topic Re: PEAP Machine Authentication fails in Wireless

PEAP Machine Authentication fails

colin.lynch — Sun, 04 Jul 2021 00:50:45 GMT

Hi All

I am using PEAP with the following setup

WLC 4404

ACS Solutions Engine 4.01 (self signed cert)

Windows AD database.

PEAP user authentication works fine.

The issue is, I need to only allow machines which are in AD as such I have configued Machine authentication.

However this is failing with the below log.

host/wks1.lnd.uk Authen failed EAP-TLS or PEAP authentication failed during SSL handshake

I have configured the ACS for PEAP machine auth in all required places and on the client. I have read lots of info saying I need to configure AD to allow Machine Authentications, and cert auto enrollment etc.., is this the case and if so whats the easiest way to do it?

Thanks in advance

Colin

Re: PEAP Machine Authentication fails

colin.lynch — Tue, 21 Jul 2009 19:57:27 GMT

May have made some progress, as far as I can tell as long as the ACS cert is copied to the client and put in the Local Computer store. That I believe should be enough.

I think when I installed the ACS cert on the client I went with the default which is NOT the Local Computer store.

(This is not the same as installing an idependant cert on the client, but rather just the Local machine, trusting the ACS)

Thats my thoughts anyway, I'll give it a try tomorrow.

Re: PEAP Machine Authentication fails

colin.lynch — Wed, 22 Jul 2009 08:21:36 GMT

Logged into the laptop as a local admin and imported the ACS self signed cert in to: Physical Store: Trusted Root Cert Auths>Local Computer.

This had the effect that my Machine Auth now no longer fails with the SSL error but now fails with "External DB user invalid or bad password"

Unknown user policy is working as Domain user authentication is still working fine.

Anyone got any ideas?

Re: PEAP Machine Authentication fails

Roman Rodichev — Wed, 22 Jul 2009 12:49:18 GMT

What username do you see in that "External DB User invalid" error in Failed Attempts log? Maybe it's "CN="?

Re: PEAP Machine Authentication fails

colin.lynch — Tue, 28 Jul 2009 10:31:08 GMT

username in failure log is host/FQDM

ie host/laptop.x.x

Re: PEAP Machine Authentication fails

pandapritam — Tue, 04 Aug 2009 09:35:25 GMT

Hi colin,

will u able to solve the problem if yes then can you share the solution among us

Re: PEAP Machine Authentication fails

colin.lynch — Tue, 04 Aug 2009 09:43:00 GMT

Hi Yes

Did solve the problem, in my case I just loaded the Agent on another server and all Machine Auth is now working perfectly and all login scripts etc run ok. So it must have been an issue between the Agent and the server which happened to be a DC. Another company had tried getting this working before and failed so I suspect they messed around with the Agent privilages on the DC.

I have drawn up a diagram showing all PEAP components end to end and what needs to be configured and how. If you want a copy let me know ur E-mail address.

Regards

Colin

Re: PEAP Machine Authentication fails

pandapritam — Wed, 05 Aug 2009 03:57:09 GMT

hi colin,

thanks 4 the reply. i desperately need ur help.

MY Emailid :pritam.panda1@wipro.com

Thanks again...

Re: PEAP Machine Authentication fails

Nuttea Jirattivongvibul — Wed, 05 Aug 2009 04:55:57 GMT

Hi,

I'm experience quite same problem with machine authen failed with host/ in another Domain Forest. Anyway could you also send me your diagram and how to setup agent.

Thank you.

nuttea@mfec.co.th

Re: PEAP Machine Authentication fails

kamlesh.patel — Fri, 21 Aug 2009 18:24:33 GMT

Hi Colin,

Please send me @

k.patel@tatacommunications.com

Thx

Re: PEAP Machine Authentication fails

jimcantire — Mon, 31 Aug 2009 04:17:29 GMT

Hi Colin,

Please send me a copy @:

jimhuangca@yahoo.ca

Thanks

Re: PEAP Machine Authentication fails

spirotsares — Tue, 15 Sep 2009 21:33:19 GMT

I'm in the process of deploying the same setup. Would I be able to get a copy of your diagram @

mrspiro@gmail.com

Thanks

Re: PEAP Machine Authentication fails

patgeo1984 — Tue, 29 Sep 2009 23:04:59 GMT

I'm in the process of implementing the same site, and I have presented a problem similar to yours I be able to obtain a copy of your diagram

pgonzalez@coasin.cl

Thank you very much

Re: PEAP Machine Authentication fails

edunn — Wed, 21 Oct 2009 12:43:43 GMT

Can you please send me a copy of that diagram to ernandcorb@msn.com. Thanks

Re: PEAP Machine Authentication fails

fmirza007 — Fri, 23 Oct 2009 13:40:22 GMT

I am also trying to implement the same solution, would I be able to get a copy as well....farhan.mirza@gtsi.com..

Thanks

Re: PEAP Machine Authentication fails

Robert.N.Barrett_2 — Sat, 24 Oct 2009 17:51:37 GMT

removed - wrong thread...sorry

Re: PEAP Machine Authentication fails

Chuck Dillon — Wed, 04 Nov 2009 03:11:03 GMT

Hi Colin, Could you please send me a copy of your diagram to charlespdillon@gmail.com

Thanks

Re: PEAP Machine Authentication fails

jason_majie — Tue, 10 Nov 2009 02:13:53 GMT

Hi Colin, Could you also send me the solution? thanks a lot.

my email is jason.majie@gmail.com

Re: PEAP Machine Authentication fails

rmengert1 — Thu, 03 Dec 2009 21:33:17 GMT

Colin,

If you're still checking this board, I would appreciate a copy of this diagram as well.

ybaglakolov@gmail.com

Thanks