05-11-2011 10:12 AM - edited 07-03-2021 08:11 PM
We have ACS 5.2 and a WLC 5500, and we have been unable to limit our access service to machine authentication against AD. This is resulting in other, unintended devices being allowed access to the WLAN: users simply accept the cert and are allowed access. How can I prevent non-domain devices, or test the device for domain membership?
Thanks
05-12-2011 06:29 AM
Go to the "Authorization" menu of your access service and hit "Customize" on the bottom right.
It allows you to add different sorts of conditions. You should have "Was Machine Authenticated" there, if I'm not mistaken.
05-11-2011 10:33 PM
Configure both machine and user authentication on the clients.
On ACS, add a condition to your access policy (Was Machine Authenticated = True) to force clients to be machine authenticated first, and you should be good to go!
05-12-2011 06:23 AM
Configuring the condition on the ACS is the problem I am having. I have not been able to find where or how to add the "Was Machine Authenticated" condition. I have looked under Standard Policy and Exception Policy, but the ACS does not present those conditions; I only get "in" or "not in" under Identity Group. Do you know in which menu I would find the conditions?
05-12-2011 08:27 AM
Thanks for the insight. I have it working partially: we have two Dell laptops, one an E6410, the other a D630. The D630 works but the E6410 does not.
The client settings are identical. We are seeing the following error on the ACS:
05-13-2011 02:59 PM
Well, I thought the issue was resolved, but apparently it is not. We have user auth against the directory working fine, but when we try to do machine auth it consistently fails, even with the "Was Machine Authenticated" setting as previously suggested. Not sure why we are having so much trouble. We are using PEAP with MSCHAPv2, and eventually would like to use smart cards.
We have one rule with AD:External pointing to both users and an OU with computers, Was Machine Authenticated = True.
Not sure where to look next?
05-14-2011 10:15 AM
You say that machine authentication fails?
Then the next step is to understand why it fails (Monitoring and Reports).
If your point was that a non-domain laptop can also user-authenticate, then it's another story.
05-16-2011 06:55 AM
Nicolas, here is what we are seeing in the log; everything in the steps prior is successful:
Evaluating Group Mapping Policy
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
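The step list above is the whole story of the reject, but it is easy to misread because authentication and authorization both appear in it. The following Python is an added example (not from the thread or from Cisco) that parses an ACS 5.x step log like the one quoted and reduces it to a short diagnosis: did the inner EAP method pass, did ACS find a cached machine authentication (step 24423 says it did not), and which rule and profile were finally chosen. The sample log is the tail of the report above; the second sample is a constructed variant with the default rule set to "Permit Access", and its step code 11002 (Access-Accept) is an assumption, not something the post shows.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Five-digit ACS 5.x step codes as they appear in the report quoted above.
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.+?)\s*$")


@dataclass
class Triage:
    inner_auth_ok: bool = False          # 11814 / 12306 seen
    mar_confirmed: bool = True           # cleared when 24423 is seen
    matched_default_rule: bool = False   # 15006 seen
    profile: Optional[str] = None        # taken from 15016
    result: Optional[str] = None         # 11002 / 11003
    diagnosis: List[str] = field(default_factory=list)


def parse_steps(log_text: str) -> List[Tuple[str, str]]:
    """Return (code, message) pairs; lines without a step code are skipped."""
    steps = []
    for line in log_text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def triage(log_text: str) -> Triage:
    t = Triage()
    for code, msg in parse_steps(log_text):
        if code in ("11814", "12306"):
            t.inner_auth_ok = True
        elif code == "24423":
            t.mar_confirmed = False
        elif code == "15006":
            t.matched_default_rule = True
        elif code == "15016":
            # "Selected Authorization Profile - DenyAccess" -> "DenyAccess"
            t.profile = msg.split("-", 1)[-1].strip()
        elif code == "11003":
            t.result = "Access-Reject"
        elif code == "11002":
            t.result = "Access-Accept"

    if t.inner_auth_ok and not t.mar_confirmed:
        t.diagnosis.append(
            "Credentials were accepted but ACS found no cached machine "
            "authentication for this endpoint, so 'Was Machine Authenticated "
            "= True' is false; look for a separate host/... machine "
            "authentication from this workstation in the reports.")
    if t.matched_default_rule:
        t.diagnosis.append("Only the default authorization rule matched; "
                           "every rule carrying the MAR condition was skipped.")
    if (t.matched_default_rule and t.profile
            and t.profile.lower().replace(" ", "") != "denyaccess"):
        t.diagnosis.append(
            "The default rule grants access: any device presenting valid "
            "domain user credentials gets on the WLAN, domain-joined or not.")
    return t


# Tail of the report quoted in the post above (the rejected user auth).
SAMPLE_REJECT = """\
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
"""

# Constructed variant: same flow, default rule set to "Permit Access".
# Step 11002 for Access-Accept is assumed; it is not in the original log.
SAMPLE_DEFAULT_PERMIT = (SAMPLE_REJECT
    .replace("Profile - DenyAccess", "Profile - Permit Access")
    .replace("Profile is DenyAccess", "Profile is Permit Access")
    .replace("11003 Returned RADIUS Access-Reject",
             "11002 Returned RADIUS Access-Accept"))

if __name__ == "__main__":
    for name, sample in (("reject", SAMPLE_REJECT),
                         ("default permit", SAMPLE_DEFAULT_PERMIT)):
        print(name, triage(sample))
```

The useful signal is the combination: 11814/12306 prove the user's password was fine, 24423 proves the MAR lookup missed, and 15006 proves the rule that carries "Was Machine Authenticated = True" was never matched. The third diagnosis line is the case the original poster is worried about, where a permissive default rule lets a non-domain machine through on valid user credentials.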
05-16-2011 11:15 AM
Here is the rule we have set; we have only one access service running:
contains any (mydomain.net/Users/Domain Users; mydomain.net/enterprise/workstations) -ANY- = True Permit Access 13
05-17-2011 12:45 AM
The above probably means that there was no machine authentication before.
Do you see a machine authentication attempt from that workstation?
If not, it may be the workstation itself whose config needs a look.
11-18-2011 01:57 AM
Hi
I have a similar problem. I have added an authorization rule to the access service and selected "Was Machine Authenticated = True" and "contains any (mydomain.net/Domain Users; mydomain.net/Domain Computers)".
BUT this authorization rule NEVER gets used; instead the flow goes to the default one, which I set to permit access.
Any help is greatly appreciated.
Raoul
11-18-2011 04:49 AM
What radius server are you using?
11-18-2011 05:06 AM
Hi Scott
I am using Cisco ACS 5.1. I have
- joined the ACS to AD, enabled Machine Auth and MAR, and selected both user and machine groups in the Directory Groups
- created an access policy, enabled PEAP-MSCHAPv2 / Process Host Lookup, and defined conditions using Identity Group and Was Machine Authenticated, which looks like:
1) if Identity Group in machine group, then permit access
2) if Identity Group in user group and Was Machine Authenticated, then permit access
3) default deny access
What happens is that both authorization rules do not get selected; I set the default one to allow access, and it is the one that gets used.
Thanks
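The two posts above describe the same situation from opposite ends: a rule that requires "Was Machine Authenticated = True" only fires when ACS already holds a machine authentication for the endpoint, and whenever it does not, evaluation falls through to the default rule, whose profile then decides everything. The following Python is an added example, not from the thread or from Cisco, that models that first-match evaluation with a MAR cache and replays the rule set from the post above. The model's assumptions are labelled in the code: the MAR cache is keyed by the endpoint's Calling-Station-Id (MAC address), entries age out after a fixed number of hours, and the usernames, MACs and group names are invented.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical model of ACS 5.x first-match authorization with a MAR cache.
# Assumptions (not from the thread): the cache is keyed by the endpoint's
# Calling-Station-Id (MAC) and an entry expires after MAR_AGING_HOURS.
MAR_AGING_HOURS = 8


@dataclass
class Request:
    username: str      # "host/pc1.mydomain.net" for machine auth (invented)
    mac: str           # Calling-Station-Id (invented)
    groups: Set[str]   # AD groups ACS resolved for this identity
    hour: int          # wall-clock hour, used for MAR aging

    @property
    def is_machine_auth(self) -> bool:
        return self.username.startswith("host/")


@dataclass
class Rule:
    name: str
    groups_any: Optional[Set[str]]              # "contains any"; None = ANY
    was_machine_authenticated: Optional[bool]   # None = ANY
    profile: str


@dataclass
class Acs:
    rules: List[Rule]
    default_profile: str
    mar_cache: Dict[str, int] = field(default_factory=dict)  # mac -> hour

    def was_machine_authenticated(self, req: Request) -> bool:
        seen = self.mar_cache.get(req.mac)
        return seen is not None and req.hour - seen <= MAR_AGING_HOURS

    def authorize(self, req: Request) -> Tuple[str, str]:
        """Return (rule name, profile) for a request that already passed
        authentication; a successful machine auth is recorded in the cache."""
        mar = self.was_machine_authenticated(req)
        if req.is_machine_auth:
            self.mar_cache[req.mac] = req.hour
        for rule in self.rules:
            if rule.groups_any is not None and not (rule.groups_any & req.groups):
                continue
            if (rule.was_machine_authenticated is not None
                    and rule.was_machine_authenticated != mar):
                continue
            return rule.name, rule.profile        # first match wins
        return "default", self.default_profile


# The two rules from the post above, in the order they are evaluated.
RULES = [
    Rule("machines", {"Domain Computers"}, None, "Permit Access"),
    Rule("users on domain machines", {"Domain Users"}, True, "Permit Access"),
]


def walk_through(default_profile: str) -> List[Tuple[str, str]]:
    """Replay four requests and return the (rule, profile) chosen for each."""
    acs = Acs(RULES, default_profile)
    pc1 = "00:11:22:33:44:55"      # domain-joined laptop (invented MAC)
    rogue = "66:77:88:99:aa:bb"    # personal laptop, never machine-authenticated
    return [
        # 1. pc1 boots and machine-authenticates: rule 1, MAR entry created
        acs.authorize(Request("host/pc1.mydomain.net", pc1, {"Domain Computers"}, 8)),
        # 2. alice logs on to pc1 an hour later: rule 2, MAR hit
        acs.authorize(Request("alice", pc1, {"Domain Users"}, 9)),
        # 3. alice's credentials typed into the rogue laptop: no MAR, default rule
        acs.authorize(Request("alice", rogue, {"Domain Users"}, 9)),
        # 4. alice on pc1 after the MAR entry aged out: default rule again
        acs.authorize(Request("alice", pc1, {"Domain Users"}, 20)),
    ]


if __name__ == "__main__":
    for default in ("Permit Access", "DenyAccess"):
        print(default, walk_through(default))
```

With the default rule set to "Permit Access" all four requests succeed, including request 3, which is exactly the non-domain device the original poster wants to keep out; the MAR rule is not what admitted it, the default rule is. With the default set to "DenyAccess", request 3 is rejected and so is request 4, which is why a machine that has been up longer than the aging time, or that never sent a machine authentication at all, ends up at the default rule in the reports.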