the network topology.
Nicolas
===
Don't forget to rate answers that you find useful
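A bounded, domain-aware version of the same wait-before-logon idea, written in PowerShell as an added example (it is not Nicolas's script or anything else from the thread). Instead of pinging an arbitrary address forever, it waits up to a timeout for a domain controller to accept a TCP connection on LDAP and then runs the logon work or gives up with a log entry; ICMP can be filtered while LDAP is open, and a "Destination host unreachable" reply makes ping exit 0 even though nothing is reachable. The DC name, port, timeout and share path are assumptions.

```powershell
# Added example, not from the original thread: wait (with a bounded timeout) for a
# domain controller to answer on its LDAP port after 802.1X machine authentication,
# then run the real logon script. The DC name, port, timeout and share are
# assumptions; replace them for your environment.
param(
    [string]$DomainController = "dc01.example.local",  # assumption
    [int]$Port = 389,                                   # LDAP; use 636 if only LDAPS is permitted
    [int]$TimeoutSeconds = 60,
    [int]$PollSeconds = 2
)

function Test-TcpPort {
    param([string]$TargetHost, [int]$TargetPort, [int]$ConnectTimeoutMs = 1000)
    # A completed TCP connect is a stronger "network is up" signal than ICMP: it
    # shows the port is authorized, DHCP has finished and the DC is answering.
    # A name-resolution failure or a refused/unanswered connect both return $false.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $TargetPort, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($ConnectTimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Wait-ForDomain {
    param([string]$TargetHost, [int]$TargetPort, [int]$TimeoutSeconds, [int]$PollSeconds)
    # Poll until the DC answers or the deadline passes; never loop forever.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (Test-TcpPort -TargetHost $TargetHost -TargetPort $TargetPort) { return $true }
        Write-Host "Please wait... ${TargetHost}:${TargetPort} not reachable yet"
        Start-Sleep -Seconds $PollSeconds
    }
    return $false
}

$ok = Wait-ForDomain -TargetHost $DomainController -TargetPort $Port `
                     -TimeoutSeconds $TimeoutSeconds -PollSeconds $PollSeconds
if (-not $ok) {
    # Give up instead of hanging the logon; the log line makes slow machine
    # authentications visible so the supplicant/RADIUS side can be investigated.
    $msg = "$(Get-Date -Format s) logon script skipped: ${DomainController}:${Port} unreachable after ${TimeoutSeconds}s"
    Add-Content -Path (Join-Path $env:TEMP "logon-wait.log") -Value $msg
    Write-Warning $msg
    exit 1
}

# The actual logon script work goes here (the same net use as in the thread).
net use L: \\fileserver\share /persistent:no
```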
Similar Messages
-
Machine authentication with Windows 7
Version: ISE 1.2p12
Hello,
I'm doing user and machine authentication with ISE.
I use a first authorization rule to authenticate the machine against the AD, if it's part of the computers of the domain.
Then I use an authorization rule to check the user's group in AD with the credentials he used to open the session + "Network Access:WasMachineAuthenticated = True".
Things seem to be working and I see my switch port is "Authz Success", but shortly after the Windows 7 machine behaves as if 802.1X authentication failed. The little computer icon on the bottom right has a cross on it.
If I disable and enable again the network card of that windows machine it works.
Does any one of you have an idea about this problem? Something to tweak on Windows 7 like timers...
Thank you
Hi Mika. My comments below:
a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems since the MAC address could have been removed from the cache when the user un-hibernates their computer. Then why not increase the MAR cache to a value of 7 days? Regarding the roaming between wired and wireless, it's a problem indeed.
NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first post that you should look into. But yes, you can increase the MAR timer to a value that fits your environment.
b) You suggest using one authorization rule for the device, which should be part of the AD, and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the way, are we really talking about authorization rules here? I will try this but it's difficult for me to imagine how it would really work.
NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
https://tools.ietf.org/html/rfc7170
Thank you for rating helpful posts! -
iMac a little slow on start up
my iMac is a little slow lately and that had never happened before.
I am running OS X Yosemite and I have 1.68 TB free of 2TB
I do not think it should be slow.
Slow when it has been sleeping and I come home and touch the pad and it takes a while for it to wake up.
It takes a while for it to let me enter my password.
Why could this be happening?
EtreCheck version: 2.1.5 (108)
Report generated January 9, 2015 at 8:26:53 PM EST -
Machine authentication using certificates
Hi,
I am facing this error while the machine authenticates against AD for wireless users. My requirement is that users with corporate laptops get a privileged VLAN and BYOD gets a normal VLAN. I am using Cisco ISE 1.1.1 and have configured authentication policies to differentiate clients based on corp asset and BYOD. The authentication policy result is an identity sequence which uses a certificate profile and AD. All corp laptops should be authenticated using certificates and then followed by AD user and pass. When I configure XP users to validate the server certificate this error comes in the ISE log: "Authentication failed : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client", and if I disable validate server certificate then this error: "Authentication failed : 22049 Binary comparison of certificates failed".
Any help??
Thanks in advance.
Hi [answers are inline]
I have tried using Cisco AnyConnect NAM on Windows XP for machine and user authentication but the EAP-chaining feature is not working as expected. I am facing a few challenges. I have configured NAM to use EAP-FAST for machine and user authentication and ISE is configured with the required authorisation rule and profiles/results. When the machine boots up it sends the machine certificate and gets authenticated against AD, and ISE matches the authorisation rule and assigns the authZ profile without waiting for user credentials.
This is expected for machine authentication; since the client hasn't logged in, machine authentication will succeed so the computer has connectivity to the domain.
Now when a user logs on using AD user/pass, authentication fails as the VLAN assigned in AuthZ profile does not have access to AD. ISE should actually check with their external database but Its not.
Do you see the authentication report in ISE? Keep in mind that you are authenticating with a client that has never logged into the workstation before. I am sure you are looking for the feature which starts the NAM process before the user logs in. Try checking this option here:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1074333
Note the section below:
–Before User Logon—Connect to the network before the user logs on. The user logon types that are supported include user account (Kerberos) authentication, loading of user GPOs, and GPO-based logon script execution.
If you choose Before User Logon, you also get to set Time to Wait Before Allowing a User to Logon:
Time to Wait Before Allowing User to Logon—Specifies the maximum (worst case) number of seconds to wait for the Network Access Manager to make a complete network connection. If a network connection cannot be established within this time, the Windows logon process continues with user log on. The default is 5 seconds.
Note If the Network Access Manager is configured to manage wireless connections, set Time to wait before allowing user to logon to 30 seconds or more because of the additional time it may take to establish a wireless connection. You must also account for the time required to obtain an IP address via DHCP. If two or more network profiles are configured, you may want to increase the value to cover two or more connection attempts.
You will have to enable this setting to allow the supplicant to connect to the network using the credentials you provide, the reason for this is you are trying to authenticate a user that has never logged into this workstation before. Please make changes to the configuration.xml file, and then select the repair option on the anyconnect client and test again.
Interestingly, if I log in with an AD user which is local to the machine it gets authenticated and gets the correct AuthZ profile/access level. If I log off and log in with a different user, the Windows adapter gets an IP address and ISE shows successful authentication/authz profile but the NAM agent prompts limited connectivity. Any help??
Please make the changes above and see if the error message goes away.
Thanks,
Tarik Admani
*Please rate helpful posts* -
Currently my clients (XP/SP2/latest MS hotfix) are logging onto the wireless network using WPA/TKIP/PEAP. They are configured for both machine authentication (needed to download correct profile from server) and user authentication. I notice that for each logon there are multiple machine authentications showing up in the ACS (anywhere from 3 - 15) This varies and is random. Anyone know why I am seeing this many machine authentications and if there is something I can do to eliminate them? My clients are not consistently logging onto the network and I am thinking this may have something to do with it. I do not see any errors on AP or ACS when clients fail.
So you only ever see one machine authentication.
Do you use the windows wireless client software for client configuration? I do.
WPA
TKIP
PEAP
Check authenticate as computer when info is available
Have acs server and certificate authority entered
Enable fast reconnect (client and server)
Automatically use windows login information.
I have the autologon setup so once the client boots up the information is passed to the wireless client to the radius server.
How is the SSID configured on the AP?
I have the TKIP cipher selected for encryption
I have OPEN with EAP, NETWORK EAP selected
I select KEY Exchange mandatory, CCKM and WPA.
Any information on your particular setup would be appreciated. -
CSSC with machine authentication in Ms AD
I need to set up the CSSC to be able to run a machine authentication. My need is to be able to run logon scripts to AD.
In Network Connection Type I select the machine and user connection option, machine and user auth method EAP-PEAP and machine identity default, machine credential "use machine credential".
Event on IAS is:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 3/19/2008
Time: 11:49:37 AM
User: N / A
Computers: xxxx
Description:
User host / anonymous was denied access.
Fully-Qualified-User-Name = MYDOMAIN \ host / anonymous
NAS-IP-Address = x.x.x.x
NAS-Identifier = WLC_AP
Called-Station-Identifier =
Calling-Station-Identifier =
Client-Friendly-Name = wlc_ap
Client-IP-Address = x.x.x.x
NAS-Port-Type = 19
NAS-Port = 1
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user does not exist.
The CSSC puts MYDOMAIN (correct) and \host / anonymous (not correct). WHY?
How can I configure the CSSC part of the machine and user credentials?
Thanks.
Mirko Severi
Hi,
You will need to be more specific so we can help you.
What exactly is happening/not working?
Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.
Is your PC doing machine authentication?
HTH,
Tiag
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
AD Machine Authentication with Cisco ISE problem
Hi Experts,
I am new to ISE. I have configured ISE & domain computers for PEAP authentication. Initially the machine gets authenticated and then it starts going to MAB.
Authentication policy:
Allowed protocol = PEAP & TLS
Authorization Policy:
Condition for computer to be checked in external identity store (AD) = Permit access
Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
All of the above policies do match and download the ACL from ISE, but the computer starts MAB authentication again...
Switchport configuration:
===============================================
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit ip any host (AD)
permit icmp any any
permit ip any host (ISE-1)
permit ip any host (ISE-2)
permit udp any host (CUCM-1) eq tftp
permit udp any host (CUCM-2)eq tftp
deny ip any any
===============================================
switchport config
===============================================
Switchport Access vlan 10
switchport mode access
switchport voice vlan 20
ip access-group ACL-DEFAULT in
authentication open
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 100
====================================================
One more problem about the "authentication open" and default ACL. Once the authentication succeeds and a per-user ACL is pushed through ISE to the switch, the default ACL still blocks communication on this switchport.
Your help will be highly appreciated.
Regards,
You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication, causing the switch to fail over to MAB. If your switch configuration is on auth failure continue to next method, then this makes sense. The question is why the user is failing auth but the machine is passing; it could be something in the policy. Make sure your AD setup has machine authentication checked or it may not tie the machine and user auth together, and the user may be failing because ISE can't make that relationship, so the machinewasauth=true is not being matched. An easy way to check is to remove that rule from your policy and see if the same thing happens.
I've also seen this happen when clients want to use EAP-TLS on the wired: the machine passes auth, then the user logs into a machine for the first time. The user auth kicks off before the user gets a cert and fails auth with a null certificate; since this is an auth failure the switchport kicks over to MAB.
I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco AnyConnect NAM with EAP-chaining. This is great because you can do two-part authentication. EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet. I also do my rule to say if machine pass and user fail, then workstation policy; if machine and user pass, then corp policy. -
Cisco ISE Machine failed machine authentication
Hi, last week we migrated to ISE 1.2 Patch 7 and since then we are having trouble with our corporate SSID.
We have a rule that says :
1) User is domain user.
2) Machine is authenticated.
But for some reason that I can't figure out some machine(I would say around 200/1000) can't seem to authenticate.
This is the message I found in the "steps"
24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory
I was wondering if I could force something on the controller or on ISE directly.
EDIT : In the operation > Authentication I can see that some host/MachineName are getting authenticated.
Would I be able to force this as a step in my other rule?
Hi shertica, and thank you for the explanation. I started working with ISE a month ago and am still getting familiarized, but I think the problem is the relationship between the machine and the user, because I can't find any Host/MachineName fail in the last 24 hours and I can't seem to have any log further back than that.
Failure Reason
15039 Rejected per authorization profile
Resolution
Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - IdentityStore_AD_liadom01
24430 Authenticating user against Active Directory
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
24432 Looking up user in Active Directory - LIADOM01\lidoex
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - AuthZBlock_DOT1X
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject
Edit : I found a couple of these :
Event
5400 Authentication failed
Failure Reason
24485 Machine authentication against Active Directory has failed because of wrong password
Resolution
Check if the machine is present in the Active Directory domain and if it is spelled correctly. Also check whether machine authentication is configured properly on the supplicant.
Root cause
Machine authentication against Active Directory has failed because of wrong password.
Username
host/MachineName
I also have an alarming number of : Misconfigured Supplicant Detected(3714) -
Mac & 802.1x Machine Authentication to Microsoft AD using PEAP
We are having trouble successfully connecting wirelessly our Active Directory-bound Macs to our internal 802.1x wireless network using EAP-PEAP with machine authentication. All of our Windows machines work fine. We have a network profile built out of JAMF, with some generic payloads configured, including Use Directory Authentication and the appropriate Verisign certificate attached to authenticate to the Cisco Radius Server onsite. We are able to connect to this wireless network when we also have the machine directly connected via Ethernet. Somehow this causes the Mac to pass the correct domainhost\machinename. When we aren't connected directly, the Mac attempts to authenticate with the incorrect domainhost in front of the correct \machinename. The logs from Console are attached below:
Apr 22 13:37:28 MACHINENAME eapolclient[****]: System Mode Using AD Account '(wrongdomain)\machinenameinAD$'
Apr 22 13:37:28 MACHINENAME eapolclient[****]: en0 PEAP: authentication failed with status 1
Apr 22 13:37:28 MACHINENAME eapolclient[****]: peap_request: ignoring non PEAP start frame
Apr 22 13:37:31 MACHINENAME eapolclient[****]: en0 STOP
Apr 22 13:37:52 MACHINENAME eapolclient[****]: opened log file '/var/log/eapolclient.en0.log'
Apr 22 13:37:52 MACHINENAME eapolclient[****]: System Mode Using AD Account '(correctdomain)\machinenameinAD$'
Apr 22 13:37:52 MACHINENAME eapolclient[****]: en0 START
Apr 22 13:37:53 MACHINENAME eapolclient[****]: eapmschapv2_success_request: successfully authenticated
The first, unsuccessful attempt above is when we are attempting to authenticate and connect wirelessly without a connection to Ethernet. The 2nd, successful attempt is when we are also connected to Ethernet, which passes the correct domain name, properly authenticating the domain\machinename. After reboot, we have to again plug in directly to Ethernet to reauthenticate to this wireless network. Any idea(s) why plugging into Ethernet would cause the Mac to send the correct domainhost? Thanks.
Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the NetBIOS name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
Glad you found resolution with a later version of the OS.
Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400 -
Machine authentication with MAR and ACS - revisited
I'm wondering if anyone else has overcome the issue I'm about to describe.
The scenario:
We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
The passed authentications log does successfully show the machines authenticating.
The challenge:
We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box, the current standard corporate image).
In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails. If a machine is shut down and boots fresh, or if the logged on user chooses to log off while on that WLAN, we see the Windows box send its machine authentication. As I understand it, a Windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
In our environment (and I'm sure many others), if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on, the machine may be authenticating, but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS RADIUS.
So the user may be logged on and working on the network, and then choose to undock, which activates the wireless.
The problem then: the machine does NOT attempt to authenticate as a machine and only processes the user credentials, which get passed on to ACS via the WLC, and when MAR is enabled with the No Access mapping for no machine auth, the user auth obviously fails.
Has anyone seen / overcome this?
Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).
Here's the only thing I could find on extending the schema (I'm not a schema expert):
http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both. However, your RADIUS (ACS) server should have a certificate that the clients trust. You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours. Get a cert/certs for your RADIUS server(s).
You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2; earlier versions may not work the same way). Your comment about what you're testing is confusing me. Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS). Your client will offer its machine account AD credentials to the ACS server in order to authenticate to the network. Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network. Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS). You should not need PEAP and EAP-TLS together. Both are used for the same purpose: 802.1X authentication for network access. PEAP only uses AD to validate machine credentials (or user credentials) because you configured your ACS server to use AD as a user database for validating 802.1X credentials. You could just as easily have used PEAP on the client side, but told ACS to use an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access. I wish I could explain this better... -
Eap-tls wireless machine authentication without AD
Hi all,
I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN (before logon)
I can make the user get a cert from my CA, login as local & connect to WLAN through EAP-TLS without any problem.
With admin account I can get windows to put user's cert into the machine store (Machine Account Personal Certificate Store),
but when it comes to a login attempt the RADIUS UserName looks like "host/username" instead of "username" as when a user authenticates.
My question is: do I need to configure an Identity Store (like AD) for machine authentication on ACS, or can I make use of the configuration as for users previously (on ACS for user authentication, the Identity Store is Certificate Authentication Profile --> Certificate CN value)?
Clients are WinXPSP3, and I'm using CiscoACS 5.2, MS Certificate Services CA, WLC 4402, LAP 1252
Note: in my case, each user will have their own laptop so it's best if the machine is authenticated under user's name.
Thanks for your help,
Assuming you're using the stock XP wifi client.
When running XPSP3, you need to set two things:
1) force one registry setting.
According to
http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
You need to force usage of machine cert-store certificate:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"AuthMode"=dword:00000002
2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
- show available wireless networks
- change advanced settings
- wireless networks tab
- select your SSID, and then hit the "properties" button
- select authentication tab, and then hit "properties" button
- search for your signing CA, and check the box.
I did it with a not-so-simple AutoIt script, using the "native wifi functions" addon.
Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
please cross reference to
https://supportforums.cisco.com/message/3280232
for a better description of the whole setup.
Ivan -
Machine authentication by certificate and windows domain checking
Hi,
We intend to deploy machine's certificate authentication for wifi users.
We want to check certificate validity of the machine, and also that the machine is included on the windows domain.
We intend to use EAP-TLS :
- One CA server.
- each machine (laptop) retrieves its own certificate from GPO or SMS
- the public certificate of the CA is pushed on the ACS as well as on each of the machine (laptop)
- ACS version is the appliance one
- one ACS remote agent installed on the A.D.
- when a user intends to log on the wifi network :
- the server (ACS appliance) sends its certificate to the client. This client checks the certificate thanks to the CA server certificate it already trusts; result: the client also trusts the ACS's certificate signed by the CA server.
- the client sends its certificate to the server (ACS appliance). This ACS checks the certificate thanks to the CA server certificate it already trusts; result: the ACS also trusts the client's certificate signed by the CA server, but the ACS also checks that this certificate isn't revoked (the ACS checks this thanks to the CA server CRL, certificate revocation list).
Am I right about these previous points ?
And then my question is : is it possible to check that the machine is also included in the windows domain ?
That is, is it possible for the ACS to retrieve the needed field (perhaps CN? certificate type "host/....") and then perform an authentication request to the A.D. (Active Directory) thanks to the ACS remote agent? We want to perform only machine authentication, not user authentication.
Thanks in advance for your attention.
Best Regards,
Arnaud
Hi Prem,
Thanks for these inputs.
I've set the log details to full, performed other tests and retrieved the package.cab.
I've started investigating the 2 log files you pointed.
First, we can see that the requests reach the ACS, so that's a good point.
Then, I'm not sure how to understand the messages.
In the auth.log, we can see the message "no profile match". I guess it is about network access profile. For my purpose (machine authentication by certificate), I don't think Network Access Profiles are mandatory to configure.
But I'm not sure this NAP problem is the root cause of my problem.
And when no NAP is matched, then the default action should accept.
We can see the correct name of the machine (host/...). We can see that he's trying to authenticate this machine "against CSDB". Then we have several lines with "status -2046" but I can't understand what the problem is.
I don't know what CSDB is.
I've configured external user database: for this, I've configured windows database with Remote Agent. The domain is retrieved and added in the domain list. And EAP-TLS machine authentication is enabled.
I copy below an extract of the auth.log.
I also attach parts of auth.log and RDS.log.
If you have any ideas or advice?
Thanks in advance for your attention.
Best Regards,
Arnaud
AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing
AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046 -
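As an added example (not part of the post above), a small parser for ACS 4.x auth.log lines in the format quoted there, which extracts the identity, whether it is a host/ machine identity, whether a Network Access Profile matched, which database ACS tried, and the final status. Treating a negative status as a failed lookup is an assumption.

```python
import re
from typing import Iterable, Optional

# One ACS 4.x auth.log line as quoted in the post:
# component, date, time, severity letter, 4-digit message code, thread id, free text
LINE_RE = re.compile(
    r"^(?P<comp>[A-Z]+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<sev>[A-Z]) (?P<code>\d{4}) (?P<thread>\d+) (?P<msg>.*)$"
)
USER_RE = re.compile(r"User-Name=(\S+)")
DB_RE = re.compile(r"authenticate '([^']+)' against (\w+)")
STATUS_RE = re.compile(r"status (-?\d+)")


def parse_line(line: str) -> Optional[dict]:
    """Split one auth.log line into its fields; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_attempt(lines: Iterable[str]) -> dict:
    """Pull out what a troubleshooter checks first for one authentication attempt."""
    s = {"user_name": None, "machine_auth": False, "profile_matched": True,
         "database": None, "status": None, "failed": False}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := USER_RE.search(msg):
            s["user_name"] = m.group(1)
            # Windows presents machine credentials as host/<fqdn>; a bare name is a user logon
            s["machine_auth"] = m.group(1).startswith("host/")
        if "no profile was matched" in msg:
            s["profile_matched"] = False        # no Network Access Profile matched
        if m := DB_RE.search(msg):
            s["database"] = m.group(2)          # database ACS tried for this identity
        if m := STATUS_RE.search(msg):
            s["status"] = int(m.group(1))
            # Assumption: a negative "Done ... status" value marks an unsuccessful lookup
            s["failed"] = s["status"] < 0
    return s


# Sample input: the auth.log extract quoted in the post above
SAMPLE_LOG = """\
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046
""".splitlines()
```

Running `summarize_attempt(SAMPLE_LOG)` on the quoted extract reports a host/ identity, no profile match, the CSDB lookup and status -2046.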
Anyconnect 802.1x - "switch user" is blocked in machine authentication
hi all,
I know this is not a bug its a feature
that anyconnect blocks user switching disallowing the computer to have them both logged in. It's desirable and understandable
however
I have an environment where I use only machine authentication and remote helpdesk needs to connect to these machines using some application then they "switch user" to do their tasks (its important not to logoff cause there are some transactions in the background ...)
Is there any chance that the new version of anyconnect will have this feature (maybe its already planned on the roadmap ? )
for machine authentication there should be a checkbox for profile administrator to "allow/disallow users to switch"
or maybe there is already some trick/configuration step that I missed and it can be done?
regards
Przemek -
PEAP & ACS & machine authentication
OK, here's the issue :
Customer site - 1130 series LWAPP AP's, WLC 4400 series with 4.2 release, WCS with 4.2 release.
ACS SE 4.0 and a second ACS SE with 4.1
Windows XP clients using WZC, all settings for connecting to WLAN are set, and everything works fine as long as the user has logged onto the lappie previously using a wired connection.
Machine authentication not working. i.e. a user can't logon until they've previously logged on.
Nothing shows on ACS failed or passed attempts. All settings for PEAP machine authentication are setup as per Cisco docs on the ACS. Client end ok.
Tried a GPO to push MS 802.1x settings for EAPOL and Supplicant info to machines, but still no machine logon.
ACS using a self signed cert, option to validate server cert on XP wzc unchecked.
Can't see wood for trees now, bits of kit will start to leave the building via the window before much longer....
Please tell me we don't need to install certs on clients - through PEAP was server side only ? Surely ?
Help, someone, help...
This does work with Microsoft's EAP Supplicant as I have tested it in the lab and deployed it on a customer site. It was a while ago though....
I referred to this document on MS's site:
http://www.microsoft.com/technet/network/wifi/ed80211.mspx
Plus probably the same document you were using from CCO.
I also installed the two Microsoft Wireless updates for XP SP2 computers, however I am not 100% sure these were essential. The default supplicant behaviour worked OK as the APs send EAP frames to the associated wireless clients which kick-starts the supplicant on the PC. I think the Wireless Profile needed to be on the PC (SSID & its settings), however this can be pushed via GPO but if the machine has never been on the network (wired/wireless) you can get in a chicken-and-egg situation.
You don't need to use the Cisco supplicant.
HTH
Andy -
Need help troubleshooting Machine Authentication...
Greetings-
I am having an issue with getting machine authentication to work.
I have:
Windows Server 2003 with AD, certificate services, and IAS installed.
Windows XP client - SP2 with WPA MS fixes. Installed machine cert from CA.
4400 controller with 4.1x code. RADIUS is configured correctly.
When I use PEAP, the client associates.
When I select "use machine account..." option I don't see anything happen on the client or server that would indicate that machine authentication was attempting.
Any ideas where to start? Could this be an issue with certificates on the client?
Thanks!
Thanks, I had seen that doc...
I was using machine certs to authenticate. My problem turned out to be the fact that it is required that one adds two registry entries to make the computer authenticate as required. Below are the dword entries. They change the behavior of the supplicant. One tells the system to do Machine auth. Without it (on XP sp2), the client will never try to authenticate prior to user logon. The other controls the authentication behavior upon user logon. By default, the client wants to do PEAP once a user logs on.
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode