08-06-2009 03:08 AM - edited 07-03-2021 05:55 PM
ACS (SE) 4.2
WLC (4402) 5.1.163
AD 2003 Server
Currently we are using ACS to authenticate VPN users for two domains. In the same ACS we want to configure machine authentication + PEAP + self-signed certificate. Now clients are authenticated with a valid username and password in either domain, but machine authentication is not happening.
Our requirement: we want to achieve machine authentication and user authentication simultaneously, i.e. only computers which are added to a particular group, with a valid username and password, can access the network. If any one of the above requirements is not fulfilled, then the end host cannot access the network.
Can anyone suggest what configuration is required to achieve our requirement?
Note: We are using same ACS for VPN authentication.
08-06-2009 12:41 PM
Could you let us know how you configured the clients for machine authentication? Also - what kind of machine authentication are you trying to use and what kind of clients you have (PEAP, Windows, Mac, Linux, etc.). Lastly, what database has your machine account information? Active Directory?
08-06-2009 08:39 PM
Currently we are using Windows XP SP3.
Client Configuration:
1. Network Authentication: WPA + TKIP
2. EAP type: Protected EAP (PEAP)
3. Authenticate as computer when computer information is available: (checked)
4. Validate server certificate: (unchecked)
5. Authentication Method: EAP-MSCHAPv2
ACS External Database Configuration:
Tick "Enable PEAP machine authentication".
Tick "Enable Machine Access Restrictions".
Ensure that "Group map for successful user authentication without machine authentication:" is mapped to "No Access".
We are using Windows AD database as external database.
Currently we have created one wireless group in AD which is mapped to a group in ACS, and the ACS group is mapped to the SSID in WLC. We are trying to authenticate the computers which are added to the wireless AD group. But currently all users which are there in the AD are authenticated by their username/password instead of machine authentication (computers which are present in the group).
In WLC, client details show domain\username instead of host/computer name.
Your quick response would be highly appreciated!
08-10-2009 09:04 AM
I don't see anything wrong with the config, but I'm not sure how you know that machine authentication is not working. What are you seeing in the passed and failed authentication logs? Since it looks like you have enabled machine authentication on the client, you should see something in the ACS passed and failed authentication logs showing that the machine attempted to authenticate.
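As an added illustration of what the Machine Access Restrictions setting in the configuration above is meant to enforce, the script below applies the same rule to a passed-authentication log: a user authentication from an endpoint is permitted only if that endpoint passed machine authentication (identity `host/...`) shortly beforehand, otherwise it falls into the "user authentication without machine authentication" case that the original poster mapped to No Access. This is example code written for this thread, not code from Cisco ACS or the WLC; the log lines are constructed and use a simplified four-column layout rather than the real ACS 4.2 CSV columns, and the 12-hour window is an assumed aging value, not a setting read from the poster's ACS.

```python
from datetime import datetime, timedelta

# Constructed sample log, simplified to four fields per line:
# date, time, User-Name, Calling-Station-ID (the client's MAC address).
# It is NOT the exact column layout of the ACS 4.2 Passed Authentications CSV.
SAMPLE_LOG = """\
08/06/2009,08:30:05,host/LAPTOP01.corp.example,00-11-22-33-44-55
08/06/2009,08:30:20,CORP\\alice,00-11-22-33-44-55
08/06/2009,08:35:10,CORP\\bob,66-77-88-99-aa-bb
08/06/2009,09:10:00,CORP\\carol,cc-dd-ee-ff-00-11
08/06/2009,17:45:00,host/DESKTOP07.corp.example,cc-dd-ee-ff-00-11
"""

# Assumed aging window: MAR only honours a machine authentication for a limited
# number of hours afterwards; 12 hours here is an example value, not the poster's setting.
DEFAULT_WINDOW = timedelta(hours=12)


def is_machine_auth(username):
    """PEAP machine authentication presents the computer account as host/<name>."""
    return username.lower().startswith("host/")


def parse_records(text):
    """Parse the simplified log into (timestamp, username, mac) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, time, username, mac = line.split(",")
        ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
        records.append((ts, username, mac.lower()))
    records.sort(key=lambda r: r[0])
    return records


def evaluate(records, window=DEFAULT_WINDOW):
    """Apply the MAR rule: a user authentication is permitted only if the same
    endpoint (matched by MAC) passed machine authentication within `window`
    beforehand. Returns a list of (username, decision) for each user authentication."""
    last_machine_auth = {}
    decisions = []
    for ts, username, mac in records:
        if is_machine_auth(username):
            last_machine_auth[mac] = ts  # remember when this endpoint last authenticated as a machine
            continue
        seen = last_machine_auth.get(mac)
        if seen is not None and ts - seen <= window:
            decisions.append((username, "permit"))
        else:
            # No prior machine authentication for this endpoint: this is the
            # "successful user authentication without machine authentication" case.
            decisions.append((username, "deny"))
    return decisions


def machines_seen(records):
    """Computer names that passed machine authentication. An empty set means the
    clients never attempted it, which is the first thing to check in the ACS logs."""
    return {u for _, u, _ in records if is_machine_auth(u)}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("machine accounts seen:", sorted(machines_seen(recs)))
    for user, decision in evaluate(recs):
        print(f"{user}: {decision}")
```

In the constructed data, alice is permitted because her laptop authenticated as a machine fifteen seconds earlier from the same MAC, bob is denied because his endpoint never presented a `host/` identity, and carol is denied because her desktop's machine authentication only appears later in the day. The `machines_seen` check is the quick test the reply above asks for: if no `host/` identities appear in the passed or failed authentication logs at all, the clients are not attempting machine authentication and the problem is on the supplicant side rather than in the ACS group mapping.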