ACS 5.4 and machine authentication

central_bank
Level 1

Hi,

I am installing ACS 5.4 for WiFi users and using EAP-TLS/certificate-based authentication.

I have an Authorization profile created as shown in the attachment.

Under the authorization profile I have selected the "Was Machine Authenticated=True" condition.

Somehow clients are not able to connect. When I looked at the logs on ACS, it shows that the requests are not matching this rule but the default rule.

As soon as I disable this condition, the user gets connected.

I have already selected "Enable Machine Authentication" under AD and "Process Host Lookup" in the allowed protocols.

Any suggestions?

Regards,

Shivaji

7 Replies

edwjames
Level 3

Hi Shivaji,

Could you go to the reporting section and open the details (magnifying glass) on that report? There is a "print to PDF" option on the top left.

Could you attach that PDF report here?

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed


Hello Ed,

Attached is the log. Since the original logs contain sensitive info, I have replaced domain names, IP addresses, etc.

Regards.

Shivaji

Shivaji,

Remove "Was Machine Authenticated=TRUE".

The reason is: how will the machine authentication request itself check whether machine authentication has passed in the past?

"Was Machine Authenticated" is used for user authentication.

**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**

Please Rate if helpful.
Regards
Ed


Hello Ed,

I need this condition. I know that when I disable it the WiFi works, but my objective is to make it work using the "Was Machine Authenticated" feature.

My clients have two types of certs on their machines: one is user specific and the other is machine specific. If I do not use the "Was Machine Authenticated" condition, a user can connect using the user-specific cert only, which I don't want.

I want the machine to be authenticated, and not the user, before it is connected to WiFi.

Regards,

Shivaji

Shivaji,

The purpose of the "WasMachineAuthenticated" attribute is for user authentication. This is your typical "chicken or the egg" scenario, since machine authentication needs to be performed without this attribute for successful authentication.

When successful machine authentication occurs, there is a MAR cache within ACS that is used to track the MAC address of the device. In your case you are forcing ACS to look for "WasMachineAuthenticated" during the initial machine authentication, which will not succeed.

In my experience it is best to set this in environments where users can only authenticate through registered workstations (typically machines that are joined to AD), so when a user attempts to use their 802.1x credentials on a smartphone or non-registered asset, they get denied since the device does not have machine credentials to join the network.

I hope this brings some clarification to Edward's recommendation.

Thanks,

Tarik Admani
*Please rate helpful posts*
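To make the "chicken or the egg" point concrete, here is a small added model (example code, not Cisco's ACS implementation) of an authorization policy with a MAR cache keyed by the client's MAC address, as Tarik describes. The `Request`/`Server` names, the rule names, and the three constructed requests are assumptions for illustration; it shows why a machine-auth request can never satisfy "WasMachineAuthenticated=True" and how the condition is meant to gate the later user authentication.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    identity: str            # e.g. "host/laptop01.example.com" (machine) or "jdoe" (user)
    calling_station: str     # client MAC address (RADIUS Calling-Station-Id)
    is_machine: bool         # True for a machine (host/...) authentication

@dataclass
class Server:
    # Simplified MAR cache: MACs whose machine authentication has succeeded.
    mar_cache: set = field(default_factory=set)
    # Misconfiguration from the thread: requiring WasMachineAuthenticated
    # on the rule that the machine-auth request itself must match.
    require_mar_for_machine_auth: bool = False

    def authorize(self, req: Request) -> str:
        was_machine_authenticated = req.calling_station in self.mar_cache
        if req.is_machine:
            # First machine request from a MAC never has a cache entry yet.
            if self.require_mar_for_machine_auth and not was_machine_authenticated:
                return "default-rule-deny"
            self.mar_cache.add(req.calling_station)   # successful machine auth populates MAR
            return "machine-access"
        # User rule: only users on a machine that already authenticated are allowed.
        if was_machine_authenticated:
            return "user-access"
        return "default-rule-deny"

def simulate(require_mar_for_machine_auth: bool) -> list:
    """Run three constructed requests through the policy and return the outcomes."""
    srv = Server(require_mar_for_machine_auth=require_mar_for_machine_auth)
    laptop_mac = "00:11:22:33:44:55"     # constructed: domain-joined laptop
    phone_mac = "66:77:88:99:aa:bb"      # constructed: smartphone with user cert only
    requests = [
        Request("host/laptop01.example.com", laptop_mac, is_machine=True),
        Request("jdoe", laptop_mac, is_machine=False),
        Request("jdoe", phone_mac, is_machine=False),
    ]
    return [srv.authorize(r) for r in requests]

if __name__ == "__main__":
    print("condition on machine rule:", simulate(True))   # everything hits the default rule
    print("condition on user rule:   ", simulate(False))  # laptop passes, phone is denied
```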

Hello Tarik,

You are absolutely correct. I have to make sure that users are joining using laptops which are in the domain, and should not join using smartphones or non-domain machines.

Regards,

Shivaji

Hi,

I got it now. There is a separate tab in ACS 5.4 for Machine Access Restriction under User and Identity Stores --> Active Directory, which has to be enabled.

Thanks for your input, guys.

Regards,

Shivaji
