Machine authentication is a little slow causing logon script to fail

Similar Messages

• Machine authentication with Windows 7

  Version: ISE 1.2p12
  Hello,
  I'm doing user and machine authentication with ISE.
  I use a first authorization rule to authenticate the machine against the AD. If it's part computers of the domain.
  Then I use an authorization rule to check if the user's group in AD with the credential he used to open the session + "Network Access:WasMachineAuthenticated = True"
  Things seems to be working and I see my switch port is "Authz Success" but shortly after the Windows 7 machine is behaving like 802.1X authentication fails. The little computer on the bottom right has a cross on it.
  If I disable and enable again the network card of that windows machine it works.
  Does any one of you have an idea about this problem ? something to tweak on Windows 7 like timers...
  Thank you

  Hi Mika. My comments below:
  a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems since the MAC address could have been removed from the cache when the user un-hibernate its computer. Then why not increasing the MAR cache to a value of 7 days then ? Regarding the roaming between wire and wireless it's a problem indeed.
  NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first pos that you should look into. But yes, you can increase the MAR timer to a value that fits your environent
  b) You suggest to use one authorization rule for the device which should be part of the AD and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the was, are we really talking about authorization rules here ? I will try this but it's difficult for me to imagine how it would really work.
  NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
  z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
  NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
  https://tools.ietf.org/html/rfc7170
  Thank you for rating helpful posts!

• IMac a little slow on start up

  my iMac is a little slow lately and that had never happened before.
  I am running OS X Yosemite  and I have 1.68 TB free of 2TB
  I do not think it should be slow.
  Slow when it has been sleeping and I come home and touch the pad and it takes a while for it to wake up.
  It takes a while for it to let me enter my password.
  Why could this be happening?

  EtreCheck version: 2.1.5 (108)
  Report generated January 9, 2015 at 8:26:53 PM EST
  Click the [Support] links for help with non-Apple products.
  Click the [Details] links for more information about that line.
  Click the [Adware] links for help removing adware.
  Hardware Information: ℹ️
    iMac (21.5-inch, Mid 2011) (Verified)
    iMac - model: iMac12,1
    1 2.8 GHz Intel Core i7 CPU: 4-core
    8 GB RAM Upgradeable
    BANK 0/DIMM0
    4 GB DDR3 1333 MHz ok
    BANK 1/DIMM0
    4 GB DDR3 1333 MHz ok
    BANK 0/DIMM1
    empty empty empty empty
    BANK 1/DIMM1
    empty empty empty empty
    Bluetooth: Old - Handoff/Airdrop2 not supported
    Wireless:  en1: 802.11 a/b/g/n
  Video Information: ℹ️
    AMD Radeon HD 6770M - VRAM: 512 MB
    iMac 1920 x 1080
  System Software: ℹ️
    OS X 10.10.1 (14B25) - Uptime: 38 days 2:28:52
  Disk Information: ℹ️
    Hitachi HDS723020BLA642 disk0 : (2 TB)
    EFI (disk0s1) <not mounted> : 210 MB
    Macintosh HD (disk0s2) / : 2.00 TB (1.68 TB free)
    Recovery HD (disk0s3) <not mounted>  [Recovery]: 650 MB
    HL-DT-STDVDRW  GA32N 
  USB Information: ℹ️
    HP Deskjet 3050A J611 series
    Apple Internal Memory Card Reader
    Apple Computer, Inc. IR Receiver
    Apple Inc. FaceTime HD Camera (Built-in)
    Apple Inc. BRCM2046 Hub
    Apple Inc. Bluetooth USB Host Controller
  Thunderbolt Information: ℹ️
    Apple Inc. thunderbolt_bus
  Gatekeeper: ℹ️
    Mac App Store and identified developers
  Problem System Launch Agents: ℹ️
    [killed] com.apple.CallHistoryPluginHelper.plist
    [killed] com.apple.cmfsyncagent.plist
    [killed] com.apple.spindump_agent.plist
    3 processes killed due to memory pressure
  Problem System Launch Daemons: ℹ️
    [killed] com.apple.ctkd.plist
    [killed] com.apple.emond.aslmanager.plist
    [killed] com.apple.nehelper.plist
    [killed] com.apple.periodic-weekly.plist
    [killed] com.apple.tccd.system.plist
    [killed] com.apple.wdhelper.plist
    6 processes killed due to memory pressure
  Launch Agents: ℹ️
    [invalid?] com.teamviewer.teamviewer.plist [Support]
    [invalid?] com.teamviewer.teamviewer_desktop.plist [Support]
  Launch Daemons: ℹ️
    [loaded] com.adobe.fpsaud.plist [Support]
    [loaded] com.microsoft.office.licensing.helper.plist [Support]
    [invalid?] com.teamviewer.teamviewer_service.plist [Support]
  User Launch Agents: ℹ️
    [loaded] com.adobe.ARM.[...].plist [Support]
  User Login Items: ℹ️
    iTunesHelper ApplicationHidden (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)
    Adobe Reader Application (/Applications/Adobe Reader.app)
    AdobeResourceSynchronizer ApplicationHidden (/Applications/Adobe Reader.app/Contents/Support/AdobeResourceSynchronizer.app)
    Mail Application (/Applications/Mail.app)
    Install Adobe Flash Player Application (/Volumes/Adobe Flash Player Installer/Install Adobe Flash Player.app)
  Internet Plug-ins: ℹ️
    FlashPlayer-10.6: Version: 15.0.0.246 - SDK 10.6 [Support]
    QuickTime Plugin: Version: 7.7.3
    AdobePDFViewerNPAPI: Version: 11.0.10 - SDK 10.6 [Support]
    AdobePDFViewer: Version: 11.0.10 - SDK 10.6 [Support]
    Flash Player: Version: 15.0.0.246 - SDK 10.6 Mismatch! Adobe recommends 16.0.0.235
    Default Browser: Version: 600 - SDK 10.10
    SharePointBrowserPlugin: Version: 14.0.0 [Support]
    Silverlight: Version: 5.1.10411.0 - SDK 10.6 [Support]
  3rd Party Preference Panes: ℹ️
    Flash Player  [Support]
  Time Machine: ℹ️
    Skip System Files: NO
    Auto backup: YES
    Volumes being backed up:
    Macintosh HD: Disk size: 2.00 TB Disk used: 323.94 GB
    Destinations:
    My Passport for Mac [Local]
    Total size: 2.00 TB
    Total number of backups: 7
    Oldest backup: 2014-08-19 00:26:04 +0000
    Last backup: 2015-01-09 23:29:57 +0000
    Size of backup disk: Adequate
    Backup size 2.00 TB > (Disk used 323.94 GB X 3)
  Top Processes by CPU: ℹ️
        16% mds
        4% WindowServer
        0% fontd
        0% Microsoft Word
        0% AppleSpell
  Top Processes by Memory: ℹ️
    180 MB com.apple.WebKit.WebContent
    163 MB softwareupdated
    155 MB mds_stores
    137 MB Image Capture Extension
    94 MB AdobeReader
  Virtual Memory Information: ℹ️
    3.17 GB Free RAM
    2.74 GB Active RAM
    961 MB Inactive RAM
    1.15 GB Wired RAM
    60.87 GB Page-ins
    663 MB Page-outs
  Diagnostics Information: ℹ️
    Jan 9, 2015, 05:25:37 PM /Library/Logs/DiagnosticReports/iTunes_2015-01-09-172537_[redacted].cpu_resourc e.diag [Details]
    Jan 8, 2015, 05:21:12 PM /Library/Logs/DiagnosticReports/???_2015-01-08-172112_[redacted].cpu_resource.d iag [Details]

• Machine authentication using certificates

  Hi,
  I am facing this error while machine authenticates agaist AD for wireless users. My requirement is users with corporate laptop get privileged vlan and BYOD should get normal vlan.I am using Cisco ISE 1.1.1 and configured authentication policies to diffrenciate clients based on corp asset and BYOD. Authentication policy result is identity sequnce which uses certificate profile and AD. All corp laptops should be authenticated using certificates and then followed by AD user and pass. when I configure XP users to validate server certificate this error comes in ISE log "Authentication failed : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client" and if I disable validate sewrver certificate then this error "Authentication failed : 22049 Binary comparison of certificates failed".
  Any help??
  Thanks in advance.

  Hi [answers are inline]
  I  have tried using Cisco Anyconnect NAM on Wondows XP for machine and  user authentication but EAP-chaining feature is not working as expected.  I am facing few challenges. I have configured NAM to use eap-fast for  machine and user authentication and ISE is configured with required  authorisation rule and profiles/results. when machine boots up it sends  machine certificate and gets authenticated against AD and ISE matches  the authorisation rule and assigns authZ profile without waiting for  user credentials.
  This is expected for machine authentication, since the client hasnt logged in machine authentication will succeed so the computer has connectivity to the domain.
  Now when a user logs on using AD user/pass,  authentication fails as the VLAN assigned in AuthZ profile does not have  access to AD. ISE should actually check with their external database  but Its not.
  Do you see the authentication report in ISE? Keep in mind that you are authenticating with a client that has never logged into the workstation before. I am sure you are looking for the feature which starts the NAM process before the user logs in. Try checking this option here:
  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1074333
  Note the section below:
  –Before  User Logon—Connect to the network before the user logs on. The user  logon types that are supported include user account (Kerberos)  authentication, loading of user GPOs, and GPO-based logon script  execution.
  If you choose Before User Logon, you also get to set Time to Wait Before Allowing a User to Logon:
  Time to Wait Before Allowing User to Logon—Specifies the maximum (worst  case) number of seconds to wait for the Network Access Manager to make a  complete network connection. If a network connection cannot be  established within this time, the Windows logon process continues with  user log on. The default is 5 seconds.
  Note If the Network Access Manager is configured to manage wireless connections, set Time to wait before allowing user to logon to 30 seconds or more because of the additional time it may take to  establish a wireless connection. You must also account for the time  required to obtain an IP address via DHCP. If two or more network  profiles are configured, you may want to increase the value to cover two  or more connection attempts.
  You will have to enable this setting to allow the supplicant to connect to the network using the credentials you provide, the reason for this is you are trying to authenticate a user that has never logged into this workstation before. Please make changes to the configuration.xml file, and then select the repair option on the anyconnect client and test again.
  Interestingly, if I login with an AD user which is local to  the machine its gets authenticated and gets correct AuthZ  profile/access level. If I logoff and login with different user, Windows  adapter gets IP address and ISE shows successful authentication /authz  profile but NAM agent prompts limited connectivity. Any help??
  Please make the changes above and see if the error message goes away.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Machine Authentication

  Currently my clients (XP/SP2/latest MS hotfix) are logging onto the wireless network using WPA/TKIP/PEAP. They are configured for both machine authentication (needed to download correct profile from server) and user authentication. I notice that for each logon there are multiple machine authentications showing up in the ACS (anywhere from 3 - 15) This varies and is random. Anyone know why I am seeing this many machine authentications and if there is something I can do to eliminate them? My clients are not consistently logging onto the network and I am thinking this may have something to do with it. I do not see any errors on AP or ACS when clients fail.

  So you only ever see one machine authentication.
  Do you use the windows wireless client software for client configuration? I do.
  WPA
  TKIP
  PEAP
  Check authenticate as computer when info is available
  Have acs server and certificate authority entered
  Enable fast reconnect (client and server)
  Automatically use windows login information.
  I have the autologon setup so once the client boots up the information is passed to the wireless client to the radius server.
  How is the SSID configured on the AP?
  I have the TKIP cipher selected for encryption
  I have OPEN with EAP, NETWORK EAP selected
  I select KEY Exchange mandatory, CCKM and WPA.
  Any information on your particular setup would be appreciated.

• CSSC with machine authentication in Ms AD

  I need to set the CSSC able to run a machine authetication. My need is to be able to run scripts logon to AD.
  In NEtwork Connection Type i select the machine and user connection option, machine and user auth Method EAP-PEAP and machine identity default, machine credential "use machine credential".
  Event on IAS is:
  Event Type: Warning
  Event Source: IAS
  Event Category: None
  Event ID: 2
  Date: 3/19/2008
  Time: 11:49:37 AM
  User: N / A
  Computers: xxxx
  Description:
  User host / anonymous was denied access.
  Fully-Qualified-User-Name = MYDOMAIN \ host / anonymous
  NAS-IP-Address = x.x.x.x
  NAS-Identifier = WLC_AP
  Called-Station-Identifier =
  Calling-Station-Identifier =
  Client-Friendly-Name = wlc_ap
  Client-IP-Address = x.x.x.x
  NAS-Port-Type = 19
  NAS-Port = 1
  Policy-Name = <undetermined>
  Authentication-Type = EAP
  EAP-Type = <undetermined>
  Reason-Code = 8
  Reason = The specified user does not exist.
  The CSSC put MYDOMAIN (correct) and \host / anonymous (not correct) WHY?
  How can I configure the CSSC part of the machine and user credentials credentials ?
  Thanks.
  Mirko Severi

  Hi,
  You will need o be more specific so we can help you.
  What exactly is happening/not working?
  Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.
  Is your PC doing machine authentication?
  HTH,
  Tiag
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• AD Machine Authentication with Cisco ISE problem

  Hi Experts,
  I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
  Authentication policy:
  Allowed protocol = PEAP & TLS
  Authorization Policy:
  Condition for computer to be checked in external identity store (AD) = Permit access
  Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
  All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
  Switchport configuration:
  ===============================================
  ip access-list extended ACL-DEFAULT
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  permit ip any host (AD)
  permit icmp any any
  permit ip any host (ISE-1)
  permit ip any host  (ISE-2)
  permit udp any host (CUCM-1) eq tftp
  permit udp any host (CUCM-2)eq tftp
  deny ip any any
  ===============================================
  switchport config
  ===============================================
  Switchport Access vlan 10
  switchport mode access
  switchport voice vlan 20
  ip access-group ACL-DEFAULT in
  authentication open
  authentication event fail action next-method
  authentication event server dead action authorize vlan 1
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication timer inactivity 180
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 100
  ====================================================
  One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
  Your help will highly appreciated.
  Regards,

  You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab.  If your switch configuration is on auth failure continue to next method, then this makes sense.  The question is why is the user failing auth but the machine is passing, could be something in the policy.  Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched.  Easy way to check is remove that rule from your policy and see if the same thing happens.
  I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time.  The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
  I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining.  This is great because you can do two part authentication.  EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet.  I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy.

• Cisco ISE Machine failed machine authentication

  Hi, last week we migrated to ISE 1.2 Patch 7 and since then we are having trouble with our corporate SSID.
  We have a rule that says :
  1) User is domain user.
  2) Machine is authenticated.
  But for some reason that I can't figure out some machine(I would say around 200/1000) can't seem to authenticate.
  This is the message I found in the "steps"
  24423     ISE has not been able to confirm previous successful machine authentication for user in Active Directory
  I was wondering if I could force something on the controller or on ISE directly.
  EDIT : In the operation > Authentication I can see that some host/MachineName are getting authenticated.
  Would I be able to force this as a step in my other rule.

  Hi shertica, and thank you for the explanation. I started working with ISE a month ago and still getting familiarized but I think the problem is the relationship between the Machine and the user because I can't find any Host/MachineName fail in the last 24 hour and I can't seem to have any log further than that.
  Failure Reason
  15039 Rejected per authorization profile
  Resolution
  Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
  Steps
  11001
  Received RADIUS Access-Request
  11017
  RADIUS created a new session
  15049
  Evaluating Policy Group
  15008
  Evaluating Service Selection Policy
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15004
  Matched rule
  11507
  Extracted EAP-Response/Identity
  12300
  Prepared EAP-Request proposing PEAP with challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12302
  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318
  Successfully negotiated PEAP version 0
  12800
  Extracted first TLS record; TLS handshake started
  12805
  Extracted TLS ClientHello message
  12806
  Prepared TLS ServerHello message
  12807
  Prepared TLS Certificate message
  12810
  Prepared TLS ServerDone message
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12318
  Successfully negotiated PEAP version 0
  12812
  Extracted TLS ClientKeyExchange message
  12804
  Extracted TLS Finished message
  12801
  Prepared TLS ChangeCipherSpec message
  12802
  Prepared TLS Finished message
  12816
  TLS handshake succeeded
  12310
  PEAP full handshake finished successfully
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12313
  PEAP inner method started
  11521
  Prepared EAP-Request/Identity for inner EAP method
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  11522
  Extracted EAP-Response/Identity for inner EAP method
  11806
  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  11808
  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  15041
  Evaluating Identity Policy
  15006
  Matched Default Rule
  15013
  Selected Identity Source - IdentityStore_AD_liadom01
  24430
  Authenticating user against Active Directory
  24402
  User authentication against Active Directory succeeded
  22037
  Authentication Passed
  11824
  EAP-MSCHAP authentication attempt passed
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  11810
  Extracted EAP-Response for inner method containing MSCHAP challenge-response
  11814
  Inner EAP-MSCHAP authentication succeeded
  11519
  Prepared EAP-Success for inner EAP method
  12314
  PEAP inner method finished successfully
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  24423
  ISE has not been able to confirm previous successful machine authentication for user in Active Directory
  15036
  Evaluating Authorization Policy
  24432
  Looking up user in Active Directory - LIADOM01\lidoex
  24416
  User's Groups retrieval from Active Directory succeeded
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15004
  Matched rule - AuthZBlock_DOT1X
  15016
  Selected Authorization Profile - DenyAccess
  15039
  Rejected per authorization profile
  12306
  PEAP authentication succeeded
  11503
  Prepared EAP-Success
  11003
  Returned RADIUS Access-Reject
  Edit : I found a couple of these :
  Event
  5400 Authentication failed
  Failure Reason
  24485 Machine authentication against Active Directory has failed because of wrong password
  Resolution
  Check if the machine is present in the Active Directory domain and if it is spelled correctly. Also check whether machine authentication is configured properly on the supplicant.
  Root cause
  Machine authentication against Active Directory has failed because of wrong password.
  Username
  host/MachineName
  I also have an alarming number of : Misconfigured Supplicant Detected(3714)

• Mac & 802.1x Machine Authentication to Microsoft AD using PEAP

  We are having trouble successfully connecting wirelessly our Active Directory-bound Macs to our internal 802.1x wireless network using EAP-PEAP with machine authentication. All of our Windows machines work fine. We have a network profile built out of JAMF, with some generic payloads configured, including Use Directory Authentication and the appropriate Verisign certificate attached to authenticate to the Cisco Radius Server onsite. We are able to connect to this wireless network when we also have the machine directly connected via Ethernet. Somehow this causes the Mac to pass the correct domainhost\machinename. When we aren't connected directly, the Mac attempts to authenticate with the incorrect domainhost in front of the correct \machinename. The logs from Console are attached below:
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: System Mode Using AD Account '(wrongdomain)\machinenameinAD$'
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: en0 PEAP: authentication failed with status 1
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: peap_request: ignoring non PEAP start frame
  Apr 22 13:37:31 MACHINENAME eapolclient[****]: en0 STOP
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: opened log file '/var/log/eapolclient.en0.log'
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: System Mode Using AD Account '(correctdomain)\machinenameinAD$'
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: en0 START
  Apr 22 13:37:53 MACHINENAME eapolclient[****]: eapmschapv2_success_request: successfully authenticated
  The first, unsuccessful attempt above is when we are attempting to authenticate and connect wirelessly without a connection to ethernet. The 2nd, successful attempt is when are also connected to Ethernet, which passes the correct domain name, properly authenticating the domain\machinename. After reboot, we have to again plug in directly to Ethernet to reauthenticate to this wirelss network. Any idea(s) why plugging into Ethernet would cause the Mac to send the correct domainhost? Thanks.

  Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
  Glad you found resolution with a later version of the OS.
  Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400

• Machine authentication with MAR and ACS - revisited

  I'm wondering if anyone else has overcame the issue I'm about to describe.
  The scenario:
  We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
  We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
  The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
  The passed authentications log does successfully show the machines authenticating.
  The challege:
  We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the currents standard corporate image).
  In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication.  As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
  In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine maybe authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
  So the user maybe logged on and working on the network - and then choose to undock which activates the wireless.
  The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS vial the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
  Has anyone seen / over come this ?
  Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

  Here's the only thing I could find on extending the schema (I'm not a schema expert):
  http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
  If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
  You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2.  Earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer it's machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just have easily used PEAP on the client side, but told ACS to an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...

• Eap-tls wireless machine authentication without AD

  Hi all,
  I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN (before logon)
  I can make the user get a cert from my CA, login as local & connect to WLAN through EAP-TLS without any problem.
  With admin account I can get windows to put user's cert into the machine store (Machine Account Personal Certificate Store),
  but when it comes to a login attempt the RADIUS UserName lookS like "host/username" instead of "username" as user authenticate.
  My question is that do I need to configure an Identity Store (like AD) for machine authentication on ACS or I can make use of the configuration as for user previously (on ACS for user authentication, the Identity Store is Certificate Authentication Profile --> Certificate CN value)
  Clients are WinXPSP3, and I'm using CiscoACS 5.2, MS Certificate Services CA, WLC 4402, LAP 1252
  Note: in my case, each user will have their own laptop so it's best if the machine is authenticated under user's name.
  Thanks for your help,

  Assuming you're using the stock XP wifi client.
  When running XPSP3, you need to set two things:
  1) force one registry setting.
  According to
  http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
  You need to force usage of machine cert-store certificate:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
  "AuthMode"=dword:00000002
  2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
  - show available wireless networks
  - change advanced settings
  - wireless networks tab
  - select your SSID, and then hit the "properties" button
  - select authentication tab, and then hit "properties" button
  - search for your signing CA, and check the box.
  I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
  Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
  please cross reference to
  https://supportforums.cisco.com/message/3280232
  for a better description of the whole setup.
  Ivan

• Machine authentication by certificate and windows domain checking

  Hi,
  We intend to deploy machine?s certificate authentication for wifi users.
  We want to check certificate validity of the machine, and also that the machine is included on the windows domain.
  We intend to use EAP-TLS :
  - One CA server.
  - each machine (laptop) retrieves its own certificate from GPO or SMS
  - the public certificate of the CA is pushed on the ACS as well as on each of the machine (laptop)
  - ACS version is the appliance one
  - one ACS remote agent installed on the A.D.
  - when a user intends to log on the wifi network :
  - the server (ACS appliance) sends its certificate to the client. This client checks the certificate thanks to the CA server certificate he already trusts, results : the client also trusts the ACS?s certificate signed by the CA server .
  - the client sends its certificate to the server (ACS appliance). This ACS checks the certificate thanks to the CA server certificate he already trusts, results : the ACS also trusts the client?s certificate signed by the CA server but the ACS also checks that this certificate isn?t revocated (the ACS checks this thanks to the CA server CRL ? certificate revocation list).
  Am I right about these previous points ?
  And then my question is : is it possible to check that the machine is also included in the windows domain ?
  That is, is it possible for the ACS to retrieve the needed field (perhaps CN ?? certificate type "host/....") and then perform an authentication request to the A.D. (active directory) thanks to the ACS remote agent ? We want to perform only machine authentication, not user authentication.
  Thanks in advance for your attention.
  Best Regards,
  Arnaud

  Hi Prem,
  Thanks for these inputs.
  I've passed the logs details to full, performed other tests and retrieved the package.cab.
  I've started investigating the 2 log files you pointed.
  First, we can see that the requests reach the ACS, so that's a good point.
  Then, I'm not sure how to understand the messages.
  In the auth.log, we can see the message "no profile match". I guess it is about network access profile. For my purpose (machine authentication by certificate), I don't think Network Access Profiles to be mandatory to be configured.
  But I'm not sure this NAP problem to be the root cause of my problem.
  And when no NAP is matched, then the default action should accept.
  We can see the correct name of the machine (host/...). We can see that he's trying to authenticate this machine "against CSDB". Then we have several lines with "status -2046" but I can't understand what the problem is.
  I don't know what CSDB is.
  I've configured external user database: for this, I've configured windows database with Remote Agent. The domain is retrieved and added in the domain list. And EAP-TLS machine authentication is enabled.
  I copy below an extract of the auth.log.
  I also attach parts of auth.log and RDS.log.
  If you have any ideas or advices ?
  Thanks in advance for your attention.
  Best Regards,
  Arnaud
  AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
  AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
  AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing
  AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
  AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
  AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046

• Anyconnect 802.1x - "switch user" is blocked in machine authentication

  hi all,
  I know this is not a bug its a feature
  that anyconnect blocks user switching disallowing the computer to have them both logged in. Its desirable and understandable
  however
  I have an environment where I use only machine authentication and remote helpdesk needs to connect to these machines using some application then they "switch user" to do their tasks (its important not to logoff cause there are some transactions in the background ...)
  Is there any chance that the new version of anyconnect will have this feature (maybe its already planned on the roadmap ? )
  for machine authentication there should be a checkbox for profile administrator to "allow/disallow users to switch"
  or maybe there is already some trick/configuration step that I missed and it can be done?
  regards
  Przemek

  hi all,
  I know this is not a bug its a feature
  that anyconnect blocks user switching disallowing the computer to have them both logged in. Its desirable and understandable
  however
  I have an environment where I use only machine authentication and remote helpdesk needs to connect to these machines using some application then they "switch user" to do their tasks (its important not to logoff cause there are some transactions in the background ...)
  Is there any chance that the new version of anyconnect will have this feature (maybe its already planned on the roadmap ? )
  for machine authentication there should be a checkbox for profile administrator to "allow/disallow users to switch"
  or maybe there is already some trick/configuration step that I missed and it can be done?
  regards
  Przemek

• PEAP & ACS & machine authentication

  OK, here's the issue :
  Customer site - 1130 series LWAPP AP's, WLC 4400 series with 4.2 release, WCS with 4.2 release.
  ACS SE 4.0 and a second ACS SE with 4.1
  Windows XP clients using WZC, all settings for connecting to WLAN are set, and everything works fine as long as the user has logged onto the lappie previously using a wired connection.
  Machine authentication not working. i.e. a user can't logon until they've previously logged on.
  Nothing shows on ACS failed or passed attempts. All settings for PEAP machine authentication are setup as per Cisco docs on the ACS. Client end ok.
  Tried a GPO to push MS 802.1x settings for EAPOL and Supplicant info to machines, but still no machine logon.
  ACS using a self signed cert, option to validate server cert on XP wzc unchecked.
  Can't see wood for trees now, bits of kit will start to leave the building via the window before much longer....
  Please tell me we don't need to install certs on clients - through PEAP was server side only ? Surely ?
  Help, someone, help...

  This does work with Microsoft's EAP Supplicant as I have tested it in the lab and deployed it on a customer site. It was a while ago though....
  I referred to this document on MS's site:
  http://www.microsoft.com/technet/network/wifi/ed80211.mspx
  Plus probably the same document you were using from CCO.
  I also installed the two Microsoft Wireless updates for XP SP2 computers, however I am not 100% these were essential. The default supplicant behaviour worked OK as the AP's send EAP frames to the associated wireless clients which kick-starts the supplicant on the PC. I think the Wireless Profile needed to be on PC (SSID & its settings), however this can be pushed via GPO but if the machine has never been on the network (wired/wireless) you can get in a chicken-and-egg situation.
  You don't need to use the Cisco supplicant.
  HTH
  Andy

• Need help troubleshooting Machine Authentication...

  Greetings-
  I am having an issue with getting machine authentication to work.
  I have:
  Windows Server 2003 with AD, certificate services, and IAS installed.
  Windows XP client - SP2 with WPA MS fixes. Installed machine cert from CA.
  4400 controller with 4.1x code. RADIUS is configured correctly.
  When I use PEAP, the client associates.
  When I select "use machine account..." option I don't see anything happen on the client or server that would indicate that machine authentication was attempting.
  Any ideas where to start? Could this be an issue with certificates on the client?
  Thanks!

  Thanks, I had seen that doc...
  I was using machine certs to authenticate. My problem turned out to be the fact that it is required that one adds two registry entries to make the computer authenticate as required. Below are the dword entries. They change the behavior of the supplicant. One tells the system to do Machine auth. Without it (on XP sp2), the client will never try to authenticate prior to user logon. The other controls the authentication behavior upon user logon. By default, the client wants to do PEAP once a user logs on.
  HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode (
  HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode