ACS 4.1 machine authentication problem

Unanswered Question
Dec 20th, 2007

Hi,


I'm using the Cisco NAC framework in order to authenticate both users and machines before granting network access. I'm using Windows AD to authenticate users and machines.


Under "External User Databases" -> Windows Authentication Configuration, you can configure some machine authentication settings.


I have to enable "Enable Machine Access Restriction" in combination with the group map "no access". Otherwise, even though machine authentication has failed, an authorized user can still log in with an unauthorized machine (it will only appear in the failed attempts log but it will not be restricted).


This works, but the problem is the "aging time". The ACS caches the machines for a certain amount of time (12 hours by default). Now if a user logs off and he waits 12 hours to log back on, authentication will fail (because machine authentication is already performed just after being logged off).


Is it possible to force machine authentication (together with the user authentication) at Windows log on?


Kind regards
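
The Machine Access Restriction behaviour described in the question above, modelled as an added example that is not part of the original post and is not ACS code. The class, the machine names, the `user-group` label and the use of whole hours as timestamps are assumptions made for illustration; the 12-hour aging time and the "no access" group map come from the post.

```python
from dataclasses import dataclass, field

AGING_HOURS = 12  # default aging time named in the post


@dataclass
class MarModel:
    """Toy model of Machine Access Restriction (hypothetical, not ACS code)."""
    mar_enabled: bool = True
    aging_hours: float = AGING_HOURS
    # machine id -> hour of its last successful machine authentication
    cache: dict = field(default_factory=dict)

    def machine_auth(self, machine, hour, in_ad=True):
        # Only a successful machine authentication refreshes the cache entry.
        if in_ad:
            self.cache[machine] = hour
        return in_ad

    def user_auth(self, machine, hour):
        # The user's AD credentials are assumed valid; only MAR decides here.
        if not self.mar_enabled:
            return "user-group"
        seen = self.cache.get(machine)
        if seen is None or hour - seen > self.aging_hours:
            return "no-access"  # the group map configured in the post
        return "user-group"


def timeline(mar_enabled=True):
    """Constructed sequence of events; returns the result of each user logon."""
    acs = MarModel(mar_enabled=mar_enabled)
    results = []
    acs.machine_auth("corp-pc", 0)                    # boot
    results.append(acs.user_auth("corp-pc", 1))       # logon one hour later
    acs.machine_auth("corp-pc", 9)                    # logoff: machine re-authenticates
    results.append(acs.user_auth("corp-pc", 9 + 13))  # logon 13 hours later, no reboot
    acs.machine_auth("byod-pc", 30, in_ad=False)      # unauthorized machine fails
    results.append(acs.user_auth("byod-pc", 30))      # valid user on that machine
    return results


if __name__ == "__main__":
    print("MAR on :", timeline(True))
    print("MAR off:", timeline(False))
```

With MAR on, the second logon is mapped to "no access" although the machine is legitimate, which is the aging-time problem the post describes; with MAR off, the valid user on the unauthorized machine is not restricted.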

jsivulka Thu, 12/27/2007 - 06:53

ACS 4.1 machine authentication can work on Windows. This issue occurs in an environment where there is more than one global catalog server for the domain. Restart the CSAuth.exe service, and then try to authenticate again (with machine credentials).
