Missing machine authentication - peap acs

Similar Messages

• EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP

  Hello all,
  I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
  His intended network plan is to use Vista Laptops doing Machine authentication only towards a ACS server integrated with a non-microsoft LDAP server. The mechanism of choice is EAP-TLS.
  We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
  The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
  When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
  All of this appears to be successful the first time.
  If we disassociate the machine, the problems start. The accounting STOP message is never sent.
  Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
  Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
  My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
  IF someone can give me a pointer on how to make this work, or if I'm hitting a bug in ACS.
  Thanks
  Gustavo

  Assuming you're using the stock XP wifi client.
  When running XPSP3, you need to set two things:
  1) force one registry setting.
  According to
  http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
  You need to force usage of machine cert-store certificate:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
  "AuthMode"=dword:00000002
  2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
  - show available wireless networks
  - change advanced settings
  - wireless networks tab
  - select your SSID, and then hit the "properties" button
  - select authentication tab, and then hit "properties" button
  - search for your signing CA, and check the box.
  I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
  Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
  please cross reference to
  https://supportforums.cisco.com/message/3280232
  for a better description of the whole setup.
  Ivan

• Machine Authentication not happening with MAR

  ACS(SE)4.2
  WLC (4402)5.1.163
  AD 2003 Server
  Currently we are using ACS to authenticate VPN user for two domain.In the same ACS we want to configure machine authentication + PEAP + Self Signed Certificate.Now clients are authenticated with a valid username and password in any of the domain but machine authentication is not happening.
  Our Requirement :we want to acheive machine authentication and user authentication simultaneously. i.e. Computers which are added to particular group with a valid username and password can only access the network.If any one of above requirement is not fulfill then end host cannot access the network.
  Can anyone suggest what configuration required to acheive our requirement?
  Note: We are using same ACS for VPN authentication.

  Currently we are using WindowXP SP3.
  Client Configuration:
  1. network Authentication: WPA + TKIP
  2. EAP type: Protected EAP(PEAP)
  3. Authenticate as computer when computer information is available is (checked)
  4. Validated server certificate is (unchecked)
  5. Authentication Method is: EAP- MSCHAPv2
  ACS External Database Configuration:
  Tick "Enable PEAP machine authentication".
  Tick "Enable Machine Access Restrictions".
  Ensure that "Group map for successful user authentication without machine authentication:" is mapped to "No Access".
  We are using Windows AD database as external database.
  Currently we have created one wireless group in AD which is mapped to a group in ACS and the ACS group is mapped to the SSID in WLC. We are trying to authenticate the computer which are added to the Wireless AD group. But currently all users which are there in the AD are authenticate by their Username/password instead of machine authentication ( computer which are present in the group).
  In WLC, client details showing domain\username instead of host/computer name.
  Your quick response would be highly appreciated!!!!!!

• Eap-tls wireless machine authentication without AD

  Hi all,
  I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN (before logon)
  I can make the user get a cert from my CA, login as local & connect to WLAN through EAP-TLS without any problem.
  With admin account I can get windows to put user's cert into the machine store (Machine Account Personal Certificate Store),
  but when it comes to a login attempt the RADIUS UserName lookS like "host/username" instead of "username" as user authenticate.
  My question is that do I need to configure an Identity Store (like AD) for machine authentication on ACS or I can make use of the configuration as for user previously (on ACS for user authentication, the Identity Store is Certificate Authentication Profile --> Certificate CN value)
  Clients are WinXPSP3, and I'm using CiscoACS 5.2, MS Certificate Services CA, WLC 4402, LAP 1252
  Note: in my case, each user will have their own laptop so it's best if the machine is authenticated under user's name.
  Thanks for your help,

  Assuming you're using the stock XP wifi client.
  When running XPSP3, you need to set two things:
  1) force one registry setting.
  According to
  http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
  You need to force usage of machine cert-store certificate:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
  "AuthMode"=dword:00000002
  2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
  - show available wireless networks
  - change advanced settings
  - wireless networks tab
  - select your SSID, and then hit the "properties" button
  - select authentication tab, and then hit "properties" button
  - search for your signing CA, and check the box.
  I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
  Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
  please cross reference to
  https://supportforums.cisco.com/message/3280232
  for a better description of the whole setup.
  Ivan

• ACS 4.2.1 - PEAP Machine Authentication - Hostname different from PC account name in AD

  Hello!
  I don't really know, whether this issue has been asked before.
  I have to configure PEAP Authentication with ACS 4.2.1 for Windows against Active Directory.
  ACS ist Member of AD Domain xyz.domainname. The PC account is located in an OU of xyz.domainname.
  Hosts get via DHCP a hostname as dhcp.domainname. This also is the name the machine uses for AAA request.
  User authentication works fine, because the user account also is hosted in xyz.domainname.
  The host authentication fails, because dhcp.domainname is a DNS domain only but no Windows AD subdomain.
  Does anybody knows a solution for this special constellation?
  Is it possible to strip or rewrite the domain suffix in any way during the authentication process?

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Hello Jean,
  I am guessing that you are using 802.1x wireless.
  This is a expected behaving because the AD force the computer to change his password every month and if the computer is not on the domain at that moment the computer won't take that change.
  This is a Microsoft issue and unfortunately Cisco does not have any workaround for that.
  Please see links below that explain this situation.
  http://support.microsoft.com/kb/216393/en-us
  http://support.microsoft.com/kb/904943
  Hope this helps
  Erdelgad
  Cisco CSE

• PEAP & ACS & machine authentication

  OK, here's the issue :
  Customer site - 1130 series LWAPP AP's, WLC 4400 series with 4.2 release, WCS with 4.2 release.
  ACS SE 4.0 and a second ACS SE with 4.1
  Windows XP clients using WZC, all settings for connecting to WLAN are set, and everything works fine as long as the user has logged onto the lappie previously using a wired connection.
  Machine authentication not working. i.e. a user can't logon until they've previously logged on.
  Nothing shows on ACS failed or passed attempts. All settings for PEAP machine authentication are setup as per Cisco docs on the ACS. Client end ok.
  Tried a GPO to push MS 802.1x settings for EAPOL and Supplicant info to machines, but still no machine logon.
  ACS using a self signed cert, option to validate server cert on XP wzc unchecked.
  Can't see wood for trees now, bits of kit will start to leave the building via the window before much longer....
  Please tell me we don't need to install certs on clients - through PEAP was server side only ? Surely ?
  Help, someone, help...

  This does work with Microsoft's EAP Supplicant as I have tested it in the lab and deployed it on a customer site. It was a while ago though....
  I referred to this document on MS's site:
  http://www.microsoft.com/technet/network/wifi/ed80211.mspx
  Plus probably the same document you were using from CCO.
  I also installed the two Microsoft Wireless updates for XP SP2 computers, however I am not 100% these were essential. The default supplicant behaviour worked OK as the AP's send EAP frames to the associated wireless clients which kick-starts the supplicant on the PC. I think the Wireless Profile needed to be on PC (SSID & its settings), however this can be pushed via GPO but if the machine has never been on the network (wired/wireless) you can get in a chicken-and-egg situation.
  You don't need to use the Cisco supplicant.
  HTH
  Andy

• Machine authentication not working with peap mschapv2

  I have installed ACS ver 4.1.1 trial downloaded from cisco web sites. I have configure 802.1x machine authentication using self generated certificate with unknown user policy configure for windows database authentication. I can authenticate user via peap authentication. but i can never get the machine authentication working. on failed attempted.psv, i found EAP-TLS or PEAP authentication failed during SSL handshake. in the auth.log i found below message:
  TH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::CreateContext: new context id=3
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/paul2.test.com
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Service-Type=2
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Framed-MTU=1500
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Called-Station-Id=00-11-93-69-C5-9A
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=00-0E-7B-30-FA-08
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: EAP-Message=(binary value)
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Message-Authenticator=(binary value)
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port-Type=15
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port=50024
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-IP-Address=10.20.209.2
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-NAS-Vendor-14=1
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-Service-ID-0=0
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::SelectService: context id=3; no profile was matched - using default (0)
  AUTH 03/02/2008 07:01:13 I 5081 6184 Done RQ1152, client 2, status 0
  AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 7.
  AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1026, client 50 (127.0.0.1)
  AUTH 03/02/2008 07:01:13 I 0143 6448 [PDE]: PolicyMgr::Process: request type=5; context id=3; applied default profiles (0) - do nothing
  AUTH 03/02/2008 07:01:13 I 5394 6448 Attempting authentication for Unknown User 'host/paul2.test.com'
  AUTH 03/02/2008 07:01:13 I 1645 6448 pvAuthenticateUser: authenticate 'host/paul2.test.com' against CSDB
  AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1026, client 50, status -2046
  AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 8.
  AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
  AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
  AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2046
  AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 9.
  AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
  AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
  AUTH 03/02/2008 07:01:13 E 0381 6448 EAP: PEAP: ProcessResponse: invalid TLS data size received: 0
  AUTH 03/02/2008 07:01:13 I 0381 6448 EAP: PEAP: Second phase: 0 authentication FAILED
  AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2120
  AUTH 03/02/2008 07:01:13 I 5094 6184 Worker 0 processing message 36.
  If anyone can shed some light on this.
  Cheers,
  Andy

• Machine Authentication and User Authentication with ACS v5.1... how?

  Hi!
  I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
  This is the goal:
  On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
  Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
  I have set up a Windows Sertificate server, and the client (WinXP) are recieving both machine and user certificates just fine.
  I have also managed to set up so Machine Authenticaton works, by setting up a policy rule that checks on certificate only:
  "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
  But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
  I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
  Thank you.

  Hello again.
  I found out how to do this now..
  What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
  After adding that profile to the Identity Store Sequences, and making tthe appropriate rule in the policy, it works.
  You must also remember to change the AuthMode option in Windows XP Registry to "1".
  What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that conditon to work, unfortunately.
  That would have plugged a few security holes for me.

• Machine Authentication with PEAP on Wireless with ISE1.2

  Hi All,
  We are facing issues while doing machine authentication in ISE1.2 with wireless PEAP authentication. Without machine authentication normal PEAP works very fine but as soon as we enable machine authentication and create policy for machine authentication and in user authentication policy we put condition "was machine authenticated" then it works for some machine properly but does not work for other machines. Its totally random behaviour sometime it stopped working for machines which were authenticated before.
  I just want to know if I m missing some configuration or its a bug in ISE. Can some body share step by step configuration for machine authentication with PEAP.
  Really It would be a great help.
  Thanks
  Ninja

  Did you Apply service pactch 4?
  Sent from Cisco Technical Support iPhone App

• Machine authentication with MAR and ACS - revisited

  I'm wondering if anyone else has overcame the issue I'm about to describe.
  The scenario:
  We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
  We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
  The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
  The passed authentications log does successfully show the machines authenticating.
  The challege:
  We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the currents standard corporate image).
  In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication.  As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
  In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine maybe authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
  So the user maybe logged on and working on the network - and then choose to undock which activates the wireless.
  The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS vial the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
  Has anyone seen / over come this ?
  Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

  Here's the only thing I could find on extending the schema (I'm not a schema expert):
  http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
  If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
  You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2.  Earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer it's machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just have easily used PEAP on the client side, but told ACS to an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...

• 802.1x PEAP Machine Authentication with MS Active Directory

  802.1x PEAP Machine and User Authentication with MS Active Directory:
  I have a simple pilot-text environment, with
  - Microsoft XP Client,
  - Cisco 2960 Switch,
  - ACS Solution Engine (4.1.4)
  - MS Active Directory on Win 2003 Server
  The Remote Agent (at 4.1.4) is on the same server as the MS AD.
  User Authentication works correctly, but Machine Authentication fails.
  Failed machine authenticaton is reported in the "Failed Attempts" log of the ACS SE.
  The Remote Agent shows an error:
  See Attachment.
  Without Port-Security the XP workstation is able to log on to the domain.
  Many thanks for any indication.
  Regards,
  Stephan Imhof

  Is host/TestClientMan.Test.local the name of the machine? What does the AAA tell for you the reason it fails?

• ACS Machine Authentication Fails Every 30 Days

  Running ACS5.2, Windows XP Pro, Window Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password"
  TAC has been working with us on this and sees the error in the logs but does not have an answer on with to do to solve this. It has the same problem with Wireless Zero.
  Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting so this is a not just a minor problem

  So it looks like this is the offical Microsoft answer:
  Hello Tom,
  I had a discussion with an escalation resource on this case and updated him on what we found so far, From what  I understand this is a known issue when the client is using PEAP with computer authentication only  and the workarounds to this problem are the 2 solutions lined up in that article that I sent you.
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;904943
  Regards
  Krishna

• PEAP strong machine authentication

  Hello there,
  I have some questions regarding PEAP authentication.  Specifically how  Machine Authentication works and how it is secured. It seems that if I have enabled Machine Authentication in my network, every wane  who knows PC  domain name can access network, is it true ?
  Here is what I mean “ Machine Authentication allows your PC to connect to the network by authenticating as "Computer" before a legitimate user logs in. This allows a machine to obtain group policies just like it was connected to a wired network and this is a unique feature of the Windows Client.”
  I get this from http://www.techrepublic.com/article/ultimate-wireless-security-guide-manual-peap-deployment-for-windows-wireless-client/6148574.
  So I was looking  on ACS logs and it seems that  PC just sent it’s domain name  to ACS, and it authenticates computer  by its name.After this computer have access to network. 
  So could you please tell me how can I implement strong machine  authentication without going  EAP-TLS way ?

  Please see your answers in line:
  I have some questions regarding PEAP authentication.  Specifically  how  Machine Authentication works and how it is secured. It seems that  if I have enabled Machine Authentication in my network, every wane  who  knows PC  domain name can access network, is it true?
  This is not true, there is much more to machine authentication then just knowing your domain name. For machine authentication to occur, a computer must be joined to the domain using an admin account. The machine credentials are aquired dynamically (they are not set by any administrator or user) through kerberos and with default settings usually change every 30 days.
  Here is what I mean “ Machine Authentication allows your PC to connect  to the network by authenticating as "Computer" before a legitimate user  logs in. This allows a machine to obtain group policies just like it was  connected to a wired network and this is a unique feature of the  Windows Client.”
  Yes the main purpose of machine authentication to allow machine GPO to execute and give the computer network access during the bootup process. When a user authenticates, the supplicant will not allow any traffic flow until it receives an eap-success for the user transaction.
  I get this from http://www.techrepublic.com/article/ultimate-wireless-security-guide-manual-peap-deployment-for-windows-wireless-client/6148574.
  So  I was looking  on ACS logs and it seems that  PC just sent it’s domain  name  to ACS, and it authenticates computer  by its name.After this  computer have access to network. 
  The machine should have sent its computer credentials not the domain name (format is computername.domain.com).
  So could you please tell me how can I implement strong machine  authentication without going  EAP-TLS way ?
  Machine authentication via PEAP is usually the easiest way to authenticate machines to the network. It uses mschapv2 which is a hashing algorithm used between the client and the domain without sending the password.
  One more thing about using Machine Access Restrictions. The cisco anyconnect client is going to support eap-chaining in an upcoming release, this a feature that will allow you to set the order of eap authentication when a workstation joins the network. So you will have the ability to fire a machine authentication request followed by user authentication referenced in this article - https://supportforums.cisco.com/thread/2150542
  Tarik Admani
  *Please rate helpful posts*

• OSX and PEAP machine authentication

  We are starting to get a few OSX users in our environment, and they can't seem to authenticate to our wireless network using machine authentication with PEAP. They can bind to AD and I see the computer name in AD, but PEAP fails. Has anyone gotten this working successfully?
  The error we get in the RADIUS logs is:
  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
  Thanks!

  If you configure PEAP MsChapv2 properly along with the client side, it will work and you will not get any type of error.  I run PEAP or EAP-TLS on customer environments with ACS, ISE, Microsoft Radius and other radius servers with no issues. If you look at the Apple device guide or search for supported 802.1x encryption types, you will see what type of encryption is supported. You just have to setup the radius and the back end to work.
  Scott

• PEAP : Machine authentication doesn't work

  Hello,
  I'm trying to set up machine authentication and at this time I have some problems.
  I have the following configuration:
  - the users laptop are running WinXP
  - the AP is a 1232
  - ACS 3.3.2
  - external database (Win2000 Active Directory) authentication
  I set up PEAP and it works well when a user is authenticated. However when I enable machine authentication on the ACS and also on the user laptop, it doesn't work. In the ACS logs I can see that the user has not authenticated due to the machine access restriction.
  On the Active Directory I changed the Dial In config. for the computers to allow access.
  Is there anything else that has to be modified in order to perform machine authentication?
  Hope someone will be able to help me.
  Thanks in advance.
  Alex

  Hi Alex
  I have had a similar issue, I found that my PEAP users were fine but Machine authentication failed at the SSL handshake. I.E the machine didn't know where the local certificate was. In the meantime to get the policies working I unchecked the "validate server certificate" on the client. And that works, I would assume that the certificate needs to be in a specific default location for the machine authentication to use it, though thats just a guess.
  I am spending the day to get this working and I'll post what I find out.
  Regards
  Colin