cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
522
Views
0
Helpful
6
Replies

Machine Authentication failure & Cisco ACS 5.3

g.peart
Beginner
Beginner

Hi All,

I am using the the ACS5.3  to provide user auth & machine auth for wireless users via EAP-TLS, the problem is

that even though machine authentication is successful, when I set a rule to allow user auth to succeed only if

machince authentication = True, user authentication fails. Changing back to machine authentication = False.and it all

works. The ACS is already a member of the domain and credentials used are that of Domain Admins,

Any ideas ?

TIA

6 Replies 6

Jatin Katyal
Cisco Employee
Cisco Employee

could you please share the screen shots from access policies where you created rules for machine and user authentication.

First you need to enable MAR in ad settings.

After that in access-polivies > authorization > you should have a first rule for machine authentication with domain computers as a external ad group selected with authorization policies set to PERMIT.

The second rule should set as Was machine authenticated = True with the external ad groups selected as doamain users witth authorization policies set to PERMIT.

Jatin Katyal


- Do rate helpful posts -

~Jatin

The rules are all set, here are the screenshots from my test bench in pdf file, it works fine if I ("was machine authenticated = False)

since you want that user should pass machine and user authentication before he should access to all the resources in network. Here is what you need to try:

Move the machine authentication rule before user authentication. As it comes first while performing MAR. In case you still sees some issues. Remove the compound condition from machine authentication rule and try to use AD1:ExternalGroups group condition where you can select the external group "domain computers".

Jatin Katyal
- Do rate helpful posts -

~Jatin

I've tried that, adding external group domain computers resulted in Machine authentication failure due to no rule match under authorization, so I restored the compound condition for the machine rule and machine auth worked again. The user auth still failing when machine authenticated = TRUE.

I attach the AAA logs

I have this working now, I deleted the machine cert and re-added machine to the domain.

Group policy pushed out new machine certificate, under Certification Authentication profile

enabled binary comparison and selected AD1 has identity.

Machine and user auth now works

that's great

~Jatin
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: