PEAP & ACS & machine authentication

Similar Messages

• ACS Machine Authentication Fails Every 30 Days

  Running ACS5.2, Windows XP Pro, Window Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password"
  TAC has been working with us on this and sees the error in the logs but does not have an answer on with to do to solve this. It has the same problem with Wireless Zero.
  Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting so this is a not just a minor problem

  So it looks like this is the offical Microsoft answer:
  Hello Tom,
  I had a discussion with an escalation resource on this case and updated him on what we found so far, From what  I understand this is a known issue when the client is using PEAP with computer authentication only  and the workarounds to this problem are the 2 solutions lined up in that article that I sent you.
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;904943
  Regards
  Krishna

• PEAP strong machine authentication

  Hello there,
  I have some questions regarding PEAP authentication.  Specifically how  Machine Authentication works and how it is secured. It seems that if I have enabled Machine Authentication in my network, every wane  who knows PC  domain name can access network, is it true ?
  Here is what I mean “ Machine Authentication allows your PC to connect to the network by authenticating as "Computer" before a legitimate user logs in. This allows a machine to obtain group policies just like it was connected to a wired network and this is a unique feature of the Windows Client.”
  I get this from http://www.techrepublic.com/article/ultimate-wireless-security-guide-manual-peap-deployment-for-windows-wireless-client/6148574.
  So I was looking  on ACS logs and it seems that  PC just sent it’s domain name  to ACS, and it authenticates computer  by its name.After this computer have access to network. 
  So could you please tell me how can I implement strong machine  authentication without going  EAP-TLS way ?

  Please see your answers in line:
  I have some questions regarding PEAP authentication.  Specifically  how  Machine Authentication works and how it is secured. It seems that  if I have enabled Machine Authentication in my network, every wane  who  knows PC  domain name can access network, is it true?
  This is not true, there is much more to machine authentication then just knowing your domain name. For machine authentication to occur, a computer must be joined to the domain using an admin account. The machine credentials are aquired dynamically (they are not set by any administrator or user) through kerberos and with default settings usually change every 30 days.
  Here is what I mean “ Machine Authentication allows your PC to connect  to the network by authenticating as "Computer" before a legitimate user  logs in. This allows a machine to obtain group policies just like it was  connected to a wired network and this is a unique feature of the  Windows Client.”
  Yes the main purpose of machine authentication to allow machine GPO to execute and give the computer network access during the bootup process. When a user authenticates, the supplicant will not allow any traffic flow until it receives an eap-success for the user transaction.
  I get this from http://www.techrepublic.com/article/ultimate-wireless-security-guide-manual-peap-deployment-for-windows-wireless-client/6148574.
  So  I was looking  on ACS logs and it seems that  PC just sent it’s domain  name  to ACS, and it authenticates computer  by its name.After this  computer have access to network. 
  The machine should have sent its computer credentials not the domain name (format is computername.domain.com).
  So could you please tell me how can I implement strong machine  authentication without going  EAP-TLS way ?
  Machine authentication via PEAP is usually the easiest way to authenticate machines to the network. It uses mschapv2 which is a hashing algorithm used between the client and the domain without sending the password.
  One more thing about using Machine Access Restrictions. The cisco anyconnect client is going to support eap-chaining in an upcoming release, this a feature that will allow you to set the order of eap authentication when a workstation joins the network. So you will have the ability to fire a machine authentication request followed by user authentication referenced in this article - https://supportforums.cisco.com/thread/2150542
  Tarik Admani
  *Please rate helpful posts*

• Mac & 802.1x Machine Authentication to Microsoft AD using PEAP

  We are having trouble successfully connecting wirelessly our Active Directory-bound Macs to our internal 802.1x wireless network using EAP-PEAP with machine authentication. All of our Windows machines work fine. We have a network profile built out of JAMF, with some generic payloads configured, including Use Directory Authentication and the appropriate Verisign certificate attached to authenticate to the Cisco Radius Server onsite. We are able to connect to this wireless network when we also have the machine directly connected via Ethernet. Somehow this causes the Mac to pass the correct domainhost\machinename. When we aren't connected directly, the Mac attempts to authenticate with the incorrect domainhost in front of the correct \machinename. The logs from Console are attached below:
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: System Mode Using AD Account '(wrongdomain)\machinenameinAD$'
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: en0 PEAP: authentication failed with status 1
  Apr 22 13:37:28 MACHINENAME eapolclient[****]: peap_request: ignoring non PEAP start frame
  Apr 22 13:37:31 MACHINENAME eapolclient[****]: en0 STOP
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: opened log file '/var/log/eapolclient.en0.log'
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: System Mode Using AD Account '(correctdomain)\machinenameinAD$'
  Apr 22 13:37:52 MACHINENAME eapolclient[****]: en0 START
  Apr 22 13:37:53 MACHINENAME eapolclient[****]: eapmschapv2_success_request: successfully authenticated
  The first, unsuccessful attempt above is when we are attempting to authenticate and connect wirelessly without a connection to ethernet. The 2nd, successful attempt is when are also connected to Ethernet, which passes the correct domain name, properly authenticating the domain\machinename. After reboot, we have to again plug in directly to Ethernet to reauthenticate to this wirelss network. Any idea(s) why plugging into Ethernet would cause the Mac to send the correct domainhost? Thanks.

  Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
  Glad you found resolution with a later version of the OS.
  Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400

• Machine authentication for ACS5.1

  Hi, I met a problem with machine authentication. Following is the conditions::
  1. WLC5508, version 6.0.196
  2. ACS 5.1.0.44
  3. WIN AD
  4. PEAP-MSCHAPv2+machine authentication
  the machine auth failed, I checked the log, it says Machine not found in AD:
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15004  Matched rule
  15012  Selected Access Service - WLAN Access Policy
  11507  Extracted EAP-Response/Identity
  12300  Prepared EAP-Request proposing PEAP with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318  Successfully negotiated PEAP version 0
  12800  Extracted first TLS record; TLS handshake started.
  12805  Extracted TLS ClientHello message.
  12806  Prepared TLS ServerHello message.
  12807  Prepared TLS Certificate message.
  12810  Prepared TLS ServerDone message.
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12318  Successfully negotiated PEAP version 0
  12812  Extracted TLS ClientKeyExchange message.
  12804  Extracted TLS Finished message.
  12801  Prepared TLS ChangeCipherSpec message.
  12802  Prepared TLS Finished message.
  12816  TLS handshake succeeded.
  12310  PEAP full handshake finished successfully
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12313  PEAP inner method started
  11521  Prepared EAP-Request/Identity for inner EAP method
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  11522  Extracted EAP-Response/Identity for inner EAP method
  11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store -
  24431  Authenticating machine against Active Directory
  24437  Machine not found in Active Directory
  22056  Subject not found in the applicable identity store(s).
  22058  The advanced option that is configured for an unknown user is used.
  22061  The 'Reject' advanced option is configured in case of a failed authentication request.
  11823  EAP-MSCHAP authentication attempt failed
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  5411  EAP session timed out
  However this machine account definately is in the AD, what's wrong? Any idea? Thanks in advance!

  From your screenshot, the client faied in the "Evaluating Group Mapping Policy", after "12304  Extracted EAP-Response containing PEAP challenge-response", it says "client sent result TLV indicating failure"
  For the normal process, this should be sth like:
  12304  Extracted EAP-Response containing PEAP challenge-response
  11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
  11814  Inner EAP-MSCHAP authentication succeeded
  11519  Prepared EAP-Success for inner EAP method
  12314  PEAP inner method finished successfully
  12305  Prepared EAP-Request with another PEAP challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12304  Extracted EAP-Response containing PEAP challenge-response
  12306  PEAP authentication succeeded
  11503  Prepared EAP-Success
  It seems your configuration on MSCHAP has some problem, so double check your PEAP-MSCHAPv2 configuration on both the client and the ACS. In ACS5.1, it should looks like:
  in client, it should looks like:
  BTW, what had you configured for group mapping? In your case, it seems not need it because in Authorization policy, you just used AD1:ExternalGroups instead of Identity Group.
  If you can paste your configured AD parameter(General, Directory Groups, Directory Attributes), access policy(General, Allowed Protocol, Identity, Group Mapping, Authorization), all the steps for the failed auth(including Evaluating Service Selection Policy, Evaluating Identity Policy, Evaluating Group Mapping Policy,Evaluating Authorization Policy), it can help to troubleshoot your problem.

• Windows 7 Supplicant Configuration - ISE PEAP w Machine Auth

  Can anyone tell me the settings for the Windows 7 supplicant that works with ISE and PEAP using machine authentication?  I have an authorization profile that permits the user login only after machine 'WasAuthenticated'.  I have only found this to work by setting the Windows 7 supplicant up to use Single-Sign-On before Windows logon and to specify 'User or Machine' authentication.  Then I'm only successful if I have both wired and wireless connected/on and I perform a logoff/reboot.  Surely this isn't right.  What if a user logs on without any connection with cached credentials and then wants to use wireless?  Can't they just perform both machine and user auth over the wireless connection regardless of prior machine/auth states?  I used the videos from LABMINUTES to configure the policies, but I don't need the ACLs for the WLAN controller because these are autonomous APs.
  Regards,
  Scott

  Microsoft will send both and only cares if one passes. This is the same with radius. ACS and ISE allows you to check to see if the user was authenticated which happens initially on boot. After the initial machine auth, the windows machine will only send user creds. The was machine auth is a workaround to be able to do both. The issue is that when the timeout of the machine creds happen, the devices has to be rebooted. In Cisco Live 2012, they even suggested you don't do this due to not knowing when the cached credentials ACS or ISE will keep this info.
  Sent from Cisco Technical Support iPhone App

• Missing machine authentication - peap acs

  Hi,
  my setup is:
  Cisco ACS 4.0 Release 4.0(1) Build 27 (with thawte certificate)
  WLC 4402 ver 4.0.179.8
  Aironet 1131 LWAPP
  dell laptop with windows xp sp2 with peap auth (using win control of wlan card)
  I experience problem with missing machine authentication even though I have enabled this in acs (Enable PEAP machine authentication). The regkey on the pc's are standard windows (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global with no value set = 0)
  http://support.microsoft.com/kb/309448/en-us
  I get these messages in the wlc log:
  AUTH 14/09/2006 08:48:58 E 0143 2688 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
  AUTH 14/09/2006 08:48:58 E 0376 3852 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
  anyone who can point me in the right direction?
  Is it a windows client problem or a WLC/ACS problem?
  regards rolf

  Hi,
  still have problem with machine authentication that stops working after 3-4days. I narrowed this down to the Cisco ACS, as the only way to resolve this is to reboot the win2003 server running Cisco ACS. I did put en error in my first post, it's not the wlc log that reports this:
  AUTH 26/09/2006 07:51:16 E 0143 0500 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
  AUTH 26/09/2006 07:51:16 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
  It is the Csauth log on the ACS. Have anybody seen this error message and know what it refers to?
  My problem now is that machine authentication works ok for some days, then stops and then the listed error messages starts coming in the csauth log.
  regards rolf

• Machine authentication not working with peap mschapv2

  I have installed ACS ver 4.1.1 trial downloaded from cisco web sites. I have configure 802.1x machine authentication using self generated certificate with unknown user policy configure for windows database authentication. I can authenticate user via peap authentication. but i can never get the machine authentication working. on failed attempted.psv, i found EAP-TLS or PEAP authentication failed during SSL handshake. in the auth.log i found below message:
  TH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::CreateContext: new context id=3
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/paul2.test.com
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Service-Type=2
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Framed-MTU=1500
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Called-Station-Id=00-11-93-69-C5-9A
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Calling-Station-Id=00-0E-7B-30-FA-08
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: EAP-Message=(binary value)
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: Message-Authenticator=(binary value)
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port-Type=15
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-Port=50024
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: NAS-IP-Address=10.20.209.2
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-NAS-Vendor-14=1
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PdeAttributeSet::addAttribute: PDE-Service-ID-0=0
  AUTH 03/02/2008 07:01:13 I 0143 6184 [PDE]: PolicyMgr::SelectService: context id=3; no profile was matched - using default (0)
  AUTH 03/02/2008 07:01:13 I 5081 6184 Done RQ1152, client 2, status 0
  AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 7.
  AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1026, client 50 (127.0.0.1)
  AUTH 03/02/2008 07:01:13 I 0143 6448 [PDE]: PolicyMgr::Process: request type=5; context id=3; applied default profiles (0) - do nothing
  AUTH 03/02/2008 07:01:13 I 5394 6448 Attempting authentication for Unknown User 'host/paul2.test.com'
  AUTH 03/02/2008 07:01:13 I 1645 6448 pvAuthenticateUser: authenticate 'host/paul2.test.com' against CSDB
  AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1026, client 50, status -2046
  AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 8.
  AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
  AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
  AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2046
  AUTH 03/02/2008 07:01:13 I 5094 6448 Worker 1 processing message 9.
  AUTH 03/02/2008 07:01:13 I 5081 6448 Start RQ1027, client 50 (127.0.0.1)
  AUTH 03/02/2008 07:01:13 I 0928 6448 AuthenProcessResponse: process response for 'host/paul2.test.com'
  AUTH 03/02/2008 07:01:13 E 0381 6448 EAP: PEAP: ProcessResponse: invalid TLS data size received: 0
  AUTH 03/02/2008 07:01:13 I 0381 6448 EAP: PEAP: Second phase: 0 authentication FAILED
  AUTH 03/02/2008 07:01:13 I 5081 6448 Done RQ1027, client 50, status -2120
  AUTH 03/02/2008 07:01:13 I 5094 6184 Worker 0 processing message 36.
  If anyone can shed some light on this.
  Cheers,
  Andy

• Machine Authentication and User Authentication with ACS v5.1... how?

  Hi!
  I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
  This is the goal:
  On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
  Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
  I have set up a Windows Sertificate server, and the client (WinXP) are recieving both machine and user certificates just fine.
  I have also managed to set up so Machine Authenticaton works, by setting up a policy rule that checks on certificate only:
  "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
  But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
  I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
  Thank you.

  Hello again.
  I found out how to do this now..
  What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
  After adding that profile to the Identity Store Sequences, and making tthe appropriate rule in the policy, it works.
  You must also remember to change the AuthMode option in Windows XP Registry to "1".
  What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that conditon to work, unfortunately.
  That would have plugged a few security holes for me.

• Machine authentication with MAR and ACS - revisited

  I'm wondering if anyone else has overcame the issue I'm about to describe.
  The scenario:
  We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
  We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
  The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
  The passed authentications log does successfully show the machines authenticating.
  The challege:
  We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the currents standard corporate image).
  In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication.  As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
  In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine maybe authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
  So the user maybe logged on and working on the network - and then choose to undock which activates the wireless.
  The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS vial the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
  Has anyone seen / over come this ?
  Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

  Here's the only thing I could find on extending the schema (I'm not a schema expert):
  http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
  If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
  You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2.  Earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer it's machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just have easily used PEAP on the client side, but told ACS to an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...

• 802.1x PEAP Machine Authentication with MS Active Directory

  802.1x PEAP Machine and User Authentication with MS Active Directory:
  I have a simple pilot-text environment, with
  - Microsoft XP Client,
  - Cisco 2960 Switch,
  - ACS Solution Engine (4.1.4)
  - MS Active Directory on Win 2003 Server
  The Remote Agent (at 4.1.4) is on the same server as the MS AD.
  User Authentication works correctly, but Machine Authentication fails.
  Failed machine authenticaton is reported in the "Failed Attempts" log of the ACS SE.
  The Remote Agent shows an error:
  See Attachment.
  Without Port-Security the XP workstation is able to log on to the domain.
  Many thanks for any indication.
  Regards,
  Stephan Imhof

  Is host/TestClientMan.Test.local the name of the machine? What does the AAA tell for you the reason it fails?

• OSX and PEAP machine authentication

  We are starting to get a few OSX users in our environment, and they can't seem to authenticate to our wireless network using machine authentication with PEAP. They can bind to AD and I see the computer name in AD, but PEAP fails. Has anyone gotten this working successfully?
  The error we get in the RADIUS logs is:
  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
  Thanks!

  If you configure PEAP MsChapv2 properly along with the client side, it will work and you will not get any type of error.  I run PEAP or EAP-TLS on customer environments with ACS, ISE, Microsoft Radius and other radius servers with no issues. If you look at the Apple device guide or search for supported 802.1x encryption types, you will see what type of encryption is supported. You just have to setup the radius and the back end to work.
  Scott

• PEAP : Machine authentication doesn't work

  Hello,
  I'm trying to set up machine authentication and at this time I have some problems.
  I have the following configuration:
  - the users laptop are running WinXP
  - the AP is a 1232
  - ACS 3.3.2
  - external database (Win2000 Active Directory) authentication
  I set up PEAP and it works well when a user is authenticated. However when I enable machine authentication on the ACS and also on the user laptop, it doesn't work. In the ACS logs I can see that the user has not authenticated due to the machine access restriction.
  On the Active Directory I changed the Dial In config. for the computers to allow access.
  Is there anything else that has to be modified in order to perform machine authentication?
  Hope someone will be able to help me.
  Thanks in advance.
  Alex

  Hi Alex
  I have had a similar issue, I found that my PEAP users were fine but Machine authentication failed at the SSL handshake. I.E the machine didn't know where the local certificate was. In the meantime to get the policies working I unchecked the "validate server certificate" on the client. And that works, I would assume that the certificate needs to be in a specific default location for the machine authentication to use it, though thats just a guess.
  I am spending the day to get this working and I'll post what I find out.
  Regards
  Colin

• ACS 5.3, EAP-TLS Machine Authentication with Active Directory

  I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
  My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
  Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
  Evaluating Identity Policy
  15006 Matched Default Rule
  22037 Authentication Passed
  22023 Proceed to attribute retrieval
  24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
  24437 Machine not found in Active Directory
  22016 Identity sequence completed iterating the IDStores
  Evaluating Group Mapping Policy
  12506 EAP-TLS authentication succeeded
  11503 Prepared EAP-Success
  Evaluating Exception Authorization Policy
  15042 No rule was matched
  Evaluating Authorization Policy
  15006 Matched Default Rule
  15016 Selected Authorization Profile - Permit Access
  22065 Max sessions policy passed
  22064 New accounting session created in Session cache
  11002 Returned RADIUS Access-Accept
  I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
  Note: In my Identity Store Sequence, I did enable the option:
  For Attribute Retrieval only:
  If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
  but this only seems to work for internal identity stores (at least based on my testing)
  Under my Access Policy Identity tab, I configured the following Advanced features:
  Advanced Options
  If authentication failed
  RejectDropContinue
  If user not found
  RejectDropContinue
  If process failed
  RejectDropContinue
  And that didn't do anything either.
  Any ideas? Thanks in advance.

  Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
  Then can make a rule in the authorization policy such as
  If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

• Machine authentication on WPA2 PEAP-MSCHAPv2 wireless network

  Is there anyway to setup machine authentication on Leopard or Snow Leopard associating the device to a WPA2 Enterprise wireless network using PEAP with MSCHAPv2

  In Snow Leopard open Network preferences and select the Airport port then click on the Advanced button. Click on the 802.1X tab where you should find what you want.