ACS 5.1 EAP-PEAP Machine Authentication

Jay233
Level 1

All,

I have configured ACS 5.1 to check AD domain computer accounts then permit access, the next rule authenticates AD domain users and checks machine accounts with WAS MACHINE AUTHENTICATED "TRUE" permit.

My dilemma - the Windows XP supplicant works fine and I can see the host/machine (wireless device) authenticating, followed by user credentials, but when I use the Intel PROSet supplicant version 12.1 the same device fails authentication due to ACS not being able to verify a good previous machine authentication.

Has anyone come across this problem before? Is this problem ACS related or down to the Intel supplicant?

A big thank you in advance for any replies.

3 Replies

b.garczynski
Level 1

Jason,

You stated that the XP supplicant works fine; does that include both user and machine authentication? If your ACS policy is configured to authenticate both users and machines, and it works with the XP supplicant, I would say it is safe to assume the issue is in the Intel supplicant. In XP there is no way to force machine vs. user authentication directly through the GUI; this would need to be done via a registry key change. I am not that familiar with the Intel client, but it may have the ability to force machine/user authentication directly in the client. Typically with PEAP I would allow both machine and user accounts to authenticate in the ACS policy and leave the XP supplicant at the default authentication setting. Is there a specific need to use the Intel client?

Thanks,

b.garczynski

Thanks for the reply. Yes, I have a lot of laptops currently using the PROSet client. My question was: when I use the Windows client I see the machine address in ACS, but I don't see anything when I use the Intel PROSet?

Is this because the Intel client is booting after the Windows GINA? Because you can only pass machine credentials on boot up or log off.

Resolved,

After around 3 hours I managed to sort my problem out.

For anyone who is experiencing the same problems with Intel:

1) Use PROSet 12.4.3.2 or later (install all administrator options).

2) Create an ITAdmin package with a PLC+PST profile (i.e. check the persistent and prelogon check boxes) while creating the profile in the ITAdmin Profile Wizard.

3) Select PEAP as Authentication Type and MSCHAP-v2 as inner tunnel protocol. Use 'Use Secure password' as User Credentials. Uncheck the 'For pre-logon connections,....' check-box.

4) Save the package and apply it on the machine where the PROSet client is installed.

Tested on ACS 5.1 for machine authentication and AD credentials.

Jay
