Machine Authentication

Feb 15th, 2008

I'm trying to implement Machine Authentication with PEAP and ACS. Computers authenticate OK (according to the ACS log) and users authenticate OK too.

When I enable Machine Access Restriction in ACS, authentication fails due to Machine Access Restriction.

Why is that?

Is it possible to add two different Windows Groups to one ACS group, to make it a logical AND operator?

Example: ACS Group 10 contains Windows User Group 1 and Windows Computer Group 1. If the computer is not in the list, authentication fails because of the AND operator...

Jacob-Harris Wed, 02/20/2008 - 18:17

We ended up nesting domain-computers & domain-users under the same AD group. Called it domain-dot1x and used that for the ACS group matching. Works great. One caveat: had a few random issues with the ACS remote agent running on the domain controller. Seems after some time (months usually) the agent stops processing machine (computer) accounts, but will continue to authenticate user accounts. Upgrading to 4.1.4 this weekend to see if that helps.

mscherting Thu, 02/28/2008 - 09:06

I'm curious: what client/supplicant are you using? We're trying to do something similar, PEAP & ACS, but it seems like only the Windows XP supplicant sends machine credentials, and thus those are the only machines that authenticate.

Other clients we've tried are Cisco ADU, Juniper Odyssey & a Dell supplied utility.

Enabling Machine Access Restriction stops all but the XP clients.

miwitte Thu, 02/28/2008 - 13:58

You need to point it to your domain in your global authentication. It then should query AD and find the machines. This works fine for us with 100+ machines. We are doing EAP-TLS but it shouldn't matter.
