05-16-2013 10:12 AM - edited 03-10-2019 08:26 PM
Hi All,
I am using the ACS 5.3 to provide user auth & machine auth for wireless users via EAP-TLS. The problem is
that even though machine authentication is successful, when I set a rule to allow user auth to succeed only if
machine authentication = True, user authentication fails. Changing back to machine authentication = False and it all
works. The ACS is already a member of the domain and the credentials used are those of Domain Admins.
Any ideas?
TIA
05-16-2013 10:44 AM
Could you please share the screenshots from the access policies where you created the rules for machine and user authentication.
First you need to enable MAR in the AD settings.
After that, in Access Policies > Authorization you should have a first rule for machine authentication with Domain Computers selected as the external AD group, with the authorization policy set to PERMIT.
The second rule should be set as "Was machine authenticated = True" with the external AD group Domain Users selected, with the authorization policy set to PERMIT.
Jatin Katyal
- Do rate helpful posts -
05-16-2013 02:43 PM
05-16-2013 03:52 PM
Since you want the user to pass both machine and user authentication before he gets access to all the resources in the network, here is what you need to try:
Move the machine authentication rule before the user authentication rule, as it comes first while performing MAR. In case you still see some issues, remove the compound condition from the machine authentication rule and try to use the AD1:ExternalGroups group condition, where you can select the external group "Domain Computers".
Jatin Katyal
- Do rate helpful posts -
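The two replies above describe a first-match authorization policy: a machine rule keyed on the Domain Computers group, followed by a user rule that only matches when "Was machine authenticated" is True. The following toy evaluator, written for this page and not ACS code or anything posted in the thread, walks the same rule order over constructed requests to show the MAR behaviour that makes the ordering matter: a successful machine authentication records the client in a MAR cache, a later user authentication from the same client is permitted, a user authentication with no prior machine authentication falls through every rule and is rejected (the "no rule match" failure mentioned later in the thread), and a cached entry that has aged out behaves as if machine authentication never happened. The cache key (the RADIUS Calling-Station-Id, i.e. the client MAC), the `host/` identity prefix used to recognise a machine account, and the 6-hour aging time are assumptions for illustration, not values taken from the thread.

```python
"""Toy first-match authorization engine with a MAR-style cache.

Added illustration only; this is not ACS code. Assumptions (not stated in
the thread): the MAR cache is keyed by the client's Calling-Station-Id
(MAC), a machine identity is one that starts with "host/", and cache
entries age out after MAR_AGING_SECONDS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAR_AGING_SECONDS = 6 * 3600  # assumed aging time, for illustration only


@dataclass
class Request:
    identity: str               # "host/PC01.example.com" or "EXAMPLE\\alice"
    calling_station_id: str     # client MAC as seen in RADIUS
    external_groups: List[str]  # AD groups resolved by the identity store
    timestamp: float            # seconds, when the request arrived


@dataclass
class Rule:
    name: str
    external_group: Optional[str] = None          # AD1:ExternalGroups condition
    was_machine_authenticated: Optional[bool] = None
    result: str = "PERMIT"


@dataclass
class MarCache:
    """Remembers when each client MAC last passed machine authentication."""
    entries: Dict[str, float] = field(default_factory=dict)

    def record(self, mac: str, now: float) -> None:
        self.entries[mac] = now

    def is_machine_authenticated(self, mac: str, now: float) -> bool:
        seen = self.entries.get(mac)
        return seen is not None and now - seen <= MAR_AGING_SECONDS


def evaluate(rules: List[Rule], req: Request, cache: MarCache) -> Tuple[Optional[str], str]:
    """Return (matched rule name, result). No match means an implicit DENY."""
    for rule in rules:
        if rule.external_group is not None and rule.external_group not in req.external_groups:
            continue
        if rule.was_machine_authenticated is not None:
            flag = cache.is_machine_authenticated(req.calling_station_id, req.timestamp)
            if flag != rule.was_machine_authenticated:
                continue
        # Assumption: a permitted machine identity populates the MAR cache.
        if rule.result == "PERMIT" and req.identity.startswith("host/"):
            cache.record(req.calling_station_id, req.timestamp)
        return rule.name, rule.result
    return None, "DENY"


# Rule order as recommended in the thread: machine rule first, then user rule.
RULES = [
    Rule("Machine auth", external_group="Domain Computers"),
    Rule("User auth", external_group="Domain Users", was_machine_authenticated=True),
]


def run_scenarios() -> Dict[str, Tuple[Optional[str], str]]:
    """Constructed requests exercising the cache hit, miss and aging cases."""
    cache = MarCache()
    machine = Request("host/PC01.example.com", "aa:bb:cc:00:00:01", ["Domain Computers"], 0.0)
    alice = Request("EXAMPLE\\alice", "aa:bb:cc:00:00:01", ["Domain Users"], 60.0)
    bob = Request("EXAMPLE\\bob", "aa:bb:cc:00:00:02", ["Domain Users"], 60.0)
    alice_later = Request("EXAMPLE\\alice", "aa:bb:cc:00:00:01", ["Domain Users"], 7 * 3600.0)
    return {
        "machine": evaluate(RULES, machine, cache),
        "user_after_machine": evaluate(RULES, alice, cache),
        "user_without_machine": evaluate(RULES, bob, cache),
        "user_after_cache_expired": evaluate(RULES, alice_later, cache),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The evaluator is first-match, so a request that satisfies no rule is rejected rather than falling into a default permit; that is why a machine rule whose condition does not match the machine's actual group membership shows up as "no rule match" rather than as an explicit deny.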
05-16-2013 04:54 PM
I've tried that. Adding the external group Domain Computers resulted in machine authentication failure due to no rule match under authorization, so I restored the compound condition for the machine rule and machine auth worked again. The user auth is still failing when machine authenticated = TRUE.
I attach the AAA logs.
05-16-2013 06:31 PM
I have this working now. I deleted the machine cert and re-added the machine to the domain.
Group Policy pushed out a new machine certificate; under the Certificate Authentication Profile I
enabled binary comparison and selected AD1 as the identity store.
Machine and user auth now work.
05-17-2013 01:58 AM
That's great.