Re: Auth Failed when LEAP Client has Windows Workstation Login R

mbrustman · ‎07-28-2004

We have a few generic accounts that are allowed to login only to one workstation a piece which is identified in Windows AD to prevent these accounts from roaming uncontrolled.

When the client attempts to authenticate to the Cisco Secure ACS ver 3.2(3) Build11 (Software) using LEAP and 1200AP with 12.2(15)JA, I receive a "Windows Workstation Not Allowed" message at the ACS and the attempt fails.

When we remove the workstation restriction on the Windows User then we are successful.This configuration is problematic for us when dealing with generic id security as well as profiles relating to MS Exchange.

We tried adding the workstation name of the Radius server as an allowed machine the client could login to as well as the laptop itself thinking that perhaps the AP or the Radius server used itself as the machine name when presenting this to the AD, but this failed as well. Could it be the AP that is altering this field being presented to the Windows AD

Anyone run into this situation or know of a way to confirm or deny where the problem lies with a sniffer trace?

Thanks in advance for any assistance.

dewman03 · ‎07-28-2004

When you say the accounts are allowed to login to only one workstation apiece, do you mean you allow only one concurrent connection for the account. Well, im not too familiar with AD restrictions but could you increase this to two concurrent connections, maby ACS creates a connection of it own.

Also, you want to make sure you add the workstation to the RADIUS server as a NAS, network access server. You mentioned something like this but i was not clear on what you ment.

mbrustman · ‎07-29-2004

There are no concurrent connection settings that I am aware of in AD or in Windows NT without third party utilities or ResKit.

This is location of the settings in which I spoke of

AD

-MMC

-USERA (Properties)

-Account

-Log On To

-Enter Computer name(s)

NT

-User Manager

-UserA (Properties)

-Logon To

-Enter Computer name(s)

I am unable to locate any documentation or config samples stating that I need to, or how I would add Windows Workstations to the Cisco Secure Radius Server as a NAS device. Do you know of any?

I would hope that this would not be a requirement in that I have several thousand workstations to contend with and as I mentioned when I remove the user restriction in the AD/NT Domain for the client they can logon fine.

This added security refinement of controlling from which workstation a client can login fron can also in my opinion go along way in adding another security layer to prevent the exposure of someone obtaining a user credential through a LEAP attack and then attempting to login at a different workstation....unless? one could alter this auth packet to the AP then to the Radius server and then to the Domain Controllers with a forged workstation name.

cperroquin · ‎08-21-2006

Did you get an answer ?

Because we'd just ran in the same problem.

In fact without LEAP, just telnet authentication with TACACS+. Without the workstation restriction in AD we could login with we can't with the same error.

mmatulevich · ‎06-18-2007

Came across this thread and wanted to bump it up - we are having the same problem where we want to "lockdown" accounts on laptops at our site, but we keep failing 802.1x leap authentication. ACS reports windows workstation not allowed. All ACS and controller logs seem to be passing credentials fine, and that the problem may exist on the AD side.

Anyone have any progress or suggestions? Thanks in advance

mmatulevich · ‎06-20-2007

Resolved. added CISCO as an allowable computer to the locked down account on the AD and it works fine.

Auth Failed when LEAP Client has Windows Workstation Login Restriction