12-28-2010 12:51 AM - edited 07-03-2021 07:35 PM
Hi;
I am having issues with PEAP + Machine Authentication in ACS 5.1. Without machine authentication, PEAP is working fine. Is there something we have to do with the MAR value?
Please confirm?
12-28-2010 02:42 AM
Hi,
You will need to be more specific so we can help you.
What exactly is happening/not working?
Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.
Is your PC doing machine authentication?
HTH,
Tiag
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-28-2010 02:47 AM
Sorry, I don't understand HTH & Tiag.
12-28-2010 02:50 AM
That's the main issue. Machine authentication is not happening. These are the configuration steps I did:
1. Enabled the Machine Authentication
2. Enable MAR with value 8500 Hrs
3. Enabled Host Lookup
4. In the service set "WAS Machine Authenticated = True".
Please add if I miss out anything to support machine authentication.
For the authentication I created a group called staff. Does the machine need to be a member of that, or can it be in any group under the domain?
12-28-2010 03:01 AM
Hi,
You need to configure the machine itself to do machine authentication.
And please note that machine authentication occurs by default only at boot up of the PC.
HTH,
Tiago
12-28-2010 03:04 AM
That I did. I am trying with a Windows 7 machine. There is an option to select machine or user authentication.
12-28-2010 03:16 AM
So, do you see the machine doing authentication?
On the ACS logs do you see the machine host name on the passed/failed authentications?
HTH,
Tiago
12-28-2010 03:20 AM
Yes. I can see the hostname in the failed attempts.
12-28-2010 03:24 AM
Ok, so why is it failing?
Please be aware that machine authentication has to be done against AD.
Do you have the ACS joined to AD and configured the Service Policy to use AD as identity Store to authenticate the machine?
HTH,
Tiago
12-28-2010 03:28 AM
I didn't see any specific field in the ACS to use one group for user and one group for laptop. What I did is that I moved the machine and the user to a single identity group and mapped it in the access policy.
12-28-2010 03:34 AM
What identity store are you using for the machine authentication?
Please be aware that machine authentication has to be done against AD.
Do you have the ACS joined to AD and configured the Service Policy to use AD as identity Store to authenticate the machine?
HTH,
Tiago
12-28-2010 02:53 AM
Hi,
HTH = Hope This Helps
Tiag = Tiago, which is my name (I missed the 'o').