https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837965#M19596 <HTML><HEAD></HEAD><BODY><P>Correct... That's the issue when you have two rules instead on just having one. If you remove the rule for machine and change the rule for user and take out was machine authenticated, then that's how you authenticate user only.</P><P></P><P>Thanks,</P><P></P><P>Scott Fella</P><P></P><P>Sent from my iPhone</P></BODY></HTML> Wed, 18 Jan 2012 13:44:06 GMT Scott Fella 2012-01-18T13:44:06Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837917#M19548 <P>Hi ;</P><P></P><P>&nbsp;&nbsp; I tried PEAP machine and user authentication together with acs 5.3.&nbsp; But if we are selecting only computer authentication in the client side , we are able to connect without even prompting for the username and password.</P><P></P><P></P><P>Is there any way to enforce both authentications.</P><P></P><P>Best Regards</P><P>Sreejith R</P> Sun, 04 Jul 2021 04:19:19 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837917#M19548 sreejith_r 2021-07-04T04:19:19Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837918#M19549 <HTML><HEAD></HEAD><BODY><P>Are you using windows 7... if so, you can, but I know that windows xp only can do user.&nbsp; Also this depends on how you setup your policy in ACS 5.3.&nbsp; Post some screen shots so we can take a look.</P></BODY></HTML> Tue, 03 Jan 2012 14:22:39 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837918#M19549 Scott Fella 2012-01-03T14:22:39Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837919#M19550 <HTML><HEAD></HEAD><BODY><P>Can you also post screen shots of the failed attempts using the username also. </P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Tue, 03 Jan 2012 14:26:04 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837919#M19550 Scott Fella 2012-01-03T14:26:04Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837920#M19551 <HTML><HEAD></HEAD><BODY><P> I am trying with windows 7. There are three options</P><P></P><P>1. User or Compuer Authentication: Its working as expected. I can see the both successful authentication in the Logs.</P><P></P><P>2. User Authentication : Its working as expected. Because of the was machine authenticated attribute the authentications fails.</P><P></P><P>3. Computer Authentication: Once the computer passed the authentication the client successfully connecting to wireless without the username and password.</P><P></P><P>i did the following steps</P><P></P><P>1. Enable machine authentication</P><P>2. Enabled MAR with 1 hour</P><P>3. Added the computer and user grups in the ACS</P><P>4. Added the protocol, External groups &amp; Was machine authenticated in the authorization list.</P><P></P><P></P><P>Please let me know if any changes has to be done or is this the way the machine authentication works.</P><P></P><P></P><P>Best Regards</P><P>Sreejith R</P></BODY></HTML> Tue, 03 Jan 2012 14:29:44 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837920#M19551 sreejith_r 2012-01-03T14:29:44Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837921#M19552 <HTML><HEAD></HEAD><BODY><P>On the client side you need to choose:</P><P></P><P>1. User or Compuer Authentication</P><P></P><P>Now can you post a screen shot of your failed attemps in ACS.</P></BODY></HTML> Tue, 03 Jan 2012 14:33:43 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837921#M19552 Scott Fella 2012-01-03T14:33:43Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837922#M19553 <HTML><HEAD></HEAD><BODY><P>This is a customer requirement. We cannot force the client to use only user or computer authentication.&nbsp; The client may try with usre authentication, Computer autnetication &amp; User or compuer authentication.</P><P></P><P>We need to configure ACS in such a way that only the user or computer authentication will work out.</P><P></P><P>Sorry, i dont have the screenshots with me.</P></BODY></HTML> Tue, 03 Jan 2012 14:36:50 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837922#M19553 sreejith_r 2012-01-03T14:36:50Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837923#M19554 <HTML><HEAD></HEAD><BODY><P>I know it works, because I have done that in the past. It must be hwo the policy is configured on ACS.</P></BODY></HTML> Tue, 03 Jan 2012 14:38:42 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837923#M19554 Scott Fella 2012-01-03T14:38:42Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837924#M19555 <HTML><HEAD></HEAD><BODY><P>i didnt see any option in the policy. Could you please share the information on how we need to configure the policy to enforce both the authentications.</P></BODY></HTML> Tue, 03 Jan 2012 14:41:24 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837924#M19555 sreejith_r 2012-01-03T14:41:24Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837925#M19556 <HTML><HEAD></HEAD><BODY><P>I will try to dig something up, but being able to see the failed logs helps since there are various ways to setup policies.</P></BODY></HTML> Tue, 03 Jan 2012 14:43:10 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837925#M19556 Scott Fella 2012-01-03T14:43:10Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837926#M19557 <HTML><HEAD></HEAD><BODY><P>I will also try to get the logs by tomorrow. </P><P></P><P></P><P>But if you are selecting the computer authentication in the client side you will not see any failed logs in the ACS.</P><P></P><P>If you are selecting the user authentication in the client side, in the failed logs you will see that the machine was not authenticated.</P><P></P><P>If you are selecting the user or computer authentication in the client side, then also you will not see any failed logs.</P></BODY></HTML> Tue, 03 Jan 2012 14:49:36 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837926#M19557 sreejith_r 2012-01-03T14:49:36Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837927#M19558 <HTML><HEAD></HEAD><BODY><P>But if you are selecting the computer authentication in the client side you will not see any failed logs in the ACS.</P><P></P><P><STRONG>That is because the policy configured in ACS right now is only working for machine authentication</STRONG></P><P></P><P>If you are selecting the user authentication in the client side, in the failed logs you will see that the machine was not authenticated.</P><P></P><P><STRONG>This is because the user authentication part is failing or not configured correctly.</STRONG></P><P></P><P>If you are selecting the user or computer authentication in the client side, then also you will not see any failed logs.</P><P></P><P><STRONG>This is because of the "OR" on the client side.&nbsp; You specify to send both user and machine, but your policy is only looking for machine not user.</STRONG></P></BODY></HTML> Tue, 03 Jan 2012 14:55:08 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837927#M19558 Scott Fella 2012-01-03T14:55:08Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837928#M19559 <HTML><HEAD></HEAD><BODY><P>No the user authentication is failing beacuse of the was machine authenticated attribute in the policy. If the client is selecting only the user authentication acs will block the access beacuse of the was machine authenticated attribute. If are removing that attribute it will work for user authentication as well.</P><P></P><P></P><P>If we are selecting user or computer authentication , both authentication works. We can see the logs in the acs that both user and machine authentication passed.</P><P></P><P>What is happening is that&nbsp; since machine authentication happens prior to the user authentication, once the machineauthentication passed acs grants access to the clients without checking any other rules. How we can override this.</P></BODY></HTML> Tue, 03 Jan 2012 15:06:59 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837928#M19559 sreejith_r 2012-01-03T15:06:59Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837929#M19560 <HTML><HEAD></HEAD><BODY><P>Have you tried using AD1:ExternalGroups: "contains all" in your authorization policy and listed specfic AD group and included the computer group.</P></BODY></HTML> Tue, 03 Jan 2012 15:13:55 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837929#M19560 Scott Fella 2012-01-03T15:13:55Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837930#M19561 <HTML><HEAD></HEAD><BODY><P>Okay.... I decided to lab this up and here is how to set this up.&nbsp; After you have set this up, make sure you reboot the client device (Windows 7) so that ACS knows that this device has authenticated using machine authentication.&nbsp; These policies are customizable, so here is the basic that you have to do.&nbsp; </P><P></P><P>Also note, when you first connect, you will see the machine and user being authenticated, then if you disconnect and reconnect, you will only see the username come through, because it is cached due to the Aging Time you will set in ACS.</P><P></P><P>Attached is a PDF so hopefully this helps.</P></BODY></HTML> Wed, 04 Jan 2012 03:23:56 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837930#M19561 Scott Fella 2012-01-04T03:23:56Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837931#M19562 <HTML><HEAD></HEAD><BODY><P>Let me know if the doc doesn't help.</P></BODY></HTML> Wed, 04 Jan 2012 22:46:09 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837931#M19562 Scott Fella 2012-01-04T22:46:09Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837932#M19563 <HTML><HEAD></HEAD><BODY><P> i will try with this document by today and will let you know about the status.</P></BODY></HTML> Thu, 05 Jan 2012 08:49:12 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837932#M19563 sreejith_r 2012-01-05T08:49:12Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837933#M19564 <HTML><HEAD></HEAD><BODY><P>Sounds good.</P><P></P><P>Thanks,</P><P></P><P>Scott Fella</P><P></P><P>Sent from my iPhone</P></BODY></HTML> Thu, 05 Jan 2012 13:02:37 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837933#M19564 Scott Fella 2012-01-05T13:02:37Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837934#M19565 <HTML><HEAD></HEAD><BODY><P>Were you able to try it?</P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Fri, 06 Jan 2012 12:01:21 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837934#M19565 Scott Fella 2012-01-06T12:01:21Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837935#M19566 <HTML><HEAD></HEAD><BODY><P>Any update if this worked for you?</P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Wed, 11 Jan 2012 12:50:21 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837935#M19566 Scott Fella 2012-01-11T12:50:21Z https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837936#M19567 <HTML><HEAD></HEAD><BODY><P> Didn't get any update from the customer. Will update you once i get the feedback from the customer.</P></BODY></HTML> Wed, 11 Jan 2012 13:36:26 GMT https://community.cisco.com/t5/wireless/peap-user-machine-authentication/m-p/1837936#M19567 sreejith_r 2012-01-11T13:36:26Z