04-01-2007 05:18 PM - edited 03-10-2019 03:04 PM
I'm trying to use PEAP machine authentication from a WinXP SP2 client to ACS 4.0 using wired 802.1x.
PEAP user authentication works just fine: the LAN connection comes up fine, I enter the user credentials and the connection comes up. However, when I restart the machine, I can't log in with an uncached user account because it says it can't contact a domain controller. This makes me believe that computer authentication isn't working. I'm not sure if you should see the computer authentication in ACS Reports and Activity, and if so, I'm not.
Here's a brief summary of my config.
Winxp
-checked PEAP authentication and "authentication as computer when computer information is available"
-did not check any advanced settings in the PEAP properties (validate server certificate, etc...)
ACS
-installed ACS self certificate
-configured "enable PEAP machine authent" under Machine Authentication in the External User Database for windows databases.
Not that you should have to with PEAP (non-TLS) but, I installed the ACS self certificate on the client.
I found this Microsoft article but I don't know if it pertains to machine authentication. I was wondering if someone could confirm this was my problem.
04-05-2007 12:11 AM
1. Your second phase EAP type in XP is set to Generic Token Card. Please brief me on which token system you are using.
1.a Also need ACS screenshot for Windows Database configuration and Token Card server configuration in ACS.
2. Under Windows EAP settings in ACS, I would leave Machine Access Restrictions unchecked until everything is working.
3. XP registry settings look ok.
4. You are not using XP's native client? What are you using?
04-05-2007 04:48 AM
1. In the second phase of the EAP type, you can't set it to anything other than GTC. However, if you click on the advanced properties of GTC, it says either use static password (2000, XP, etc.) or use a token, and you specify the token. So, I'm not quite sure about that; however, I have another client whose NIC actually looks a little bit different and you can specify PEAP MSCHAP-2, and I still have the same problem.
2. I read somewhere that supposedly if you wanted to do machine auth and user auth, you needed this. Highly skeptical, but I've tried both ways, on or off.
4. Not sure on your question, what do you mean I'm not using XP's native client? I haven't changed anything on the XP machine.
04-10-2007 05:16 PM
1./4. Windows XP (SP2) does not support EAP GTC protocol so the presence of that option implies you have something else installed as well.
2. Machine access restrictions are used if you want to restrict/differentiate users who authenticate successfully but whose machines do not authenticate successfully. Otherwise you can do machine and user authentications independently of this setting.
Have you added the command "aaa authorization network default group radius" to your router configuration?
Also, is your ACS actually listening on ports 1812 and 1813? By default, when you don't specify a port in the radius-server command, it picks up ports 1645 and 1646.
I think you mentioned this earlier, but does anything show up on the router when you use the "debug radius" command on the router?
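Added example, not from the thread: an IOS switch configuration that covers the three checks in the reply above (the network authorization line, explicit RADIUS ports, and the debug to run). The server address 192.0.2.10, the shared secret and the interface name are placeholders.

```cisco
! Constructed example, not from the thread: wired 802.1x on an IOS switch against ACS
aaa new-model
aaa authentication dot1x default group radius
! Without this line the switch never requests authorization attributes from RADIUS
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! PROBLEM: no ports specified, so IOS falls back to the legacy defaults 1645/1646
! radius-server host 192.0.2.10 key PLACEHOLDER_SHARED_SECRET
!
! FIX: state the ports ACS is actually listening on (1812 auth, 1813 acct)
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER_SHARED_SECRET
!
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
! Verification from privileged EXEC (not part of the running config):
! debug radius
! show dot1x interface FastEthernet0/1
```

If "debug radius" shows no packets leaving the switch at all, the problem is on the switch side (AAA lines or port); if requests leave but get no reply, check the ACS port and shared secret first.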