
ACS Wireless Authentication Failure

robertlwalk
Level 1

Greetings,

We recently migrated from Windows IAS to Cisco ACS 5.2.0.26 for our wireless authentication and use PEAP MSCHAPv2 hitting AD. Everything seems to be working correctly except when a user account has a restriction on which machines they are allowed to log into, at which time an ACS log entry shows as follows:

24441 Account not permitted to log on using the current workstation

This had been functioning correctly when we were using the IAS server and I'm thinking that ACS just isn't passing the necessary attributes at this time. Does anyone know what additional configuration may be needed in ACS to support this?

Cheers,

Rob

1 Accepted Solution

Accepted Solutions

Jatin Katyal
Cisco Employee

Looks like you have machine authentication enabled. In the case of wireless, ACS cannot get the machine name from the authentication request. With this restriction/policy set in Active Directory to apply the user login restriction, ACS will have to provide a machine/host name for every request that it sends to Active Directory. As already established, it's not possible for ACS to know the real machine name of the user authentication, so ACS sends a default machine name, its own name, with each request to AD. On the AD we create a machine account with the ACS name and then allow all the users to be able to log in to this machine. This way ACS is allowed to authenticate everyone.


So please add the ACS as a computer account in AD with the same hostname and see if that helps.



Rgds,

Jatin


Do rate helpful posts-

~Jatin
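The fix described above, as an added PowerShell example (not from the thread or from Cisco): pre-create the computer account in AD under the ACS hostname and append that hostname to the "Log On To" list (the userWorkstations / LogonWorkstations attribute) of every user that carries such a restriction, so only the ACS host is added and the rest of each user's restriction stays as it was. It assumes the RSAT ActiveDirectory module is available, that `ACS-HOSTNAME` is a placeholder for the exact hostname the ACS joined to the domain with, and that the account running it may create computer objects and modify users.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder: replace with the exact hostname the ACS used when joining the domain.
$acsHost = 'ACS-HOSTNAME'

# 1. Create the computer account for the ACS if it does not already exist.
if (-not (Get-ADComputer -Filter "Name -eq '$acsHost'")) {
    New-ADComputer -Name $acsHost -SAMAccountName $acsHost -Enabled $true
    Write-Host "Created computer account $acsHost"
}

# 2. Find users that have a "Log On To" workstation restriction set.
$restricted = Get-ADUser -Filter 'LogonWorkstations -like "*"' -Properties LogonWorkstations

foreach ($u in $restricted) {
    # The attribute is a comma-separated list of NetBIOS computer names.
    $list = $u.LogonWorkstations -split ','
    if ($list -notcontains $acsHost) {
        # Append only the ACS host; the user's existing restriction is otherwise unchanged.
        $new = ($list + $acsHost) -join ','
        Set-ADUser -Identity $u -LogonWorkstations $new
        Write-Host "Added $acsHost to LogonWorkstations for $($u.SamAccountName)"
    }
}

# 3. Verify: any user listed here still lacks the ACS host and would keep failing with 24441.
Get-ADUser -Filter 'LogonWorkstations -like "*"' -Properties LogonWorkstations |
    Where-Object { ($_.LogonWorkstations -split ',') -notcontains $acsHost } |
    Select-Object SamAccountName, LogonWorkstations
```

Step 3 should return nothing once the change has replicated; users still listed are the ones whose PEAP authentications will keep producing the 24441 entry.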


3 Replies


That was the issue and adding the ACS computer account worked.

Thank you Jatin!

Rob

Rob,

Glad, I could help you.


Rgds

Jatin

~Jatin