New Member

Wireless Machine Authentication Acs 5.2 No logon Server errors on Client

Greetings,

We have a huge problem going on. Every day we see about 10-15 clients unable to log on to our network. They receive a "no logon server available" error when trying to log on. We are a school district and have large numbers of laptops that are turned on and off randomly each day. We can "fix" the issue by hardwiring the laptop, logging in, and restarting, and they can then log on to the wireless. Laptops will then work for several weeks as expected. We are doing machine authentication to allow users without cached credentials to log on.

Setup -

Win7 clients. Windows Wireless supplicant.

2 WLC 5508 controllers

ACS 5.2

W2K8 R2 Domain

WPA2 Enterprise

AES

PEAP MSCHAPv2

Machine Authentication and User Authentication

All client wifi policies pushed out via Group Policy

On the MS side: We have tried disabling computer passwords through group policy on all wireless clients.

In the ACS logs we see a lot of machine accounts with EAP session timeouts and also "Not found in internal database".

Any help is greatly appreciated.

Thank you.

6 REPLIES
Cisco Employee

Wireless Machine Authentication Acs 5.2 No logon Server errors o

When the PC boots up it authenticates through the RADIUS server with AD.

The machine and the RADIUS server negotiate the needed key material to establish the secure connection.

If you have enabled MAR, the user should enter the user credentials to be able to fully operate.

The ACS caches the machine MAC address for a certain period of time. Suppose the user disconnected from wireless while the machine was powered up. If he/she stays disconnected until the caching timer expires on the ACS, the user won't be able to connect even if correct credentials are provided, because the ACS has just expired the machine MAC and the user is logging in from an unauthenticated machine. So the machine authentication should be triggered again. The only way to do that is to reboot the machine.

So try to increase the timer:

Users and Identity Stores > External Identity Stores > Active Directory

Enable Machine Access Restrictions

Aging time (hours):
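An added example (my own toy model, not code from the thread or from ACS) of the MAR caching behaviour described in the reply above. It assumes that a successful machine authentication records the client MAC with a timestamp and that a user authentication from that MAC is accepted only while the entry is younger than the aging time; the MAC and the timings are constructed sample values.

```python
# Toy model of ACS Machine Access Restrictions (MAR) with an aging timer.
# Assumed behaviour (from the reply above, not ACS source): machine auth
# caches the MAC; user auth is accepted only while that entry is unexpired.
from dataclasses import dataclass, field


@dataclass
class MarCache:
    aging_hours: float
    entries: dict = field(default_factory=dict)  # mac -> hour of machine auth

    def machine_auth(self, mac: str, now: float) -> None:
        """Record a successful machine (computer-account) authentication."""
        self.entries[mac] = now

    def user_auth(self, mac: str, now: float, password_ok: bool) -> str:
        """Evaluate a user authentication from `mac` under MAR."""
        if not password_ok:
            return "reject: bad credentials"
        seen = self.entries.get(mac)
        if seen is None:
            return "reject: machine not authenticated"
        if now - seen > self.aging_hours:
            del self.entries[mac]  # ACS expired the cached MAC
            return "reject: MAR entry expired, reboot to re-run machine auth"
        return "accept"


def laptop_scenario(aging_hours: float, idle_hours: float) -> list:
    """Boot (machine auth), user logs on, laptop then sits disconnected but
    powered up for `idle_hours`, and the user tries to log on again."""
    mar = MarCache(aging_hours)
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    mar.machine_auth(mac, now=0.0)
    results = [mar.user_auth(mac, now=0.1, password_ok=True)]
    # No reboot during the idle period, so no new machine authentication.
    results.append(mar.user_auth(mac, now=0.1 + idle_hours, password_ok=True))
    return results


if __name__ == "__main__":
    print(laptop_scenario(aging_hours=6, idle_hours=8))   # second logon rejected
    print(laptop_scenario(aging_hours=24, idle_hours=8))  # longer timer: accepted
```

Raising the aging time only widens the window; a machine that stays off the network past it still needs a reboot to be re-cached.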

New Member

Wireless Machine Authentication Acs 5.2 No logon Server errors o

Thanks for the response!

If the aging time is not set, is there a default value? Currently we do not have an aging time set.

Even after the machine is rebooted and you expect it to reauthenticate, the machine ends up getting "no logon servers available".

I ran a debug client on our controller; I can see the client connecting to the AP and the controller, but it's rejected by the ACS.

Hall of Fame Super Silver

Re: Wireless Machine Authentication Acs 5.2 No logon Server erro

What are you doing? Machine authentication or user authentication. You can only do one or the other... Best practice. Make sure your policy is also only set up for one or the other. On your Windows machines, if you're doing machine auth, you need to set up the client for computer only. If user is set up, that will use user credentials. Windows machines only send the machine credential when rebooted.

Sent from Cisco Technical Support iPad App

Thanks, Scott *****Help out others by using the rating system and marking answered questions as "Answered"*****
New Member

Wireless Machine Authentication Acs 5.2 No logon Server errors o

We actually have both enabled on the ACS. We want domain machines to authenticate by machine so new users can log on to them. We also have web authentication, which allows users to bring their own device and log in with their domain user name and password.

Our wireless policy is set to user or machine authentication.

Should we change these policies? Is there a way we can accomplish what we want to do?

Hall of Fame Super Silver

Wireless Machine Authentication Acs 5.2 No logon Server errors o

You just need to understand that Microsoft only sends the machine credentials once when the device boots up, and then it's user authentication after. That being said, it's not both, so if the machine fails, then the user can still access the network with their credentials. You can use MARS on ACS, but that's not even suggested by Cisco and is what I'd call a workaround. If your machines are all domain computers then use machine authentication.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"
New Member

Wireless Machine Authentication Acs 5.2 No logon Server errors o

Thanks for all the replies. From the replies I did tweak some settings on the ACS, but it turns out it wasn't an ACS issue.

Figured out it was a Microsoft issue. Wireless settings are applied through Group Policy. The machines were losing their Group Policy wireless settings and couldn't connect correctly to the network. Opened a ticket with MS to figure out what was going on. To work around the issue we added a local wireless policy to make sure the machines connect correctly regardless of Group Policy settings. Once they connect with the local policy, Group Policy is then applied and our additional wireless settings are applied.
