OSX and PEAP machine authentication

We are starting to get a few OSX users in our environment, and they can't seem to authenticate to our wireless network using machine authentication with PEAP. They can bind to AD and I see the computer name in AD, but PEAP fails. Has anyone gotten this working successfully?
The error we get in the RADIUS logs is:
ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Thanks!

If you configure PEAP MSCHAPv2 properly along with the client side, it will work and you will not get any type of error. I run PEAP or EAP-TLS on customer environments with ACS, ISE, Microsoft Radius and other radius servers with no issues. If you look at the Apple device guide or search for supported 802.1x encryption types, you will see what type of encryption is supported. You just have to set up the radius and the back end to work.
Scott

Similar Messages

  • 802.1x PEAP Machine Authentication with MS Active Directory

    802.1x PEAP Machine and User Authentication with MS Active Directory:
    I have a simple pilot-text environment, with
    - Microsoft XP Client,
    - Cisco 2960 Switch,
    - ACS Solution Engine (4.1.4)
    - MS Active Directory on Win 2003 Server
    The Remote Agent (at 4.1.4) is on the same server as the MS AD.
    User Authentication works correctly, but Machine Authentication fails.
    Failed machine authentication is reported in the "Failed Attempts" log of the ACS SE.
    The Remote Agent shows an error:
    See Attachment.
    Without Port-Security the XP workstation is able to log on to the domain.
    Many thanks for any indication.
    Regards,
    Stephan Imhof

    Is host/TestClientMan.Test.local the name of the machine? What does the AAA tell you is the reason it fails?

  • PEAP : Machine authentication doesn't work

    Hello,
    I'm trying to set up machine authentication and at this time I have some problems.
    I have the following configuration:
    - the users laptop are running WinXP
    - the AP is a 1232
    - ACS 3.3.2
    - external database (Win2000 Active Directory) authentication
    I set up PEAP and it works well when a user is authenticated. However when I enable machine authentication on the ACS and also on the user laptop, it doesn't work. In the ACS logs I can see that the user has not authenticated due to the machine access restriction.
    On the Active Directory I changed the Dial In config. for the computers to allow access.
    Is there anything else that has to be modified in order to perform machine authentication?
    Hope someone will be able to help me.
    Thanks in advance.
    Alex

    Hi Alex
    I have had a similar issue. I found that my PEAP users were fine but machine authentication failed at the SSL handshake, i.e. the machine didn't know where the local certificate was. In the meantime, to get the policies working, I unchecked "validate server certificate" on the client. And that works. I would assume that the certificate needs to be in a specific default location for the machine authentication to use it, though that's just a guess.
    I am spending the day to get this working and I'll post what I find out.
    Regards
    Colin

  • AP1252 : Support for LEAP and PEAP for authentication

    Hi,
    We are deploying Cisco AP1252 in unified (lightweight) mode and would like to know whether it will support both LEAP as well as PEAP for authenticating clients at the same time (mixed mode). If yes, kindly let me know the configuration for the same.

    Local EAP authentication on Wireless LAN Controllers was introduced with Wireless LAN Controller version 4.1.171.0.
    Local EAP is an authentication method that allows users and wireless clients to be authenticated locally on the controller. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the authentication server and the local user database, so it removes dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users. Local EAP supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC authentication between the controller and wireless clients.
    Local EAP can use an LDAP server as its backend database to retrieve user credentials.
    An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user.
    Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

  • ACS 4.2.1 - PEAP Machine Authentication - Hostname different from PC account name in AD

    Hello!
    I don't really know, whether this issue has been asked before.
    I have to configure PEAP Authentication with ACS 4.2.1 for Windows against Active Directory.
    ACS is a member of AD domain xyz.domainname. The PC account is located in an OU of xyz.domainname.
    Hosts get via DHCP a hostname as dhcp.domainname. This also is the name the machine uses for AAA request.
    User authentication works fine, because the user account also is hosted in xyz.domainname.
    The host authentication fails, because dhcp.domainname is a DNS domain only but no Windows AD subdomain.
    Does anybody know a solution for this special constellation?
    Is it possible to strip or rewrite the domain suffix in any way during the authentication process?

    Hello Jean,
    I am guessing that you are using 802.1x wireless.
    This is expected behavior because AD forces the computer to change its password every month, and if the computer is not on the domain at that moment, the computer won't take that change.
    This is a Microsoft issue and unfortunately Cisco does not have any workaround for that.
    Please see links below that explain this situation.
    http://support.microsoft.com/kb/216393/en-us
    http://support.microsoft.com/kb/904943
    Hope this helps
    Erdelgad
    Cisco CSE

  • PEAP & ACS & machine authentication

    OK, here's the issue :
    Customer site - 1130 series LWAPP AP's, WLC 4400 series with 4.2 release, WCS with 4.2 release.
    ACS SE 4.0 and a second ACS SE with 4.1
    Windows XP clients using WZC, all settings for connecting to WLAN are set, and everything works fine as long as the user has logged onto the lappie previously using a wired connection.
    Machine authentication not working. i.e. a user can't logon until they've previously logged on.
    Nothing shows on ACS failed or passed attempts. All settings for PEAP machine authentication are setup as per Cisco docs on the ACS. Client end ok.
    Tried a GPO to push MS 802.1x settings for EAPOL and Supplicant info to machines, but still no machine logon.
    ACS using a self signed cert, option to validate server cert on XP wzc unchecked.
    Can't see wood for trees now, bits of kit will start to leave the building via the window before much longer....
    Please tell me we don't need to install certs on clients - thought PEAP was server side only? Surely?
    Help, someone, help...

    This does work with Microsoft's EAP Supplicant as I have tested it in the lab and deployed it on a customer site. It was a while ago though....
    I referred to this document on MS's site:
    http://www.microsoft.com/technet/network/wifi/ed80211.mspx
    Plus probably the same document you were using from CCO.
    I also installed the two Microsoft Wireless updates for XP SP2 computers, however I am not 100% these were essential. The default supplicant behaviour worked OK as the AP's send EAP frames to the associated wireless clients which kick-starts the supplicant on the PC. I think the Wireless Profile needed to be on PC (SSID & its settings), however this can be pushed via GPO but if the machine has never been on the network (wired/wireless) you can get in a chicken-and-egg situation.
    You don't need to use the Cisco supplicant.
    HTH
    Andy

  • Missing machine authentication - peap acs

    Hi,
    my setup is:
    Cisco ACS 4.0 Release 4.0(1) Build 27 (with thawte certificate)
    WLC 4402 ver 4.0.179.8
    Aironet 1131 LWAPP
    dell laptop with windows xp sp2 with peap auth (using win control of wlan card)
    I experience problem with missing machine authentication even though I have enabled this in acs (Enable PEAP machine authentication). The regkey on the pc's are standard windows (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global with no value set = 0)
    http://support.microsoft.com/kb/309448/en-us
    I get these messages in the wlc log:
    AUTH 14/09/2006 08:48:58 E 0143 2688 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
    AUTH 14/09/2006 08:48:58 E 0376 3852 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
    anyone who can point me in the right direction?
    Is it a windows client problem or a WLC/ACS problem?
    regards rolf

    Hi,
    I still have a problem with machine authentication that stops working after 3-4 days. I narrowed this down to the Cisco ACS, as the only way to resolve this is to reboot the win2003 server running Cisco ACS. I did put an error in my first post; it's not the wlc log that reports this:
    AUTH 26/09/2006 07:51:16 E 0143 0500 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
    AUTH 26/09/2006 07:51:16 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
    It is the Csauth log on the ACS. Has anybody seen this error message and know what it refers to?
    My problem now is that machine authentication works OK for some days, then stops, and then the listed error messages start coming in the csauth log.
    regards rolf

  • Machine authentication is a little slow causing logon script to fail

    using:
    - Windows Zero with PEAP
    - Machine authentication only (AuthMode is set to 2 in the registry)
    - PCs are logging in automatically, so it's a fast process
    It appears that machine authentication is a little slow. I can ping the PC's IP after the auto login happens. This causes the logon script to fail.
    If I hold shift to cancel auto-login, and wait for 10-20 seconds, the ping of the PC starts, and then if I login the logon script works.
    Does anyone know a solution to this issue? Maybe a way to introduce a delay for login window (msgina.dll) to appear, so that machine authentication has time to connect

    It's a common issue when authentication takes time.
    You can simply delay the logon scripts.
    This is an example of waiting for network to be up by pinging 10.10.10.10
    Only when network is up, then it will execute the script
    @echo off
    REM Loop until 10.10.10.10 answers a ping, i.e. the network is up.
    :CHECK
    echo Please wait....
    ping -n 1 -l 1 10.10.10.10
    if errorlevel 1 goto CHECK
    @echo on
    REM Now the actual logon script:
    net use L: \\fileserver\share
    Note: Modify the script in accordance with the network topology.
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Machine Authentication not happening with MAR

    ACS(SE)4.2
    WLC (4402)5.1.163
    AD 2003 Server
    Currently we are using ACS to authenticate VPN users for two domains. In the same ACS we want to configure machine authentication + PEAP + self-signed certificate. Now clients are authenticated with a valid username and password in any of the domains, but machine authentication is not happening.
    Our requirement: we want to achieve machine authentication and user authentication simultaneously, i.e. only computers which are added to a particular group, with a valid username and password, can access the network. If any one of the above requirements is not fulfilled, then the end host cannot access the network.
    Can anyone suggest what configuration is required to achieve our requirement?
    Note: We are using same ACS for VPN authentication.

    Currently we are using Windows XP SP3.
    Client Configuration:
    1. network Authentication: WPA + TKIP
    2. EAP type: Protected EAP(PEAP)
    3. Authenticate as computer when computer information is available is (checked)
    4. Validated server certificate is (unchecked)
    5. Authentication Method is: EAP- MSCHAPv2
    ACS External Database Configuration:
    Tick "Enable PEAP machine authentication".
    Tick "Enable Machine Access Restrictions".
    Ensure that "Group map for successful user authentication without machine authentication:" is mapped to "No Access".
    We are using Windows AD database as external database.
    Currently we have created one wireless group in AD which is mapped to a group in ACS, and the ACS group is mapped to the SSID in WLC. We are trying to authenticate the computers which are added to the Wireless AD group. But currently all users which are there in the AD are authenticated by their username/password instead of machine authentication (computers which are present in the group).
    In WLC, client details showing domain\username instead of host/computer name.
    Your quick response would be highly appreciated!!!!!!

  • Problems with 802.1x MS PEAP machine and user authentication

    Using Microsoft PEAP 802.1x client on Windows XP SP2, if we enable machine authentication against a Windows Domain, the machine authentication is successful and the machine gets access to the network. However, when user logon occurs to the domain, contrary to the flow given in ACS and Windows documentation, no user authentication takes place.
    We need to differentiate user access based on their identities. We need machine authentication only to allow users access to the domain controller and also GP implementation.
    Any idea why the user does not get prompted when they log on? 802.1x is configured in the user's profile and I have tried with both integrated and non-integrated with domain logon (i.e. the "use my windows logon name and password and domain (if any)" option).
    There is no record of any identity request/response in ACS after the initial machine authentication (which appears in successful authentication log)
    We are using MS-CHAPv2.

    Update... The problem of cached credentials in MS PEAP does not occur if "enable logon using Windows username and password (and domain if any)" is checked. Using this option, MS PEAP always uses the logged-on user's most current credentials.
    However, using this option sends the username as "DOMAIN\USERNAME". Since we are using ACS internal database for user authentication (even though the ACS and Windows passwords are same - using an identity management system) ACS does not recognize the user.
    I have tried proxy distribution with prefix stripping but it does not seem to work when it is pointing to the same ACS server on which proxy distribution is configured and which receives the request.
    Any idea how the domain\ can be ignored by ACS?

  • ISE 802.1x EAP-TLS machine and smart card authentication

    I suspect I know the answer to this, but thought that I would throw it out there anyway...
    With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card  authentication simultaneously for wired/wireless clients (specifically  Windows 7/8, but Linux or OSX would also be good).  I can find plenty of  information regarding 802.1x machine authentication (EAP-TLS) and user  password authentication (PEAP), but none about dual EAP-TLS  authentication using certificates for machines and users at the same time.  I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end.  For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other.  Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

    Hope this video link will help you
    http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

  • ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

    We are running ISE 1.3 tied to AD with WLC 7.6.130.0.  Our ISE has a GoDaddy (none wildcard) certificate loaded for https and EAP.  We are just running PEAP.  We have a mix of IOS, Android, and Windows 7/8 devices.  IOS and Android devices can self create a wireless profile and after entering credentials can connect without issue.  Our Windows 7/8 devices, when auto creating a wireless profile are selecting 802.1x machine authentication instead of User authentication or the best option which is machine or user authentication.  This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only.  This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity.  The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE1.2), or the best option which is to allow both types of authentication?  I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list.  Neither have helped.  I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
    Thank you for any help or ideas,

    When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile.  In that profile, 802.1x computer authentication option is chosen by windows.  That has to be changed to computer or user for the machine to function correctly on the network.
    On 1.2, this behavior was different.  The Windows device would auto select user authentication by default.  At other customer sites, windows devices auto select user authentication.  This of course needs  to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

  • Machine authentication on WPA2 PEAP-MSCHAPv2 wireless network

    Is there any way to set up machine authentication on Leopard or Snow Leopard, associating the device to a WPA2 Enterprise wireless network using PEAP with MSCHAPv2?

    In Snow Leopard open Network preferences and select the Airport port then click on the Advanced button. Click on the 802.1X tab where you should find what you want.

  • Machine Authentication and User Authentication with ACS v5.1... how?

    Hi!
    I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
    This is the goal:
    On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
    Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
    I have set up a Windows Certificate server, and the clients (WinXP) are receiving both machine and user certificates just fine.
    I have also managed to set up so Machine Authentication works, by setting up a policy rule that checks on certificate only:
    "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
    But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
    I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
    Thank you.

    Hello again.
    I found out how to do this now..
    What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
    After adding that profile to the Identity Store Sequences, and making the appropriate rule in the policy, it works.
    You must also remember to change the AuthMode option in Windows XP Registry to "1".
    What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that condition to work, unfortunately.
    That would have plugged a few security holes for me.

  • Mac & 802.1x Machine Authentication to Microsoft AD using PEAP

    We are having trouble successfully connecting wirelessly our Active Directory-bound Macs to our internal 802.1x wireless network using EAP-PEAP with machine authentication. All of our Windows machines work fine. We have a network profile built out of JAMF, with some generic payloads configured, including Use Directory Authentication and the appropriate Verisign certificate attached to authenticate to the Cisco Radius Server onsite. We are able to connect to this wireless network when we also have the machine directly connected via Ethernet. Somehow this causes the Mac to pass the correct domainhost\machinename. When we aren't connected directly, the Mac attempts to authenticate with the incorrect domainhost in front of the correct \machinename. The logs from Console are attached below:
    Apr 22 13:37:28 MACHINENAME eapolclient[****]: System Mode Using AD Account '(wrongdomain)\machinenameinAD$'
    Apr 22 13:37:28 MACHINENAME eapolclient[****]: en0 PEAP: authentication failed with status 1
    Apr 22 13:37:28 MACHINENAME eapolclient[****]: peap_request: ignoring non PEAP start frame
    Apr 22 13:37:31 MACHINENAME eapolclient[****]: en0 STOP
    Apr 22 13:37:52 MACHINENAME eapolclient[****]: opened log file '/var/log/eapolclient.en0.log'
    Apr 22 13:37:52 MACHINENAME eapolclient[****]: System Mode Using AD Account '(correctdomain)\machinenameinAD$'
    Apr 22 13:37:52 MACHINENAME eapolclient[****]: en0 START
    Apr 22 13:37:53 MACHINENAME eapolclient[****]: eapmschapv2_success_request: successfully authenticated
    The first, unsuccessful attempt above is when we are attempting to authenticate and connect wirelessly without a connection to Ethernet. The 2nd, successful attempt is when we are also connected to Ethernet, which passes the correct domain name, properly authenticating the domain\machinename. After reboot, we have to again plug in directly to Ethernet to reauthenticate to this wireless network. Any idea(s) why plugging into Ethernet would cause the Mac to send the correct domainhost? Thanks.

    Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
    Glad you found resolution with a later version of the OS.
    Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400
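
The comparison of failed and successful eapolclient attempts described in the thread above, as an added example that is not part of the original posts: it parses log lines in the quoted format, starts a new attempt at each "System Mode Using AD Account" line, and flags failed attempts whose domain prefix differs from one that succeeded for the same machine account. The function names and the sample log (host, PIDs, domain names) are constructed for illustration.

```python
import re

# Constructed sample in the eapolclient format quoted in the thread;
# host name, PIDs and domain names are made up for illustration.
SAMPLE_LOG = r"""
Apr 22 13:37:28 mac01 eapolclient[411]: System Mode Using AD Account 'WRONGDOM\mac01$'
Apr 22 13:37:28 mac01 eapolclient[411]: en0 PEAP: authentication failed with status 1
Apr 22 13:37:28 mac01 eapolclient[411]: peap_request: ignoring non PEAP start frame
Apr 22 13:37:31 mac01 eapolclient[411]: en0 STOP
Apr 22 13:37:52 mac01 eapolclient[502]: opened log file '/var/log/eapolclient.en0.log'
Apr 22 13:37:52 mac01 eapolclient[502]: System Mode Using AD Account 'CORP\mac01$'
Apr 22 13:37:52 mac01 eapolclient[502]: en0 START
Apr 22 13:37:53 mac01 eapolclient[502]: eapmschapv2_success_request: successfully authenticated
"""

# Syslog prefix; the PID may be masked (e.g. "[****]"), so it is not relied on.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+"
    r"eapolclient\[[^\]]*\]:\s+(?P<msg>.*)$"
)
ACCOUNT_RE = re.compile(r"System Mode Using AD Account '(?P<identity>[^']*)'")
FAILED_RE = re.compile(r"authentication failed with status (?P<status>\d+)")
SUCCESS_RE = re.compile(r"successfully authenticated")


def parse_attempts(log_text):
    """Group eapolclient lines into attempts keyed by the identity line."""
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or another daemon's output
        msg = m.group("msg")
        acct = ACCOUNT_RE.search(msg)
        if acct:
            # DOMAIN\machine$ -> ("DOMAIN", "machine$"); no backslash -> domain ""
            domain, _, name = acct.group("identity").rpartition("\\")
            current = {"ts": m.group("ts"), "host": m.group("host"),
                       "domain": domain, "account": name,
                       "outcome": "unknown", "status": None}
            attempts.append(current)
            continue
        if current is None:
            continue  # result line with no preceding identity line
        failed = FAILED_RE.search(msg)
        if failed:
            current["outcome"] = "failed"
            current["status"] = int(failed.group("status"))
        elif SUCCESS_RE.search(msg):
            current["outcome"] = "success"
    return attempts


def find_domain_mismatches(attempts):
    """Failed attempts whose domain differs from one that worked for the account."""
    accepted = {}
    for a in attempts:
        if a["outcome"] == "success":
            accepted.setdefault(a["account"].lower(), set()).add(a["domain"].lower())
    findings = []
    for a in attempts:
        known = accepted.get(a["account"].lower())
        if a["outcome"] == "failed" and known and a["domain"].lower() not in known:
            findings.append({"ts": a["ts"], "host": a["host"],
                             "account": a["account"],
                             "sent_domain": a["domain"],
                             "accepted_domains": sorted(known)})
    return findings


if __name__ == "__main__":
    for finding in find_domain_mismatches(parse_attempts(SAMPLE_LOG)):
        print(finding)
```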
