01-21-2011 07:08 AM - edited 03-10-2019 05:44 PM
Greetings,
We recently migrated from Windows IAS to Cisco ACS 5.2.0.26 for our wireless authentication and use PEAP MSCHAPv2 hitting AD. Everything seems to be working correctly except when a user account has a restriction on which machines they are allowed to log into, at which time an ACS log entry shows as follows:
24441 Account not permitted to log on using the current workstation
This had been functioning correctly when we were using the IAS server and I'm thinking that ACS just isn't passing the necessary attributes at this time. Does anyone know what additional configuration may be needed in ACS to support this configuration?
Cheers,
Rob
01-21-2011 07:48 AM
Looks like you have machine authentication enabled. In the case of wireless, ACS can get the machine names from the authentication request. With this restriction/policy set in Active Directory to apply the user login restriction, ACS will have to provide a machine/host name for every request that it sends to Active Directory. As already established, it's not possible for ACS to know the real machine name of the user authentication, so ACS sends a default machine name, its own name, with each request to AD. On the AD we create a machine account with the ACS name and then allow all the users to be able to log in to this machine. This way ACS is allowed to authenticate everyone.
So please add the ACS as a computer account in AD with the same hostname and see if that helps.
Rgds,
Jatin
Do rate helpful posts-
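The fix described in the answer above (a computer object named after the ACS host, plus that name appended to the LogonWorkstations list of every user who has a workstation restriction) as an added PowerShell example. This is not code from the original thread or from Cisco; the host name acs01, the OU path and the domain are assumptions, and it assumes the ActiveDirectory module (RSAT) is installed and run with rights to create computer objects and modify user accounts.

```powershell
# Added example, not part of the original thread.
# Assumptions: ACS host name is 'acs01' and it sends exactly that name to AD;
# the OU and domain below are placeholders for your own environment.
Import-Module ActiveDirectory

$AcsHostName = 'acs01'                              # assumption: must match the name ACS presents to AD
$ComputerOU  = 'OU=Servers,DC=example,DC=com'       # assumption: where the placeholder object should live

# 1. Create the computer account for ACS if it does not already exist.
#    It is only a placeholder so that the workstation name AD sees is a known object.
if (-not (Get-ADComputer -Filter "Name -eq '$AcsHostName'")) {
    New-ADComputer -Name $AcsHostName -SamAccountName $AcsHostName -Path $ComputerOU
    Write-Host "Created computer object $AcsHostName in $ComputerOU"
}

# 2. Find every user that actually has a 'Log On To' restriction.
#    userWorkstations is the LDAP attribute behind the LogonWorkstations property;
#    users without a restriction have it unset and are left alone.
$restricted = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations

foreach ($u in $restricted) {
    # LogonWorkstations is a single comma-separated string, so split, append, re-join.
    $list = ($u.LogonWorkstations -split ',') | Where-Object { $_ -ne '' }
    if ($list -notcontains $AcsHostName) {
        $updated = ($list + $AcsHostName) -join ','
        Set-ADUser -Identity $u -LogonWorkstations $updated
        Write-Host "$($u.SamAccountName): added $AcsHostName -> $updated"
    }
}

# 3. Verify one account; the ACS host name should now appear in the list.
Get-ADUser -Identity ($restricted | Select-Object -First 1) -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Two practical points when using this. First, the name must match what ACS presents to AD, so check an ACS authentication report or the 24441 failure detail before picking the value of $AcsHostName. Second, because ACS sends its own name for every wireless user, AD is no longer comparing against the real wireless client: once acs01 is on a user's list, that user's workstation restriction is satisfied by any wireless logon through ACS, so treat the "Log On To" setting as a wired/interactive control only and enforce per-device wireless restrictions through ACS policy instead.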
01-26-2011 09:02 AM
That was the issue and adding the ACS computer account worked.
Thank you Jatin!
Rob
01-26-2011 09:09 AM
Rob,
Glad I could help you.
Rgds
Jatin