Machine authentication by certificate and windows domain checking

Answered Question
Jun 22nd, 2007


We intend to deploy machine's certificate authentication for wifi users.

We want to check certificate validity of the machine, and also that the machine is included on the windows domain.

We intend to use EAP-TLS :

- One CA server.

- each machine (laptop) retrieves its own certificate from GPO or SMS

- the public certificate of the CA is pushed on the ACS as well as on each of the machine (laptop)

- ACS version is the appliance one

- one ACS remote agent installed on the A.D.

- when a user intends to log on the wifi network :

- the server (ACS appliance) sends its certificate to the client. The client checks the certificate thanks to the CA server certificate it already trusts; result: the client also trusts the ACS's certificate signed by the CA server.

- the client sends its certificate to the server (ACS appliance). The ACS checks the certificate thanks to the CA server certificate it already trusts; result: the ACS also trusts the client's certificate signed by the CA server, but the ACS also checks that this certificate isn't revoked (the ACS checks this thanks to the CA server CRL, certificate revocation list).

Am I right about these previous points ?

And then my question is : is it possible to check that the machine is also included in the windows domain ?

That is, is it possible for the ACS to retrieve the needed field (perhaps CN, certificate type "host/....") and then perform an authentication request to the A.D. (Active Directory) thanks to the ACS remote agent? We want to perform only machine authentication, not user authentication.

Thanks in advance for your attention.

Best Regards,


Correct Answer by Premdeep Banga about 9 years 3 months ago

Hi Arnaud,

You are right.

Once the Remote Agent and the clients are configured properly, it will work the way you want it to.

One more option to consider,

Also check "Enable machine access restrictions"

Premdeep Banga Fri, 06/22/2007 - 07:24

Hi Arnaud,

You are right on track!

You are correct about how it will work.

About your question on checking the machine certificate, you just need to check one check box, and ACS will check the "host/......" of the machine for its validity.

External User Databases > Database Configuration > Windows Databases > Configure > Windows Database Configuration >

Check "Enable EAP-TLS machine authentication" and you are done.

And for the client, as you *only* want to do machine authentication, you need to make the following changes on the client/supplicant,






0 : Disable IEEE 802.1X authentication operation.

1 : Prevent transmission of EAPOL start and EAPOL log off packets under all scenarios.

2 : Include learning to determine when to initiate the transmission of EAPOL packets. A Windows XP Service Pack 2 (SP2)-based computer will only send an EAPOL start frame if the computer receives an EAP request identity frame and if no internal process is currently ongoing.

3 : Compliant with IEEE 802.1X authentication specification.


0 : Use the default Windows XP authentication

1 : Always perform user authentication when a user logs on

2 : Perform computer authentication only



arnaud.dessauva... Fri, 06/22/2007 - 07:35

Hi Prem,

Thanks for your reply.

Just to be sure I understand correctly, the ACS will check the field "host/..." of the certificate against the entries of the A.D. ?

So I need to deploy remote agent on the A.D.

Then it could be possible for the ACS to deny an authentication if the machine certificate is valid, but the machine is not a member of the windows domain?

Thanks for your attention.

Best Regards,


arnaud.dessauva... Fri, 06/22/2007 - 07:45


Many thanks for all these inputs.

That's great!

I'm going to perform tests in order to deploy the architecture.

I'm also going to have a closer look at the link you pointed to me.

Best Regards,


arnaud.dessauva... Tue, 07/03/2007 - 06:34

Hi Prem,

I'm presently in the step of testing and validating the setup.

I've configured the radio part (cisco airespace), the acs appliance (v4.1), the Active Directory and the Certificate Authority (windows).

I've added a laptop in the windows domain.

A machine certificate has been assigned to the laptop.

I've configured the windows wifi client for EAP TLS. I've also added the 2 registry keys.

I've installed the ACS remote agent on the domain controller. I've configured the external user database (domain list retrieved by the remote agent and machine authentication enabled).

When trying to connect on the wifi SSID, I can't manage to authenticate.

The laptop managed to associate, but in no way to authenticate.

I couldn't see failed attempts on the ACS.

On the client, an error message indicated that windows couldn't find certificate to authenticate.

So I've added a user certificate on the laptop.

I still couldn't manage to authenticate, but I no longer have the previous error message. And still no logs on the ACS.

Then I've modified the setup of the windows wifi client. I've configured PEAP. Then, when trying to associate, I have the popup for user/password. I can't manage to log on, which is 'normal' because PEAP isn't configured on the ACS. But at least, I can see failed attempts on the ACS logs.

So it seems I'm doing something wrong on the windows wifi client.

Would someone have any advice?

Thanks in advance for your attention.

Best Regards,


Premdeep Banga Tue, 07/03/2007 - 06:45

Hi Arnaud,

As you have mentioned that you are able to get hits on ACS with PEAP, then we can rule out the issue of NAS and client communication.

Now as we are using 4.1 (I guess), in this sometimes what you get/don't get on fail/pass logs isn't the complete story.

Increase the level of detail on ACS from System Configuration > Service Control > Full > Restart

Get one authentication attempt by EAP-TLS, and make sure that controller is indeed sending the access request to ACS.

Then you can extract the detailed logs from ACS.

System Configuration > Support > Run support Now.

Check the auth.log and RDS.log, it will give you ample information about what's happening.

But it could also be a client misconfiguration issue as well. At this point we cannot pinpoint a certain direction.




arnaud.dessauva... Wed, 07/04/2007 - 03:51

Hi Prem,

Thanks for these inputs.

I've passed the logs details to full, performed other tests and retrieved the

I've started investigating the 2 log files you pointed.

First, we can see that the requests reach the ACS, so that's a good point.

Then, I'm not sure how to understand the messages.

In the auth.log, we can see the message "no profile match". I guess it is about network access profile. For my purpose (machine authentication by certificate), I don't think Network Access Profiles are mandatory to configure.

But I'm not sure this NAP problem is the root cause of my problem.

And when no NAP is matched, then the default action should accept.

We can see the correct name of the machine (host/...). We can see that it's trying to authenticate this machine "against CSDB". Then we have several lines with "status -2046" but I can't understand what the problem is.

I don't know what CSDB is.

I've configured external user database: for this, I've configured windows database with Remote Agent. The domain is retrieved and added in the domain list. And EAP-TLS machine authentication is enabled.

I copy below an extract of the auth.log.

I also attach parts of auth.log and RDS.log.

Do you have any ideas or advice?

Thanks in advance for your attention.

Best Regards,


AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------


AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1

AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/


AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)


AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing

AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/'

AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/' against CSDB

AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046


Premdeep Banga Wed, 07/04/2007 - 04:59

Thanks for the logs,

It seems like ACS is only checking its internal database, not the windows database.

Make sure that you have configured Unknown User Policy properly.

External User Databases > Unknown User Policy

Make sure that it is not set to fail the attempt; the windows database should be selected.

Also, as this is related to windows, if we are using ACS SE, check the CSWinagent logs too, which can be found under the installation folder of the Remote Agent.

Summarizing, the host is not being looked up in AD, I guess some configuration issue.



arnaud.dessauva... Wed, 07/04/2007 - 06:22


Before reading your last post, I've added a Network Access Profile.

Its configuration is basic. It accepts all protocols.

I've retried the tests and retrieved the

Then, the ACS tries to authenticate the request against the windows database, but it seems without response (NULL response supplied).

And in the ACS / reports and activity / failed attempts: now I have an entry: "EAP-TLS, EAP type not configured".

I've checked my EAP-TLS configuration, but I've followed the indications pointed by the cisco doc. Maybe I've missed a parameter, but I don't think so.

What is strange is that I don't have new messages in failed attempts. But I would expect several entries (each time the laptop retries to connect / authenticate)?

I've checked the parameters you pointed to me in your last post: windows database is well configured for unknown external database

And finally, regarding the logs on the remote agent, there are no entries in it.

Here are extracts from auth.log:

AUTH 04/07/2007 14:21:58 I 1645 1984 pvAuthenticateUser: authenticate 'host/' against Windows Database

AUTH 04/07/2007 14:21:58 I 5081 1984 Done RQ1026, client 50, status -2046

AUTH 04/07/2007 14:21:58 I 5094 1984 Worker 6 processing message 45.

AUTH 04/07/2007 14:21:58 I 5081 1984 Start RQ1027, client 50 (


AUTH 04/07/2007 14:22:52 I 2817 1852 AuthenReaperThread: freeing session id 4b

AUTH 04/07/2007 14:22:52 I 0396 1852 External DB [NTAuthenDLL.dll]: Response from user [host/] with state [0]

AUTH 04/07/2007 14:22:52 I 0396 1852 External DB [NTAuthenDLL.dll]: NULL response supplied

AUTH 04/07/2007 14:22:52 I 0143 1852 [PDE]: PolicyMgr::TerminateContext: context id=57 is deleted

Best Regards,
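To compare the two auth.log extracts quoted in this thread (the first showing the lookup "against CSDB", the second "against Windows Database" followed by "NULL response supplied"), here is an added Python helper that is not part of the original discussion or of ACS itself. It parses lines in the format shown above and reports which database each request went to and how it ended; the sample lines are constructed from the extracts, and the findings restate the interpretations given in the replies (internal-database-only lookup points at Unknown User Policy; no reply from NTAuthenDLL points at the Remote Agent).

```python
import re

# Constructed sample, modelled on the auth.log extracts quoted in the thread
# (the hostname after "host/" is blank, exactly as in the original posts).
SAMPLE_LOG = """\
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/' against CSDB
AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046
AUTH 04/07/2007 14:21:58 I 1645 1984 pvAuthenticateUser: authenticate 'host/' against Windows Database
AUTH 04/07/2007 14:21:58 I 5081 1984 Done RQ1026, client 50, status -2046
AUTH 04/07/2007 14:22:52 I 0396 1852 External DB [NTAuthenDLL.dll]: NULL response supplied
"""

# Field layout as it appears in the extracts: AUTH date time level code thread message
LINE_RE = re.compile(r"^AUTH (\S+) (\S+) ([A-Z]) (\d{4}) (\d+) (.*)$")
AUTH_RE = re.compile(r"authenticate '([^']*)' against (.+)$")
STATUS_RE = re.compile(r"Done RQ\d+, client \d+, status (-?\d+)")

def parse_auth_log(text):
    """Return one dict per well-formed AUTH line; other lines are ignored."""
    keys = ("date", "time", "level", "code", "thread", "msg")
    return [dict(zip(keys, m.groups())) for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize(records):
    """Collect what a reviewer looks for: user names, databases consulted, statuses, DLL replies."""
    s = {"users": set(), "databases": [], "statuses": [], "null_response": False, "no_profile_match": False}
    for r in records:
        msg = r["msg"]
        if m := AUTH_RE.search(msg):
            s["users"].add(m.group(1))
            s["databases"].append(m.group(2))
        elif m := STATUS_RE.search(msg):
            s["statuses"].append(int(m.group(1)))
        elif "NULL response supplied" in msg:
            s["null_response"] = True
        elif "no profile was matched" in msg:
            s["no_profile_match"] = True
    return s

def findings(s):
    """Turn the summary into the checks the thread itself arrived at."""
    out = []
    if s["databases"] and all(db == "CSDB" for db in s["databases"]):
        out.append("only the ACS internal database (CSDB) was consulted: review Unknown User Policy")
    if "Windows Database" in s["databases"] and s["null_response"]:
        out.append("Windows Database consulted but NTAuthenDLL returned no response: check Remote Agent logs and version match")
    if any(st != 0 for st in s["statuses"]):
        out.append("non-zero request status: " + ", ".join(str(st) for st in s["statuses"]))
    return out
```

Running `findings(summarize(parse_auth_log(SAMPLE_LOG)))` on the combined sample reports the NTAuthenDLL and status findings; on the first four lines alone it reports the CSDB-only lookup.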


Premdeep Banga Wed, 07/04/2007 - 06:30

You are right, it seems like something is not configured right. For basic testing I would recommend you not to mix in NAP.

And I guess we have ACS Solution Engine/Appliance? correct me if I am wrong.

Check the Remote Agent logs, and

make sure that we have the correct version installed to talk to AD.

Suppose you have ACS version, then go to the command prompt on the machine where RA is installed.

And issue this command under the bin folder

bin\csagent -v

Both versions must match.



arnaud.dessauva... Wed, 07/04/2007 - 06:59


You're right, it's an appliance version of the ACS.

Here are the versions :

remote agent (on windows): 4.1(3.12)

ACS appliance:

So they're both 4.1, but minor release / build version are not the same.

I connected to the cisco download page of ACS software. There are lots of different versions, both for ACS as well as for the remote agent.

I've retrieved the remote agent

Should I install this version of the remote agent instead of the ?

Or should I upgrade the ACS software ?

And should I apply the latest patches? Or must I apply the patches only if cisco TAC require me to do so? I've started reading the release notes, and I could notice issues regarding EAP-TLS in particular setups.


Premdeep Banga Wed, 07/04/2007 - 07:03

You can go any way you want.

but ACS version and RA version need to be the same

both need to be either or both need to be

And if you have upgrade or that's good; if not, you won't be able to download it. You would be required to contact TAC, so that they can publish it for you.



Premdeep Banga Wed, 07/04/2007 - 07:04


*And If you have upgrade or

*And If you have upgrade for

