ACS 4.2 Problem

k.mehnati
Level 1

I have configured Cisco ACS 4.2 to authenticate the wired network against Active Directory on Windows 2003.

I use PEAP authentication on the network and everything was OK, but I have a problem: because there is a restriction on the user accounts that limits logon to the user's own computer (in the Active Directory user account settings, "Log On To" restricts the user to specific computers), the ACS can't authenticate users and generates an error log saying that the workstation is not allowed. I have also configured "enable workstation restriction" in ACS, but the problem still exists.

The ACS logs are in the attachment.

3 Replies

JamesLuther
Level 3

Hi,

By default, everyone who is authenticated by the ACS is authenticated against a workstation object called CISCO in AD.

So you need to create the workstation called CISCO and allow users to log on to this object.

Regards

How do we create this object with the machine name CISCO? As mentioned, it should be there by default; we do not have this issue on ACS 4.1.

Please advise, thanks.

Tiago Antunes
Cisco Employee

Hi,

It looks like you have 3 problems here, corresponding to the 3 failure reasons you are seeing in the Failed Attempts log:

1 - SH-RASTEGAR\26320 -> Windows workstation not allowed
2 - SH-RASTEGAR\26320 -> Windows External DB user access was denied due to a Machine Access Restriction
3 - host/4500-028.sh-rastegar.com -> Machine authentication is not permitted

Explanation:

-----------------

1 - This error means that the user is not allowed to log on from the machine he is trying to log on from. This is an AD setting, and if you want to allow the user to log on from this machine you have to change this security setting in AD.

2 - This means that you have MAR (Machine Access Restriction) configured, which means that a user can only log on from a machine that has already passed machine authentication. If the machine has not yet authenticated successfully, you will get this message.

3 - This means that the machine "host/4500-028.sh-rastegar.com" tried to authenticate; however, machine authentication is disabled on ACS. To enable it you need to check the matching box:

Enable PEAP machine authentication.
Enable EAP-TLS machine authentication.

This can be found under ACS GUI -> External User Database -> Database Configuration -> Windows Database -> Configure.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
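Failure 1 above, and JamesLuther's point that ACS presents the workstation name CISCO when it authenticates a user, both come down to the "Log On To" list on the AD user account, which is stored in the userWorkstations attribute as a comma-separated list of NetBIOS computer names (an empty attribute means "all computers"). The script below is an added example and not part of this thread or of any Cisco or Microsoft code: it finds every user in a search base that has such a restriction and appends CISCO to the list, reporting only unless run with -Apply. It assumes the ActiveDirectory PowerShell module (RSAT) on a management host that can reach the domain; the search base OU and the parameter names are assumptions for illustration, and the domain components are taken from the host name in the log.

```powershell
# Added example: allow the ACS default workstation name ("CISCO") in the
# "Log On To" (userWorkstations) list of every user that has a restriction.
# Not from the thread; search base OU is an assumption for illustration.
param(
    [string]$AcsWorkstation = 'CISCO',                        # name ACS uses in its logon request (per the reply above)
    [string]$SearchBase     = 'OU=Users,DC=sh-rastegar,DC=com', # assumed OU; domain taken from the log's host name
    [switch]$Apply                                             # without -Apply the script only reports
)

Import-Module ActiveDirectory

# Only users whose userWorkstations is non-empty are restricted; an empty
# attribute already means "any computer", so ACS would not fail for them.
$restricted = Get-ADUser -SearchBase $SearchBase `
    -Filter 'userWorkstations -like "*"' `
    -Properties userWorkstations

foreach ($u in $restricted) {
    # Normalise the comma-separated list (the GUI writes it without spaces).
    $list = $u.userWorkstations -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }

    # -contains is case-insensitive, matching NetBIOS name semantics.
    if ($list -contains $AcsWorkstation) {
        Write-Output "$($u.SamAccountName): already allows $AcsWorkstation"
        continue
    }

    $new = ($list + $AcsWorkstation) -join ','
    Write-Output "$($u.SamAccountName): '$($u.userWorkstations)' -> '$new'"

    if ($Apply) {
        # -Replace overwrites the single-valued attribute with the new list.
        Set-ADUser -Identity $u -Replace @{ userWorkstations = $new }
    }
}
```

Run it once without -Apply to review the proposed changes, then with -Apply to write them. Adding CISCO does not widen interactive logon for these users unless a real computer account named CISCO exists in the domain, so check for one first (Get-ADComputer -Identity CISCO should fail). Failures 2 and 3 in the reply are not AD-side changes: MAR requires the workstation itself to pass machine authentication before the user does, and that in turn requires the PEAP/EAP-TLS machine authentication boxes in the ACS Windows database configuration to be enabled, as described above.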
