02-15-2008 01:40 AM - last edited on 03-25-2019 05:25 PM by ciscomoderator
I'm trying to implement Machine Authentication with PEAP and ACS. Computers authenticate OK (according to the ACS log) and users authenticate OK too.
When I enable Machine Access Restriction in ACS, authentication fails due to Machine Access Restriction.
Why is that?
Is it possible to add two different Windows Groups to one ACS group, to make it a logical AND operator?
Example: ACS Group 10 contains Windows User Group 1 and Windows Computer Group 1. If the computer is not in the list, authentication fails because of the AND operator...
Gr.
Remco
02-20-2008 06:17 PM
We ended up nesting domain-computers & domain-users under the same AD group. Called it domain-dot1x and used that for the ACS group matching. Works great. One caveat.. Had a few random issues w/ the ACS remote agent running on the domain controller. Seems after some time (months usually) the agent stops processing machine (computer) accounts, but will continue to authenticate user accounts. Upgrading to 4.1.4 this weekend to see if that helps.
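The group nesting described in the reply above, as an added PowerShell example (not code from the original thread or from Cisco): it creates the single umbrella group the poster named, nests the built-in Domain Computers and Domain Users groups inside it, and then checks what a token-style (transitive) group lookup returns for a machine account and a user account. The OU path, the workstation name WS-LAB01$ and the user jdoe are assumptions; the group name domain-dot1x is the one used in the post.

```powershell
# Added example: one AD group that contains both machine and user accounts,
# so ACS needs a single Windows-group-to-ACS-group mapping instead of a
# logical AND of two groups. Requires the RSAT ActiveDirectory module and
# rights to create groups in the target OU.
Import-Module ActiveDirectory

$GroupName = 'domain-dot1x'                      # name from the post
$TargetOU  = 'OU=Groups,DC=example,DC=local'     # assumed; change to your domain

# 1. Create the umbrella group once. Universal security scope so it can be
#    evaluated anywhere in the forest.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
                 -Path $TargetOU -PassThru `
                 -Description 'Machine + user accounts for ACS PEAP/EAP-TLS group mapping'
}

# 2. Nest the two built-in groups. Every computer and every user account in
#    the domain is now transitively a member of domain-dot1x.
Add-ADGroupMember -Identity $group -Members 'Domain Computers', 'Domain Users'

# 3. Verify membership the way a logon token sees it. tokenGroups is the
#    transitive list of security-group SIDs and includes membership that comes
#    through the account's primary group (Domain Users / Domain Computers),
#    which a plain lookup of the 'member' attribute does not show.
function Test-Dot1xMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $obj = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'"
    if (-not $obj) { throw "No account named $SamAccountName" }

    $entry = [ADSI]"LDAP://$($obj.DistinguishedName)"
    $entry.RefreshCache(@('tokenGroups'))
    $sids = $entry.Properties['tokenGroups'] |
            ForEach-Object { (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value }

    $target = (Get-ADGroup -Identity $GroupName).SID.Value
    [pscustomobject]@{
        Account = $SamAccountName
        InDot1x = [bool]($sids -contains $target)
    }
}

# Sample accounts are assumptions: a workstation's machine account (note the
# trailing $) and an ordinary user. Both should report InDot1x = True.
'WS-LAB01$', 'jdoe' | ForEach-Object { Test-Dot1xMembership -SamAccountName $_ }
```

If the machine account reports False here, the authentication server cannot match it either, which is worth checking before blaming the ACS agent: a computer whose primary group has been changed away from Domain Computers, or one sitting in a different domain of the forest, will not inherit the nested membership.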
02-28-2008 09:06 AM
I'm curious. What client/supplicant are you using? We're trying to do something similar, PEAP & ACS, but it seems like only the Windows XP supplicant sends machine credentials, and thus those are the only machines that authenticate.
Other clients we've tried are Cisco ADU, Juniper Odyssey & a Dell supplied utility.
Enabling Machine Access Restriction stops all but the XP clients.
02-28-2008 01:58 PM
You need to point it to your domain in your global authentication. It then should query AD and find the machines. This works fine for us with 100+ machines. We are doing EAP-TLS but it shouldn't matter.