Cisco Support Community
New Member

Banging my head bad! Need help w/machine authentication

I have spent the past two weeks, yes sadly so, trying to figure out how to get my WLAN to authenticate computers and users. I originally set up my infrastructure so that my clients connected to an AP, the AP had a WLSE as a RADIUS which then passed the credentials to Active Directory via Cisco Secure Agent for user authentication. This worked, but when my users log off, the machine loses network connectivity, so I need to get the "Authenticate as computer when available" setting working. From what I can tell, the WLSE and Cisco ACS agent for Windows do not support machine authentication. My plan was to install IAS and a certificate server on my domain and have that act as the RADIUS server instead of the WLSE and ACS. I installed those, but never got any luck with authentication. I read somewhere that it may not be possible to use IAS and WDS together, and I do have one of my access points set up as WDS.

My question is: does anyone know of a way that I can enable machine authentication without so much pain? It would be excellent if I could do this using the WLSE and possibly ACS. I was even hoping that Cisco may have a supplicant that offered such authentication without the pain.

I need the network to be secure, WPA2 and AES preferred, because it is for health care.

Any suggestions? I am really at a loss here. I thought for sure that the IAS server would have been the solution, but no dice.

Thanks so much.

Cisco Employee

Re: Banging my head bad! Need help w/machine authentication


You are correct, WLSE Express does not support Machine Authentication, but this can be done with WLC and ACS.




1] On the WLC Web GUI:

Security>RADIUS authentication>New>

2] Add ACS server IP, ASCII Shared secret, port number and check the boxes for network user, management, IPSEC if used for AAA authentication

3] On the ACS server: Network Configuration>Add entry>

4] Add WLC hostname, IP address and matching shared key; for "Authenticate Using" select RADIUS Cisco Aironet or Cisco Airespace if using ACS 4.0/4.2

To configure the WLC so APs authenticate against ACS:

5] On the WLC:

Security>AP Policies>Select the checkbox for Authorize APs against AAA

6] On the ACS server:

Create an account for the client, based on its MAC address. For example, if the MAC address of the client is 00-15-C5-3A-E4-0D

Username : 0015c53ae40d

Password : 0015c53ae40d

Add a user account for the MAC address of the AP with no dots or dashes; the password will also be the MAC address of the AP with no dots or dashes.


With ACS, I would like to know what EAP flavor you are using along with MAC authentication.

You may go through the following links as per your requirement. I understand that reviewing links is no less of a pain, but this is something very precise that we have for you.

LEAP/MAC Authentication


Cisco Secure ACS for Windows v3.2 With EAP-TLS Machine Authentication

On Windows XP SP2 clients we can force machine, user or both authentication by a registry tweak.



Please rate helpful posts.

~BR Jatin Katyal **Do rate helpful posts**
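
The MAC-based account convention in step 6 (username and password both set to the MAC address in lowercase hex with no dots or dashes), shown as an added example that is not part of the thread and not a Cisco tool. The function names and the sample inventory are assumptions made for illustration; only the first MAC address comes from the post.

```python
import re

# Notations accepted on input (hypothetical inventory formats):
#   00-15-C5-3A-E4-0D, 00:15:c5:3a:e4:0d, 0015.c53a.e40d, 0015c53ae40d
_LAYOUTS = (
    r"^([0-9a-f]{2}[-:]){5}[0-9a-f]{2}$",  # dash- or colon-separated octets
    r"^([0-9a-f]{4}\.){2}[0-9a-f]{4}$",    # Cisco dotted notation
    r"^[0-9a-f]{12}$",                     # already bare hex
)

def acs_mac_credential(mac):
    """Return (username, password) in the form the post describes."""
    text = mac.strip().lower()
    # Validate the layout first so truncated or mistyped entries are
    # rejected instead of silently becoming a wrong account name.
    if not any(re.match(pattern, text) for pattern in _LAYOUTS):
        raise ValueError(f"not a MAC address: {mac!r}")
    bare = re.sub(r"[-:.]", "", text)
    return bare, bare

def build_accounts(inventory):
    """Normalise an inventory; return (accounts, rejected, duplicates)."""
    accounts, rejected, duplicates = {}, [], []
    for raw in inventory:
        try:
            user, password = acs_mac_credential(raw)
        except ValueError:
            rejected.append(raw)
            continue
        if user in accounts:
            duplicates.append(raw)  # same device listed in another notation
        else:
            accounts[user] = password
    return accounts, rejected, duplicates

# Constructed inventory; only the first entry appears in the post.
SAMPLE = [
    "00-15-C5-3A-E4-0D",
    "0015.c53a.e40d",       # duplicate of the first, Cisco notation
    "00:1A:2B:3C:4D:5E",
    "00-15-C5-3A-E4",       # truncated
    "zz:15:c5:3a:e4:0d",    # not hex
]

if __name__ == "__main__":
    accounts, rejected, duplicates = build_accounts(SAMPLE)
    for user, password in accounts.items():
        print(f"Username : {user}  Password : {password}")
    print("rejected:", rejected, "duplicates:", duplicates)
```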