https://community.cisco.com/t5/network-access-control/acs-wireless-authentication-failure/m-p/1601836#M283035 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #800000;">Looks like you have machine authentication enabled. In case of wireless ACS can get the machine names from the authentication request. With this restriction/policy set in the Active Directory to apply the user login restriction then ACS will have to provide a machine/host name for every request that it send to Active Directory. As already established its not possible for ACS to know the real machine name of the user authentication, ACS sends a default machine name its own name with each request to AD. On the AD we create a machine account by ACS name and then allow all the users to be able to log in to this machine. This way ACS is allowed to authenticate every one.</SPAN></P><P><SPAN style="color: #800000;"><BR /></SPAN></P><P><SPAN style="color: #800000;">So please see add the ACS as a computer account on the AD with same hostname and see if thats help.</SPAN></P><P><SPAN style="color: #800000;"><BR /></SPAN></P><P><SPAN style="color: #800000;"><BR /></SPAN></P><P><SPAN style="color: #800000;">Rgds,</SPAN></P><P><SPAN style="color: #800000;">Jatin</SPAN></P><P><SPAN style="color: #800000;"><BR /></SPAN></P><P><SPAN style="color: #800000;">Do rate helpful posts-</SPAN></P></BODY></HTML> Fri, 21 Jan 2011 15:48:53 GMT Jatin Katyal 2011-01-21T15:48:53Z https://community.cisco.com/t5/network-access-control/acs-wireless-authentication-failure/m-p/1601835#M282981 <P>Greetings,</P><P></P><P>We recently migrated from Windows IAS to Cisco ACS 5.2.0.26 for our wireless authentication and use PEAP MSCHAPv2 hitting AD. Everything seems to be working correctly except when a user account has a restriction on which machines they are allowed to log into, at which time an ACS log entry shows as follows,</P><P></P><P>24441 Account not permitted to log on using the current workstation</P><P></P><P>This had been functioning correctly when we were using the IAS server and I'm thinking that ACS just isn't passing the necessary attributes at this time. Does any know how what additional configuration may be needed in ACS to support this configuration?</P><P></P><P>Cheers,</P><P></P><P>Rob</P> Mon, 11 Mar 2019 00:44:33 GMT https://community.cisco.com/t5/network-access-control/acs-wireless-authentication-failure/m-p/1601835#M282981 robertlwalk 2019-03-11T00:44:33Z https://community.cisco.com/t5/network-access-control/acs-wireless-authentication-failure/m-p/1601836#M283035 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #800000;">Looks like you have machine authentication enabled. In case of wireless ACS can get the machine names from the authentication request. With this restriction/policy set in the Active Directory to apply the user login restriction then ACS will have to provide a machine/host name for every request that it send to Active Directory. As already established its not possible for ACS to know the real machine name of the user authentication, ACS sends a default machine name its own name with each request to AD. On the AD we create a machine account by ACS name and then allow all the users to be able to log in to this machine. This way ACS is allowed to authenticate every one.</SPAN></P><P><SPAN style="color: #800000;"><BR /></SPAN></P><P><SPAN style="color: #800000;">So please see add the ACS as a computer account on the AD with same hostname and see if thats help.</SPAN></P><P><SPAN style="color: #800000;"><BR /></SPAN></P><P><SPAN style="color: #800000;"><BR /></SPAN></P><P><SPAN style="color: #800000;">Rgds,</SPAN></P><P><SPAN style="color: #800000;">Jatin</SPAN></P><P><SPAN style="color: #800000;"><BR /></SPAN></P><P><SPAN style="color: #800000;">Do rate helpful posts-</SPAN></P></BODY></HTML> Fri, 21 Jan 2011 15:48:53 GMT https://community.cisco.com/t5/network-access-control/acs-wireless-authentication-failure/m-p/1601836#M283035 Jatin Katyal 2011-01-21T15:48:53Z https://community.cisco.com/t5/network-access-control/acs-wireless-authentication-failure/m-p/1601837#M283073 <HTML><HEAD></HEAD><BODY><P>That was the issue and adding the ACS computer account worked. </P><P></P><P>Thank you Jatin!</P><P></P><P>Rob</P></BODY></HTML> Wed, 26 Jan 2011 17:02:04 GMT https://community.cisco.com/t5/network-access-control/acs-wireless-authentication-failure/m-p/1601837#M283073 robertlwalk 2011-01-26T17:02:04Z https://community.cisco.com/t5/network-access-control/acs-wireless-authentication-failure/m-p/1601838#M283143 <HTML><HEAD></HEAD><BODY><P>Rob,</P><P></P><P>Glad, I could help you<SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN>.</P><P><BR />Rgds</P><P>Jatin</P></BODY></HTML> Wed, 26 Jan 2011 17:09:12 GMT https://community.cisco.com/t5/network-access-control/acs-wireless-authentication-failure/m-p/1601838#M283143 Jatin Katyal 2011-01-26T17:09:12Z