03-15-2009 08:58 AM - edited 02-21-2020 10:23 AM
I have configured Cisco ACS 4.2 to authenticate the wired network based on Active Directory (Windows 2003).
I am using PEAP authentication on the network and everything was OK, but I have a problem: because there are restrictions on user accounts about logging on only to the user's own computer (in the Active Directory user account settings, "log on to" limits the user to specific computers), the ACS can't authenticate users and generates an error log saying that the workstation is not allowed. I configured "enable workstation restriction" in ACS too, but the problem still exists.
There are ACS logs in the attachment.
03-15-2009 10:49 AM
Hi,
By default everyone who's authenticated on the ACS is authenticated against a workstation object called CISCO in AD.
So you need to create the workstation called CISCO and allow users to logon to this object.
Regards
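To apply the advice above on the AD side, here is an added PowerShell example (not from this thread or from Cisco) that creates the CISCO computer object if it is missing and adds CISCO to the "Log On To" list of every user that has one. It assumes the ActiveDirectory module (RSAT) can reach the domain; on a Windows Server 2003 domain that requires the AD Management Gateway Service.

```powershell
# Added example, not from the thread: make the workstation object ACS authenticates
# against ("CISCO") exist in AD and allow restricted users to log on to it.
# Assumes the ActiveDirectory module is installed and the account has rights to edit users.
Import-Module ActiveDirectory

$AcsWorkstation = 'CISCO'

# 1. Ensure the computer object ACS presents itself as actually exists.
if (-not (Get-ADComputer -LDAPFilter "(name=$AcsWorkstation)")) {
    New-ADComputer -Name $AcsWorkstation -Enabled $true
}

# 2. Only users with a populated userWorkstations (LogonWorkstations) attribute are
#    restricted; an empty attribute means "all computers", so those are left alone.
$restricted = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations

foreach ($u in $restricted) {
    # The attribute is a comma-separated list of NetBIOS computer names.
    $list = ($u.LogonWorkstations -split ',') | ForEach-Object { $_.Trim() }

    if ($list -contains $AcsWorkstation) {
        Write-Output "$($u.SamAccountName): already allows $AcsWorkstation"
        continue
    }

    $newList = ($list + $AcsWorkstation) -join ','
    Write-Output "$($u.SamAccountName): adding $AcsWorkstation (was: $($u.LogonWorkstations))"
    Set-ADUser -Identity $u -LogonWorkstations $newList
}
```

Run it once with `-WhatIf` on the Set-ADUser line to review which accounts would change before writing to the directory.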
12-03-2010 07:59 PM
How do we create this object with the CISCO machine name? As mentioned it should be the default; it does not have this issue on ACS 4.1.
Please advise, thanks.
12-05-2010 02:39 AM
Hi,
It looks like you have 3 problems here, translated into the 3 failure reasons you are seeing in the Failed Attempts:
1 - SH-RASTEGAR\26320 -> Windows workstation not allowed
2 - SH-RASTEGAR\26320 -> Windows External DB user access was denied due to a Machine Access Restriction
3 - host/4500-028.sh-rastegar.com -> Machine authentication is not permitted
Explanation:
-----------------
1 - This error means that the user is not allowed to login from the machine he is trying to login from. This is a setting of the AD and if you want to allow the user to login from this machine you have to change this security setting on the AD.
2 - This means that you have MAR (Machine Access Restriction) configured. And this means that a user can only login from a machine that has already passed machine authentication. If the machine did not authenticate yet successfully, you will get this message.
3 - This means that the machine "host/4500-028.sh-rastegar.com" tried to authenticate, however machine authentication is disabled on ACS. To enable it you need to check the matching box:
Enable PEAP machine authentication.
Enable EAP-TLS machine authentication.
This can be found under ACS GUI -> External User Database -> Database Configuration -> Windows Database -> Configure.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.