Machine Authentication not happening with MAR

Unanswered Question
Aug 6th, 2009


WLC (4402)5.1.163

AD 2003 Server

Currently we are using ACS to authenticate VPN users for two domains. In the same ACS we want to configure machine authentication + PEAP + self-signed certificate. Now clients are authenticated with a valid username and password in either domain, but machine authentication is not happening.

Our requirement: we want to achieve machine authentication and user authentication simultaneously, i.e. only computers which are added to a particular group, with a valid username and password, can access the network. If either of the above requirements is not fulfilled, then the end host cannot access the network.

Can anyone suggest what configuration is required to achieve our requirement?

Note: We are using same ACS for VPN authentication.

Robert.N.Barrett_2 Thu, 08/06/2009 - 12:41

Could you let us know how you configured the clients for machine authentication? Also - what kind of machine authentication are you trying to use and what kind of clients you have (PEAP, Windows, Mac, Linux, etc.). Lastly, what database has your machine account information? Active Directory?

geetsingh22 Thu, 08/06/2009 - 20:39

Currently we are using Windows XP SP3.

Client Configuration:

1. Network Authentication: WPA + TKIP

2. EAP type: Protected EAP (PEAP)

3. "Authenticate as computer when computer information is available" is checked

4. "Validate server certificate" is unchecked

5. Authentication Method: EAP-MSCHAPv2

ACS External Database Configuration:

Tick "Enable PEAP machine authentication".

Tick "Enable Machine Access Restrictions".

Ensure that "Group map for successful user authentication without machine authentication:" is mapped to "No Access".

We are using Windows AD database as external database.

Currently we have created one wireless group in AD which is mapped to a group in ACS, and the ACS group is mapped to the SSID in WLC. We are trying to authenticate the computers which are added to the Wireless AD group. But currently all users which are in the AD are authenticated by their username/password instead of machine authentication (computers which are present in the group).

In WLC, client details show domain\username instead of host/computer name.

Your quick response would be highly appreciated!

Robert.N.Barrett_2 Mon, 08/10/2009 - 09:04

I don't see anything wrong with the config, but I'm not sure how you know that machine authentication is not working. What are you seeing in the passed and failed authentication logs? Since it looks like you have enabled machine authentication on the client, you should see something in the ACS passed and failed authentication logs showing that the machine attempted to authenticate.
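The thread turns on two things the passed/failed authentication logs would show: whether the client ever sends a machine identity (Windows PEAP machine authentication presents the computer account as host/computername.domain, whereas a user logon shows DOMAIN\username or user@domain), and how Machine Access Restrictions (MAR) then decide a user authentication that was not preceded by a successful machine authentication from the same client. The following is an added illustration, not code from the original thread or from Cisco ACS: it classifies identities by their format and replays a constructed set of authentication records to show the MAR outcome, mapping "user authentication without machine authentication" to no access as the ACS setting in the thread does. The record layout, the client MAC as the correlation key and the 12-hour aging window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Identity formats (assumed for the example): Windows machine authentication sends
# host/<computer>[.<domain>]; user authentication sends DOMAIN\user or user@domain.
MACHINE_ID = re.compile(r"^host/[^/\\@]+$", re.IGNORECASE)
USER_ID = re.compile(r"^(?:[^\\@]+\\[^\\@]+|[^\\@]+@[^\\@]+)$")

# Constructed sample records (not real ACS log output):
# (timestamp, client MAC / Calling-Station-Id, User-Name, outcome)
SAMPLE_EVENTS = [
    ("2009-08-06 08:55:10", "00-1a-2b-3c-4d-5e", "host/LAPTOP01.example.local", "passed"),
    ("2009-08-06 08:56:02", "00-1a-2b-3c-4d-5e", "EXAMPLE\\alice", "passed"),
    # LAPTOP02 is not in the wireless AD group: its machine auth fails, then bob logs on
    ("2009-08-06 09:05:00", "00-1a-2b-3c-4d-5f", "host/LAPTOP02.example.local", "failed"),
    ("2009-08-06 09:10:30", "00-1a-2b-3c-4d-5f", "EXAMPLE\\bob", "passed"),
    # LAPTOP03 authenticated as a machine the previous evening; the entry has aged out
    ("2009-08-05 19:00:00", "00-1a-2b-3c-4d-60", "host/LAPTOP03.example.local", "passed"),
    ("2009-08-06 09:30:00", "00-1a-2b-3c-4d-60", "EXAMPLE\\carol", "passed"),
]


def classify_identity(identity):
    """Return 'machine', 'user' or 'unknown' based on the identity's format."""
    if MACHINE_ID.match(identity):
        return "machine"
    if USER_ID.match(identity):
        return "user"
    return "unknown"


def summarize(events):
    """Count attempts per identity kind: a quick check that the client sends
    a host/ identity at all (if 'machine' is 0, the supplicant never tried)."""
    counts = {"machine": 0, "user": 0, "unknown": 0}
    for _ts, _mac, identity, _outcome in events:
        counts[classify_identity(identity)] += 1
    return counts


def apply_mar(events, aging_hours=12):
    """Replay records in time order and decide each user authentication under MAR.

    A user authentication is allowed only if the same client MAC completed a
    successful machine authentication within the aging window; otherwise the
    result is the 'no_access' mapping. Returns [(identity, mac, decision), ...].
    """
    last_machine_ok = {}  # client MAC -> time of last successful machine auth
    decisions = []
    for ts, mac, identity, outcome in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        mac = mac.lower()
        kind = classify_identity(identity)
        if kind == "machine":
            if outcome == "passed":
                last_machine_ok[mac] = when
            continue
        if kind != "user":
            continue
        if outcome != "passed":
            decisions.append((identity, mac, "rejected"))
            continue
        seen = last_machine_ok.get(mac)
        if seen is not None and when - seen <= timedelta(hours=aging_hours):
            decisions.append((identity, mac, "allow"))
        else:
            decisions.append((identity, mac, "no_access"))
    return decisions


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    for identity, mac, decision in apply_mar(SAMPLE_EVENTS):
        print(f"{identity:<16} {mac}  {decision}")
```

Run against the constructed records, only alice is allowed: bob's computer failed machine authentication and carol's machine entry is older than the aging window, so both user logons land in the "No Access" mapping even though their credentials were valid. Applied to real logs, a summary with zero machine identities for a given MAC points at the supplicant (the computer never attempted machine authentication), while machine failures point at the AD group membership or the PEAP machine authentication setting on the external database.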
