Limit access to computers in AD domain

don_henry
Level 1

We have ACS 5.2 and WLC 5500, and we have been unable to limit our access service to machine authentication against AD. This is resulting in other unintended devices being allowed access to the WLAN: users simply accept the cert and are allowed access. How can I prevent non-domain devices, or test the device for domain membership?

Thanks

34 Replies

Are you doing anything else on ACS, or is it just wireless? If it doesn't match any rule, it should be denied.

-Scott
*** Please rate helpful posts ***

It is just wireless. I don't want to set the default rule to deny, otherwise users will not be able to access the network. The authorization rule should get matched, but I can't put my finger on why it doesn't.

You said your condition had 2 items: "was machine authenticated" and a group condition too.

What if you just put "was machine authenticated"? Would it then hit? If not, then it's the "was machine authenticated" that is the problem.

Could you take a screenshot of your policy and also of the passed authentication on your default policy?

-Scott

Have you guys had any luck? I am also hitting the same rock, i.e. the message is

24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory

User authentication works fine, but when I enable both UA/MA, it does not budge.

Do you see the machine sending machine credentials when it fails? In Windows 7 you need to set up the client with User and Machine. In Windows XP you need to do a registry hack to send machine auth.

http://support.microsoft.com/kb/929847

-Scott
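The registry change Scott refers to, as an added example that is not part of the thread and is not Cisco's or Microsoft's code: a PowerShell snippet that checks whether the XP box is actually a domain member (a non-domain machine has no computer account in AD and can never pass machine authentication, whatever the registry says), then reads and sets the `AuthMode` value under the EAPOL key that KB929847 describes. Assumptions: it is run elevated, PowerShell is installed on the XP client, and the per-value descriptions in `$AuthModeMeaning` are my paraphrase of the KB article and should be checked against it.

```powershell
# Added example (not from the thread). Inspects and sets the Windows XP EAPOL
# AuthMode value from KB929847 so the supplicant sends machine credentials.
# Assumptions: run as Administrator; PowerShell present on the XP client;
# the value meanings below paraphrase KB929847 (verify against the article).

$EapolKey  = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$ValueName = 'AuthMode'

# Paraphrase of the AuthMode values in KB929847 (assumption: check the KB).
$AuthModeMeaning = @{
    0 = 'Computer authentication when no user is logged on; user credentials after logon (default)'
    1 = 'Computer authentication, then user re-authentication at logon'
    2 = 'Computer authentication only (machine credentials always used)'
}

function Test-DomainMember {
    # $true only when the machine is joined to a domain, i.e. has a computer
    # account that ACS can look up in AD.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    return [bool]$cs.PartOfDomain
}

function Get-EapolAuthMode {
    # Current AuthMode, or $null when the value was never set (XP default).
    $item = Get-ItemProperty -Path $EapolKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-EapolAuthMode {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1, 2)]
        [int]$Mode
    )
    if (-not (Test-DomainMember)) {
        throw 'Not a domain member: machine authentication cannot succeed regardless of AuthMode.'
    }
    if (-not (Test-Path $EapolKey)) {
        New-Item -Path $EapolKey -Force | Out-Null
    }
    New-ItemProperty -Path $EapolKey -Name $ValueName -Value $Mode -PropertyType DWord -Force | Out-Null
    return Get-EapolAuthMode
}

# Usage: report the current state, then force machine-only auth for the test.
$domain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
"Domain member: $(Test-DomainMember) ($domain)"
$current = Get-EapolAuthMode
if ($null -eq $current) {
    'AuthMode not set (XP default behaviour)'
} else {
    "AuthMode = $current : $($AuthModeMeaning[$current])"
}
$new = Set-EapolAuthMode -Mode 2
"AuthMode now $new : $($AuthModeMeaning[$new])"
# Reconnect the WLAN profile (or reboot) before re-testing, then look in the ACS
# passed/failed authentication log for a host/<computername> identity: that is
# the machine credential, and its absence means the client never sent one.
```

Mode 2 is the useful setting for isolating the problem in this thread: if the ACS log still shows no `host/` identity with machine-only authentication forced, the fault is on the client side rather than in the ACS authorization rule.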

Hi Scott,

I had tried that registry hack earlier, with values of 0, 1 and 2; no success.

Also, when I disable MAR (Machine Access Restrictions) and just check for Machine Authentication, it does not give me the error mentioned above, but it still is no go.

Wondering if it is something to do with AD (but user auth works) or something missing in ACS. Also will check with Windows 7; hope it works there.

Trying to figure out a way to interactively debug the ACS logs and see what it is doing during these auth sessions.

Thanks

Can you post a screenshot of your policy? I know it works because I tested it out and deployed it a while ago.

-Scott

Hi

Many thanks for your help so far. Below are the rules used.

The service selection rule

The authorization rules for the "Wireless Access" access service

Initially I was using authorization rules 1 and 2, then I disabled them, and now that I am using only rule 3, which has only "Was Authenticated = True", as suggested by Nicolas, I can hit the rule. I guess the "contains any" conditions in rules 1 and 2 did not match anything in AD (by the way, I could not select these in Directory Groups and entered them manually).

But does the fact that I can now hit authorization rule 3 mean that I am doing Machine Authentication against the whole of AD, as no Directory Group is used?

Thanks

Raoul

You would need to look at the passed authentication log to see which rules are hit and how the user is being granted access. Your service selection rules are pretty wide open, so take a look at your log.

-Scott

Hi Scott

That is precisely what I have been trying to do, but for the life of me I cannot find where to access this on ACS.

This is the type of log I am after

On the left side, there is something that says Monitoring and Reports or something like that. When you click on that, it will open another browser window. You will find the logs there.

-Scott

I have been using the "Monitoring and Report Viewer" but can't find on ACS 5.1 where to display the log in the format above.

I can look later; not in front of my ACS at the moment.

-Scott

Hi Scott, thanks for your concern. I checked it with a similar config and access for Windows 7 and it works fine, but still nowhere with XP. Windows XP is not even sending anything in the ACS logs that says machine accounts/authentication.