Machine authentication is being used...

We're running LWAPP with 4402 WLCs and 1241 APs. Our customers are using Windows XP supplicants and authenticating to ACS ver 4.0. We would like them to authenticate with their user credentials as we're not allowing machine authentication on the ACS. However, what we're seeing is when a user shuts down his WinXP machine and goes home, the next day, when he boots the WinXP machine back up again, he's NOT being prompted to authenticate again as his XP machine seems to cache the credentials and connect him back to the network.
Is there a setting on the config that we would need to change to allow a prompt for authentication?
Thanks..

Windows XP cached credentials when using PEAP authentication: http://support.microsoft.com/kb/823731
I don't see an easy way to get around this. If your users are in AD and you can set them up to log on to AD, that is one way to get around it.
Zhenning

Similar Messages

  • Apple macosx machine authentication with ISE using EAP-TLS

    Hello,
    On an ongoing setup we are using EAP-TLS authentication with account validation against AD. We have our own CA (Microsoft based). ISE version 1.2.1 patch 1.
    With windows machines all is working well. We are using computer authentication only.
    Now the problem is that we wish to do the same with MAC OSX machines.
    We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
    In ISE the certificate authentication profile is set to look at the subject alternative name (DNS name) of the machines. Whenever we set it to the UPN (hostname$), Windows accounts are not found in AD.
    When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
    The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
    Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
    Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
    Thanks
    Gustavo Novais

    Additional information from the above question.
    I have the following setup;
    - ACS 3.2(3) build 11 appliance
    - Cisco AP1200 wireless access point
    - Novell NDS to be used as an external database
    - Windows 2003 Enterprise with standalone Certificate Authority Services installed
    - Windows XP SP2 client
    My goal is to use the Windows XP native WLAN utility to connect to the AP using EAP-TLS authentication against Novell NDS.
    Tried to connect using the Cisco compatible WLAN utility and authenticate using EAP-GTC against Novell NDS for users; it works fine and perfectly.
    When connecting using EAP-TLS, I am getting an error in the ACS failed attempts log: "Auth type Not supported by External DB". But the ACS documentation says that it supports EAP-TLS. How true is this? Does anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize the native WinXP WLAN utility?
    Please help...
    Thanks

  • How does time machine work when being used with a mac pro?

    How does time machine work when backing up a mac pro?
    Considering the fact that the Mac Pro can hold 8TB and an external (non-NAS) hard drive can hold only 2TB, does Time Machine only back up the OS disk?

    macnewcomer22 wrote:
    Considering the fact that the Mac Pro can hold 8TB and an external (non-NAS) hard drive can hold only 2TB, does Time Machine only back up the OS disk?
    Time Machine will back up everything by default, on every disk in your Mac.
    Choose System Preferences > Options to exclude items. You could exclude everything except your OS...but I'd think it is your data that's more important to you, if you have to make choices.
    See...
    http://discussions.apple.com/thread.jspa?threadID=1964018
    While it's true you can store almost 8TB, how much do you think you'll actually store? If you have 1TB of data you want to store then a 2TB drive can do it. Also when your TM drive begins to get full it will begin deleting the oldest backups to make room.
    You could also get a Drobo with 8 bays...
    http://www.drobo.com/products/index.php
    -mj

  • While deleting the virtual machine .vhd folder -- error msg : the process cannot access the file beacuse it is being used by another process

    When I am trying to delete the virtual machine folder/directory I get the below error. The virtual machine is turned off.
    V:\>rmdir ME-EXCAS01 /s
    ME-EXCAS01, Are you sure (Y/N)? y
    ME-EXCAS01\ME-EXCAS01\Virtual Machines\1B1FD14E-B3F0-4232-9F96-2A871E879CD6.xml
    - The process cannot access the file because it is being used by another process
    How to delete the whole folder ?
    Thanks

    Also, if your VM has snapshots and you delete it, you must wait for the snapshots to finish merging - the VHD files will be locked until then.
    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.

  • Drive no longer being used by time machine: delete some files?

    Tried unlocking and allowing myself to read and write.  Nope.  Tried holding down the option key.  Nope.
    This drive is no longer being used by time machine and I want to delete some files on it.
    Is there a way to do it without wiping the entire drive?

    nowsthetime wrote:
    It wasn't a dedicated backup and there's other material on it that I need to keep.
    That's a problem (as you've discovered). Time Machine works best if it has its own, exclusive partition. See Time Machine - Frequently Asked Question #3 for details.
    Aha!  Just found THIS. I'll post if it works. http://www.celiamania.com/wordpress/?p=1038
    That will let you delete individual backups, or all backups of selected items.
    If you don't have room to copy the "other" stuff elsewhere while you erase the disk, you can delete the Backups.backupdb folder.  Emptying the trash will take a very long time, and may give you permissions and/or locked file problems.  If so, see #E6 in Time Machine - Troubleshooting.

  • HT4848 Is it possible to partition an external hard drive that is already being used for Time Machine backups without it being erased?

    I want to use my current external hard drive, which I use for Time Machine backup, as a recovery disk for Mac OS X Mountain Lion 10.8.2. From what I have read, the recovery disk assistant will erase all data on the external drive unless it is partitioned. Can I partition my current backup drive without erasing it, even though it is already being used for Time Machine?

    It's very simple to test.  Turn off your computer.  Have your time machine backup plugged in.  Hold option and turn it on, keeping option held.  Do you see your time machine drive?  If so, select it and press enter. You'll end up in recovery.  If it works, there you go.  Then just click the apple and restart to get back to your regular desktop.  Then you'll know for when you're ready to do the deed.
    Edit...
    I'm not sure if Time Machine will think it's an entirely different computer, though, when a hard drive changed, making an actual restore not doable. Either way, you could still reinstall Mt Lion fresh and then just migrate after, skipping the need for SL.

  • Can't update, HD is being used by Time Machine

    I get the message that the Hard Drive can't be used because it's being used by Time Machine. Time Machine is turned off. Following advice on another thread I deleted a TM pref file, restarted, and selected none (which wasn't there previously). I have repaired permissions as well. Any ideas? Thanks.

    progmanjum wrote:
    I have a folder by that name. There is another folder within that and that is empty. Delete and restart?
    yes.

  • Machine authentication using certificates

    Hi,
    I am facing this error while the machine authenticates against AD for wireless users. My requirement is that users with a corporate laptop get the privileged VLAN and BYOD should get the normal VLAN. I am using Cisco ISE 1.1.1 and configured authentication policies to differentiate clients based on corp asset and BYOD. The authentication policy result is an identity sequence which uses a certificate profile and AD. All corp laptops should be authenticated using certificates and then followed by AD user and pass. When I configure XP users to validate the server certificate this error comes in the ISE log: "Authentication failed : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client", and if I disable validate server certificate then this error: "Authentication failed : 22049 Binary comparison of certificates failed".
    Any help??
    Thanks in advance.

    Hi [answers are inline]
    I have tried using Cisco AnyConnect NAM on Windows XP for machine and user authentication but the EAP-chaining feature is not working as expected. I am facing a few challenges. I have configured NAM to use EAP-FAST for machine and user authentication and ISE is configured with the required authorisation rule and profiles/results. When the machine boots up it sends the machine certificate and gets authenticated against AD, and ISE matches the authorisation rule and assigns the AuthZ profile without waiting for user credentials.
    This is expected for machine authentication; since the client hasn't logged in, machine authentication will succeed so the computer has connectivity to the domain.
    Now when a user logs on using AD user/pass, authentication fails as the VLAN assigned in the AuthZ profile does not have access to AD. ISE should actually check with their external database but it's not.
    Do you see the authentication report in ISE? Keep in mind that you are authenticating with a client that has never logged into the workstation before. I am sure you are looking for the feature which starts the NAM process before the user logs in. Try checking this option here:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1074333
    Note the section below:
    –Before User Logon—Connect to the network before the user logs on. The user logon types that are supported include user account (Kerberos) authentication, loading of user GPOs, and GPO-based logon script execution.
    If you choose Before User Logon, you also get to set Time to Wait Before Allowing a User to Logon:
    Time to Wait Before Allowing User to Logon—Specifies the maximum (worst case) number of seconds to wait for the Network Access Manager to make a complete network connection. If a network connection cannot be established within this time, the Windows logon process continues with user log on. The default is 5 seconds.
    Note If the Network Access Manager is configured to manage wireless connections, set Time to wait before allowing user to logon to 30 seconds or more because of the additional time it may take to establish a wireless connection. You must also account for the time required to obtain an IP address via DHCP. If two or more network profiles are configured, you may want to increase the value to cover two or more connection attempts.
    You will have to enable this setting to allow the supplicant to connect to the network using the credentials you provide; the reason for this is you are trying to authenticate a user that has never logged into this workstation before. Please make changes to the configuration.xml file, and then select the repair option on the AnyConnect client and test again.
    Interestingly, if I log in with an AD user which is local to the machine, it gets authenticated and gets the correct AuthZ profile/access level. If I log off and log in with a different user, the Windows adapter gets an IP address and ISE shows successful authentication/authz profile but the NAM agent reports limited connectivity. Any help??
    Please make the changes above and see if the error message goes away.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Mac & 802.1x Machine Authentication to Microsoft AD using PEAP

    We are having trouble successfully connecting wirelessly our Active Directory-bound Macs to our internal 802.1x wireless network using EAP-PEAP with machine authentication. All of our Windows machines work fine. We have a network profile built out of JAMF, with some generic payloads configured, including Use Directory Authentication and the appropriate Verisign certificate attached to authenticate to the Cisco Radius Server onsite. We are able to connect to this wireless network when we also have the machine directly connected via Ethernet. Somehow this causes the Mac to pass the correct domainhost\machinename. When we aren't connected directly, the Mac attempts to authenticate with the incorrect domainhost in front of the correct \machinename. The logs from Console are attached below:
    Apr 22 13:37:28 MACHINENAME eapolclient[****]: System Mode Using AD Account '(wrongdomain)\machinenameinAD$'
    Apr 22 13:37:28 MACHINENAME eapolclient[****]: en0 PEAP: authentication failed with status 1
    Apr 22 13:37:28 MACHINENAME eapolclient[****]: peap_request: ignoring non PEAP start frame
    Apr 22 13:37:31 MACHINENAME eapolclient[****]: en0 STOP
    Apr 22 13:37:52 MACHINENAME eapolclient[****]: opened log file '/var/log/eapolclient.en0.log'
    Apr 22 13:37:52 MACHINENAME eapolclient[****]: System Mode Using AD Account '(correctdomain)\machinenameinAD$'
    Apr 22 13:37:52 MACHINENAME eapolclient[****]: en0 START
    Apr 22 13:37:53 MACHINENAME eapolclient[****]: eapmschapv2_success_request: successfully authenticated
    The first, unsuccessful attempt above is when we are attempting to authenticate and connect wirelessly without a connection to Ethernet. The 2nd, successful attempt is when we are also connected to Ethernet, which passes the correct domain name, properly authenticating the domain\machinename. After reboot, we have to again plug in directly to Ethernet to reauthenticate to this wireless network. Any idea(s) why plugging into Ethernet would cause the Mac to send the correct domainhost? Thanks.

    Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
    Glad you found resolution with a later version of the OS.
    Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400
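    A small parser for the eapolclient Console lines quoted in the question above, added here as an example (not code from the original thread): it groups the log into authentication attempts, records the AD domain each attempt used and its outcome, and flags attempts whose domain differs from the one you expect. The sample lines, the PIDs and the domain names WRONGDOM and CORPDOM are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the Console output quoted in the post.
# PIDs and domain names are placeholders, not values from the original log.
SAMPLE_LOG = """\
Apr 22 13:37:28 MACHINENAME eapolclient[1234]: System Mode Using AD Account 'WRONGDOM\\labmac01$'
Apr 22 13:37:28 MACHINENAME eapolclient[1234]: en0 PEAP: authentication failed with status 1
Apr 22 13:37:28 MACHINENAME eapolclient[1234]: peap_request: ignoring non PEAP start frame
Apr 22 13:37:31 MACHINENAME eapolclient[1234]: en0 STOP
Apr 22 13:37:52 MACHINENAME eapolclient[1235]: opened log file '/var/log/eapolclient.en0.log'
Apr 22 13:37:52 MACHINENAME eapolclient[1235]: System Mode Using AD Account 'CORPDOM\\labmac01$'
Apr 22 13:37:52 MACHINENAME eapolclient[1235]: en0 START
Apr 22 13:37:53 MACHINENAME eapolclient[1235]: eapmschapv2_success_request: successfully authenticated
"""

# syslog-style prefix: "<Mon DD HH:MM:SS> <host> eapolclient[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) eapolclient\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The line that reveals which DOMAIN\account$ the supplicant chose for System Mode.
ACCOUNT_RE = re.compile(
    r"System Mode Using AD Account '(?P<domain>[^\\']+)\\(?P<account>[^']+)'"
)


@dataclass
class Attempt:
    started: str             # timestamp of the "Using AD Account" line
    domain: str              # NetBIOS domain the supplicant presented
    account: str             # machine account, e.g. labmac01$
    outcome: str = "unknown"  # "success", "failed" or "unknown"


def parse_attempts(log_text):
    """Split eapolclient output into attempts, one per 'Using AD Account' line."""
    attempts = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not an eapolclient line; skip it
        msg = m.group("msg")
        acct = ACCOUNT_RE.search(msg)
        if acct:
            current = Attempt(m.group("ts"), acct.group("domain"), acct.group("account"))
            attempts.append(current)
        elif current is not None:
            if "authentication failed" in msg:
                current.outcome = "failed"
            elif "successfully authenticated" in msg:
                current.outcome = "success"
    return attempts


def find_domain_mismatches(attempts, expected_domain):
    """Attempts that presented a domain other than the one the account lives in."""
    return [a for a in attempts if a.domain.upper() != expected_domain.upper()]


if __name__ == "__main__":
    found = parse_attempts(SAMPLE_LOG)
    for a in found:
        print(f"{a.started}: {a.domain}\\{a.account} -> {a.outcome}")
    for a in find_domain_mismatches(found, "CORPDOM"):
        print(f"domain mismatch at {a.started}: supplicant used {a.domain}")
```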

  • How do I prevent my hard drive being used for time machine back ups?

    I want to install Snow Leopard but it tells me that the OS cannot be installed because the disk is being used for Time Machine back ups. I don't recall setting up my hard drive to be used this way (why would I?!) but now I can't seem to

    Did you have TM turned on at any time? If so, and if you had no external hard drive attached, could it be that it created its own backup on a portion of your hard drive? I don't use TM, but I believe I read that this may be possible. Take a look at Disk Utility (Applications > Utilities) and report what you see on the left - under the top heading, is there more than one partition showing, such as here:
    (I have two partitions: one for Snow Leopard, the other for Lion) - what does yours show?

  • Providing external url for the fqdn for webfeed returns error in eventlog that shows internal url is being used - how to change to the external url?

    I've got my RDWeb accessible on both my internal and external network by using split DNS locally to resolve the external URL (remote.domain.com/rdweb), and everything works fine. However users don't want to use the RDWeb interface (as it is slower than just clicking on an RDP shortcut).
    Following the notes at http://social.technet.microsoft.com/wiki/contents/articles/14488.distribution-of-remote-apps-and-desktops-in-windows-server-2012.aspx I've tried to set up the webfeed on a Win7+ machine, but when I enter the external URL that is protected by an SSL cert the event log shows that the internal address is being used and it doesn't match the certificate:
    "There is a problem with this connection's security certificate.
    The remote computer cannot be authenticated due to problems with its security certificate.
    Security certificate problems might indicate an attempt to fool you or intercept data you send to the remote computer.
    Windows cannot continue setting up this connection. Contact your workplace administrator for assistance.
    Connection name:
    Connection URL: https://internalservername/rdweb/feed/webfeed.aspx"
    How do I set the servers to use the external address rather than the internal one? I'm assuming it's similar to Exchange's Set-WebServicesVirtualDirectory command but I can't find the equivalent command documented anywhere.
    http://absoblogginlutely.net

    Hi,
    Thank you for posting in Windows Server Forum.
    Please check the points mentioned below.
    •  Create a relevant DNS entry in the mentioned zone to point to the RDS environment's internal IP address
    •  Create a relevant DNS entry in external DNS to point to the firewall which is publishing RDS's external IP address
    •  You can use the script mentioned below to change the FQDN of the RDP files provided by RD Web Access / RemoteApp and Desktop Connection feed.
    Change published FQDN for Server 2012 or 2012 R2 RDS Deployment
    http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80
    In addition please check the thread mentioned below.
    How do I change the URL to the Remote Web Access server in Windows Server 2012?
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/67dfab70-7e10-4e0b-a3c8-63ce776f2355/how-do-i-change-the-url-to-the-remote-web-access-server-in-windows-server-2012?forum=winserverTS
    Apart from this, also check the settings under IIS on the RDWeb server, following the path below.
    Expand the Default Website > Pages > Application Settings > DefaultTSGateway >
    Enter the external address (FQDN) of the RD Gateway in the Value field.
    Hope it helps!
    Thanks,
    Dharmesh

  • Machine authentication over Client IPSEC tunnel

    I am in the process of converting our existing remote access from Microsoft Threat Management Gateway to Cisco ASA. Our security folks just made me aware that in addition to the RADIUS authentication against AD credentials they also want me to do machine authentication to make sure that the machine name of the system trying to get remote access has a machine account in AD.
    I have been looking for a way to do this with the IPSEC client but haven't found anything as yet. Would appreciate any links that show me how to get this done. Moving to AnyConnect isn't an option at this point due to budgetary issues. I am using the latest Cisco VPN client in the 5.x train and have 8.2.5 code running on my 5520.
    What I may be looking at might be NAC (Network Admission Control ?).  Looking for all suggestions at this point.
    Thanks,
    Ron

    I've used enrolled user X.509 USER certificates with Cisco VPN Client 4.x / 5.x into an ASA. They were issued by a partner's root CA and the connection was allowed on the basis of that root CA being trusted by the remote ASA.
    But yes, what you are asking about is more of a NAC, or the successor Identity Services Engine (ISE) product type of feature. In the case of ISE, it can do what you ask but requires a good bit of investment to get that and many many other features.
    I strongly suspect that some additional investment will be necessary to get what your security team is requesting. At the very least AnyConnect Premium licenses and use of the Network Access Manager (NAM) feature. See this reference.

  • ACS 4.1 machine authentication problem

    Hi,
    I'm using the Cisco NAC framework in order to authenticate both users and machines before granting network access. I'm using Windows AD to authenticate users and machines.
    Under "External User Databases" -> Windows Authentication Configuration, you can configure some machine authentication settings.
    I have to enable "Enable Machine Access Restriction" in combination with the group map "no access". Otherwise, even though machine authentication has failed, an authorized user can still login with an unauthorized machine (it will only appear in the failed attempts log but it will not be restricted).
    This works, but the problem is the "aging time". The ACS caches the machines for a certain amount of time (12 hours by default). Now if a user logs off and waits 12 hours to log back on, authentication will fail (because machine authentication is already performed just after being logged off).
    Is it possible to force machine authentication (together with the user authentication) at Windows log on?
    Kind regards

    ACS 4.1 machine authentication can work on Windows. This issue occurs in an environment where there is more than one global catalog server for the domain. Restart the CSAuth.exe service, and then try to authenticate again (with machine credentials).

  • 802.1x Wireless - Enforce user AND machine authentication

    I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
    The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
    I'd rather not have to deploy user and machine certificates.
    All I want to do is allow access to the wireless network only if the device and the user are in AD.
    It's such a simple scenario that I must be missing something.
    Any suggestions are welcome. Thanks in advance for your comments.
    Lucas

    In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as the RADIUS backend; the last time I looked in the ACS release notes was 5.4, and it didn't have EAP-chaining support.
    Using the built-in Windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed). What most people miss when they say this will work fine with the Windows supplicant and ACS is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine; this is mainly due to the shortcomings of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.
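    The MAR behaviour described in this answer and in the ACS 4.1 thread above (machine result cached per station for 12 hours, user logons mapped to a "no access" group once the entry ages out, and no link between user and machine at all when MAR is off), as an added example that is not code from either thread. The class, the 12-hour default, the group names, the MAC addresses and the reference time are a constructed model, not ACS internals.

```python
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
T0 = datetime(2024, 1, 1, 8, 0)   # constructed reference time for the scenarios


class MarCache:
    """Constructed model of ACS 4.1 Machine Access Restrictions (MAR): a successful
    machine authentication is remembered per calling-station-id for the aging time;
    a later user authentication from that station is mapped to its normal group only
    while the entry is fresh, otherwise to the restrictive group."""

    def __init__(self, enabled=True, aging_hours=12, no_access_group="No Access"):
        self.enabled = enabled
        self.aging = timedelta(hours=aging_hours)
        self.no_access_group = no_access_group
        self._machines = {}   # calling-station-id -> time of last successful machine auth

    def machine_auth(self, station, account_ok, when):
        """host/<name> authentication; only successes populate the cache."""
        if account_ok:
            self._machines[station] = when
        return account_ok

    def user_auth(self, station, creds_ok, when, user_group="Employees"):
        """Returns (radius_result, mapped_group)."""
        if not creds_ok:
            return ("reject", None)
        if not self.enabled:
            # MAR off: the machine result is never consulted, so an authorized user
            # on a machine that failed authentication still lands in the normal group.
            return ("accept", user_group)
        last = self._machines.get(station)
        if last is None or when - last > self.aging:
            # No fresh machine authentication for this station: restrictive mapping.
            return ("accept", self.no_access_group)
        return ("accept", user_group)


def run_scenarios():
    """The situations described in the posts; returns name -> (result, group)."""
    out = {}
    mar_off = MarCache(enabled=False)
    mar_off.machine_auth("00:11:22:33:44:55", account_ok=False, when=T0)
    out["mar_off_failed_machine"] = mar_off.user_auth("00:11:22:33:44:55", True, T0 + 1 * HOUR)

    mar_on = MarCache(enabled=True)
    mar_on.machine_auth("00:11:22:33:44:66", account_ok=True, when=T0)
    out["mar_on_fresh"] = mar_on.user_auth("00:11:22:33:44:66", True, T0 + 1 * HOUR)
    # Same station: the user logs back on after the 12-hour aging time has elapsed.
    out["mar_on_aged_out"] = mar_on.user_auth("00:11:22:33:44:66", True, T0 + 13 * HOUR)
    return out


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```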

  • ACS 5.3, EAP-TLS Machine Authentication with Active Directory

    I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. I was testing and everything was going fine until I did some failure testing.
    My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
    Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
    Evaluating Identity Policy
    15006 Matched Default Rule
    22037 Authentication Passed
    22023 Proceed to attribute retrieval
    24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
    24437 Machine not found in Active Directory
    22016 Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    12506 EAP-TLS authentication succeeded
    11503 Prepared EAP-Success
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - Permit Access
    22065 Max sessions policy passed
    22064 New accounting session created in Session cache
    11002 Returned RADIUS Access-Accept
    I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
    Note: In my Identity Store Sequence, I did enable the option:
    For Attribute Retrieval only:
    If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
    but this only seems to work for internal identity stores (at least based on my testing)
    Under my Access Policy Identity tab, I configured the following Advanced features:
    Advanced Options
    If authentication failed: Reject / Drop / Continue
    If user not found: Reject / Drop / Continue
    If process failed: Reject / Drop / Continue
    And that didn't do anything either.
    Any ideas? Thanks in advance.

    You can try the following. Define an attribute to be retrieved from Active Directory that exists for all objects. When defining the attribute it can be given a default value. Assign a default value that will never be returned for a real machine entry (e.g. "DEFAULTVALUE") and give it a "Policy Condition Name".
    Then you can make a rule in the authorization policy such as
    If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"
