Machine Authentication

remco.gussen
Level 1

I'm trying to implement Machine Authentication with PEAP and ACS. Computers authenticate OK (according to the ACS log) and users authenticate OK too.

When I enable Machine Access Restriction in ACS, authentication fails due to Machine Access Restriction.

Why is that?

Is it possible to add two different Windows Groups to one ACS group, to make it a logical AND operator?

Example: ACS Group 10 contains Windows User Group 1 and Windows Computer Group 1. If the computer is not in the list, authentication fails because of the AND operator...

Gr.

Remco

3 Replies

Jacob-Harris
Level 1

We ended up nesting domain-computers & domain-users under the same AD group. Called it domain-dot1x and used that for the ACS group matching. Works great. One caveat: had a few random issues with the ACS remote agent running on the domain controller. Seems after some time (months usually) the agent stops processing machine (computer) accounts, but will continue to authenticate user accounts. Upgrading to 4.1.4 this weekend to see if that helps.

mscherting
Level 1

I'm curious, what client/supplicant are you using? We're trying to do something similar, PEAP & ACS, but it seems like only the Windows XP supplicant sends machine credentials, so those are the only machines that authenticate.

Other clients we've tried are Cisco ADU, Juniper Odyssey & a Dell-supplied utility.

Enabling Machine Access Restriction stops all but the XP clients.

miwitte
Level 4

You need to point it to your domain in your global authentication. It then should query AD and find the machines. This works fine for us with 100+ machines. We are doing EAP-TLS but it shouldn't matter.
