09-03-2004 06:33 AM - edited 03-10-2019 01:47 PM
I have everything configured according to Cisco documentation, but I am getting two different errors in ACS's log.
For a user it says: External DB account Restriction
For a machine it says: EAP-TLS or PEAP authentication failed during SSL handshake
Does anyone have any idea what those mean? I can provide the 3550 debug logs as well if that will help.
09-03-2004 08:01 AM
Hi,
About machine authentication: you need to have a valid certificate on your RADIUS server. If you use PEAP, this certificate will be downloaded the first time that the client comes up. You should accept the server certificate. This will create the SSL channel.
About the user: it could be that you didn't enable the Dial-in permission for the user in AD.
Bye
Stefano
09-07-2004 02:49 AM
I went through the same problem, even though I had a certificate installed on the ACS and the workstation.
I uninstalled the certificate on the ACS, issued a new certificate and installed it on both sides, and it did work.
But I am seeing a delay after the machines come up and get authenticated to the domain; it takes so long to activate the switch port (sometimes 2 min),
even though I have the two options enabled on the WinXP 802.1x client:
(1. Authenticate as computer when computer information is available;
2. Automatically use my Windows logon name and password (and domain if any)).
Is there a way to make the authentication faster?
09-21-2004 05:19 PM
I didn't understand your answer. I also face a similar problem to yours; do you have any info on this?
Thanks,
Siddu
When "Authentication using computer", i.e. machine authentication, is selected in the Windows XP (SP1 or SP2) client, authentications are failing for EAP type Protected EAP (PEAP).
The server log is showing "No password found in the request", indicating that during challenge/response the XP client is not sending a password in its response.
Since authentication will be done during computer boot-up, I am not getting how to store the machine password; I assume the machine will use the admin password by default.
In order to send the admin password during machine authentication, do I need to store admin credentials? If that is the case, where and how?
Other than this, do I need to do any other setup on the XP client and AAA server side?
Did anyone face a similar problem?
09-22-2004 10:26 AM
In order to run machine authentication, the machine just needs to be a member of the domain. When using PEAP, it uses the fully qualified machine name of the device as a username, and the local system account password (that it got when it was originally added to the domain).
Other than that, you don't need any additional config. Remember the dial-in properties for the machines themselves, though, if using IAS for RADIUS.
Hope this helps.
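As an added example (not code from this thread or from Cisco/Microsoft), the checks the reply above points at, scripted for the RADIUS server's AD side. It assumes the ActiveDirectory PowerShell module on a domain-joined admin host, that the Windows supplicant presents machine credentials as host/<FQDN> (anything else is treated as a user identity), and that the "Allow access" radio button on the account's Dial-in tab is stored in the msNPAllowDialin attribute ($true allow, $false deny, unset means "control access through policy"). The account names and domain are placeholders.

```powershell
# Added example: verify the AD prerequisites for 802.1X user and machine
# authentication against IAS/ACS. Assumes RSAT's ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DialinState {
    param($Value)   # raw value of msNPAllowDialin
    if ($null -eq $Value) { return 'PolicyControlled' }   # radio button "control through policy"
    if ($Value)           { return 'Allow' }
    return 'Deny'
}

function Test-Dot1xAccount {
    # $Identity is what shows up as User-Name in the RADIUS request,
    # e.g. 'jdoe' or 'host/pc01.corp.example.com' (assumed machine-auth format).
    param([Parameter(Mandatory)][string]$Identity)

    if ($Identity -match '^host/([^.]+)\.(.+)$') {
        # Machine authentication: look up the computer object by its short name.
        $acct = Get-ADComputer -Identity $Matches[1] -Properties msNPAllowDialin
        $kind = 'machine'
    } else {
        $acct = Get-ADUser -Identity $Identity -Properties msNPAllowDialin
        $kind = 'user'
    }

    [pscustomobject]@{
        Identity = $Identity
        Kind     = $kind
        Enabled  = $acct.Enabled                        # disabled accounts fail regardless of dial-in
        DialIn   = Get-DialinState $acct.msNPAllowDialin
        DN       = $acct.DistinguishedName
    }
}

function Grant-DialinAccess {
    # Flip the Dial-in tab to "Allow access" for a user or computer object.
    param([Parameter(Mandatory)]$Account)   # object returned by Test-Dot1xAccount
    Set-ADObject -Identity $Account.DN -Replace @{ msNPAllowDialin = $true }
}

# Placeholder identities; replace with the names from your own ACS log.
Test-Dot1xAccount -Identity 'jdoe'
Test-Dot1xAccount -Identity 'host/pc01.corp.example.com'
```

If the machine account comes back as Deny, the computer object needs the same Dial-in treatment as a user account; an account that is PolicyControlled is decided by the IAS remote access policy instead, so check that policy matches both the user and the machine identity.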
09-08-2004 06:53 AM
I'm not too sure how to read some of these dot1x log entries, but does anything in here stand out? It seems like it does authenticate the user, but then just won't authorize them. I do have dial-in permissions checked for the machine and user, and I have also tried using a domain administrator, with no luck. Any ideas? I'm clueless now.
I have Windows XP set up with PEAP (using "Smart card or other certificate" will not create any log entries in ACS). If I tell XP not to validate the server certificate, the machine's 'failed attempts' stop coming up. The switch is working with RADIUS for login/enable right now.
(Attached are the log entries.)
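The symptom above (failures disappear once XP stops validating the server certificate) and the earlier advice about needing a valid certificate on the RADIUS server both point at the server-side certificate. As an added example, not from the thread, this inventories the certificates in the RADIUS server's machine store and reports the three properties a validating PEAP client depends on: a private key, the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), and a chain that builds on this host. It assumes the ACS/IAS host is Windows with PowerShell; the store path and the Verify() behaviour are .NET/Windows facts, the function name is mine.

```powershell
# Added example: find which certificates in LocalMachine\My are usable as a
# PEAP/EAP-TLS server certificate. Run on the RADIUS server itself.
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-PeapServerCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Collect EKU OIDs; a cert without an EKU extension yields an empty list.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    $now = Get-Date
    $inValidity = ($Cert.NotBefore -le $now -and $now -le $Cert.NotAfter)
    $hasEku     = ($ekuOids -contains $ServerAuthEku)
    # Verify() builds the chain against this machine's stores and checks revocation;
    # it says nothing about what the *client* trusts, see note below.
    $chainOk    = $Cert.Verify()

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        InValidity    = $inValidity
        ServerAuthEku = $hasEku
        ChainBuilds   = $chainOk
        UsableForPeap = ($Cert.HasPrivateKey -and $inValidity -and $hasEku -and $chainOk)
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-PeapServerCert -Cert $_ } |
    Sort-Object UsableForPeap -Descending |
    Format-Table Subject, Issuer, HasPrivateKey, InValidity, ServerAuthEku, ChainBuilds, UsableForPeap -AutoSize
```

A certificate that passes here can still be rejected by the supplicant: the XP client validates the chain against its own Trusted Root store, so the issuing CA's root must be installed there (or the client's "validate server certificate" must point at that CA). Turning validation off, as in the post above, makes the failure disappear but also lets any RADIUS server with any certificate collect the credentials.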
03-15-2005 09:40 PM
Is it possible to be automatically authenticated in a 802.1x IAS situation where the authentication method in place is EAP and MD5? Or must PEAP be used? Must an account be created in active directory for the machine name for this to occur?
Any information would be useful thanks.
03-16-2005 09:21 AM
This may help:
<http://download.microsoft.com/download/b/0/e/b0e2a363-0044-4327-8f17-020818f57234/Wired_depl.doc>
It's rather tough to set up with MD5.
If you're running machine-auth, your only choices are TLS and PEAP though.