https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156151#M19977 <HTML><HEAD></HEAD><BODY><P>The MAR may be coming in to play because the machine didn't authenticate. The error you posted, I believe, is from when a USER account was presented for authentication without the machine having been previously authenticated.</P><P></P><P>Check the logs - do you see anything about failed auths for MACHINE accounts (or successful machine authentications in the successful auth logs)?</P></BODY></HTML> Fri, 14 Aug 2009 16:36:14 GMT Robert.N.Barrett_2 2009-08-14T16:36:14Z https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156143#M19966 <P>I am attempting to come up with a secure deployment scenario. I have strong control over image on mobile devices. I am testing utilizing PEAP with ACS. I am currently running legacy 3.3 ACS server but am about to upgrade. The dillemma I have is that I only want to allow machines that are domain members to authenticate. I have configured machine authentication Rules to prevent access for users that have not machine authenticated, however I have test devices, specifically Iphone and Itouch devices that can still consistently authenticate using only user domain credentials. Is there something I am missing in setting up the Machine Access restriction? If there is, is this possibly something that is fixed in 4.X ACS?</P> Sun, 04 Jul 2021 00:28:23 GMT https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156143#M19966 relsethagen 2021-07-04T00:28:23Z https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156144#M19967 <HTML><HEAD></HEAD><BODY><P>I'm curious. What rules are you referring to? ACS or the client rules?</P></BODY></HTML> Mon, 27 Apr 2009 17:37:03 GMT https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156144#M19967 rsumpter 2009-04-27T17:37:03Z https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156145#M19968 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>We have this running on ACS 4.2 and the only elements we need to enable on the ACS server are under the "Machine Authentication" section of "External Databases". </P><P></P><P>Tick "Enable PEAP machine authentication".</P><P>Tick "Enable Machine Access Restrictions".</P><P>Ensure that "Group map for successful user authentication without machine authentication:" is mapped to "No Access".</P><P>Ensure that no groups are exempt from this.</P><P></P><P>If your setup in ACS3.3 is the same but does not function, then all I can say is that it works OK in v4.2! I cannot comment on whether this is a bug in 3.3</P><P></P><P>Hope this helps,</P><P>Russell</P></BODY></HTML> Wed, 06 May 2009 15:26:35 GMT https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156145#M19968 r.bishop 2009-05-06T15:26:35Z https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156146#M19969 <HTML><HEAD></HEAD><BODY><P>Hi Russell</P><P></P><P>What is the config if any on the windows side to allow machine authentication?</P><P></P><P>As I am seeing the PEAP user auth pass</P><P>but the machine auth fail with the below log</P><P></P><P>host/wks1.lnd.uk Authen failed EAP-TLS or PEAP authentication failed during SSL handshake</P></BODY></HTML> Tue, 21 Jul 2009 13:50:45 GMT https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156146#M19969 colin.lynch 2009-07-21T13:50:45Z https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156147#M19971 <HTML><HEAD></HEAD><BODY><P>What 802.1x supplicant are you using on the Windows side? If you are using the one built-in to Windows XP (Wireless Zero Config), then you can simply check/tick the "Authenticate as computer when computer information is available" box on the authentication tab.</P></BODY></HTML> Wed, 22 Jul 2009 12:48:11 GMT https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156147#M19971 Robert.N.Barrett_2 2009-07-22T12:48:11Z https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156148#M19973 <HTML><HEAD></HEAD><BODY><P>Hi Russel</P><P>What config if any did you have to do on the windows server / AD side?</P><P>Regards</P><P>Colin</P></BODY></HTML> Tue, 28 Jul 2009 18:20:27 GMT https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156148#M19973 colin.lynch 2009-07-28T18:20:27Z https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156149#M19975 <HTML><HEAD></HEAD><BODY><P>Hi Robert</P><P>I am using the windows XP SP2 Supplicant</P><P>auth as machine is ticked and ACS sends machine auth to AD and fails.</P><P></P><P>PEAP user auth works fine.</P><P></P><P>Regards</P><P>Colin</P></BODY></HTML> Tue, 28 Jul 2009 18:29:04 GMT https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156149#M19975 colin.lynch 2009-07-28T18:29:04Z https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156150#M19976 <HTML><HEAD></HEAD><BODY><P>I am running into the same issue. I desire to lock out devices that are not part of the AD. We are using ACS4.2 appliances (which use the remote agents) and I beleive machine authentication works because it was enabled to allow logon scripts to run etc.</P><P>However - if I check the box to Enable Machine Access Restrictions and set it to No Access - no users can authenticate.</P><P></P><P>As mentioned earlier, the Itouch's and Iphones are prompted to continue without a certificate, and are able to get on by only providing the AD username and password.</P><P></P><P>This is the failed attempt log when MAR is enabled:</P><P>Windows External DB user access was denied due to a Machine Access Restriction</P></BODY></HTML> Thu, 06 Aug 2009 13:06:56 GMT https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156150#M19976 brian.kachel 2009-08-06T13:06:56Z https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156151#M19977 <HTML><HEAD></HEAD><BODY><P>The MAR may be coming in to play because the machine didn't authenticate. The error you posted, I believe, is from when a USER account was presented for authentication without the machine having been previously authenticated.</P><P></P><P>Check the logs - do you see anything about failed auths for MACHINE accounts (or successful machine authentications in the successful auth logs)?</P></BODY></HTML> Fri, 14 Aug 2009 16:36:14 GMT https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156151#M19977 Robert.N.Barrett_2 2009-08-14T16:36:14Z https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156152#M19978 <HTML><HEAD></HEAD><BODY><P>I am running into the same issue. </P><P></P><P>I can authenticate as a machine and use eap-tls for machine authentication. </P><P></P><P></P><P>I cannot however get a windows computer to combine active directory authentication with machine authentication.</P><P></P><P>I want a supplicant to send BOTH machine auth via eap-tls to satisfy the "MAR" then send the active directory username and password info to satisfy the peap.</P><P></P><P>**ps: I CAN get a user cert and active directory combined to authenticate but this is not as secure as checking the machine certificate.</P><P></P><P></P><P>I have tried and tried and can only do one or the other and not both. Anyone have input on how to do this? </P></BODY></HTML> Thu, 07 Oct 2010 20:58:05 GMT https://community.cisco.com/t5/wireless/peap-and-machine-authentication/m-p/1156152#M19978 iceteanolemon 2010-10-07T20:58:05Z