Cisco Support Community
Bronze

Machine authentication for ACS5.1

Hi, I met a problem with machine authentication. The conditions are as follows:

1. WLC5508, version 6.0.196

2. ACS 5.1.0.44

3. WIN AD

4. PEAP-MSCHAPv2+machine authentication

The machine auth failed. I checked the log, and it says "Machine not found in AD":

11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15004  Matched rule
15012  Selected Access Service - WLAN Access Policy
11507  Extracted EAP-Response/Identity
12300  Prepared EAP-Request proposing PEAP with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318  Successfully negotiated PEAP version 0
12800  Extracted first TLS record; TLS handshake started.
12805  Extracted TLS ClientHello message.
12806  Prepared TLS ServerHello message.
12807  Prepared TLS Certificate message.
12810  Prepared TLS ServerDone message.
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12318  Successfully negotiated PEAP version 0
12812  Extracted TLS ClientKeyExchange message.
12804  Extracted TLS Finished message.
12801  Prepared TLS ChangeCipherSpec message.
12802  Prepared TLS Finished message.
12816  TLS handshake succeeded.
12310  PEAP full handshake finished successfully
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12313  PEAP inner method started
11521  Prepared EAP-Request/Identity for inner EAP method
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11522  Extracted EAP-Response/Identity for inner EAP method
11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store -
24431  Authenticating machine against Active Directory
24437  Machine not found in Active Directory
22056  Subject not found in the applicable identity store(s).
22058  The advanced option that is configured for an unknown user is used.
22061  The 'Reject' advanced option is configured in case of a failed authentication request.
11823  EAP-MSCHAP authentication attempt failed
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
5411  EAP session timed out

However, this machine account definitely is in the AD. What's wrong? Any idea? Thanks in advance!

22 REPLIES

Re: Machine authentication for ACS5.1

Did you enable machine auth on the ACS server (Users and Identity Stores --> External Identity Stores --> Active Directory, check the Enable Machine Authentication box)?

Also - under Access Policies --> Access Services, on the Allowed Protocols tab, did you enable the "Process Host Lookup" option?

Bronze

Re: Machine authentication for ACS5.1

Finally we found it was an AD issue: after we disjoined the computer from AD and then rejoined it, everything was fine. I don't know what happened to the AD computer group; probably a bug in AD.

Cisco Employee

Re: Machine authentication for ACS5.1

bbxie, I stumbled on your post here and I want to ask you for a huge favor!!

I have been trying to get our wireless controller to work with ACS 5.1 to challenge both the users and the machines to authenticate via PEAP. We want the user to have valid AD credentials while the machine has to be part of AD as well.

So far I have spent over 10 hours with TAC and we haven't been able to get this to work. I see that you have succeeded and I am wondering if you are willing to share your configuration information on the ACS end (some screen shots, etc)

Thank you so much in advance

Bronze

Re: Machine authentication for ACS5.1

I don't have the screenshots at hand now; however, what I did to make it work was:

1. Join the ACS to AD, enable Machine Auth and MAR, and select both the user and machine groups in Directory Groups

2. Create a WLAN access policy, enable PEAP-MSCHAPv2 and Process Host Lookup, and define conditions using Identity Group and Was Machine Authenticated, which look like:

     1) if Identity group in machine group, then permit access

     2) if Identity group in user group and Was Machine Authenticated, then permit access

     3) default deny access

Cisco Employee

Re: Machine authentication for ACS5.1

bbxie:

Thank you for the response. I had already created most of the configurations that you suggested but was stuck on the authorization rules.

I created the following rules under my "TEST" policy:

Rule #1

Rule #2

I think the rules above are what you were referring to. However, I am facing several issues:

1. I am still able to authenticate users with machines that are NOT part of our domain. On the machine end, if I choose computer authentication then it fails. However, if I set the computer to try user authentication and then type valid AD credentials, the authentication succeeds.

2. Computers that are part of the domain are not able to authenticate. I am getting the following error in ACS

Appreciate your feedback

Bronze

Re: Machine authentication for ACS5.1

From your screenshot, the client failed in "Evaluating Group Mapping Policy"; after "12304  Extracted EAP-Response containing PEAP challenge-response", it says "client sent result TLV indicating failure".
For the normal process, this should be something like:
12304  Extracted EAP-Response containing PEAP challenge-response
11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814  Inner EAP-MSCHAP authentication succeeded
11519  Prepared EAP-Success for inner EAP method
12314  PEAP inner method finished successfully
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12306  PEAP authentication succeeded
11503  Prepared EAP-Success


It seems your configuration on MSCHAP has some problem, so double check your PEAP-MSCHAPv2 configuration on both the client and the ACS. In ACS 5.1, it should look like:

In the client, it should look like:

BTW, what have you configured for group mapping? In your case, it seems you don't need it, because in the Authorization policy you just used AD1:ExternalGroups instead of Identity Group.

If you can paste your configured AD parameters (General, Directory Groups, Directory Attributes), access policy (General, Allowed Protocols, Identity, Group Mapping, Authorization), and all the steps for the failed auth (including Evaluating Service Selection Policy, Evaluating Identity Policy, Evaluating Group Mapping Policy, Evaluating Authorization Policy), it will help to troubleshoot your problem.
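The two traces in this thread (the failing one in the first post, which stops at step 24437 and then times out at 5411, and the successful sequence quoted in the reply above, which ends at 11503) differ in a handful of step codes. The helper below is an added example written for this thread, not a Cisco tool: it parses the numbered step list copied from an ACS 5.x authentication detail report and reports the outcome, whether machine authentication was attempted, the identity store named in step 15013 (blank in the first post's trace), the first failing step, and whether the session ended in an EAP timeout rather than an Access-Reject. The step codes and their meanings are the ones that appear in the traces above; the two sample traces are excerpts of those traces.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added triage helper for the ACS 5.x "steps" list shown in an authentication
# detail report (example code written for this thread, not a Cisco tool).
# Feed it the numbered step lines copied from the report, one per line.

STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(.+?)\s*$")

# Step codes and meanings taken from the traces quoted in this thread.
# Any other code is treated as informational.
FAILURE_STEPS = {
    "24437": "Machine not found in Active Directory",
    "22056": "Subject not found in the applicable identity store(s)",
    "11823": "EAP-MSCHAP authentication attempt failed",
}
EAP_SUCCESS = "11503"          # Prepared EAP-Success
MACHINE_AUTH_START = "24431"   # Authenticating machine against Active Directory
IDENTITY_STORE = "15013"       # Selected Identity Store - <name>
SESSION_TIMEOUT = "5411"       # EAP session timed out


def parse_steps(report: str) -> List[Tuple[str, str]]:
    """Return (code, message) pairs. Unnumbered lines such as
    'Evaluating Identity Policy' are kept with an empty code."""
    steps = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STEP_RE.match(line)
        steps.append((m.group(1), m.group(2)) if m else ("", line))
    return steps


def selected_identity_store(steps: List[Tuple[str, str]]) -> Optional[str]:
    """Name after the dash in step 15013; '' when the report left it blank."""
    for code, msg in steps:
        if code == IDENTITY_STORE and "-" in msg:
            return msg.split("-", 1)[1].strip()
    return None


def triage(report: str) -> Dict[str, object]:
    steps = parse_steps(report)
    codes = [c for c, _ in steps]
    failures = [(c, m) for c, m in steps if c in FAILURE_STEPS]
    if EAP_SUCCESS in codes:
        outcome = "success"
    elif failures:
        outcome = "failure"
    else:
        outcome = "incomplete"
    return {
        "outcome": outcome,
        "machine_auth_attempted": MACHINE_AUTH_START in codes,
        "inner_method": "EAP-MSCHAP" if any("EAP-MSCHAP" in m for _, m in steps) else None,
        "identity_store": selected_identity_store(steps),
        "first_failure": failures[0] if failures else None,
        # ACS kept answering with Access-Challenge and the supplicant went
        # silent: no Access-Reject appears in the first post's trace.
        "timed_out": bool(codes) and codes[-1] == SESSION_TIMEOUT,
    }


# Excerpt of the failing trace from the first post in this thread.
FAILING_TRACE = """
11001  Received RADIUS Access-Request
12313  PEAP inner method started
11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store -
24431  Authenticating machine against Active Directory
24437  Machine not found in Active Directory
22056  Subject not found in the applicable identity store(s).
11823  EAP-MSCHAP authentication attempt failed
11006  Returned RADIUS Access-Challenge
5411  EAP session timed out
"""

# Excerpt of the successful sequence quoted in the reply above.
SUCCESS_TRACE = """
12304  Extracted EAP-Response containing PEAP challenge-response
11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814  Inner EAP-MSCHAP authentication succeeded
12314  PEAP inner method finished successfully
12306  PEAP authentication succeeded
11503  Prepared EAP-Success
"""

if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("success", SUCCESS_TRACE)):
        print(name, triage(trace))
```

When pasting a trace from the report viewer, keep the unnumbered policy-evaluation lines: they show which of Service Selection, Identity, Group Mapping and Authorization was being evaluated when the failing step fired, which is exactly what the reply above asks for.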

Cisco Employee

Re: Machine authentication for ACS5.1

I have checked and confirmed that my configurations are the same on the "allowed protocols"

I can get screen shots of everything that you mentioned but it will take a couple of days

In the mean time can you clarify to me what you meant by "BTW, what had you configured for group mapping? In your case, it seems not need it because in Authorization policy, you just used AD1:ExternalGroups instead of Identity Group." ?

From that statement I am guessing that you are not using the "authorization" rules but something else with the group mappings? However, I don't see any way to do that. When I looked at the "Identity Group" all I can see are options for groups/users that are in the internal database. I can only see our "AD" groups when I choose the AD1:ExternalGroups.

Is there any chance you can paste screen shots of your wireless Access Policy that way I can compare them to mine. I feel like I have everything else figured out. It will be great if you can provide screen shots of the following:

-Identity

-Group Mapping

-Authorization

Thanks,

Bronze

Re: Machine authentication for ACS5.1

Sorry, because there is a lot of customer security information in those screenshots, I can't paste them here. My customer often visits this forum; if I paste those things here, I will be in trouble.

Although I can't paste my screenshots here, my configuration steps are already included in my previous post. For the WLAN access policy, I use AD1 as Identity and have not configured group mapping; in the Authorization part, I defined that if AD1:External contains the computer group's name, then permit.

What I meant regarding the group mapping part is that, from your screenshot, the auth failed in the group mapping part. Since in the Authorization policy part you use AD1:External instead of Identity group, you actually don't need to enable Group mapping. So to make it simple, you can just disable group mapping; then you don't need to troubleshoot the group mapping and can focus on other things.

Your screenshot of the Authorization part seems OK. After you disable group mapping, you can redo the test. If it fails again, to troubleshoot it you can check the RADIUS log, click the detail of the failing log entry, and copy and paste all the steps that happened for the failed auth.

Community Member

Re: Machine authentication for ACS5.1

Hi,

I think on the client side, to enable dot1x with username/password credentials only, you need to uncheck "validate certificate" so it won't verify the certificate; if not, the client connection will time out.

regards,

Cisco Employee

Re: Machine authentication for ACS5.1

I got this sorted out via the authorization rules. I also had to disable "allow fast reconnect", and that took care of the issue.

Cisco Employee

Re: Machine authentication for ACS5.1

Friends ,

I have a requirement where I deny access to systems that are not part of the domain.

Our current environment is dot1x (PEAP) based on username, and it doesn't check if the machine is a valid machine on a domain.

I was thinking about machine auth, and when I checked I found that you need certs on the machines to do machine auth.

Currently we don't have a PKI infrastructure in place to have certs issued to machines.

The other option would be to do NAC, but that is not an easy solution.

I need some quick solution to prevent machines not in the domain from accessing the corporate network.

The problem that we face is that people come to the office with iPhones/iPads/BlackBerries and join the corporate network based on the user name, though these devices are not of corporate standard.

Community Member

Re: Machine authentication for ACS5.1

Hi Sandjose,

Basically you can enable machine authentication on the "external database" Active Directory, and you don't need any certificate to allow user machine access.

As long as those PCs are registered/joined to your domain and your default policy is working fine (permit), then you can ensure that the client PC is able to access the domain.

You can also apply a policy to ensure only machines/computers registered in the domain can access the network (even if they have a valid username/password, they need to have a legal machine (PC/notebook) that is registered in the domain).

You can enable this by activating the "was machine authenticated" customized rule. You can see it discussed in another thread:

https://supportforums.cisco.com/message/3232125#3232125

For those machines not registered, you can either do MAC authentication bypass (MAB) or create a temporary user/password (without validating machine authorities). For security concerns, maybe you will need to specify a lifetime for this rule or user/password.

HTH.

Regards,

Community Member

Re: Machine authentication for ACS5.1

Good to hear it's working

Cisco Employee

Re: Machine authentication for ACS5.1

Hello Tom,

There are several things that you have to do before the machine authentication can work:

1. Under Users and Identity Stores > Active Directory, make sure:

     1) The machine is joined to your domain and you can see the needed groups under Directory Groups

     2) The "Enable machine authentication" box is checked

     3) Aging time (hours): once a machine is authenticated this timer starts to tick. Once the time is up, the machine would have to be restarted in order for machine authentication to re-occur.

2. Under Access Policies, create the following:

An access service called "Wireless network access" (or whatever you like). On the General page select Network Access for Access Service Policy Structure and tick the following boxes: Identity and Authorization, then click Next. In Allowed Protocols, check Process Host Lookup and Allow PEAP. Hit Submit. After the policy is created, go back to it and edit the following:

For Identity: select AD

For Authorization, create two rules:

     Rule 1: Condition #1 System:UserName: Starts with : host/ ... Condition #2 Protocol: Match : Radius ... Authorization profile: Permit Access

     Rule 2: Condition #1 Was Machine Authenticated = True ... Authorization profile: Permit Access

For "If no rules defined or no enabled rule matches": DenyAccess

3. Finally, create a rule in the Service Selection Rules with the following conditions:

     1) Protocol: match: Radius

     2) NAS-IP-Address = the IP address of your controller

     3) Service: the service policy that you created in the previous step

Let me know how it goes
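The rule sets given in this thread (the group-based "Was Machine Authenticated" rules in bbxie's post and the host/ prefix rules in the reply above) all lean on the same mechanism: a machine authentication marks the endpoint for the AD aging time, a later user authentication from that endpoint satisfies "Was Machine Authenticated", and everything else falls to the default DenyAccess. The model below is an added example written for this thread, not ACS configuration or Cisco code; it merges the two rule sets and walks a domain laptop and a personal phone through them with a fake clock. It assumes MAR keys the endpoint by the Calling-Station-ID (MAC) the WLC reports, and the group names, MACs and usernames are made up.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Set

# Added model of the authorization rules described in this thread (example
# code written here, not ACS configuration or Cisco code). It combines the
# "host/" prefix rule from the reply above with the group-based
# "Was Machine Authenticated" rule from earlier posts. Group names, MACs and
# usernames are made up for the example.


@dataclass
class AuthRequest:
    username: str              # System:UserName, e.g. "host/PC01.corp.example" or "corp\\alice"
    protocol: str              # "Radius"
    calling_station_id: str    # endpoint MAC as reported by the WLC
    ad_authenticated: bool     # AD accepted the machine account / user credentials
    external_groups: Set[str]  # AD1:ExternalGroups returned for the subject


class MarCache:
    """Machine Access Restriction state. Assumption for this example: the
    endpoint is keyed by Calling-Station-ID (MAC) and an entry is valid for
    the AD 'Aging time (hours)' configured on the ACS."""

    def __init__(self, aging_hours: float, now: Callable[[], float] = time.time):
        self.ttl = aging_hours * 3600
        self.now = now
        self._seen: Dict[str, float] = {}

    def record(self, mac: str) -> None:
        self._seen[mac] = self.now()

    def was_machine_authenticated(self, mac: str) -> bool:
        t = self._seen.get(mac)
        return t is not None and self.now() - t <= self.ttl


def authorize(req: AuthRequest, mar: MarCache,
              machine_group: str, user_group: str) -> str:
    # Identity policy: the AD store must have found and verified the subject
    # (steps 24437 / 22056 in the first post's trace are where this fails).
    if not req.ad_authenticated:
        return "Reject (identity)"
    # Rule 1: System:UserName starts with "host/", Protocol matches Radius,
    # and the computer account is in the machine group -> machine auth passed.
    if (req.username.startswith("host/") and req.protocol == "Radius"
            and machine_group in req.external_groups):
        mar.record(req.calling_station_id)
        return "PermitAccess (machine)"
    # Rule 2: user in the user group AND Was Machine Authenticated = True
    if (user_group in req.external_groups
            and mar.was_machine_authenticated(req.calling_station_id)):
        return "PermitAccess (user on domain machine)"
    # Default: DenyAccess. Valid AD credentials typed on a personal phone or
    # a non-domain laptop land here, which is the behaviour asked for above.
    return "DenyAccess"


def scenario() -> Dict[str, str]:
    """Walk a domain laptop and a personal phone through the rules with a
    fake clock so the aging timer can be exercised."""
    clock = [0.0]
    mar = MarCache(aging_hours=8, now=lambda: clock[0])
    machine, user = "Domain Computers", "Domain Users"
    laptop_mac, phone_mac = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    out = {}
    # Boot: the laptop authenticates with its computer account.
    out["laptop_machine"] = authorize(AuthRequest(
        "host/PC01.corp.example", "Radius", laptop_mac, True, {machine}),
        mar, machine, user)
    # Logon: alice on the same laptop, within the aging window.
    out["alice_on_laptop"] = authorize(AuthRequest(
        "corp\\alice", "Radius", laptop_mac, True, {user}), mar, machine, user)
    # alice's valid credentials from her phone: never machine-authenticated.
    out["alice_on_phone"] = authorize(AuthRequest(
        "corp\\alice", "Radius", phone_mac, True, {user}), mar, machine, user)
    # Nine hours later the MAR entry has aged out; the laptop must redo
    # machine auth (a reboot, as the reply above notes) before users pass.
    clock[0] = 9 * 3600
    out["alice_after_aging"] = authorize(AuthRequest(
        "corp\\alice", "Radius", laptop_mac, True, {user}), mar, machine, user)
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:18s} -> {v}")
```

Two points worth keeping in mind when deploying this pattern. The aging timer is why a laptop that has been up longer than the configured hours suddenly fails user logon until it reboots, which matches the reply's note about restarting. And because MAR is keyed on the MAC the controller reports, "Was Machine Authenticated" means "this address completed machine auth recently", not that the same device is still the one attached; a MAC is client-controlled, so treat MAR as a convenience for user/machine correlation rather than as a device-identity proof.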

12104 Views, 0 Helpful, 22 Replies