Cisco Support Community
New Member

EAP-TLS Machine only Authentication with Cisco ACS Appliance (and WinXP LT)

Hi all,

Is it possible to have the following:

LT --------WCS ---------ACS ---------RA ------AD DC

Now, is it possible to have the laptop just use EAP-TLS machine auth to the ACS only, without using the external AD?

The plan is to use AD eventually, but for a proof-of-concept we would just like the LT, at this stage, to machine-auth with the ACS.

All the correct certs are on the ACS and LT.

The LT is connecting to the ACS, but in the failed RADIUS attempts we get the following:

Machine authentication is not permitted

I thought I might have to set up a username in the ACS internal DB with the hostname of the LT, but then you have to set a password, so now I am thinking that this is not possible?

I'm sure ACS should be able to do a full machine EAP-TLS auth with a laptop?

If anyone could help?

Many thx

Ken

1 REPLY
New Member

Re: EAP-TLS Machine only Authentication with Cisco ACS Appliance

You need AD to verify that the machine is a domain member (machine auth). What kind of certs are you using for the ACS and client? Also, there is a registry key that must be changed to allow the supplicant to use machine-based instead of user-based authentication:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]

"AuthMode"=dword:00000002

"SupplicantMode"=dword:00000003

AuthMode 2 makes it machine based, and SupplicantMode 3 makes it send an EAP packet first. You might try to uncheck the machine auth box and just put the machine name as a user.

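The reply above names two EAPOL supplicant registry values. The following PowerShell script is an added example, not code from the thread or from Cisco: it audits a Windows client for those two values and can apply them, so an engineer can check a laptop (or a fleet) before blaming the ACS side. The only value meanings it encodes are the ones the reply states (AuthMode 2 = machine based, SupplicantMode 3 = send an EAP packet first); the function names are the example's own. It assumes it runs elevated on the client and that the key path is exactly the one quoted in the reply; the reply's point that machine authentication still depends on AD to confirm domain membership is not something the supplicant settings change.

```powershell
# Added example: audit/apply the EAPOL supplicant values named in the reply.
# Written for Windows PowerShell 2.0 compatibility (New-Object PSObject rather
# than [pscustomobject]) since the thread concerns Windows XP clients.

$EapolKey = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'

function Get-EapolSupplicantConfig {
    # Read the key; a missing key means the supplicant runs on its defaults.
    $props = Get-ItemProperty -Path $EapolKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        KeyPresent     = [bool]$props
        AuthMode       = if ($props) { $props.AuthMode } else { $null }
        SupplicantMode = if ($props) { $props.SupplicantMode } else { $null }
    }
}

function Test-EapolMachineOnlyAuth {
    # Compare the current values with the ones the reply recommends and
    # return a finding list instead of just printing, so it can be collected.
    $cfg = Get-EapolSupplicantConfig
    $findings = @()
    if (-not $cfg.KeyPresent) {
        $findings += "Key $EapolKey not present; supplicant defaults apply"
    }
    if ($cfg.AuthMode -ne 2) {
        $findings += "AuthMode is '$($cfg.AuthMode)', expected 2 (machine based)"
    }
    if ($cfg.SupplicantMode -ne 3) {
        $findings += "SupplicantMode is '$($cfg.SupplicantMode)', expected 3 (send EAP packet first)"
    }
    New-Object PSObject -Property @{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
        Current   = $cfg
    }
}

function Set-EapolMachineOnlyAuth {
    # Apply the two values from the reply. SupportsShouldProcess gives -WhatIf
    # so the change can be previewed before touching a production client.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $EapolKey)) {
        if ($PSCmdlet.ShouldProcess($EapolKey, 'Create key')) {
            New-Item -Path $EapolKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess($EapolKey, 'Set AuthMode=2, SupplicantMode=3')) {
        New-ItemProperty -Path $EapolKey -Name AuthMode -PropertyType DWord -Value 2 -Force | Out-Null
        New-ItemProperty -Path $EapolKey -Name SupplicantMode -PropertyType DWord -Value 3 -Force | Out-Null
    }
}

# Usage: audit first; apply with -WhatIf to preview, then without it to change.
Test-EapolMachineOnlyAuth | Format-List
# Set-EapolMachineOnlyAuth -WhatIf
```

Because these are per-machine HKLM values, a domain-joined fleet would normally receive them through a Group Policy preference rather than by running the script on each client; the audit function is still useful for confirming the policy actually landed on the laptop that is failing.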