Machine Authentication and User Authentication with ACS v5.1... how?

Sep 10th, 2010
I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.

This is the goal:

On wireless (preferably on wired too) networks, get WinXP to machine-authenticate against AD using certificates, so the machine is reachable via, for example, ping, and can also get GPO updates.

Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.

I have set up a Windows Certificate server, and the client (WinXP) is receiving both machine and user certificates just fine.

I have also managed to set things up so Machine Authentication works, by setting up a policy rule that checks on the certificate only:

"Certificate Dictionary:Common Name contains .admin.testdomain.lan"

But to achieve that, I had to set the EAP Type in WinXP to "Smart Card or other Certificate", and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible using certificates too?

I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.

Thank you.

grnetcomss Wed, 09/29/2010 - 13:18
subscribed... i want to know this answer as well...

dal@alesund.kom... Tue, 10/05/2010 - 14:08
Hello again.

I found out how to do this now..

What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.

After adding that profile to the Identity Store Sequences, and making the appropriate rule in the policy, it works.

You must also remember to change the AuthMode option in Windows XP Registry to "1".

What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that condition to work, unfortunately.

That would have plugged a few security holes for me.
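One way to script the AuthMode registry change mentioned above on the XP client, as an added example that is not part of the original post. It assumes the documented EAPOL key path for the Windows XP supplicant and the Wireless Zero Configuration service name (wzcsvc); the meanings given for values 0 and 2 are from Microsoft's documentation of that key, so verify them against the KB for your service pack before relying on them:

```batch
@echo off
rem Added example (not from the original thread): switch the Windows XP 802.1X
rem supplicant to AuthMode 1, i.e. machine authentication at boot followed by a
rem separate user authentication at logon, then read the value back.
rem Must be run from an administrator command prompt on the XP client.

set KEY=HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global

echo Current AuthMode (no output means the value is absent, which is the default 0):
reg query "%KEY%" /v AuthMode 2>nul

rem AuthMode values as documented for the XP supplicant (assumption, verify per SP):
rem   0  machine credentials used when no user is logged on; user credentials after logon
rem   1  machine authentication at boot, then re-authenticate with user credentials at logon
rem   2  machine authentication only, user credentials never used
reg add "%KEY%" /v AuthMode /t REG_DWORD /d 1 /f
if errorlevel 1 (
    echo Failed to write AuthMode - run this from an administrator command prompt.
    exit /b 1
)

echo New AuthMode:
reg query "%KEY%" /v AuthMode

rem The supplicant picks the change up on its next authentication; restarting
rem Wireless Zero Configuration forces one without a reboot.
net stop wzcsvc
net start wzcsvc
```

After the restart, the ACS passed-authentication log should show two separate EAP-TLS sessions for the client: one with the machine certificate's SAN (host/DNS name) before logon and one with the user certificate's SAN (UPN) after logon, which is what the SAN-based Certificate Authentication Profile above is matching on.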


