11-18-2010 10:17 PM - edited 02-21-2020 10:25 AM
Hi,
I have PEAP-MSCHAPv2 working with user name, but can't seem to get "machine authentication only" working. I need to logon to the domain using username and password before it is 802.1x authenticated. I want 802.1x to authenticate using only machine credentials and not having to use username.
After I edited workstation xml profile to have include <authmode>machine</authmode> and then re-import it, 802.1x stops working. It is only after reversing it that 802.1x starts working again.
Is it possible to do peap-mschapv2 with wired workstation? I have seen lots of example using wireless, but none with wired, not sure if this is possible.
In ACS 5.2 I have check the box to allow machine authentication under the active directory container external database section.
Thanks
11-19-2010 01:20 AM
Hi,
I would take a look at this doc:
https://supportforums.cisco.com/docs/DOC-13545.
It is a full config example of dot1x in switches using AD.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
11-19-2010 01:33 AM
Hi,
Authenticate the computers against AD/Domain Cumputers group. ACS sees windows xp comuter names like this:
host/hostname.domainname.
Regards,
Andras
11-19-2010 02:36 AM
Thanks,
In ACS 5.2 is there a section to type in the format of the XP host computer name?
I didn't configure this on the ACS 5.2.
Cheers
11-19-2010 03:17 AM
I have not configured ACS 5.2 yet. Just ACS 5.1 I would do this way:
Under Access policies create new Network Access Authorization Policy
Create an Authorization Profile, there use
Dictionary:RADIUS-IETF
Attribure: User-Name
Operator: starts with
Value: host
And for this create a separate Authorization profile under Policy Elements.
Best Regards,
Andras
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide