01-03-2014 03:49 AM - edited 03-10-2019 09:14 PM
Hi,
I am installing ACS 5.4 for WiFi users and using EAP-TLS/certificate-based authentication.
I have an Authorization profile created as shown in the attachment.
Under the authorization profile I have selected the "Was Machine Authenticated=True" condition.
Somehow clients are not able to connect. When I looked at the logs on ACS, it shows that the requests are not matching this rule but the default rule.
As soon as I disable this condition, the user gets connected.
I have already selected "Enable Machine Authentication" under AD and "Process Host Lookup" in allowed protocols.
Any suggestions?
Regards,
Shivaji
01-03-2014 04:41 AM
Hi Shivaji,
Could you go to the reporting section and open the details (magnifying glass) on that report? There is a "print to PDF" option at the top left.
Could you attach that PDF report here?
**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**
Please Rate if helpful.
Regards
Ed
01-03-2014 07:39 AM
01-03-2014 08:56 AM
Shivaji,
Remove "Was machine authenticated = TRUE".
The reason is this: how would the machine authentication request itself check whether machine auth has passed in the past?
"Was machine authenticated" is used for user authentication.
**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**
Please Rate if helpful.
Regards
Ed
01-05-2014 03:01 AM
Hello Ed,
I need this condition. I know that when I disable it WiFi works, but my objective is to make it work using the "was machine authenticated" feature.
My clients have two types of certs on their machine: one is user specific and the other is machine specific. In case I do not use the "was machine authenticated" condition, a user can connect using the user-specific cert only, which I don't want.
I want the machine to be authenticated, and not the user, before it is connected to WiFi.
Regards,
Shivaji
01-05-2014 09:54 AM
Shivaji,
The purpose of the "wasmachineauthenticated" attribute is for user authentication. This is your typical "chicken or the egg" scenario, since machine authentication needs to be performed without this attribute for successful authentication.
When successful machine authentication occurs, there is a MAR cache within ACS that is used to track the MAC address of the device. In your case you are forcing ACS to look for "WasMachineAuthenticated" during the initial machine authentication, which will not succeed.
In my experience it is best to set this in environments where users can only authenticate through registered workstations (typically machines that are joined to AD), so when a user attempts to use their 802.1x credentials on a smart phone or non-registered asset, they get denied since the device does not have machine credentials to join the network.
I hope this brings some clarification to Edward's recommendation.
Thanks,
Tarik Admani
*Please rate helpful posts*
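The "chicken or the egg" ordering Tarik describes can be made concrete with a small policy model. The following is an added example written for this thread, not ACS code or anything posted by the participants: it keeps a simplified MAR cache keyed by the endpoint MAC (ACS's real cache also ages entries out, which is omitted here), evaluates a machine-auth rule and a user-auth rule, and replays three constructed requests (a domain laptop's machine cert, the user cert on that same laptop, and the same user cert on a phone). The `host/` prefix check, the rule names and all MAC addresses are assumptions made for the model.

```python
# Added example: a toy model of how a RADIUS policy engine with a MAR
# (Machine Access Restriction) cache evaluates "Was Machine Authenticated".
# Illustrative code only; not ACS's implementation. Names are assumptions.

from dataclasses import dataclass, field


@dataclass
class Request:
    """One EAP-TLS access request as seen by the policy engine."""
    mac: str          # Calling-Station-Id of the endpoint
    identity: str     # cert subject: "host/..." for machine certs, "user@..." for user certs

    @property
    def is_machine_auth(self) -> bool:
        # Treat the host/ prefix as a computer identity (assumption for this model)
        return self.identity.lower().startswith("host/")


@dataclass
class MarCache:
    """Tracks which endpoints (by MAC) have completed machine authentication."""
    authenticated_macs: set = field(default_factory=set)

    def record(self, mac: str) -> None:
        self.authenticated_macs.add(mac.upper())

    def was_machine_authenticated(self, mac: str) -> bool:
        return mac.upper() in self.authenticated_macs


def evaluate(req: Request, cache: MarCache, mar_on_machine_rule: bool) -> str:
    """Return the matched result: 'PERMIT-MACHINE', 'PERMIT-USER' or 'DENY-DEFAULT'.

    mar_on_machine_rule=True reproduces the thread's misconfiguration: the
    'Was Machine Authenticated = True' condition is applied to the machine
    authentication request too, so the very request that would populate the
    cache falls through to the default (deny) rule.
    """
    if req.is_machine_auth:
        if mar_on_machine_rule and not cache.was_machine_authenticated(req.mac):
            return "DENY-DEFAULT"
        cache.record(req.mac)          # successful machine auth populates the MAR cache
        return "PERMIT-MACHINE"
    # User authentication: permitted only from an endpoint that already did machine auth
    if cache.was_machine_authenticated(req.mac):
        return "PERMIT-USER"
    return "DENY-DEFAULT"


def run_scenario(mar_on_machine_rule: bool) -> list:
    """Replay constructed requests: a domain laptop, then a phone holding only a user cert."""
    cache = MarCache()
    requests = [
        Request("00:11:22:33:44:55", "host/LAPTOP01.corp.example"),   # machine cert (constructed)
        Request("00:11:22:33:44:55", "alice@corp.example"),           # user cert, same laptop
        Request("AA:BB:CC:DD:EE:FF", "alice@corp.example"),           # user cert on a phone
    ]
    return [evaluate(r, cache, mar_on_machine_rule) for r in requests]


if __name__ == "__main__":
    print("condition on machine rule:  ", run_scenario(True))
    print("condition on user rule only:", run_scenario(False))
```

With the condition on the machine-auth rule, all three requests end up at the default rule, which is exactly the log symptom in the first post. With the condition only on the user-auth rule, the laptop's machine auth is permitted and populates the cache, the user on that laptop is then permitted, and the phone presenting only a user cert is still denied because its MAC never completed machine authentication.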
01-06-2014 12:17 AM
Hello Tarik,
You are absolutely correct. I have to make sure that users are joining using laptops which are in the domain and should not join using smart phones or non-domain machines.
Regards,
Shivaji
01-06-2014 03:34 AM
Hi,
I got it now. There is a separate tab in ACS 5.4 for Machine Access Restriction under User and Identity Stores --> Active Directory, which has to be enabled.
Thanks for your inputs, guys.
Regards,
Shivaji