Machine Authentication Issue
I have an ISE 1.2
I am configuring it with Machine authentication with PEAP , Users are working Fine
Just he connect his Cable , it authenticate his Machine and Machine dACL is Downloaded then he log in with his username/password and NAC starts provisioning
the issue is : some Users is part of domain and their machine joined the domain , but their machine cannot authenticate successfully
I am sure that these machine not included on denied endpoint groups , and Dot1x is enabled
Attached two images for that issue
Could you post the results from the clients authentication under ISE -> Operation -> Authentication
Similar Messages
-
We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (none wildcard) certificate loaded for https and EAP. We are just running PEAP. We have a mix of IOS, Android, and Windows 7/8 devices. IOS and Android devices can self create a wireless profile and after entering credentials can connect without issue. Our Windows 7/8 devices, when auto creating a wireless profile are selecting 802.1x machine authentication instead of User authentication or the best option which is machine or user authentication. This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE1.2), or the best option which is to allow both types of authentication? I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither have helped. I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
Thank you for any help or ideas,When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile. In that profile, 802.1x computer authentication option is chosen by windows. That has to be changed to computer or user for the machine to function correctly on the network.
On 1.2, this behavior was different. The Windows device would auto select user authentication by default. At other customer sites, windows devices auto select user authentication. This of course needs to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with. -
Machine authentication is a little slow causing logon script to fail
using:
- Windows Zero with PEAP
- Machine authentication only (AuthMode is set to 2 in the registry)
- PCs are loginning it automatically, so it's a fast process
It appears that machine authentication is a little slow. I can ping the PC's IP after the auto login happens. This cuses logon script to fail.
If I hold shift to cancel auto-login, and wait for 10-20 seconds, the ping of the PC starts, and then if I login the logon script works.
Does anyone know a solution to this issue? Maybe a way to introduce a delay for login window (msgina.dll) to appear, so that machine authentication has time to connectIt's a common issue when authentication takes time.
You can simply delay the logon scripts.
This is an example of waiting for network to be up by pinging 10.10.10.10
Only when network is up, then it will execute the script
:CHECK
@echo off
echo Please wait....
ping -n 1 -l 1 10.10.10.10
if errorlevel 1 goto CHECK
@echo on
# Now the actual Logon script:
net use L: \\fileserver\share
Note: Modify the script in accordance with the network topology.
Nicolas
===
Don't forget to rate answers that you find useful -
Machine authentication over Client IPSEC tunnel
I am in the process of converting our existing remote access from Microsoft Threat Management Gateway to Cisco ASA. Our security folks just made me aware that in addition to the Radius authentication against AD credentials that they also want me to do machine authentication to make sure that the machine name of the system trying to get remote access has a machinea account in AD.
I have been looking for a way to do this with the IPSEC client but havent found anything as yet. Would appreciate any links that show me how to get this done. Moving to Anyconnect isnt an option at this point due to budgetary issues. I am using the latest Cisco VPN client in the 5.x train and have 8.2.5 code running on my 5520.
What I may be looking at might be NAC (Network Admission Control ?). Looking for all suggestions at this point.
Thanks,
RonI've used enrolled user X.509 USER certificates with Cisco VPN Client 4.x / 5.x into an ASA. They were issued by a partner's root CA and the connection was allowed on the basis of that root CA being trusted by the remote ASA.
But yes, what you are asking about is more of a NAC, or the successor Identity Services Engine (ISE) product type of feature. In the case of ISE, it can do what you ask but requires a good bit of investment to get that and many many other features.
I strongly suspect that some additional investment will be necessary to get what your security team is requesting. At the very least AnyConnect Premium licenses and use of the Network Access Manager (NAM) feature. See this reference. -
ACS 4.1 machine authentication problem
Hi,
I'm using the Cisco NAC framework in order to authenticate both users and machines before granting network access. i'm using windows AD to authenticate users and machines.
Under "External User Databases" -> Windows Authentication Configuration, you can configure some machine authentication settings.
I have to enable "Enable Machine Access Restriction" in combination with the group map "no access". Otherwise, even though machine authentication has failed, an authorized user can still login with an unauthorized machine (it will only appear in the failed attempts log but it will not be restricted).
This works, but the problem is the "aging time". The ACS caches the machines for a certain amount of time (12 hours by default). Now if a user logs off and he waits 12 hours to logg back on, authentication will fail (because machine authentication is already performed just after being logged off).
Is it possible to force machine authentication (together with the user authentication) at Windows log on?
Kind regardsACS 4.1 machine authentication can work on windows. This issue occurs in an environment where there is more than one global catalog server for the domain. Restart CSAuth.exe service, and then try to authenticate again (with Machine credentials)
-
Mac & 802.1x Machine Authentication to Microsoft AD using PEAP
We are having trouble successfully connecting wirelessly our Active Directory-bound Macs to our internal 802.1x wireless network using EAP-PEAP with machine authentication. All of our Windows machines work fine. We have a network profile built out of JAMF, with some generic payloads configured, including Use Directory Authentication and the appropriate Verisign certificate attached to authenticate to the Cisco Radius Server onsite. We are able to connect to this wireless network when we also have the machine directly connected via Ethernet. Somehow this causes the Mac to pass the correct domainhost\machinename. When we aren't connected directly, the Mac attempts to authenticate with the incorrect domainhost in front of the correct \machinename. The logs from Console are attached below:
Apr 22 13:37:28 MACHINENAME eapolclient[****]: System Mode Using AD Account '(wrongdomain)\machinenameinAD$'
Apr 22 13:37:28 MACHINENAME eapolclient[****]: en0 PEAP: authentication failed with status 1
Apr 22 13:37:28 MACHINENAME eapolclient[****]: peap_request: ignoring non PEAP start frame
Apr 22 13:37:31 MACHINENAME eapolclient[****]: en0 STOP
Apr 22 13:37:52 MACHINENAME eapolclient[****]: opened log file '/var/log/eapolclient.en0.log'
Apr 22 13:37:52 MACHINENAME eapolclient[****]: System Mode Using AD Account '(correctdomain)\machinenameinAD$'
Apr 22 13:37:52 MACHINENAME eapolclient[****]: en0 START
Apr 22 13:37:53 MACHINENAME eapolclient[****]: eapmschapv2_success_request: successfully authenticated
The first, unsuccessful attempt above is when we are attempting to authenticate and connect wirelessly without a connection to ethernet. The 2nd, successful attempt is when are also connected to Ethernet, which passes the correct domain name, properly authenticating the domain\machinename. After reboot, we have to again plug in directly to Ethernet to reauthenticate to this wirelss network. Any idea(s) why plugging into Ethernet would cause the Mac to send the correct domainhost? Thanks.Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
Glad you found resolution with a later version of the OS.
Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400 -
Machine Authentication with PEAP on Wireless with ISE1.2
Hi All,
We are facing issues while doing machine authentication in ISE1.2 with wireless PEAP authentication. Without machine authentication normal PEAP works very fine but as soon as we enable machine authentication and create policy for machine authentication and in user authentication policy we put condition "was machine authenticated" then it works for some machine properly but does not work for other machines. Its totally random behaviour sometime it stopped working for machines which were authenticated before.
I just want to know if I m missing some configuration or its a bug in ISE. Can some body share step by step configuration for machine authentication with PEAP.
Really It would be a great help.
Thanks
NinjaDid you Apply service pactch 4?
Sent from Cisco Technical Support iPhone App -
Machine authentication with MAR and ACS - revisited
I'm wondering if anyone else has overcame the issue I'm about to describe.
The scenario:
We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
The passed authentications log does successfully show the machines authenticating.
The challege:
We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the currents standard corporate image).
In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails. If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication. As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine maybe authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
So the user maybe logged on and working on the network - and then choose to undock which activates the wireless.
The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS vial the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
Has anyone seen / over come this ?
Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).Here's the only thing I could find on extending the schema (I'm not a schema expert):
http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both. However, your RADIUS (ACS) server should have a certificate that the clients trust. You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours. Get a cert/certs for your RADIUS server(s).
You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2. Earlier versions may not work the same way). Your comment about what you're testing is confusing me. Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS). Your client will offer it's machine account AD credentials to the ACS server in order to authenticate to the network. Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network. Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS). You should not need PEAP and EAP-TLS together. Both are used for the same purpose: 802.1X authentication for network access. PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials. You could just have easily used PEAP on the client side, but told ACS to an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access. I wish I could explain this better... -
802.1x - ACS authentication issue.....
I will attempt to explain the history of our wireless controller configurations as best I can. We are currently using a 4400 controller running 7.x software which authenticates to and ACS 4.1 appliance. All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place so I'm trying to piece it together. The ACS is setup to map to AD for specific groups.
In the controller we have an SSID called triton which is our corporate SSID that all internal users connect to. Three different interfaces have been defined, a general one for most users and two others( lets call them INT1 and INT2) that place users on separate ip networks. The reason for this is those ip networks can reach certain services that are not allowed for general users. ACS maps those users upon authentication to the Vlans associated with those separate ip networks.
Problem 1. When I first took this job, users could not map drives or any services because only user authentication was taking place..After some troubleshooting and realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate prior and therefore execute the login script
Problem 2. Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) that should be placed in the vlans associated with their AD group mapping are not. Upon further investigation it was discovered that the reason they are not is that the authentication is not correct. When the computer first authenticates before the user logs on its shows in ACS as host/xxxxx.yyyy.org where the user authentication shows as xxxxx/username . So some of the computers never change from authenticating as a host to a user and the ip address ends up in the wrong vlan.
Please help. I'm not extremely familiar with Cisco 802.1x setup and the documentation is poor at best.Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is then.
The topology that I know of is this. Single 4.1 ACS appliance and single 4400 controller with approximately 35 LWAPP's. In the past ONLY user authentication was being used which presented problems with Group Policies and login scripts executing. Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?). Not sure if this was the proper way to solve the issue but it worked and we at the time didn't notice any side effects. Although now we are seeing users end up in the wrong VLans and when we look at the logs in the controller the computer they are on is only registering as host/xxxx.yyyy.org (machine authentication) which drops them into the default vlan instead of the vlan which they should be based upon AD group membership from ACS.
I am very familiar with other wireless products and controllers such as Aruba. In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication. In the Aruba we used the windows supplicant. I'd like to do the same with Cisco.
As far as I can tell, there is only a server side (ACS) certificate from Thwate that is used to authenticate. -
PEAP & ACS & machine authentication
OK, here's the issue :
Customer site - 1130 series LWAPP AP's, WLC 4400 series with 4.2 release, WCS with 4.2 release.
ACS SE 4.0 and a second ACS SE with 4.1
Windows XP clients using WZC, all settings for connecting to WLAN are set, and everything works fine as long as the user has logged onto the lappie previously using a wired connection.
Machine authentication not working. i.e. a user can't logon until they've previously logged on.
Nothing shows on ACS failed or passed attempts. All settings for PEAP machine authentication are setup as per Cisco docs on the ACS. Client end ok.
Tried a GPO to push MS 802.1x settings for EAPOL and Supplicant info to machines, but still no machine logon.
ACS using a self signed cert, option to validate server cert on XP wzc unchecked.
Can't see wood for trees now, bits of kit will start to leave the building via the window before much longer....
Please tell me we don't need to install certs on clients - through PEAP was server side only ? Surely ?
Help, someone, help...This does work with Microsoft's EAP Supplicant as I have tested it in the lab and deployed it on a customer site. It was a while ago though....
I referred to this document on MS's site:
http://www.microsoft.com/technet/network/wifi/ed80211.mspx
Plus probably the same document you were using from CCO.
I also installed the two Microsoft Wireless updates for XP SP2 computers, however I am not 100% these were essential. The default supplicant behaviour worked OK as the AP's send EAP frames to the associated wireless clients which kick-starts the supplicant on the PC. I think the Wireless Profile needed to be on PC (SSID & its settings), however this can be pushed via GPO but if the machine has never been on the network (wired/wireless) you can get in a chicken-and-egg situation.
You don't need to use the Cisco supplicant.
HTH
Andy -
802.1x multiple-authentication issue
Hey,
I'm configuring 802.1x multiple authenticatino with C3560G.
Without any timer changes, user's mac address is registered by static on mac address table.
The issue is that if authenticated user moves to non-802.1x port, this user can't access network due to static mac entry.
If I set periodic reauthentication up for solve this, PCs which is connected to 802.1x port got EAP packets periodically, then users on those PC should have msg "local areal connection is connected" on Windows taskbar. I got a tons of this complaints.
What else I can do in order to clear this situaltion?Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is then.
The topology that I know of is this. Single 4.1 ACS appliance and single 4400 controller with approximately 35 LWAPP's. In the past ONLY user authentication was being used which presented problems with Group Policies and login scripts executing. Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?). Not sure if this was the proper way to solve the issue but it worked and we at the time didn't notice any side effects. Although now we are seeing users end up in the wrong VLans and when we look at the logs in the controller the computer they are on is only registering as host/xxxx.yyyy.org (machine authentication) which drops them into the default vlan instead of the vlan which they should be based upon AD group membership from ACS.
I am very familiar with other wireless products and controllers such as Aruba. In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication. In the Aruba we used the windows supplicant. I'd like to do the same with Cisco.
As far as I can tell, there is only a server side (ACS) certificate from Thwate that is used to authenticate. -
OS-X - 802.1x and machine authentication
Hi all
I have a customer with a large installed base of MacBooks Pro running MAC OS-X, connected via WLAN to a centralized Cisco WLC 5508. He also has installed a Cisco ACS 5.x as RADIUS server and Open LDAP as directory services.
The customer wants to do machine authentication based on cthe lients MAC addresses, which means that the ACS 5.x has to check the clients MAC address against the LDAP.
Obviously MACs are not able to send "host/" to differentiate between client- and user-authentication, which by the way works perfect.
- Does anybody have made the same experiences ?
- Has anyone managed to get this running ?
- Can anyone provide me config examples, hint or tipps ?
Everything is very much appreciated since this is an urgent request.
Many thanks in advance
Best regards
RomanHi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
Glad you found resolution with a later version of the OS.
Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400 -
ACS Machine Authentication Fails Every 30 Days
Running ACS5.2, Windows XP Pro, Window Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password"
TAC has been working with us on this and sees the error in the logs but does not have an answer on with to do to solve this. It has the same problem with Wireless Zero.
Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting so this is a not just a minor problemSo it looks like this is the offical Microsoft answer:
Hello Tom,
I had a discussion with an escalation resource on this case and updated him on what we found so far, From what I understand this is a known issue when the client is using PEAP with computer authentication only and the workarounds to this problem are the 2 solutions lined up in that article that I sent you.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;904943
Regards
Krishna -
Need help troubleshooting Machine Authentication...
Greetings-
I am having an issue with getting machine authentication to work.
I have:
Windows Server 2003 with AD, certificate services, and IAS installed.
Windows XP client - SP2 with WPA MS fixes. Installed machine cert from CA.
4400 controller with 4.1x code. RADIUS is configured correctly.
When I use PEAP, the client associates.
When I select "use machine account..." option I don't see anything happen on the client or server that would indicate that machine authentication was attempting.
Any ideas where to start? Could this be an issue with certificates on the client?
Thanks!Thanks, I had seen that doc...
I was using machine certs to authenticate. My problem turned out to be the fact that it is required that one adds two registry entries to make the computer authenticate as required. Below are the dword entries. They change the behavior of the supplicant. One tells the system to do Machine auth. Without it (on XP sp2), the client will never try to authenticate prior to user logon. The other controls the authentication behavior upon user logon. By default, the client wants to do PEAP once a user logs on.
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode (
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode -
any help about configuring MAC OS to work with ISE and 802.1x machine authentication?
Hi,
You will need to have the MAC OSX join the active directory domain so it can have the proper machine credentials. If joining the macbook to Active Directory is not a viable solution then having a certificate issued to the macbook would be another option but you would have to user a user certificate.
If we take a step back, why are you looking to perform machine authentication for a macbook?
Reference material -
http://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/
You will need to use a lion server to build a profile based on the instructions above.
Thanks
Tarik Admani
*Please rate helpful posts*
Maybe you are looking for
-
V8.2.1: generic file i/o error while loading VI's
Hello, I had a large LV application open and running fine. I closed it, and upon re-opening the top-level VI it gives "Generic File I/O Error" on several sub-VI's (belonging to me, not LV). Opening those sub VI's individually reveals no problem at
-
Trying to loop/repeat a video for a continuous presentation on ipod touch
If anyone could help me out here, I'm trying to display a video from the ipod touch on a projector, it's just a 1 minute loop and so far I have no luck trying to get it to loop. I have tried to set it to repeat in photo libraries and play but it stil
-
Lr 4.1RC GPS metadata not read in CR2 files on Synch
After importing CR2 files from a Canon 5dMkii I later updated those files with GPS coordinates using the program GeoSetter (www.geosetter.de). The program is a GUI front end to ExifTool that adds the coordinates to the CR2 or JPG files. After the fi
-
One of my most visited site is missing from Most Visited Tab.
I look at my browsing history and it shows a site i visit a lot as in the top 5 sites I visit. This site does not show in my Most Visited Tab.
-
HT1692 how do i sync my kids ipad to my mac
how do i sync my kids ipad mini with my macbook air