Machine Authentication with PEAP on Wireless with ISE1.2

Similar Messages

• Problem iphone 4s with dlink 624s wireless with dhcp

  I heve a iphone 4s which is not stable in my wireless with a router dlink 624s and dhcp. Sometimes iphone runs okay, otherwise it is conect to the router but I cannot surf in the web, the iphone indicates "some problem with the server", even www.google.com doens't open in the safari, but it is connected because the simbol is present in the superior left corner of iphone.
  dhcp 192.168.0.110

  Configure the router to do DHCP automatically, try not to hard code the ip address.
  1. Try rebooting the router.
  2. See if there's a firmware update for your router.
  Read this: http://support.apple.com/kb/TS1398

• Machine authentication not working with peap mschapv2

  I have installed ACS ver 4.1.1 trial downloaded from cisco web sites. I have configure 802.1x machine authentication using self generated certificate with unknown user policy configure for windows database authentication. I can authenticate user via peap authentication. but i can never get the machine authentication working. on failed attempted.psv, i found EAP-TLS or PEAP authentication failed during SSL handshake. in the auth.log i found below message:
  TH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::CreateContext: new context id=3
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/paul2.test.com
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Service-Type=2
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Framed-MTU=1500
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Called-Station-Id=00-11-93-69-C5-9A
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=00-0E-7B-30-FA-08
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: EAP-Message=(binary value)
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Message-Authenticator=(binary value)
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port-Type=15
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port=50024
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-IP-Address=10.20.209.2
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-NAS-Vendor-14=1
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-Service-ID-0=0
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::SelectService: context id=3; no profile was matched - using default (0)
  AUTH 03/02/2008 07:01:13 I 5081 6184 Done RQ1152, client 2, status 0
  AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 7.
  AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1026, client 50 (127.0.0.1)
  AUTH 03/02/2008 07:01:13 I 0143 6448 [PDE]: PolicyMgr::Process: request type=5; context id=3; applied default profiles (0) - do nothing
  AUTH 03/02/2008 07:01:13 I 5394 6448 Attempting authentication for Unknown User 'host/paul2.test.com'
  AUTH 03/02/2008 07:01:13 I 1645 6448 pvAuthenticateUser: authenticate 'host/paul2.test.com' against CSDB
  AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1026, client 50, status -2046
  AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 8.
  AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
  AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
  AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2046
  AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 9.
  AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
  AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
  AUTH 03/02/2008 07:01:13 E 0381 6448 EAP: PEAP: ProcessResponse: invalid TLS data size received: 0
  AUTH 03/02/2008 07:01:13 I 0381 6448 EAP: PEAP: Second phase: 0 authentication FAILED
  AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2120
  AUTH 03/02/2008 07:01:13 I 5094 6184 Worker 0 processing message 36.
  If anyone can shed some light on this.
  Cheers,
  Andy

• Machine authentication with MAR and ACS - revisited

  I'm wondering if anyone else has overcame the issue I'm about to describe.
  The scenario:
  We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
  We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
  The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
  The passed authentications log does successfully show the machines authenticating.
  The challege:
  We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the currents standard corporate image).
  In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication.  As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
  In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine maybe authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
  So the user maybe logged on and working on the network - and then choose to undock which activates the wireless.
  The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS vial the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
  Has anyone seen / over come this ?
  Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

  Here's the only thing I could find on extending the schema (I'm not a schema expert):
  http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
  If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
  You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2.  Earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer it's machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just have easily used PEAP on the client side, but told ACS to an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...

• PEAP strong machine authentication

  Hello there,
  I have some questions regarding PEAP authentication.  Specifically how  Machine Authentication works and how it is secured. It seems that if I have enabled Machine Authentication in my network, every wane  who knows PC  domain name can access network, is it true ?
  Here is what I mean “ Machine Authentication allows your PC to connect to the network by authenticating as "Computer" before a legitimate user logs in. This allows a machine to obtain group policies just like it was connected to a wired network and this is a unique feature of the Windows Client.”
  I get this from http://www.techrepublic.com/article/ultimate-wireless-security-guide-manual-peap-deployment-for-windows-wireless-client/6148574.
  So I was looking  on ACS logs and it seems that  PC just sent it’s domain name  to ACS, and it authenticates computer  by its name.After this computer have access to network. 
  So could you please tell me how can I implement strong machine  authentication without going  EAP-TLS way ?

  Please see your answers in line:
  I have some questions regarding PEAP authentication.  Specifically  how  Machine Authentication works and how it is secured. It seems that  if I have enabled Machine Authentication in my network, every wane  who  knows PC  domain name can access network, is it true?
  This is not true, there is much more to machine authentication then just knowing your domain name. For machine authentication to occur, a computer must be joined to the domain using an admin account. The machine credentials are aquired dynamically (they are not set by any administrator or user) through kerberos and with default settings usually change every 30 days.
  Here is what I mean “ Machine Authentication allows your PC to connect  to the network by authenticating as "Computer" before a legitimate user  logs in. This allows a machine to obtain group policies just like it was  connected to a wired network and this is a unique feature of the  Windows Client.”
  Yes the main purpose of machine authentication to allow machine GPO to execute and give the computer network access during the bootup process. When a user authenticates, the supplicant will not allow any traffic flow until it receives an eap-success for the user transaction.
  I get this from http://www.techrepublic.com/article/ultimate-wireless-security-guide-manual-peap-deployment-for-windows-wireless-client/6148574.
  So  I was looking  on ACS logs and it seems that  PC just sent it’s domain  name  to ACS, and it authenticates computer  by its name.After this  computer have access to network. 
  The machine should have sent its computer credentials not the domain name (format is computername.domain.com).
  So could you please tell me how can I implement strong machine  authentication without going  EAP-TLS way ?
  Machine authentication via PEAP is usually the easiest way to authenticate machines to the network. It uses mschapv2 which is a hashing algorithm used between the client and the domain without sending the password.
  One more thing about using Machine Access Restrictions. The cisco anyconnect client is going to support eap-chaining in an upcoming release, this a feature that will allow you to set the order of eap authentication when a workstation joins the network. So you will have the ability to fire a machine authentication request followed by user authentication referenced in this article - https://supportforums.cisco.com/thread/2150542
  Tarik Admani
  *Please rate helpful posts*

• Using HP 6500 Wireless with Verizon MIFI 2200

  Is it possibe to use my HP 6500 all in one with built in wireless with a Verizon MIFI 2200 at the same time...all on one wireless connection from my laptop?       Thank You
  This question was solved.
  View Solution.

  Well i  took a chance that this might  work...what i did was set up MIFI then once wireless put printer software cd in laptop and went to network connections tab on main menu...after a few steps it allowed me to enter the wep key and magically it was printing wirelessly and on the internet at the same time. At least it is right now.

• Wireless with PEAP Authentication not working using new NPS server

  All,
  We are planning to migrate from our old IAS server to new NPS server. We are testing the new NPS server with our wireless infrastructure using WISM. We are using PEAP with server Cert for authentication. For testing purpose we are doing user authentication but our goal is to do machine authentication. On client side we are using Windows XP, Windows 7 & iPAD’s
  I believe I have configured the NPS & CA server as per the documents I found on Cisco support forum & Microsoft’s site.
  But it is not working for me. I am getting the following error message on the NPS server.
  Error # 1
  =======
  Cryptographic operation.
  Subject:
              Security ID:                 SYSTEM
              Account Name:                       MADXXX
              Account Domain:                    AD
              Logon ID:                    0x3e7
  Cryptographic Parameters:
              Provider Name:          Microsoft Software Key Storage Provider
              Algorithm Name:         RSA
              Key Name:      XXX-Wireless-NPS
              Key Type:       Machine key.
  Cryptographic Operation:
              Operation:       Decrypt.
              Return Code:  0x80090010
  Error # 2
  ======
  An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
  I was wondering if anyone has any insight on what is going on.
  Thanks, Ds

  Scott,
  I have disabled MS-CHAP v1 & only MS-CHAP v2 is enabled on Network Policies > Constraints.
  I  disabled validate Certificate on Windows 7 and tried to authenticate, it is still failing. Here is the output from the event viewer:
  Cryptographic operation.
  Subject:
  Security ID: SYSTEM
  Account Name: MADHFSVNPSPI01$
  Account Domain: AD
  Logon ID: 0x3e7
  Cryptographic Parameters:
  Provider Name: Microsoft Software Key Storage Provider
  Algorithm Name: RSA
  Key Name: DOT-Wireless-NPS
  Key Type: Machine key.
  Cryptographic Operation:
  Operation: Decrypt.
  Return Code: 0x80090010
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID: AD\mscdzs
  Account Name: AD\mscdzs
  Account Domain: AD
  Fully Qualified Account Name: AD\mscdzs
  Client Machine:
  Security ID: NULL SID
  Account Name: -
  Fully Qualified Account Name: -
  OS-Version: -
  Called Station Identifier: 64-ae-0c-00-de-f0:DOT
  Calling Station Identifier: a0-88-b4-e2-79-cc
  NAS:
  NAS IPv4 Address: 130.47.128.7
  NAS IPv6 Address: -
  NAS Identifier: WISM2B
  NAS Port-Type: Wireless - IEEE 802.11
  NAS Port: 29
  RADIUS Client:
  Client Friendly Name: WISM2B
  Client IP Address: 130.47.128.7
  Authentication Details:
  Connection Request Policy Name: Secure Wireless Connections
  Network Policy Name: Secure Wireless Connections
  Authentication Provider: Windows
  Authentication Server: MADHFSVNPSPI01.AD.DOT.STATE.WI.US
  Authentication Type: PEAP
  EAP Type: -
  Account Session Identifier: -
  Logging Results: Accounting information was written to the local log file.
  Reason Code: 23
  Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
  Attached are EAP logs & debug logs from the controller.
  Thanks for all the help. I really appreciate.

• 802.1x PEAP Machine Authentication with MS Active Directory

  802.1x PEAP Machine and User Authentication with MS Active Directory:
  I have a simple pilot-text environment, with
  - Microsoft XP Client,
  - Cisco 2960 Switch,
  - ACS Solution Engine (4.1.4)
  - MS Active Directory on Win 2003 Server
  The Remote Agent (at 4.1.4) is on the same server as the MS AD.
  User Authentication works correctly, but Machine Authentication fails.
  Failed machine authenticaton is reported in the "Failed Attempts" log of the ACS SE.
  The Remote Agent shows an error:
  See Attachment.
  Without Port-Security the XP workstation is able to log on to the domain.
  Many thanks for any indication.
  Regards,
  Stephan Imhof

  Is host/TestClientMan.Test.local the name of the machine? What does the AAA tell for you the reason it fails?

• Machine authentication on WPA2 PEAP-MSCHAPv2 wireless network

  Is there anyway to setup machine authentication on Leopard or Snow Leopard associating the device to a WPA2 Enterprise wireless network using PEAP with MSCHAPv2

  In Snow Leopard open Network preferences and select the Airport port then click on the Advanced button. Click on the 802.1X tab where you should find what you want.

• Machine Authentication not happening with MAR

  ACS(SE)4.2
  WLC (4402)5.1.163
  AD 2003 Server
  Currently we are using ACS to authenticate VPN user for two domain.In the same ACS we want to configure machine authentication + PEAP + Self Signed Certificate.Now clients are authenticated with a valid username and password in any of the domain but machine authentication is not happening.
  Our Requirement :we want to acheive machine authentication and user authentication simultaneously. i.e. Computers which are added to particular group with a valid username and password can only access the network.If any one of above requirement is not fulfill then end host cannot access the network.
  Can anyone suggest what configuration required to acheive our requirement?
  Note: We are using same ACS for VPN authentication.

  Currently we are using WindowXP SP3.
  Client Configuration:
  1. network Authentication: WPA + TKIP
  2. EAP type: Protected EAP(PEAP)
  3. Authenticate as computer when computer information is available is (checked)
  4. Validated server certificate is (unchecked)
  5. Authentication Method is: EAP- MSCHAPv2
  ACS External Database Configuration:
  Tick "Enable PEAP machine authentication".
  Tick "Enable Machine Access Restrictions".
  Ensure that "Group map for successful user authentication without machine authentication:" is mapped to "No Access".
  We are using Windows AD database as external database.
  Currently we have created one wireless group in AD which is mapped to a group in ACS and the ACS group is mapped to the SSID in WLC. We are trying to authenticate the computer which are added to the Wireless AD group. But currently all users which are there in the AD are authenticate by their Username/password instead of machine authentication ( computer which are present in the group).
  In WLC, client details showing domain\username instead of host/computer name.
  Your quick response would be highly appreciated!!!!!!

• CSSC with machine authentication in Ms AD

  I need to set the CSSC able to run a machine authetication. My need is to be able to run scripts logon to AD.
  In NEtwork Connection Type i select the machine and user connection option, machine and user auth Method EAP-PEAP and machine identity default, machine credential "use machine credential".
  Event on IAS is:
  Event Type: Warning
  Event Source: IAS
  Event Category: None
  Event ID: 2
  Date: 3/19/2008
  Time: 11:49:37 AM
  User: N / A
  Computers: xxxx
  Description:
  User host / anonymous was denied access.
  Fully-Qualified-User-Name = MYDOMAIN \ host / anonymous
  NAS-IP-Address = x.x.x.x
  NAS-Identifier = WLC_AP
  Called-Station-Identifier =
  Calling-Station-Identifier =
  Client-Friendly-Name = wlc_ap
  Client-IP-Address = x.x.x.x
  NAS-Port-Type = 19
  NAS-Port = 1
  Policy-Name = <undetermined>
  Authentication-Type = EAP
  EAP-Type = <undetermined>
  Reason-Code = 8
  Reason = The specified user does not exist.
  The CSSC put MYDOMAIN (correct) and \host / anonymous (not correct) WHY?
  How can I configure the CSSC part of the machine and user credentials credentials ?
  Thanks.
  Mirko Severi

  Hi,
  You will need o be more specific so we can help you.
  What exactly is happening/not working?
  Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.
  Is your PC doing machine authentication?
  HTH,
  Tiag
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Machine authentication with Windows 7

  Version: ISE 1.2p12
  Hello,
  I'm doing user and machine authentication with ISE.
  I use a first authorization rule to authenticate the machine against the AD. If it's part computers of the domain.
  Then I use an authorization rule to check if the user's group in AD with the credential he used to open the session + "Network Access:WasMachineAuthenticated = True"
  Things seems to be working and I see my switch port is "Authz Success" but shortly after the Windows 7 machine is behaving like 802.1X authentication fails. The little computer on the bottom right has a cross on it.
  If I disable and enable again the network card of that windows machine it works.
  Does any one of you have an idea about this problem ? something to tweak on Windows 7 like timers...
  Thank you

  Hi Mika. My comments below:
  a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems since the MAC address could have been removed from the cache when the user un-hibernate its computer. Then why not increasing the MAR cache to a value of 7 days then ? Regarding the roaming between wire and wireless it's a problem indeed.
  NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first pos that you should look into. But yes, you can increase the MAR timer to a value that fits your environent
  b) You suggest to use one authorization rule for the device which should be part of the AD and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the was, are we really talking about authorization rules here ? I will try this but it's difficult for me to imagine how it would really work.
  NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
  z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
  NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
  https://tools.ietf.org/html/rfc7170
  Thank you for rating helpful posts!

• AD Machine Authentication with Cisco ISE problem

  Hi Experts,
  I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
  Authentication policy:
  Allowed protocol = PEAP & TLS
  Authorization Policy:
  Condition for computer to be checked in external identity store (AD) = Permit access
  Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
  All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
  Switchport configuration:
  ===============================================
  ip access-list extended ACL-DEFAULT
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  permit ip any host (AD)
  permit icmp any any
  permit ip any host (ISE-1)
  permit ip any host  (ISE-2)
  permit udp any host (CUCM-1) eq tftp
  permit udp any host (CUCM-2)eq tftp
  deny ip any any
  ===============================================
  switchport config
  ===============================================
  Switchport Access vlan 10
  switchport mode access
  switchport voice vlan 20
  ip access-group ACL-DEFAULT in
  authentication open
  authentication event fail action next-method
  authentication event server dead action authorize vlan 1
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication timer inactivity 180
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 100
  ====================================================
  One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
  Your help will highly appreciated.
  Regards,

  You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab.  If your switch configuration is on auth failure continue to next method, then this makes sense.  The question is why is the user failing auth but the machine is passing, could be something in the policy.  Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched.  Easy way to check is remove that rule from your policy and see if the same thing happens.
  I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time.  The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
  I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining.  This is great because you can do two part authentication.  EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet.  I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy.

• Apple macosx machine authentication with ISE using EAP-TLS

  Hello,
  On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
  With windows machines all is working well. We are using computer authentication only.
  Now the problem is that we wish to do the same with MAC OSX machines.
  We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
  in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
  When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
  The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
  Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
  Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
  Thanks
  Gustavo Novais

  Additional information from the above question.
  I have the following setup;
  ACS 3.2(3) built 11 appliance
  -Cisco AP1200 wireless access point
  -Novell NDS to be used as an external database
  -Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
  -Windows XP SP2 Client
  My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
  Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
  When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
  Please help...
  Thanks

• Can I set up multiple usb hard drives- one for time machine and a second for media? Can one also print wirelessly with an old HP C6280 printer?

  Can I set up multiple usb hard drives- one for time machine and a second for media?
  Can one also print wirelessly with an old HP C6280 printer?

  Can I set up multiple usb hard drives- one for time machine and a second for media?
  Yes.
  Can one also print wirelessly with an old HP C6280 printer?
  Possibly by using an Airport Express, but depends on what type of port connection the printer requires.