Currently we are using ACS to authenticate VPN users for two domains. In the same ACS we want to configure machine authentication + PEAP + self-signed certificate. Now clients are authenticated with a valid username and password in either domain, but machine authentication is not happening.
Our requirement: we want to achieve machine authentication and user authentication simultaneously, i.e. only computers which are added to a particular group, with a valid username and password, can access the network. If either of the above requirements is not fulfilled then the end host cannot access the network.
Can anyone suggest what configuration is required to achieve our requirement?
Note: We are using same ACS for VPN authentication.
Could you let us know how you configured the clients for machine authentication? Also - what kind of machine authentication are you trying to use and what kind of clients you have (PEAP, Windows, Mac, Linux, etc.). Lastly, what database has your machine account information? Active Directory?
3. Authenticate as computer when computer information is available is (checked)
4. Validate server certificate is (unchecked)
5. Authentication Method is: EAP-MSCHAPv2
ACS External Database Configuration:
Tick "Enable PEAP machine authentication".
Tick "Enable Machine Access Restrictions".
Ensure that "Group map for successful user authentication without machine authentication:" is mapped to "No Access".
We are using Windows AD database as external database.
Currently we have created one wireless group in AD which is mapped to a group in ACS, and the ACS group is mapped to the SSID in WLC. We are trying to authenticate the computers which are added to the Wireless AD group. But currently all users which are present in AD are authenticated by their username/password instead of machine authentication (computers which are present in the group).
In WLC, client details are showing domain\username instead of host/computer name.
Your quick response would be highly appreciated!
I don't see anything wrong with the config, but I'm not sure how you know that machine authentication is not working. What are you seeing in the passed and failed authentication logs? Since it looks like you have enabled machine authentication on the client, you should see something in the ACS passed and failed authentication logs showing that the machine attempted to authenticate.
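As an added example (not from this thread or from Cisco), a small Python script that replays rows from an ACS passed/failed authentication export and flags user logons whose Caller-ID (client MAC) never completed a host/ machine authentication first, which is exactly the gap Machine Access Restrictions should close. The CSV column names and the sample rows are constructed assumptions; adjust them to the report your ACS produces.

```python
import csv
import io

# Constructed sample modelled on an ACS 4.x passed/failed authentication CSV
# export. The exact column set is an assumption for this example; adjust the
# field names to match the report your ACS actually produces.
SAMPLE_LOG = r"""Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,NAS-IP-Address
06/01/2010,08:00:01,Authen OK,host/LAPTOP01.corp.example,Wireless,00-11-22-33-44-55,10.0.0.5
06/01/2010,08:00:20,Authen OK,CORP\alice,Wireless,00-11-22-33-44-55,10.0.0.5
06/01/2010,08:05:10,Authen OK,CORP\bob,Wireless,66-77-88-99-AA-BB,10.0.0.5
06/01/2010,08:07:00,Authen failed,host/DESKTOP07.corp.example,Wireless,CC-DD-EE-FF-00-11,10.0.0.5
"""


def is_machine_account(user_name):
    """Windows sends machine credentials as host/<fqdn>; anything else is a user."""
    return user_name.lower().startswith("host/")


def parse_log(text):
    """Parse the CSV export into a list of row dicts, preserving log order."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_mar(rows):
    """Replay the log and report user logons whose MAC (Caller-ID) never
    passed machine authentication beforehand, i.e. what MAR should be blocking."""
    machines_ok = set()   # Caller-IDs that completed machine authentication
    report = {"machine_passed": 0, "machine_failed": 0,
              "user_passed": 0, "users_without_machine_auth": []}
    for row in rows:
        user, mac = row["User-Name"], row["Caller-ID"]
        passed = row["Message-Type"] == "Authen OK"
        if is_machine_account(user):
            if passed:
                report["machine_passed"] += 1
                machines_ok.add(mac)
            else:
                report["machine_failed"] += 1
        elif passed:
            report["user_passed"] += 1
            if mac not in machines_ok:
                # A user got in on a MAC that never authenticated as a machine:
                # this matches the symptom of seeing domain\user but no host/ entry.
                report["users_without_machine_auth"].append(user)
    return report


if __name__ == "__main__":
    print(audit_mar(parse_log(SAMPLE_LOG)))
```

If the export shows no host/ entries at all, the supplicant is not attempting machine authentication, which points at the client profile rather than the ACS group mapping.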