Cisco Support Community
New Member

ACS 5.2 PEAP-MSCHAPv2 Windows XP SP3 WIRED Workstation

Hi,

I have PEAP-MSCHAPv2 working with user name, but can't seem to get "machine authentication only" working. I need to log on to the domain using username and password before it is 802.1x authenticated. I want 802.1x to authenticate using only machine credentials and not having to use username.

After I edited the workstation XML profile to include <authmode>machine</authmode> and then re-imported it, 802.1x stops working. It is only after reversing it that 802.1x starts working again.

Is it possible to do PEAP-MSCHAPv2 with a wired workstation? I have seen lots of examples using wireless, but none with wired, so I'm not sure if this is possible.

In ACS 5.2 I have checked the box to allow machine authentication under the Active Directory container external database section.

Thanks

4 REPLIES
Cisco Employee

Re: ACS 5.2 PEAP-MSCHAPv2 Windows XP SP3 WIRED Workstation

Hi,


I would take a look at this doc:

https://supportforums.cisco.com/docs/DOC-13545.

It is a full config example of dot1x in switches using AD.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

New Member

Re: ACS 5.2 PEAP-MSCHAPv2 Windows XP SP3 WIRED Workstation

Hi,

Authenticate the computers against the AD/Domain Computers group. ACS sees Windows XP computer names like this:

host/hostname.domainname.

Regards,

Andras

New Member

Re: ACS 5.2 PEAP-MSCHAPv2 Windows XP SP3 WIRED Workstation

Thanks,

In ACS 5.2 is there a section to type in the format of the XP host computer name?

I didn't configure this on the ACS 5.2.

Cheers

New Member

Re: ACS 5.2 PEAP-MSCHAPv2 Windows XP SP3 WIRED Workstation

I have not configured ACS 5.2 yet, just ACS 5.1. I would do it this way:

Under Access policies create new Network Access Authorization Policy

Create an Authorization Profile, there use

Dictionary:RADIUS-IETF

Attribute: User-Name

Operator: starts with

Value: host

And for this create a separate Authorization profile under Policy Elements.

Best Regards,

Andras
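
The rule in the reply above matches on User-Name starting with "host", and machine identities arrive as host/hostname.domainname. The following is an added example (not part of the thread and not ACS code) that evaluates that condition against constructed identities and shows why the value "host/" is the tighter match. The user identity formats, the sample names and the case-insensitive comparison are assumptions.

```python
# Added example. All identities below are constructed, not taken from ACS logs.
SAMPLES = [
    "host/ws01.example.local",   # machine identity, format given in the thread
    "EXAMPLE\\jsmith",           # assumed user format: DOMAIN\user
    "jsmith@example.local",      # assumed user format: user@domain
    "hostmaster",                # assumed bare user name that begins with "host"
]


def classify_identity(user_name):
    """Return (kind, name, domain) for a RADIUS User-Name value."""
    if user_name.lower().startswith("host/"):
        # host/hostname.domainname -> split at the first dot
        host, _, domain = user_name[5:].partition(".")
        return ("machine", host, domain)
    if "\\" in user_name:
        domain, _, name = user_name.partition("\\")
        return ("user", name, domain)
    if "@" in user_name:
        name, _, domain = user_name.rpartition("@")
        return ("user", name, domain)
    return ("user", user_name, "")


def starts_with(user_name, value):
    """Model of a 'starts with' condition (case-insensitive: an assumption)."""
    return user_name.lower().startswith(value.lower())


def audit(rule_value, identities=SAMPLES):
    """List identities where the rule's decision disagrees with the identity type."""
    mismatches = []
    for ident in identities:
        matched = starts_with(ident, rule_value)
        is_machine = classify_identity(ident)[0] == "machine"
        if matched != is_machine:
            mismatches.append(ident)
    return mismatches


if __name__ == "__main__":
    for value in ("host", "host/"):
        print(f"User-Name starts with {value!r}: mismatches = {audit(value)}")
```
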
