chris.mccormick
Beginner

ACS 5.3 MAR Timeout with Windows XP

All, here is my current setup: Windows XP machines authenticating wireless using 802.1X to a Cisco ACS 5.3 that redirects the request to Microsoft Active Directory. All the statements that I make below are what I have gathered from reading on forums; some of them might be incorrect.

In the ACS under “External Identity Stores” and “Active Directory”, there is a check box called “Enable Machine Access Restrictions”. If it is checked and the Aging time is set to 8 hours, and a Windows XP machine authenticates using its Domain credentials, it will gain access to the network, but if that computer is not rebooted after the 8 hours is up, Windows XP will not send its machine credentials again; it will only send the user/pass of the user and will lose access to the network. The problem we have is that most of the users do not shut down their computers when they go home; they hibernate the computers, thus when they come back to the school the 8 hours aging time on the ACS has expired. The ACS expects to see the Windows XP machine send its domain credentials again, but from every forum I have read on, Windows XP will not send them again until it gets rebooted (FYI, Windows 7 will send the proper info, thus they work just fine). In the meantime I have changed the aging time to 8760 hours, but this should only be temporary because it is a security risk to have the aging time set so high. Moving forward, what are my options to make this work properly?

- Is there a way to fix Windows XP?

- Is there a recommendation on how to bypass this issue but still give us decent security?

- Is setting the aging time so high a non-security issue?

- I guess worst case scenario, the customer can try to educate all the students and staff to reboot their machines every morning?

Thoughts, ideas?

Thanks,

CM
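
A simplified model of the MAR aging behaviour described in the post above, added here as an illustration; it is not Cisco's implementation and not part of the original thread. The class and function names, the MAC address and the timeline are constructed, and keying the cache on the client's MAC address (Calling-Station-ID) is an assumption of the model.

```python
from datetime import datetime, timedelta


class MarCache:
    """Toy model: user auth passes only after a recent machine auth."""

    def __init__(self, aging_hours):
        self.aging = timedelta(hours=aging_hours)
        self.machine_seen = {}  # client MAC -> time of last machine auth

    def machine_auth(self, mac, now):
        # A successful machine authentication refreshes the cache entry.
        self.machine_seen[mac] = now
        return True

    def user_auth(self, mac, now):
        # User authentication passes MAR only while a machine authentication
        # from the same client is still inside the aging window.
        last = self.machine_seen.get(mac)
        return last is not None and now - last <= self.aging


def replay(aging_hours, events):
    """Replay (timestamp, kind) events for one client and return each result."""
    cache = MarCache(aging_hours)
    mac = "00-11-22-33-44-55"  # constructed sample value
    results = []
    for ts, kind in events:
        handler = cache.machine_auth if kind == "machine" else cache.user_auth
        stamp = ts.isoformat(sep=" ", timespec="minutes")
        results.append((stamp, kind, handler(mac, ts)))
    return results


# Constructed timeline: boot, log on, hibernate overnight, never reboot.
DAY1 = datetime(2012, 9, 3, 8, 0)
EVENTS = [
    (DAY1, "machine"),                      # boot: machine credentials sent
    (DAY1 + timedelta(minutes=5), "user"),  # user logs on
    (DAY1 + timedelta(hours=24), "user"),   # resume: user credentials only
    (DAY1 + timedelta(days=90), "user"),    # three months later, no reboot
]

if __name__ == "__main__":
    for hours in (8, 8760):
        print(f"aging time = {hours} h")
        for stamp, kind, ok in replay(hours, EVENTS):
            print(f"  {stamp}  {kind:7}  {'permit' if ok else 'MAR fail'}")
```

With 8 hours the resume-from-hibernate logon fails; with 8760 hours it passes, and so does a logon 90 days after the machine last proved its domain membership, which is the trade-off the post raises.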


1 ACCEPTED SOLUTION

Tarik Admani
Advocate

Chris,

Hi, your issue seems to be one that is common when enforcing MAR on XP clients. The best solution for you is to use AnyConnect NAM as your supplicant. It is free and unlicensed if you have a Cisco product tied to your CCO ID, which in this case will be ACS. You can use the NAM profile editor to set the authenticating network for (PEAP or TLS) and choose it to perform computer and machine authentication. My experience working with NAM is that it will send the computer authentication and user authentication information over when associating to the SSID.

Also, there is a new feature in AnyConnect NAM called EAP-chaining; you can set the order if you prefer computer authentication followed by user authentication. This is, however, supported by ISE 1.1.1 (MR). ACS is due for a version update soon, and I have a feeling that this may also be a feature added to the ACS line, but I can't confirm for sure.

Thanks,

Tarik Admani
*Please rate helpful posts*


4 REPLIES

Thank you Tarik, I am working with my customer next week to test the AnyConnect NAM; once I get the results I will reply back.

Thanks,

CM

Chris,

I have the exact same problem on my network. I use AnyConnect on my XP computer but still the problem remains.

Did you find a solution to this problem?

Thanks,

Simon

Simon, I was able to get the XP computer working by setting up a profile to authenticate "Machine Auth" only; when I tried to authenticate both machine and user it fails. At this point I am sticking with machine only.

Thanks,

CM
