09-10-2012 02:52 PM - edited 03-10-2019 07:31 PM
All, here is my current setup: Windows XP machines authenticating wireless using 802.1X to a Cisco ACS 5.3 that redirects the request to Microsoft Active Directory. All the statements that I make below are what I have gathered from reading on forums, some of them might be incorrect.
In the ACS, under “External Identity Stores” and “Active Directory”, there is a check box called “Enable Machine Access Restrictions”. If it is checked and the aging time is set to 8 hours, and a Windows XP machine authenticates using its domain credentials, it will gain access to the network; but if that computer is not rebooted after the 8 hours is up, Windows XP will not send its machine credentials again, it will only send the user/pass of the user and will lose access to the network. The problem we have is that most of the users do not shut down their computers when they go home, they hibernate the computers, thus when they come back to the school the 8 hours aging time on the ACS has expired. The ACS expects to see the Windows XP machine send its domain credentials again, but from every forum I have read, Windows XP will not send them again until it gets rebooted (FYI, Windows 7 will send the proper info, thus they work just fine). In the meantime I have changed the aging time to 8760 hours, but this should only be temporary because it is a security risk to have the aging time set so high. Moving forward, what are my options to make this work properly?
-Is there a way to fix Windows XP?
-Is there a recommendation on how to bypass this issue but still give us decent security?
-Is setting the aging time so high, a non security issue?
-I guess worst case scenario, the customer can try to educate all the students and staff to reboot their machines every morning?
Thoughts, ideas?
Thanks,
CM
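To make the behaviour described in the post concrete, here is a small model of the MAR cache as an added illustration. It is not Cisco code and not part of the thread: a successful machine authentication records the client in a cache, and a later user-only authentication from that client is accepted only while the entry is younger than the aging time. The MAC address, timestamps and aging values are constructed for the demo; the `resends_machine_auth` flag stands in for the XP-versus-Windows-7 difference the poster describes.

```python
"""Toy model of an ACS Machine Access Restriction (MAR) cache.

Added example, not Cisco code. It reproduces the mechanics described in
the post: machine (computer) authentication populates a per-client
cache entry, and a user authentication is only allowed while that
entry is younger than the configured aging time. All sample values
(MAC, timestamps, aging hours) are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

HOURS = 3600  # seconds per hour; timestamps below are seconds since boot


@dataclass
class MarCache:
    aging_seconds: int
    # MAC address -> time of the last successful machine authentication
    _seen: Dict[str, int] = field(default_factory=dict)

    def machine_auth(self, mac: str, now: int) -> None:
        """A successful computer authentication creates/refreshes the entry."""
        self._seen[mac] = now

    def user_auth(self, mac: str, now: int) -> str:
        """Decide a user authentication against the MAR cache."""
        seen = self._seen.get(mac)
        if seen is None:
            return "deny: no machine authentication on record"
        if now - seen > self.aging_seconds:
            return "deny: machine authentication older than aging time"
        return "allow: machine entry still fresh"


def day_with_hibernate(aging_hours: int, hibernate_hours: int,
                       resends_machine_auth: bool) -> List[str]:
    """Replay one client's day: boot, user logon, hibernate, resume.

    resends_machine_auth=False models the XP behaviour described in the
    post (machine credentials only at boot); True models a supplicant
    that re-sends machine credentials on resume.
    """
    cache = MarCache(aging_seconds=aging_hours * HOURS)
    mac = "00-11-22-33-44-55"  # constructed sample MAC
    results = []

    cache.machine_auth(mac, now=0)                       # boot: computer account
    results.append(cache.user_auth(mac, now=1 * HOURS))  # morning user logon

    resume = (1 + hibernate_hours) * HOURS               # next morning, no reboot
    if resends_machine_auth:
        cache.machine_auth(mac, now=resume)
    results.append(cache.user_auth(mac, now=resume))
    return results


if __name__ == "__main__":
    # XP-style client, 8 h aging, 16 h hibernation: second logon denied.
    print(day_with_hibernate(8, 16, resends_machine_auth=False))
    # Same client with 8760 h aging: allowed, but the MAR check is now
    # effectively a once-a-year test of machine membership.
    print(day_with_hibernate(8760, 16, resends_machine_auth=False))
    # Client that re-sends machine credentials on resume: allowed at 8 h.
    print(day_with_hibernate(8, 16, resends_machine_auth=True))
```

The second run shows the trade-off the poster raises: raising the aging time makes the user-only logon succeed, but it does so by stretching the window in which a stale machine entry vouches for whoever logs on from that MAC. The third run shows why the fix lives in the supplicant rather than in the ACS setting.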
09-10-2012 03:45 PM
Chris,
Hi, your issue seems to be one that is common when enforcing MAR on XP clients. The best solution for you is to use AnyConnect NAM as your supplicant. It is free and unlicensed if you have a Cisco product tied to your CCO ID, which in this case will be ACS. You can use the NAM profile editor to set the authenticating network for (PEAP or TLS) and choose it to perform computer and machine authentication. From my experience working with NAM, it will send the computer authentication and user authentication information over when associating to the SSID.
Also, there is a new feature in AnyConnect NAM called EAP chaining; you can set the order if you prefer computer authentication followed by user authentication. This is, however, supported by ISE 1.1.1 (MR). ACS is due for a version update soon and I have a feeling that this may also be a feature added to the ACS line, but I can't confirm for sure.
Thanks,
Tarik Admani
*Please rate helpful posts*
09-12-2012 01:44 PM
Thank you Tarik, I am working with my customer next week to test the AnyConnect NAM; once I get the results I will reply back.
Thanks,
CM
10-25-2012 01:44 AM
Chris,
I have the exact same problem on my network. I use AnyConnect on my XP computer but still the problem remains.
Did you find a solution to this problem?
Thanks,
Simon
10-25-2012 07:17 AM
Simon, I was able to get the XP computer working by setting up a profile to authenticate "Machine Auth" only; when I tried to authenticate both machine and user it fails. At this point I am sticking with machine only.
Thanks,
CM