
Machine Authentication in ACS 5.1

sreejith_r
Level 1

Hi;

I am having issues with PEAP + Machine Authentication in ACS 5.1. Without machine authentication PEAP is working fine. Is there something we have to do with the MAR value?

Please confirm?


Tiago Antunes
Cisco Employee

Hi,

You will need to be more specific so we can help you.

What exactly is happening/not working?

Please keep in mind that with MAR, the PC needs to do machine authentication prior to user login, as the ACS will only allow users to login from previously authenticated machines.

Is your PC doing machine authentication?

HTH,

Tiag

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Sorry, I don't understand HTH & Tiag.

That's the main issue. Machine authentication is not happening. These are the configuration steps I did:

1. Enabled the Machine Authentication

2. Enable MAR with value 8500 Hrs

3. Enabled Host Lookup

4. In the service set "WAS Machine Authenticated = True"

Please add if I missed out anything to support machine authentication.

For the authentication I created a group called staff. Does the machine need to be a member of that, or can it be in any group under the domain?

Hi,

You need to configure the machine itself to do machine authentication.

And please note that machine authentication occurs by default only at boot up of the PC.

HTH,

Tiago

That I did. I am trying with a Windows 7 machine. There is an option to select machine or user authentication.

So, do you see the machine doing authentication?

On the ACS logs do you see the machine host name on the passed/failed authentications?

HTH,

Tiago


Yes. I can see the hostname in the failed attempts.

Ok, so why is it failing?

Please be aware that machine authentication has to be done against AD.

Do you have the ACS joined to AD and configured the Service Policy to use AD as identity Store to authenticate the machine?

HTH,
Tiago


I didn't see any specific field in the ACS to use one group for user and one group for laptop. What I did is that I moved the machine and the user to a single identity group and mapped it in the access policy.

What identity store are you using for the machine authentication?

Please be aware that machine authentication has to be done against AD.

Do you have the ACS joined to AD and configured the Service Policy to use AD as identity Store to authenticate the machine?

HTH,

Tiago


Hi,

HTH = Hope This Helps

Tiag = Tiago which is my name (I missed the 'o').
