Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Machine Authentication

I'm trying to implement Machine Authentication with PEAP ans ACS. Computers authenticate ok (due to ACS log) and users authenticate ok too.

When I enable Machine Access Restriction in ACS, authentication fails due to Machine Access Restriction.

Why is that ?

Is is posible to add two different Windows Groups to one ACS group, to make it a logical AND operator ?

Example: ACS Group 10 contains Windows User Group 1 and Windows Computer Group 1. If computer is not in the list, authentication fails because of AND operator...



Community Member

Re: Machine Authentication

We ended up nesting domain-computers & domain-users under the same AD group. Called id domain-dot1x and used that for the acs group matching. Works great. One caveat.. Had a few random issues w/ the ACS remote agent running on the domain controller. Seems after some time (months usually) the agents stops processing machine (computer) accounts, but will continue to authenticate user accounts. Upgrading to 4.1.4 this weekend to see if that helps.

Community Member

Re: Machine Authentication

I'm curious. what client/supplicant are you using? We're trying to do something similar, PEAP & ACS, but it seems like only the WindowsXP supplicant sends machine credentials thus are the only machines that authenticate.

Other clients we've tried are Cisco ADU, Juniper Odyssey & a Dell supplied utility.

Enabling Machine Access Restriction stops all but the XP clients.

Community Member

Re: Machine Authentication

You need to point it to your domain in your global authentication. It then should query AD and find the machines. This works fine for us with 100+ machines. We are doing EAP-TLS but it shouldn't matter.

CreatePlease to create content