Computer Authentication /host/machine name using EAP on AP Problem

Unanswered Question
Mar 31st, 2010

Hi All,

I have a wireless access point model 1242 with ACS server. ACS server is integrated with Windows domain. The user authentication is working OK but I would like to have a computer authentication setup. I am using PEAP with MS-CHAPv2 on client machine and on access point using open authentication with EAP. ACS has its own certificate and client has the root certificate. I can see the ACS server pulls the /host/machine name from AD but I am getting (EAP-TLS or PEAP authentication failed during SSL handshake) message on ACS server for computer authentication. What could be the problem? User authentication is working OK....

Does computer authentication require the EAP-TLS? I don't have client certificate in my setup.

I would be grateful for any suggestion / help.

Kayle Miller Wed, 03/31/2010 - 09:17

If you wish to have the machine authenticate to the network as well, then you need to get a certificate for the name of the machine and verify that it's in the local machine store on the computer; then make some changes to the way the wireless is configured.

I have attached a basic flow of how it all gets set up.

Hope this helps.

Robert.N.Barrett_2 Wed, 03/31/2010 - 22:02

You did not mention whether your clients are running Windows or Mac OS (or some mixture of OS's)?  If you are running in a pure Windows environment, it is very easy to enable PEAP machine authentication.  It sounds like you have properly enabled machine authentication on the client side (since you are seeing host/machine auth attempts in the ACS log), but have you enabled machine authentication on the ACS server?

Which version of ACS are you running (hopefully 4.2)?

Read up on this:

ACS supports EAP-TLS, PEAP (EAP-MS-CHAPv2), and PEAP (EAP-TLS) for machine authentication. You can enable each separately on the Windows User Database Configuration page, which allows a mix of computers that authenticate with EAP-TLS or PEAP (EAP-MS-CHAPv2). Microsoft operating systems that perform machine authentication might limit the user authentication protocol to the same protocol that is used for machine authentication. For more information about Microsoft operating systems and machine authentication, see Microsoft Windows and Machine Authentication.

Windows User Database Support

ACS supports the use of Windows external user databases for:

User Authentication—For information about the types of authentication that ACS supports with Windows Security Accounts Manager (SAM) database or a Windows Active Directory database, see Authentication Protocol-Database Compatibility, page 1-8.

Machine Authentication—ACS supports machine authentication with EAP-TLS and PEAP (EAP-MS-CHAPv2). For more information, see EAP and Windows Authentication.

Group Mapping for Unknown Users—ACS supports group mapping for unknown users by requesting group membership information from Windows user databases. For more information about group mapping for users authenticated with a Windows user database, see Group Mapping by Group Set Membership, page 16-3.

Password-Aging—ACS supports password aging for users who are authenticated by a Windows user database. For more information, see User-Changeable Passwords with Windows User Databases.

Dial-in Permissions—ACS supports use of dial-in permissions from Windows user databases. For more information, see Preparing Users for Authenticating with Windows.

Callback Settings—ACS supports use of callback settings from Windows user databases. For information about configuring ACS to use Windows callback settings, see Setting the User Callback Option, page 6-6.

