
ACS 5.4 Machine & User Authentication occasional problem

Hi,

I have an 802.1x implementation for about 100 users now.

Clients must meet the following criteria: 1) PC joined to domain (machine auth.), 2) valid AD account (user auth.)

Occasionally some clients are unable to join the network, even if the authentication process starts from zero (with the PC shut down).

As a workaround we shut down the PC and then the client passes the authentication without a problem.

We use ACS 5.4 and 2960 switches. The problem appears on both Win7 and XP machines.

From the logs I see that the machine doesn't send its Domain Machine name (host-xxx), so it falls back to the next method.

Any thoughts? 

Thanks,

Christos.

1 Reply

Naveen Kumar
Level 4

If a computer fails machine authentication and the user has not successfully logged in to the domain by using the computer since the most recent user password change, the cached credentials on the computer will not match the new password. Instead, the cached credentials will match an older password of the user, provided that the user once successfully logged in to the domain from this computer.

Note

Microsoft PEAP clients may also initiate machine authentication whenever a user logs off. This feature prepares the network connection for the next user login. Microsoft PEAP clients may also initiate machine authentication when a user shuts down or restarts the computer rather than just logging off.