Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

PEAP with MSCHAPv2 and machine level authentication

Our Wireless is currently in a LEAP environement where we are protected or exposed based on our AD user accounts. I would like to migrate our environemnt to PEAP with MSCHAPv2 using machine level authentication to allow for login scripts and group policy processing and in theory better security. We currently have Cisco 1200 AP's running IOS(version c1200-k9w7-tar.123-8.JA2), Cisco Secure ACS 3.3.3 and Windows 2003 AD. All of the clients are XP based SP2 and later. I have configured all of the components including the Automatic Certificate Request and Computer Wireless settings with group policy and all works fine. The problem that I am having is that I wanted to verify that I had the ability to disable a clients ability to connect to the network based on it being in a wirless security AD group. If the computer is removed from the AD group which was previously allowing machine athentication then ACS reports that the machine failed to authenticate but I am still able to go to the PC and login, obtain an IP address and get on the network. When the machine is not in this AD group it maps to a group with no privledges in ACS. I have machine level restrictions enabled and have changed the aging timer to 1 hour. I have also changed the " Group map for successful user authentication without machine authentication to "NO ACCESS" but is still lets me authenticate and connect. Now that I have changed the aging timer from 12 to 1 hour after waiting 30-45 minutes it will eventually cause the user to fail authentication with "External DB user access denied (Machine Access Restriction. Is there a way for this to happen instantly(or within a minute or two) when a computer is moved from the appropriate AD security group? Also this is not a domain sycing issue as I have manually foced replication many times in testing. This is driving me crazy after about 8 hours... Any help appreciated.


Re: PEAP with MSCHAPv2 and machine level authentication

Hi Michael,

did you try a "gpupdate /force" on the DC after moving the client?Maybe a look in this document gives you the right hint.

Protected EAP (PEAP) Application Note

Best regards,


Re: PEAP with MSCHAPv2 and machine level authentication

Machine group membership changes in AD only take effect immediately if you reboot the machine in question. GPUPDATE/FORCE won't do it.

New Member

Re: PEAP with MSCHAPv2 and machine level authentication

When you say that the group membership does not take effect are you talking about on the domain or on the client? Rebooting the client does not seem to matter. Even if I reboot the client after it is removed from the AD group with wireless permissions it let's the PC on the LAN. Again even though the ACS logs say that the machine auth failed. If I wait 30-45 minutes and then reboot ACS properly says that the user auth failed due to Machine Access Restriction. I would expect this change to be immediate other than the syncing of the domain. I have read that there is a machine auth cache in ACS. Is there any way to clear this?

CreatePlease to create content