Cisco Support Community
New Member

PEAP Machine Authentication fails

Hi All

I am using PEAP with the following setup

WLC 4404

ACS Solutions Engine 4.01 (self signed cert)

Windows AD database.

PEAP user authentication works fine.

The issue is, I need to only allow machines which are in AD; as such, I have configured Machine authentication.

However this is failing with the below log.

host/wks1.lnd.uk Authen failed EAP-TLS or PEAP authentication failed during SSL handshake

I have configured the ACS for PEAP machine auth in all required places and on the client. I have read lots of info saying I need to configure AD to allow Machine Authentications, and cert auto enrollment etc. Is this the case, and if so, what's the easiest way to do it?

Thanks in advance

Colin

18 REPLIES
New Member

Re: PEAP Machine Authentication fails

May have made some progress. As far as I can tell, as long as the ACS cert is copied to the client and put in the Local Computer store, that I believe should be enough.

I think when I installed the ACS cert on the client I went with the default, which is NOT the Local Computer store.

(This is not the same as installing an independent cert on the client, but rather just the Local machine trusting the ACS.)

Those are my thoughts anyway, I'll give it a try tomorrow.

New Member

Re: PEAP Machine Authentication fails

OK

Logged into the laptop as a local admin and imported the ACS self signed cert in to: Physical Store: Trusted Root Cert Auths>Local Computer.

This had the effect that my Machine Auth now no longer fails with the SSL error but now fails with "External DB user invalid or bad password"

Unknown user policy is working as Domain user authentication is still working fine.

Anyone got any ideas?
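The store check described in the post above, written as a script. This is an added example, not part of the original thread; `$CertPath` and `$ExpectedThumbprint` are assumed parameters, and the thumbprint is assumed to have been confirmed with the server administrator before a self-signed certificate is trusted as a root.

```powershell
# Added example (not from the thread). Run from an elevated prompt.
param(
    [Parameter(Mandatory)] [string] $CertPath,            # assumed path to the exported server cert
    [Parameter(Mandatory)] [string] $ExpectedThumbprint   # assumed: confirmed out-of-band with the server admin
)
$ErrorActionPreference = 'Stop'

# Load the exported certificate and refuse to trust it unless it is the one expected.
$file = (Resolve-Path -LiteralPath $CertPath).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file is $($cert.Thumbprint), expected $expected. Not importing."
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate expired on $($cert.NotAfter); server validation is likely to fail."
}

# Report which root stores already hold this certificate.
$machineStore = 'Cert:\LocalMachine\Root'
$inStore = @{}
foreach ($store in 'Cert:\CurrentUser\Root', $machineStore) {
    $hit = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    $inStore[$store] = [bool]$hit
    Write-Output ("{0,-24} {1}" -f $store, $(if ($hit) { 'present' } else { 'missing' }))
}

# The thread's failure case: trusted for the user, but not for the computer.
if (-not $inStore[$machineStore]) {
    if ($inStore['Cert:\CurrentUser\Root']) {
        Write-Warning 'Certificate is only in the current user store, not the Local Computer store.'
    }
    Import-Certificate -FilePath $file -CertStoreLocation $machineStore | Out-Null
    Write-Output "Imported $($cert.Thumbprint) into $machineStore"
}
```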

Re: PEAP Machine Authentication fails

What username do you see in that "External DB User invalid" error in Failed Attempts log? Maybe it's "CN="?

New Member

Re: PEAP Machine Authentication fails

Username in failure log is host/FQDN

i.e. host/laptop.x.x

New Member

Re: PEAP Machine Authentication fails

Hi Colin,

Were you able to solve the problem? If yes, can you share the solution with us?

New Member

Re: PEAP Machine Authentication fails

Hi, yes.

Did solve the problem. In my case I just loaded the Agent on another server and all Machine Auth is now working perfectly and all login scripts etc. run OK. So it must have been an issue between the Agent and the server, which happened to be a DC. Another company had tried getting this working before and failed, so I suspect they messed around with the Agent privileges on the DC.

I have drawn up a diagram showing all PEAP components end to end and what needs to be configured and how. If you want a copy, let me know your e-mail address.

Regards

Colin

New Member

Re: PEAP Machine Authentication fails

Hi Colin,

Thanks for the reply. I desperately need your help.

My email ID: pritam.panda1@wipro.com

Thanks again...

Re: PEAP Machine Authentication fails

Hi,

I'm experiencing much the same problem, with machine authentication failing with host/ in another Domain Forest. Anyway, could you also send me your diagram and how to set up the agent?

Thank you.

nuttea@mfec.co.th

New Member

Re: PEAP Machine Authentication fails

Hi Colin,

Please send me @

k.patel@tatacommunications.com

Thx

New Member

Re: PEAP Machine Authentication fails

Hi Colin,

Please send me a copy @:

jimhuangca@yahoo.ca

Thanks

New Member

Re: PEAP Machine Authentication fails

I'm in the process of implementing the same site, and I have encountered a problem similar to yours. Would I be able to obtain a copy of your diagram?

pgonzalez@coasin.cl

Thank you very much

New Member

Re: PEAP Machine Authentication fails

Can you please send me a copy of that diagram to ernandcorb@msn.com. Thanks

New Member

Re: PEAP Machine Authentication fails

Hi Colin, Could you please send me a copy of your diagram to charlespdillon@gmail.com

Thanks

New Member

Re: PEAP Machine Authentication fails

Hi Colin, Could you also send me the solution? thanks a lot.

my email is jason.majie@gmail.com

Re: PEAP Machine Authentication fails

removed - wrong thread...sorry

New Member

Re: PEAP Machine Authentication fails

I'm in the process of deploying the same setup. Would I be able to get a copy of your diagram @

mrspiro@gmail.com

Thanks

New Member

Re: PEAP Machine Authentication fails

I am also trying to implement the same solution. Would I be able to get a copy as well? farhan.mirza@gtsi.com

Thanks

New Member

Re: PEAP Machine Authentication fails

Colin,

If you're still checking this board, I would appreciate a copy of this diagram as well.

ybaglakolov@gmail.com

Thanks
