ACS 5.2 PEAP-MSCHAPv2 Windows XP SP3 WIRED Workstation

s.kho
Level 1

Hi,

I have PEAP-MSCHAPv2 working with user name, but can't seem to get "machine authentication only" working. I need to log on to the domain using username and password before it is 802.1x authenticated. I want 802.1x to authenticate using only machine credentials, without having to use a username.

After I edited the workstation XML profile to include <authmode>machine</authmode> and then re-imported it, 802.1x stops working. It is only after reversing it that 802.1x starts working again.

Is it possible to do PEAP-MSCHAPv2 with a wired workstation? I have seen lots of examples using wireless, but none with wired, so I am not sure if this is possible.

In ACS 5.2 I have checked the box to allow machine authentication under the Active Directory container external database section.

Thanks

4 Replies

Tiago Antunes
Cisco Employee

Hi,


I would take a look at this doc:

https://supportforums.cisco.com/docs/DOC-13545.

It is a full config example of dot1x in switches using AD.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

horvaia
Level 1

Hi,

Authenticate the computers against the AD/Domain Computers group. ACS sees Windows XP computer names like this:

host/hostname.domainname.

Regards,

Andras

Thanks,

In ACS 5.2 is there a section to type in the format of the XP host computer name?

I didn't configure this on the ACS 5.2.

Cheers

I have not configured ACS 5.2 yet, just ACS 5.1. I would do it this way:

Under Access policies create new Network Access Authorization Policy

Create an Authorization Profile, there use

Dictionary:RADIUS-IETF

Attribute: User-Name

Operator: starts with

Value: host

And for this create a separate Authorization profile under Policy Elements.

Best Regards,

Andras
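
The following is an added example, not part of the thread and not ACS configuration: it models the "User-Name starts with host" condition from the last reply in Python and compares it with a stricter check on the `host/hostname.domainname` format mentioned earlier, to show which identities only the loose rule accepts. The function names, the hostname character rules, the expected-domain check and the sample identities are assumptions constructed for illustration.

```python
import re

# Machine identity format from the thread: host/hostname.domainname
# Assumption: labels contain only letters, digits and hyphens.
MACHINE_RE = re.compile(
    r"^host/(?P<host>[A-Za-z0-9-]{1,63})"
    r"\.(?P<domain>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)$"
)


def loose_match(user_name: str) -> bool:
    """The condition as written in the thread: User-Name starts with 'host'."""
    return user_name.startswith("host")


def strict_match(user_name: str, expected_domain: str):
    """Return the hostname if User-Name is host/<hostname>.<expected_domain>,
    otherwise None. The domain comparison is case-insensitive."""
    m = MACHINE_RE.match(user_name)
    if m and m.group("domain").lower() == expected_domain.lower():
        return m.group("host")
    return None


def loose_only(identities, expected_domain):
    """Identities the loose rule accepts but the strict rule rejects."""
    return [i for i in identities
            if loose_match(i) and strict_match(i, expected_domain) is None]


# Constructed sample identities (not taken from any real log).
SAMPLES = [
    "host/xp-ws01.corp.example.com",   # machine identity, expected domain
    "hostmaster",                      # user account whose name begins with "host"
    "host/xp-ws02.other.example.net",  # machine format, unexpected domain
    "CORP\\jsmith",                    # ordinary user identity
]

if __name__ == "__main__":
    for ident in SAMPLES:
        print(f"{ident!r}: loose={loose_match(ident)} "
              f"strict={strict_match(ident, 'corp.example.com')}")
    print("accepted by loose rule only:",
          loose_only(SAMPLES, "corp.example.com"))
```

Using the value `host/` rather than `host` in a "starts with" condition already excludes the `hostmaster` case.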