Machine Access Restriction Timeout

Unanswered Question
May 23rd, 2012

Hi Community,

We use the AnyConnect client for machine authentication. For WLAN, authentication is done by the WLC, which asks ACS 5.3, which uses Active Directory as the identity store. We have enabled Machine Authentication and Machine Access Restrictions (MAR) with an aging time of 2160 hours (90 days).

The problem appears if the user hibernates or ACS is reloaded and the machine authentication timer has expired. The user needs to log out and wait, or reboot so that the machine authenticates, and then the user can log in again.

ACS logs: "ACS has not been able to confirm previous successful machine authentication for user in Active Directory"

Somebody mentioned there is a hidden feature in AnyConnect that allows machine authentication while a user is logged in to the machine. Does somebody know how to enable this?

Thank you.

jrabinow Wed, 05/23/2012 - 09:24

I am not aware of any such hidden feature on AnyConnect that allows machine authentication while a user is logged in.

Two other comments here:

- There is a feature coming on AnyConnect called "EAP-chaining" that will perform both user and machine authentication in the same request. It is currently a "beta" feature. I do not know the time frame for full availability.

- I am assuming your issue may be due to ACS reloading or being redirected due to a load balancer. In ACS 5.4 there is a feature that allows replication of MAR cache information between groups of ACS servers in a deployment.

hranevuts Sun, 07/22/2012 - 21:39

I have a similar issue with machine authentication showing the same error message.

The clients are connecting to wireless (Cisco WLC) successfully, but after being idle for some time (random) they get disconnected and then fail to reconnect.

The ACS shows

"ACS has not been able to confirm previous successful machine authentication for user in Active Directory" as well.

It can only be resolved after the client is rebooted or logged off.

The aging timeout was set to 6 months, so it should not be caused by this unless there's a bug.

The ACS is using 5.2.

Any idea?

Thanks

Tarik Admani Mon, 07/23/2012 - 21:41

Yes,

This issue could be related to the WLC authenticating to a different ACS. Do you have multiple ACS? If so, then take a look at your monitoring reports and see if the user authentication was performed on a different ACS than the machine authentication. The feature in 5.4 should avoid this behavior.

thanks,

Tarik Admani
*Please rate helpful posts*

hranevuts Tue, 07/24/2012 - 01:59

Yes, we have multiple ACS (primary & secondary).

That's what I suspected before, but on the reports it all shows only the primary ACS in the "ACS Instance".

So all the authentications were going to the 'correct' ACS, but somehow the client gets disconnected, and when they try to reconnect it fails and the ACS shows the error message (not able to confirm previous successful machine authentication), even though all the authentications went to this ACS instance and the aging timeout has been configured for a long time.

Can you elaborate on how ACS 5.4 might be able to resolve this issue?

Tarik Admani Tue, 07/24/2012 - 02:01

How often does this occur? The only other reason would be if the services ever restarted on the ACS. What patch level are you on?

Tarik Admani
*Please rate helpful posts*

hranevuts Tue, 07/24/2012 - 02:07

It happens randomly and only affects some users, so it's quite difficult to isolate the problem.

We can troubleshoot only when the users complain they cannot connect, and we found those complaints are all the same in the ACS log.

The issue can only be resolved if the users reboot the laptops, which is not quite acceptable.

The ACS service itself was never restarted.

The patch is on 5-3-0-40-4.

Tarik Admani Tue, 07/24/2012 - 02:45

Are the clients that are complaining having issues because their machine authentication expired? Also, what is the machine authentication period set to? It would be easier if you could track when the previous machine authentication occurred. Also, can you confirm if the users are always on wireless, or are they on wired and then see this problem when they move to a wireless connection? The reason is that the calling-station-id (MAC address) is also a key factor in how machine authentication is tracked.

Thanks,

Tarik Admani
*Please rate helpful posts*
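The replies above describe how MAR state is tracked: a machine authentication is remembered per calling-station-id (client MAC), it ages out after the configured period, and without the ACS 5.4 replication feature each ACS instance keeps its own cache. The following toy model is an added illustration and is not Cisco ACS code; the `MarCache` class, its method names and the sample MAC addresses are constructed here to reproduce the failure modes discussed in this thread (expiry, a different MAC, a user authentication landing on a node with no cache entry, and a service restart, which the model assumes empties an in-memory cache).

```python
"""Toy model of a MAR (Machine Access Restriction) cache.

Added illustration only, not Cisco ACS code. Entries are keyed by the
calling-station-id (client MAC address) and carry the timestamp of the
last successful machine authentication. Aging is expressed in hours, as
in the original post (2160 h = 90 days).
"""
from dataclasses import dataclass, field

HOURS = 3600  # seconds per hour

MAR_ERROR = ("ACS has not been able to confirm previous successful "
             "machine authentication for user in Active Directory")


@dataclass
class MarCache:
    name: str
    aging_hours: float
    entries: dict = field(default_factory=dict)  # mac -> last machine-auth time (s)
    peers: list = field(default_factory=list)    # replication peers (assumed 5.4-style feature)

    def record_machine_auth(self, mac: str, now: float, replicate: bool = True) -> None:
        """Store a successful machine authentication for this MAC."""
        self.entries[mac] = now
        if replicate:  # push the entry to peers; without peers each node is isolated
            for peer in self.peers:
                peer.record_machine_auth(mac, now, replicate=False)

    def check_user_auth(self, mac: str, now: float) -> tuple:
        """Decide whether a user authentication from this MAC passes MAR."""
        last = self.entries.get(mac)
        if last is None:
            return (False, MAR_ERROR)
        if now - last > self.aging_hours * HOURS:
            return (False, "machine authentication older than aging time")
        return (True, "ok")

    def restart_services(self) -> None:
        """Model assumption: a service restart empties the in-memory cache."""
        self.entries.clear()


def run_scenarios() -> dict:
    """Return pass/fail for each failure mode discussed in the thread."""
    wifi_mac = "00:11:22:33:44:55"   # constructed sample MAC
    wired_mac = "00:11:22:33:44:66"  # constructed sample MAC (same user, wired NIC)
    aging = 2160                     # hours, from the original post
    results = {}

    # Single ACS: in-window, expired, and a different calling-station-id.
    acs = MarCache("acs-primary", aging)
    acs.record_machine_auth(wifi_mac, now=0)
    results["within_aging"] = acs.check_user_auth(wifi_mac, 10 * HOURS)[0]
    results["after_aging"] = acs.check_user_auth(wifi_mac, (aging + 1) * HOURS)[0]
    results["different_mac"] = acs.check_user_auth(wired_mac, 10 * HOURS)[0]

    # Two ACS nodes without MAR replication: machine auth on primary,
    # user auth lands on secondary (e.g. via a load balancer).
    primary = MarCache("acs-primary", aging)
    secondary = MarCache("acs-secondary", aging)
    primary.record_machine_auth(wifi_mac, now=0)
    results["secondary_no_replication"] = secondary.check_user_auth(wifi_mac, 10 * HOURS)[0]

    # Same topology with replication enabled between the nodes.
    primary_r = MarCache("acs-primary", aging)
    secondary_r = MarCache("acs-secondary", aging)
    primary_r.peers.append(secondary_r)
    primary_r.record_machine_auth(wifi_mac, now=0)
    results["secondary_with_replication"] = secondary_r.check_user_auth(wifi_mac, 10 * HOURS)[0]

    # Service restart on the single node wipes the cache.
    acs.restart_services()
    results["after_restart"] = acs.check_user_auth(wifi_mac, 10 * HOURS)[0]
    return results


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario:28s} {'PASS' if ok else 'FAIL (' + MAR_ERROR[:40] + '...)'}")
```

Each `False` result in `run_scenarios()` corresponds to a path that surfaces the same log message quoted in this thread, which is why the message alone does not tell you which of the four causes applies; correlating the calling-station-id and the ACS instance of the preceding machine authentication, as suggested above, is what separates them.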

hranevuts Wed, 07/25/2012 - 21:03

After further troubleshooting:

The machine itself is always on wireless.

But as for the username, most of the users say it's just used for wireless. Some users say they use their usernames on wired PCs, but the wired PC should have a different MAC, so it should be the issue.

The machine authentication period is 6 months, so it should not get expired from the ACS.

But somehow when the clients get disconnected, they can't reconnect since the ACS asks for another machine authentication.

The ACS logs then show the error message.

Is there any way to see the machine authentication cache in the ACS?

Tarik Admani Thu, 07/26/2012 - 07:22

At this point your best bet is to open a TAC case in order to get specific directions on how to troubleshoot this issue. Also, there is not a way to view the machine authentication cache on the ACS.

Thanks,

Tarik Admani
*Please rate helpful posts*

Posted May 23, 2012 at 7:35 AM