08-06-2007 08:38 AM - edited 03-10-2019 03:19 PM
Hello
I want to know whether some GPO parameters can prevent 802.1X computer authentication.
We use ACS 4.1 and 802.1X PEAP authentication with VLAN assignment and MACHINE authentication only.
Some PCs work fine and others do not.
If we remove the PC from the domain and then rejoin the PC to the domain, everything works ==> authentication is OK.
Do you have a solution that avoids having to remove and rejoin PCs to the domain?
Thanks for your help
08-06-2007 09:07 AM
Hi,
I don't think so. What error do you get on ACS when the computer authentication fails?
08-06-2007 10:03 PM
ACS reply:
06/08/2007 17:20:46 Authen failed host/gval1080.XXX.XX Laptop 00-16-D3-39-7D-85 (Default) External DB user invalid or bad password .. .. 50007 10.253.104.94 .. .. 25 MS-PEAP .. gvanet01 ..
08-07-2007 04:52 AM
I would also need logs from the remote agent.
ACS appliance ----> System Configuration --> Service Control --> Level of detail - Full. At this point, we need to duplicate the issue.
Now collect the logs from the remote agent:
C:\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\Logs
I need only the CSWinAgent logs. I'm assuming ACS is on 4.1.1 23?
We need to make sure that ACS and the remote agent are running the same code.
Let's cross-check that: on the RA computer, open a DOS prompt and change to
C:\Program Files\Cisco\CiscoSecure ACS Agent\bin
Type csagent.exe -v and press Enter.
Regards,
~JG
08-07-2007 05:27 AM
Hello
When I run the command csagent -v the result is:
ACSRemoteAgent version 4.1(3.12)
and I have an ACS appliance:
Cisco Secure ACS 4.1.3.12
Appliance Management Software 4.1.3.12
Appliance Base Image 4.1.1.4
CSA build 4.0.1.543.2 (Patch: 4_0_1_543)
and in the CSWinAgent file I have this error:
CSWinAgent 08/07/2007 11:32:33 A 0386 6040 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 08/07/2007 11:32:33 A 0332 6040 0x0 NTLIB: Reattempting authentication at domain DOMAIN-TEST
CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 08/07/2007 11:32:33 A 0452 6040 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
I don't know if this is what you want.
I have only changed the domain name (DOMAIN-TEST) for confidentiality reasons.
Thanks
08-07-2007 05:55 AM
Make sure that the remote agent has the proper permissions assigned, i.e. act as part of the operating system and log on as a service/batch job.
Also, on which operating system is the remote agent installed? Please note that RA is not supported on Win2003 SP2.
Regards,
~JG
08-07-2007 06:09 AM
The CSAgent is installed on a Windows 2003 Server with SP2 and it works fine, because most of the computer accounts are authenticated correctly.
The link between ACS and AD is made by another server where the agent is installed.
When you disconnect and reconnect a PC to the domain, authentication is OK and everything works fine.
I think it is not an ACS or agent problem but an AD problem with the password integration, but I'm not sure.
The permissions on the agent are set as you say.
08-07-2007 07:17 AM
There are no GPO parameters that can stop 1X from working. If you disconnect/reconnect to the domain, this is probably refreshing something that's stale on AD. 802.1X is the victim here. Mind you, network access is not there, but this sounds like a supplicant problem.
From the log snippet, looks like the machine's password is aged out. And you mentioned you were doing machine-auth only.
For Active Directory by default, the machine password that the client receives from AD expires every 30 days. When this happens, the machine cannot get authenticated and there is no provision for the machine password to be regenerated over the EAP session between the client and Domain Controller. It's just broken and network access is denied.
There is a bug with regard to how NETLOGON interacts with MS-CHAP. The system simply fails to allow the expired machine password to be regenerated as is the case with User Authentication. AFAIK, there's no fix for this .. even in Vista.
So for customers just trying to do MSFT Machine Authentication without User Authentication as fallback, it's not really a workable solution unfortunately.
Hope this helps,
P.S. Can you try to enable user-auth to confirm this?
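The triage below is an added example for this thread, not code from the original posts or from Cisco. It parses CSWinAgent lines in the layout quoted earlier in the thread, pairs each "FAILED (error NNNNL)" line with the account named on the same agent thread id, maps error 1326 to its winerror.h meaning (ERROR_LOGON_FAILURE, i.e. bad user name or password), and then applies the 30-day check described in the post above by comparing the failure time against each computer account's pwdLastSet. Thread 6040 in the sample reproduces the posted lines; the second thread, the pwdLastSet dates and the US-style date format are constructed assumptions for illustration, and in practice the pwdLastSet values would come from AD.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, modelled on the CSWinAgent lines quoted in the thread
# (same field layout: date, time, level, message id, thread id, flags, message).
# Thread 6040 reproduces the posted failure; thread 7012 is added for contrast.
SAMPLE_LOG = """\
CSWinAgent 08/07/2007 11:32:33 A 0386 6040 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 08/07/2007 11:32:33 A 0332 6040 0x0 NTLIB: Reattempting authentication at domain DOMAIN-TEST
CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 08/07/2007 11:32:33 A 0452 6040 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
CSWinAgent 08/07/2007 11:40:02 A 0386 7012 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 08/07/2007 11:40:02 A 1712 7012 0x0 NTLIB: Attempting Windows authentication for user GVAL1201$
CSWinAgent 08/07/2007 11:40:02 A 1764 7012 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 08/07/2007 11:40:02 A 0452 7012 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
"""

# Constructed pwdLastSet values standing in for what you would read from AD
# for each computer account (hypothetical dates, chosen to show both outcomes).
PWD_LAST_SET = {
    "GVAL0594$": datetime(2007, 6, 20, 9, 15),  # 48 days before the log
    "GVAL1201$": datetime(2007, 8, 1, 8, 0),    # 6 days before the log
}

MACHINE_PWD_MAX_AGE = timedelta(days=30)  # AD default cited in the post above

# Win32 status codes the agent prints as "error NNNNL"; values from winerror.h.
WIN32_ERRORS = {
    1326: "ERROR_LOGON_FAILURE: user name or password is incorrect",
    1330: "ERROR_PASSWORD_EXPIRED",
}

LINE_RE = re.compile(
    r"^CSWinAgent (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ (?P<msgid>\d+) (?P<thread>\d+) \S+ (?P<msg>.*)$"
)
USER_RE = re.compile(r"Attempting Windows authentication for user (?P<user>\S+)")
FAIL_RE = re.compile(r"Windows authentication FAILED \(error (?P<code>\d+)L?\)")


@dataclass(frozen=True)
class Failure:
    when: datetime
    user: str
    code: int


def parse_failures(log_text):
    """Pair each FAILED line with the account named earlier on the same thread id."""
    current_user = {}  # thread id -> account from the last "Attempting ..." line
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Assumption: the agent writes US-style MM/DD/YYYY dates.
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        tid, msg = m["thread"], m["msg"]
        u = USER_RE.search(msg)
        if u:
            current_user[tid] = u["user"]
            continue
        f = FAIL_RE.search(msg)
        if f and tid in current_user:
            failures.append(Failure(when, current_user[tid], int(f["code"])))
    return failures


def triage(failures, pwd_last_set, max_age=MACHINE_PWD_MAX_AGE):
    """Classify 1326 failures of machine accounts (names ending in '$') by password age."""
    verdicts = {}
    for f in failures:
        if not f.user.endswith("$") or f.code != 1326:
            continue  # user accounts and other codes are outside this thread's symptom
        last_set = pwd_last_set.get(f.user)
        if last_set is None:
            verdicts[f.user] = "UNKNOWN_ACCOUNT"  # not found in the domain we queried
        elif f.when - last_set > max_age:
            verdicts[f.user] = "AGED_PASSWORD"  # matches the stale-password symptom
        else:
            verdicts[f.user] = "FRESH_PASSWORD"  # 1326 must have another cause
    return verdicts


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    for f in found:
        print(f.when, f.user, f.code, WIN32_ERRORS.get(f.code, "unmapped code"))
    for account, verdict in triage(found, PWD_LAST_SET).items():
        print(account, "->", verdict)
```

Run against a real CSWinAgent log, a machine account that fails with 1326 and whose pwdLastSet is older than the 30-day default is the case the post above describes; a 1326 on a freshly set password points instead at the domain the agent tried, a trust, or the RA service permissions discussed earlier in the thread.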
08-07-2007 08:01 AM
Thank you for your help
We are doing machine authentication only because it works fine under Windows XP and doesn't prevent GPO application at logon or other things...
We have been running this type of architecture on 3 workstations for a few months without problems.
We changed a parameter on the User Account that allows preparing laptops (parameter: Store password using reversible encryption) and it seems to solve the problem for newly installed laptops. I will test more when I have new laptops.
Sorry, but I can't enable user authentication on the network for production reasons.
thanks