ACS 4.2 Problem

Unanswered Question
Mar 15th, 2009

I have configured Cisco ACS 4.2 to authenticate the wired network based on Active Directory (Windows 2003).

I used PEAP authentication on the network and everything was OK, but I have a problem: because there is a restriction on the user accounts that limits logon to just the user's computer (in the Active Directory user account settings, logon is limited to specific computers), the ACS can't authenticate users and generates an error log saying that the workstation is not allowed. I also enabled workstation restriction in ACS, but the problem still exists.

There are ACS logs in the attachment.

Overall Rating: 5 (1 ratings)
JamesLuther Sun, 03/15/2009 - 10:49
User Badges:
  • Silver, 250 points or more


By default everyone who's authenticated on the ACS is authenticated against a workstation object called CISCO in AD.

So you need to create the workstation called CISCO and allow users to log on to this object.


Tiago Antunes Sun, 12/05/2010 - 02:39
User Badges:
  • Cisco Employee


It looks like you have 3 problems here, which translate into the 3 failure reasons you are seeing in the Failed Attempts:

1 - SH-RASTEGAR\26320 -> Windows workstation not allowed
2 - SH-RASTEGAR\26320 -> Windows External DB user access was denied due to a Machine Access Restriction
3 - host/ -> Machine authentication is not permitted



1 - This error means that the user is not allowed to log in from the machine he is trying to log in from. This is a setting in AD, and if you want to allow the user to log in from this machine you have to change this security setting in AD.

2 - This means that you have MAR (Machine Access Restriction) configured. And this means that a user can only log in from a machine that has already passed machine authentication. If the machine has not yet authenticated successfully, you will get this message.

3 - This means that the machine "host/" tried to authenticate; however, machine authentication is disabled on ACS. To enable it you need to check the matching box:

Enable PEAP machine authentication.
Enable EAP-TLS machine authentication.

This can be found under ACS GUI -> External User Database -> Database Configuration -> Windows Database -> Configure.




If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

