EAP-TLS Machine only Authentication with Cisco ACS Appliance (and WinXP LT)

kfarrington
Level 3

Hi all,

Is it possible to have the following

LT --------WCS ---------ACS ---------RA ------AD DC

Now is it possible to have the Laptop just use EAP-TLS Machine auth to the ACS only, without using the external AD?

The plan is to use AD eventually, but for a proof-of-concept, just would like the LT for this stage to machine auth with the ACS?

All the correct certs are on the ACS and LT.

The LT is connecting to the ACS, but in the failed RADIUS attempts we get the following:

Machine authentication is not permitted

I thought I may have to set up a user name in the ACS internal DB with the hostname of the LT, but then you have to set a password, so now I am thinking that this is not possible?

I'm sure ACS should be able to do a full machine EAP-TLS auth with a laptop?

If anyone could help?

Many thx

Ken


miwitte
Level 4

You need AD to verify that the machine is a domain member (Machine Auth). What kind of certs are you using for the ACS and client? Also there is a registry key that must be changed to allow the supplicant to use machine based instead of user based:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]

"AuthMode"=dword:00000002

"SupplicantMode"=dword:00000003

The auth mode 2 makes it machine based, and SupplicantMode 3 makes it send an EAP packet first. You might try to uncheck the machine auth box and just put the machine name as a user.
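As an added example, not from the original thread, here is a small Python check that parses a `regedit /e` export of the EAPOL key quoted above and reports whether AuthMode and SupplicantMode already hold the machine-based values from the reply; the export text below is constructed, not captured from a real host.

```python
import re

# Registry path and the two values quoted in the reply above (Windows XP EAPOL supplicant).
EAPOL_GLOBAL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
MACHINE_BASED_SETTINGS = {"AuthMode": 2, "SupplicantMode": 3}

# Constructed sample of what a `regedit /e` export of that key could look like on a
# host that still has user-based settings. Not taken from a real machine.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"AuthMode"=dword:00000000
"SupplicantMode"=dword:00000002
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_dwords(text):
    """Return {key_path: {value_name: int}} for every dword value in a .reg export.
    Only dword values are collected; strings, binaries and deletions are skipped."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            result.setdefault(current, {})
            continue
        val = _DWORD_RE.match(line)
        if val and current is not None:
            result[current][val.group(1)] = int(val.group(2), 16)
    return result


def check_machine_based(text):
    """Compare the exported EAPOL settings against the machine-based values.
    Returns a list of (value_name, found, expected) for each mismatch;
    an empty list means the host matches the settings given in the reply."""
    # Registry key names are case-insensitive, so match the path that way.
    exported = parse_reg_dwords(text)
    values = next((v for k, v in exported.items()
                   if k.lower() == EAPOL_GLOBAL_KEY.lower()), {})
    return [(name, values.get(name), want)
            for name, want in MACHINE_BASED_SETTINGS.items()
            if values.get(name) != want]


if __name__ == "__main__":
    for name, found, want in check_machine_based(SAMPLE_REG_EXPORT):
        print(f"{name}: found {found}, expected {want}")
```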
