Cisco Support Community

New Member

ACS 4.2 Problem

I have configured Cisco ACS 4.2 to authenticate the wired network against Active Directory on Windows 2003.

I use PEAP authentication on the network and everything was OK, but I have a problem: because there is a restriction on the user accounts that limits logon to the user's own computer (in the Active Directory user account settings, "Log On To" is limited to specific computers), the ACS can't authenticate users and generates an error log saying that the workstation is not allowed. I also configured "enable workstation restriction" in ACS, but the problem still exists.

There are ACS logs in the attachment.

3 REPLIES
Bronze

Re: ACS 4.2 Problem

Hi,

By default everyone who's authenticated on the ACS is authenticated against a workstation object called CISCO in AD.

So you need to create the workstation called CISCO and allow users to logon to this object.

Regards

New Member

Re: ACS 4.2 Problem

How do we create this object with the CISCO machine name? As mentioned, it should be default; it does not have this issue on ACS 4.1.

Please advise, thanks.

Cisco Employee

Re: ACS 4.2 Problem

Hi,

It looks like you have 3 problems here, translated into the 3 failure reasons you are seeing in the Failed Attempts:

1 - SH-RASTEGAR\26320 -> Windows workstation not allowed
2 - SH-RASTEGAR\26320 -> Windows External DB user access was denied due to a Machine Access Restriction
3 - host/4500-028.sh-rastegar.com -> Machine authentication is not permitted

Explanation:

-----------------

1 - This error means that the user is not allowed to log in from the machine he is trying to log in from. This is a setting of the AD, and if you want to allow the user to log in from this machine you have to change this security setting on the AD.

2 - This means that you have MAR (Machine Access Restriction) configured, which means that a user can only log in from a machine that has already passed machine authentication. If the machine has not yet authenticated successfully, you will get this message.

3 - This means that the machine "host/4500-028.sh-rastegar.com" tried to authenticate, however machine authentication is disabled on ACS. To enable it you need to check the matching box:

Enable PEAP machine authentication.
Enable EAP-TLS machine authentication.

This can be found under ACS GUI -> External User Database -> Database Configuration -> Windows Database -> Configure.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
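To audit the AD-side condition described in the replies above (accounts whose "Log On To" list omits the CISCO workstation object that ACS authenticates against), here is an added PowerShell example; it is not from the thread or from Cisco, and it assumes the ActiveDirectory module (RSAT) can reach the domain and that the "Log On To" setting is stored in the userWorkstations attribute (exposed as LogonWorkstations).

```powershell
<#
  Added example (not from the thread or from Cisco). Lists AD accounts whose
  "Log On To" restriction omits the workstation object ACS uses ("CISCO", per the
  replies above) and, with -Fix, appends it instead of lifting the restriction.
  Assumes the ActiveDirectory PowerShell module (RSAT) and rights to read/modify
  user objects; $AcsWorkstation is the only value taken from this thread.
#>
param(
    [string]$AcsWorkstation = 'CISCO',   # workstation name ACS presents to AD
    [switch]$Fix                         # append it to restricted users' lists
)
Import-Module ActiveDirectory

# 1. The workstation object must exist, or no "Log On To" list can reference it.
if (-not (Get-ADComputer -LDAPFilter "(name=$AcsWorkstation)")) {
    Write-Warning "Computer object '$AcsWorkstation' not found in AD; create it first (New-ADComputer -Name $AcsWorkstation)."
}

# 2. userWorkstations (shown as LogonWorkstations) is the comma-separated list
#    behind "Log On To". Unset means "all computers", so only set values matter.
$restricted = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
    Where-Object {
        $allowed = $_.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() }
        $allowed -notcontains $AcsWorkstation
    }

foreach ($user in $restricted) {
    # These accounts will produce "Windows workstation not allowed" in ACS Failed Attempts.
    Write-Output ("{0}: allowed [{1}] -> PEAP via ACS will fail" -f $user.SamAccountName, $user.LogonWorkstations)

    if ($Fix) {
        # Keep the existing restriction and add only the ACS workstation.
        $newList = $user.LogonWorkstations.TrimEnd(',') + ',' + $AcsWorkstation
        Set-ADUser -Identity $user -LogonWorkstations $newList
        Write-Output ("  -> updated to [{0}]" -f $newList)
    }
}
```

Run without -Fix first to review the list; the MAR (reason 2) and machine-authentication (reason 3) failures are ACS-side settings and are not touched by this script.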
