Cisco Support Community

New Member

Machine Authentication not happening with MAR


WLC (4402)5.1.163

AD 2003 Server

Currently we are using ACS to authenticate VPN users for two domains. In the same ACS we want to configure machine authentication + PEAP + self-signed certificate. Now clients are authenticated with a valid username and password in either domain, but machine authentication is not happening.

Our requirement: we want to achieve machine authentication and user authentication simultaneously, i.e. only computers that are added to a particular group, with a valid username and password, can access the network. If either of the above requirements is not fulfilled, the end host cannot access the network.

Can anyone suggest what configuration is required to achieve our requirement?

Note: We are using same ACS for VPN authentication.


Re: Machine Authentication not happening with MAR

Could you let us know how you configured the clients for machine authentication? Also - what kind of machine authentication are you trying to use and what kind of clients you have (PEAP, Windows, Mac, Linux, etc.). Lastly, what database has your machine account information? Active Directory?

New Member

Re: Machine Authentication not happening with MAR

Currently we are using Windows XP SP3.

Client Configuration:

1. Network Authentication: WPA + TKIP

2. EAP type: Protected EAP (PEAP)

3. "Authenticate as computer when computer information is available" is checked

4. "Validate server certificate" is unchecked

5. Authentication Method: EAP-MSCHAPv2

ACS External Database Configuration:

Tick "Enable PEAP machine authentication".

Tick "Enable Machine Access Restrictions".

Ensure that "Group map for successful user authentication without machine authentication:" is mapped to "No Access".

We are using Windows AD database as external database.

Currently we have created one wireless group in AD which is mapped to a group in ACS, and the ACS group is mapped to the SSID in the WLC. We are trying to authenticate the computers which are added to the Wireless AD group. But currently all users which are in AD are authenticated by their username/password instead of machine authentication (computers which are present in the group).

In the WLC, client details show domain\username instead of host/computer name.

Your quick response would be highly appreciated!

Re: Machine Authentication not happening with MAR

I don't see anything wrong with the config, but I'm not sure how you know that machine authentication is not working. What are you seeing in the passed and failed authentication logs? Since it looks like you have enabled machine authentication on the client, you should see something in the ACS passed and failed authentication logs showing that the machine attempted to authenticate.
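As an added illustration of the check suggested above (example code, not part of the thread or of ACS), a small script that scans authentication records for machine-authentication attempts. Windows sends a `host/<computer>` identity for machine authentication, so counting those against `domain\user` identities shows whether the clients attempted machine authentication at all. The column layout and the sample lines are constructed for this example, not the real ACS export format.

```python
import csv
import io
import re

# Constructed sample records; the column layout is assumed, not ACS's real CSV export.
SAMPLE_LOG = """\
Date,Time,Message-Type,User-Name,Group-Name,Authen-Failure-Code
09/01/2009,08:01:12,Authen OK,host/LAPTOP01.corp.example,Wireless,
09/01/2009,08:01:40,Authen OK,CORP\\jsmith,Wireless,
09/01/2009,08:05:03,Authen failed,CORP\\bjones,No Access,Machine authentication required
09/01/2009,08:07:19,Authen failed,host/DESK07.corp.example,,Unknown machine
"""

# Machine authentication presents the computer account as host/<name>.
HOST_RE = re.compile(r"^host/", re.IGNORECASE)


def is_machine_identity(user_name):
    """True for a host/... identity, False for domain\\user or bare user names."""
    return bool(HOST_RE.match(user_name.strip()))


def parse_log(text):
    """Parse the CSV records into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows):
    """Count machine vs. user attempts and how many user-only logins landed in No Access."""
    stats = {"machine_attempts": 0, "machine_passed": 0,
             "user_attempts": 0, "user_passed": 0, "user_no_access": 0}
    for row in rows:
        passed = row["Message-Type"].strip().lower() == "authen ok"
        if is_machine_identity(row["User-Name"]):
            stats["machine_attempts"] += 1
            stats["machine_passed"] += int(passed)
        else:
            stats["user_attempts"] += 1
            stats["user_passed"] += int(passed)
            # With MAR, a user login without a prior machine login maps to No Access.
            if row["Group-Name"].strip().lower() == "no access":
                stats["user_no_access"] += 1
    return stats


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

If the summary shows zero machine attempts, the clients never sent a host/ identity and the problem is on the supplicant side rather than in the ACS group mapping.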
