05-23-2012 07:35 AM - edited 03-10-2019 07:06 PM
Hi Community,
We use the AnyConnect client for machine authentication. For WLAN, authentication is done by the WLC, which asks ACS 5.3, which uses Active Directory as the identity store. We have enabled Machine Authentication and Machine Access Restrictions (MAR) with an aging time of 2160 hours (90 days).
The problem appears if the user hibernates, or if ACS is reloaded and the machine authentication timer has expired. The user needs to log out and wait, or reboot, so that the machine authenticates, and then the user can log in again.
ACS logs: "ACS has not been able to confirm previous successful machine authentication for user in Active Directory"
Somebody mentioned there is a hidden feature in AnyConnect that allows machine authentication while a user is logged in to the machine. Does somebody know how to enable this?
Thank you.
05-23-2012 09:24 AM
I am not aware of any such hidden feature on AnyConnect that allows machine authentication while a user is logged in.
Two other comments here:
- There is a feature coming on AnyConnect called "EAP chaining" that will perform both user and machine authentication in the same request. It is currently a "beta" feature. I do not know the time frame for full availability.
- I am assuming your issue may be due to ACS reloading or being redirected due to a load balancer. In ACS 5.4 there is a feature that allows replication of MAR cache information between groups of ACS servers in a deployment.
07-22-2012 09:39 PM
I have a similar issue with the machine authentication showing the same error message.
The clients are connecting to wireless (Cisco WLC) successfully, but after being idle for some time (random) they get disconnected and then fail to reconnect.
The ACS shows
"ACS has not been able to confirm previous successful machine authentication for user in Active Directory" as well.
It can only be resolved after the client is rebooted or logged off.
The aging timeout was set to 6 months, so it should not be caused by this unless there's a bug.
The ACS is using 5.2.
Any idea?
Thanks
07-23-2012 09:41 PM
Yes,
This issue could be related to the WLC authenticating to a different ACS. Do you have multiple ACS? If so, then take a look at your monitoring reports and see if the user authentication was performed on a different ACS than the machine authentication. The feature in 5.4 should avoid this behavior.
Thanks,
Tarik Admani
*Please rate helpful posts*
07-24-2012 01:59 AM
Yes, we have multiple ACS (primary & secondary).
That's what I suspected before, but on the reports it all shows only the primary ACS in the "ACS Instance" column.
So all the authentications were going to the 'correct' ACS, but somehow the client gets disconnected, and when they try to reconnect it fails and the ACS shows the error message (not able to confirm previous successful machine authentication), even though all the authentications went to this ACS instance and the aging timeout has been configured for a long time.
Can you elaborate on how ACS 5.4 might be able to resolve this issue?
07-24-2012 02:01 AM
How often does this occur? The only other reason would be if the services ever restarted on the ACS. What patch level are you on?
Tarik Admani
*Please rate helpful posts*
07-24-2012 02:07 AM
It happens randomly and only affects some users, so it's quite difficult to isolate the problem.
We can troubleshoot only when the users complain they cannot connect, and we found those complaints are all the same in the ACS log.
The issue can only be resolved if the users reboot the laptops, which is not quite acceptable.
The ACS service itself was never restarted.
The patch is on 5-3-0-40-4.
07-24-2012 02:45 AM
Are the clients that are complaining having issues because their machine authentication expired? Also, what is the machine authentication period set to? It would be easier if you could track when the previous machine authentication occurred. Also, can you confirm whether the users are always on wireless, or are they on wired and then see this problem when they move to a wireless connection? The reason is that the calling-station-id (MAC address) is also a key factor in how machine authentication is tracked.
Thanks,
Tarik Admani
*Please rate helpful posts*
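The post above describes the MAR cache as being keyed by calling-station-id, aged out after the configured timer, and (until the 5.4 replication feature) held per ACS instance. The following is an added illustration, not code from this thread or from Cisco ACS: it replays constructed sample events through a model of such a cache and reports, for each user authentication, whether the "cannot confirm previous machine authentication" condition would arise and why (different MAC, different ACS instance, service restart, or aging). The event tuples and instance names are constructed, and the 90-day aging value is the one given in the original question.

```python
from datetime import datetime, timedelta

# Aging time from the thread: 2160 hours (90 days).
MAR_AGING = timedelta(hours=2160)

# Constructed sample events, not real ACS log lines:
# (timestamp, ACS instance, event kind, identity, calling-station-id)
EVENTS = [
    ("2012-04-01 08:00:00", "acs-primary",   "machine", "host/LAPTOP01", "00:11:22:33:44:55"),
    ("2012-04-01 08:00:05", "acs-primary",   "user",    "alice",         "00:11:22:33:44:55"),
    ("2012-04-02 09:00:00", "acs-secondary", "user",    "alice",         "00:11:22:33:44:55"),
    ("2012-04-02 09:30:00", "acs-primary",   "user",    "alice",         "66:77:88:99:aa:bb"),
    ("2012-04-03 07:00:00", "acs-primary",   "restart", "",              ""),
    ("2012-04-03 07:05:00", "acs-primary",   "user",    "alice",         "00:11:22:33:44:55"),
    ("2012-04-03 07:06:00", "acs-primary",   "machine", "host/LAPTOP01", "00:11:22:33:44:55"),
    ("2012-07-25 10:00:00", "acs-primary",   "user",    "alice",         "00:11:22:33:44:55"),
]


def replay(events, aging=MAR_AGING, mar_replicated=False):
    """Replay events through a MAR cache keyed by calling-station-id.

    Each ACS instance keeps its own cache unless mar_replicated is set
    (the 5.4 replication behaviour mentioned in the thread). A service
    restart empties that instance's cache; with replication the peers
    still hold the entries, so nothing is lost.
    Returns one (timestamp, identity, mac, verdict) tuple per user auth.
    """
    cache = {}   # (instance or "shared", mac) -> time of last machine auth
    verdicts = []
    for ts, instance, kind, identity, mac in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        scope = "shared" if mar_replicated else instance
        if kind == "restart":
            if not mar_replicated:
                for key in [k for k in cache if k[0] == instance]:
                    del cache[key]
            continue
        key = (scope, mac)
        if kind == "machine":
            cache[key] = t          # successful machine auth refreshes the entry
            continue
        last = cache.get(key)
        if last is None:
            verdict = "FAIL: no prior machine auth for this calling-station-id on " + instance
        elif t - last > aging:
            verdict = f"FAIL: machine auth is {(t - last).days} days old, beyond aging"
        else:
            verdict = "OK"
        verdicts.append((ts, identity, mac, verdict))
    return verdicts
```

Running `replay(EVENTS)` shows the secondary-instance, changed-MAC, post-restart and aged cases all failing, while `replay(EVENTS, mar_replicated=True)` clears the secondary-instance and post-restart cases and leaves only the MAC change and the 113-day-old entry failing.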
07-25-2012 09:03 PM
After further troubleshooting:
The machine itself is always on wireless.
But as for the username, most of the users say it's just used for wireless. Some users say they use their usernames on wired PCs, but the wired PC should have a different MAC, so it should be the issue.
The machine authentication period is 6 months, so it should not get expired from the ACS.
But somehow, when the clients get disconnected, they can't reconnect since the ACS asks for another machine authentication.
The ACS logs then show the error message.
Is there any way to see the machine authentication cache in the ACS?
07-26-2012 07:22 AM
At this point your best bet is to open a TAC case in order to get specific directions on how to troubleshoot this issue. Also, there is not a way to view the machine authentication cache on the ACS.
Thanks,
Tarik Admani
*Please rate helpful posts*