EAP-TLS Machine only Authentication with Cisco ACS Appliance (and WinXP LT)

Sep 24th, 2008

Hi all,

Is it possible to have the following

LT --------WCS ---------ACS ---------RA ------AD DC

Now is it possible to have the Laptop just use EAP-TLS Machine auth to the ACS only, without using the external AD?

The plan is to use AD eventually, but for a proof-of-concept, just would like the LT for this stage to machine auth with the ACS?

All the correct certs are on the ACS and LT.

The LT is connecting to the ACS but in the failed radius attempts, we get the following :-

Machine authentication is not permitted

I thought I may have to set up a user name in the ACS internal DB with the hostname of the LT, but then you have to set a password, so now I am thinking that this is not possible?

I'm sure ACS should be able to do a full machine eap-tls auth with a laptop?

If anyone could help?

Many thx


miwitte Wed, 09/24/2008 - 08:20

You need AD to verify that the machine is a domain member (Machine Auth). What kind of certs are you using for the ACS and client? Also there is a registry key that must be changed to allow the supplicant to use machine based instead of user based: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]

The auth mode 2 makes it machine based, and SupplicantMode 3 makes it send an EAP packet first. You might try to uncheck the machine auth box and just put the machine name as a user.
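The reply above points at the EAPOL registry key on the Windows XP laptop without showing how to check it. The following PowerShell script is an added example, not code from the thread or from Cisco; it audits that key against the two values the reply names (AuthMode 2 for machine-only authentication, SupplicantMode 3 to send the EAP packet first) and can optionally apply them. The value names AuthMode and SupplicantMode and the meaning of 2 and 3 are taken as given in the reply; the key path is the one quoted there. It assumes PowerShell is installed on the XP laptop and is run from an elevated prompt.

```powershell
# Added example (not from the thread): audit the XP supplicant's EAPOL settings
# described in the reply. Key path and value meanings are as given in the reply.

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'

# Desired values for machine-only EAP-TLS, per the reply:
#   AuthMode 2       -> machine-based authentication
#   SupplicantMode 3 -> supplicant sends the EAP packet first
$Desired = @{ AuthMode = 2; SupplicantMode = 3 }

function Get-EapolSetting {
    param([string]$Name)
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-MachineOnlyEapol {
    # Returns a list of findings; an empty list means the key matches $Desired.
    $findings = @()
    if (-not (Test-Path $KeyPath)) {
        $findings += "Key $KeyPath does not exist (defaults in effect; machine-only mode not set)"
        return $findings
    }
    foreach ($name in $Desired.Keys) {
        $current = Get-EapolSetting -Name $name
        if ($null -eq $current) {
            $findings += "$name is not set (expected $($Desired[$name]))"
        } elseif ($current -ne $Desired[$name]) {
            $findings += "$name is $current (expected $($Desired[$name]))"
        }
    }
    return $findings
}

function Set-MachineOnlyEapol {
    # Applies the desired values. Supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }
    foreach ($name in $Desired.Keys) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$name", "Set DWORD to $($Desired[$name])")) {
            Set-ItemProperty -Path $KeyPath -Name $name -Value $Desired[$name] -Type DWord
        }
    }
}

# Audit only by default; the Set call is left commented so nothing changes unintentionally.
$findings = @(Test-MachineOnlyEapol)
if ($findings.Count -eq 0) {
    Write-Host 'Supplicant is configured for machine-only authentication.'
} else {
    $findings | ForEach-Object { Write-Host "FINDING: $_" }
    # Preview, then apply:
    # Set-MachineOnlyEapol -WhatIf
    # Set-MachineOnlyEapol
}
```

Running the script as-is only reports whether the laptop's supplicant is set the way the reply describes; uncomment the last lines to apply the values, using -WhatIf first to see exactly which registry writes would happen.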
