I'm currently working on a test with Cisco NAC and wired 802.1x.
I am using the Cisco ACS 4.1 server (on a Windows Server 2003 OS). The server and the clients are connected on two Catalyst 2950 switches. The two clients (one Win XP SP2 and one Win 2000 SP4) have the latest Cisco Trust Agent installed.
Note that there isn't an Active Directory in my test network. I'm working with the Internal ACS database.
If I'm logged in to Windows, I can connect, the posture validation rules are checked and I get a response that the system is "Healthy", so that works.
However, when I restart the system or log off and log on again, the Trust Agent tries to authenticate through machine authentication but fails. At this point the client retries the authentication a few times, so the computer "hangs / freezes" on the login screen.
If I pull out the UTP cable when the computer hangs, I can log in to Windows, and after plugging the cable back in, it connects immediately without a problem.
I've checked the ACS logs. I can see the computer authentication problems in the Failed Attempts log. But the funny thing is, even though I am logged in afterwards (by user authentication instead of computer authentication) and the validation is passed, the "Logged-in Users" log says that there aren't any users logged in (although I am logged in, I can ping the ACS server and the Trust Agent icon is green).
But I can see the failed attempts (the computer authentication) and the passed authentication (the user authentication, when I'm already logged in to Windows).
The failed attempts log shows the following:
message-type: authen failed
Authen-failure-code: ACS user unknown
I find the username "host/anonymous" quite strange... shouldn't it be "host/myComputerName" or something like that?
The problem is clear, I think: machine authentication isn't working for some reason. Is there any solution to make it work or, in the worst case, to disable machine authentication on the Windows client? In the Trust Agent "Summary", next to the field "Auto connect" I can see the value "Auto connect as both, Machine and User". But there isn't any way to turn machine authentication off...