Cisco :: ACS 5.2 Machine Authentication Fails Every 30 Days
Jan 9, 2012
Running ACS5.2, Windows XP Pro, Window Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password".TAC has been working with us on this and sees the error in the logs but does not have an answer on with to do to solve this. It has the same problem with Wireless Zero. Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting so this is a not just a minor problem
I have set up an ACS (5.2) to do EAP-TLS Machine and User Authentication.I am getting intermittent results with the machine authentication using the same laptop as a test client.When the machine authentication succeeds the RADIUS name shows as host/xxx-yyy.When the machine authentication fails the RADIUS name shows as xxx-yyy without the host/.
I have 802.1x/peap authentication in my wireless network with ACS 4.2 as the authentication server. I enabled PEAP machine authentication under the Unknown user policy --->database configuration sub-menu. I discovered that I was still able to access the wireless network on my android phone with my domain logon. I later discovered that there is an option in Group policy to force Windows XP clients to perform computer authentication. Now the problem is that windows 7 clients do not have the EAPOL option in the registry, hence the group policy object may not work. How to enforce machine authentication and stop unwanted devices without having to purchase a NAC server.
I am currently authenticating wireless clients using PEAP User Authentication through a Cisco Wireless LAN Controller and Cisco ACS 4.2, which points to a Microsoft Active Directory external database. This does not keep users from configuring thier personal devices with thier Active Directory login information and connecting to the corporate wireless network. I can setup a client to use a certificate, machine authentication and user authentication, but I havent been able to REQUIRE the certificate and or machine authentication to authenticate to my wireless network.
>I now have the Windows External Database Configuration, ACS External Database setup with Enable PEAP Machine Authentication and Enable machine access restrictions. With the client configuration set to use Computer Authentication, it passes the authentication through ACS (and AD), but the client can also be configured for User Authentication and also pass authenticaiton. Is there a way to only require Computer Authentication through a Cisco WLCCisco ACS?
I have configured ACS 5.1 to check AD domain computer accounts then permit access, the next rule authenticates AD domain users and checks machine accounts with WAS MACHINE AUTHENTICATED "TRUE" permit.
My dilemma - Windows XP supplicant work fine and I can see the host/machine (Wireless device) authenticating followed by user credentials, but when I use the Intel Pro/set supplicant version 12.1 the same device fails authentication due to ACS not being able to verify a good previous machine authentication?
Is this problem ACS related or down to the Intel supplicant.
we have a customer with a wifi deployment aruba 3600 controller based. Corporate SSID authentication is EAP-TLS double machine and user authentication through ACS 4.2 against AD and Microsoft AC PKI infraestructure based; it was working ok. After migrating from ACS 4.2 to 5.2, both authentication (machine and user) are reported as succeed by ACS but aruba controller does not recognize machine authentication. It seems that controller sees two authentication users and not an machine followed by and user one. We have revised configuration in detail and it seems correct. We begin thinking it could be a bug .
A PC with a machine cert gets connected to a switch running 802.1x. The switch uses EAP with .1x to query PC, handing this off to ACS, that bit I'm ok with. The ACS needs to query the CA server to authenticate the PC, its this process I'm not sure about.
Reading the documentation I think that I need to configure LDAP between the ACS and the CA, which is running on 64-bit 2008 server. But, ACS SE remote agent is 32 bit only.
Is this correct, if so how do I get ACS SE to communicate with a 64-bit 2008 CA server?
Any good guide for configuring PEAP with Machine Authentication to allow for domain login?This is a clean install on a new 5.2 install.We are moving from 4.X to 5.2 and i want to make sure i dont miss anything.
I am trying to setup up a rule to allow wireless access only to users in my AD when they use computers from my AD.I have Machine authentication working on it's own (computer boots up and connects to wireless - confrimed by ACS logs) I have User authentication working But when I try to creat the floowing rule:it does not work.
Is there a way to authenticate a windows computer in ACS 5.2 for 802.1x only with a certificate.The Computer is from a different active directory than the one that is configured in ACS.I tried importing the cert into "external indentity Stores" > "certificate authorities", then setup the computer to use smart card or certificate, then selected the certificate from the other AD.when i look at the ACS log, here is the message i can see: 22044 Identity policy result is configured for certificate based authentication methods but received password based
I have the problem with machine authentication, our customer using Wireless Controller 2500 Series and need implement machine authentication on IAS server. So, as my understand is our controller may not change anything with configuration but we may configure IAS for support machine authentication, correct? but my question is how to? and is it work ?
I am using ISE 1.1.3.124.My first question:I want to know the relation between the attribute "WasMachineAuthenticated" and the MAR (MAchine access restriction in advanced setting for AD).Is-it the same or not ?Once you time out, you need to do machine auth again. What is the timer ?Using the attribute "WasMachineAuthenticated", is-it the same timer that you configure in MAR ? In a distributed environnement, is the information about machine previously authenticated replicated to all policy node ?Because, if a swicth has 2 radius-server, we are not sure that it will point everytime to the same server.
I am using ACS 5.3. I have succesfully configured Machine Authentication for a Windows 7 laptop using EAP-TLS. The ACS is configured with an Active Directory external identity store where the Windows 7 laptop is configured as part of the domain. I'm pretty sure that the ACS was using the AD to authenticate the laptop's name because at first the authentications were failing because I had the Certificate Authentication Profile configured to look at an attribute in the client certificate that was empty. When I fixed that, the authentication suceeded.
I started doing some failure testing so I disconnected the Domain Controller from the network. Sure enough, the ACS shows the Active Directory external store is in the Disconnected State.I then went to my Windows 7 laptop and disconnected the wireless connection and connected it again, expecting it to fail because the AD is down. But it succeeded! My Win 7 laptop is accessing the network wirelessly through a Lightweight AP and 5508 WLC. The WLAN Session Timeout was set for 30 minutes. So even with the AD disconnected, every 30 minutes, the ACS log showed a successful EAP-TLS authentication. I then changed the WLAN Session Timeout to 2 hours 10 minutes. Same thing, every 2 hours 10 minutes, a succesfull EAP-TLS authentication. I really don't know how the authentications are succeeding when the AD is not even connected. Is there a cache in the ACS?
For our wireless, we enabled the machine authentication, but we want to bind the machine authentication and user authentication together which means they need to meet both requirements to access the wireless, how can we do this? Right now looks like as soon as the machine is authenticated, it can access the network, no user authentication needed.
we have acs 4.2 as our radius server, and 2 wlc 4404 with a wism2 for our wireless network. we have 2 SSID network, lets call them SSID A and B. A have a more restricted access to server than B.PEAP machine authentification is authorize on both network, to let our users laptop connect before the user login, this enable us to have our computer gpo deploy before the user logon, or have network access to authenticate a user to our directory if he had not logon previously on the laptop.
Users from group A can't logon to SSID B, they can only logon to SSID A, but we have some clever users from group A who have change they wireless setting to only send machine authentification (this can be done in the advance setting of a wireless network in windows 7) to connect to SSID B
We can't force the wireless config by GPO because we don't have an ad 2008 domain, we are still in 2003 soo we can't change the gpo for windows 7 wireless setting . I can't force user to require machine authentification and user authentification because we have a lot of ipad and iphone, and other mobile device that connect using only their user credentials.Is there a way I could configure this without having to disable machine authentification for SSID B?
Cisco 5508 wireless controllerCisco ACS 5.1LDAP connection I have setup the wireless controller to do RADUIS authentication with the ACS 5.1 using LDAP. The setup is currently working, Brief info below on setup.
I setup the PC client to use WPA2-Enterprise AES and authentication method CISCO PEAP. When I connect to the SSID this will prompt for a username and password. I will enter in my AD details and the ACS with the LDAP connection will authenicate and on the network I go.
Now I want to add machine authentication with CERTIFICATES, each laptop and pc in our network has CA certificates installed.
way that I can add these certificates into the ACS 5.1 so I pretty much want to import them into the ACS. Once they are imported inside I want the ACS to check that the certificates are on the PC and then prompt for the AD username and password, and only once it meets these two conditions it allows the workstation onto the network.So it will be a two form authentication one with certificates and the other ldap.
- I have a cisco unified network (ACS 5.1, Cisco controller, LWAP) and have configured ACS to integrate with AD.
- I am using this network for Laptops and wireless IP phones access.
- I have only one Service Selection rule for both Laptops and wireless IP phones. All the conditions attributes are set to ANY except Protocol = Radius
- I select a simple Identity Policy and I use a sequence where IP phones users are authenticated using ACS local user and the Laptops users are authenticated using AD
- Laptop users are authenticated using PEAP and IP phones users using EAP-Fast
Everything is working fine BUT I need to make 2 changes and eventhough I spent many hours hours on forums and reading articles and trying things myself I can't get the changes to work.
The first change is to use 2 Service Selection Rules one for the IP phones and one for the Laptops. After adding another service selection rules that I put at the top, I tried many combinations to try and get the IP phones to use it but whatever I did (used different combinations of conditions), the IP phones always select the 2nd rule, which is the original one. The question is "what conditions to put in a service selection rule to make wireless IP phones use the rule).
The second change is that I want to add machine authentication so only Laptops that are in AD can access the network. AGain I tried various settings but can't get this to work.
I configured WiFi connection on Windows XP and Windows 7 with EAP-TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with computer authentication and computers certificates are autoenrolled from Microsoft PKI.It works well!
Now I configured Windows 8 with same configuration.First authentication works but if I manually disconnect and reconnect, I got this error on ACS: 22047 Principal username attribute is missing in client certificate.In EAP packets, we could see that Windows 8 sent a TLS session ticket but session was not resumed correctly by ACS..On ACS configuration, we checked this option "Enable EAP-TLS Session Resume" with session timeout "7200".
I'm trying to set up vpn with ASA 8.2(5) and Anyconnect 3.0.4235. The goal is to force user to connect from registered machines only (winXP & win7 x32 and x64). To do this, I used machine certificates issued by own CA. Certificate is installed in machine store. I use double authentication (aaa & certificates). Everything works fine, AnyConnect browses cert store, ASA validating machine certificate, then user is prompted for username/password and finally if all is correct - connection is established.My problem is, that for new installation (new host), AnyConnect fails at first connection attempt. If I use aaa authentication only, connection is established, but if I use aaa & certificates - connection fails. The appropriate .xml profile is predeployed at client host asa well as machine and root certificates.Important: When first try (aaa auth) succeded, others are always OK (with aaa. certificate or aaa & certificate authentication). Only the first one fails.The goal is to succesfuly establish connection with aaa & cert.
With DART i get: ****************************************** Type : Error Source : acvpnagent Description : Function: CTransportWinHttp::WinHttpCallback File: .CTransportWinHttp.cpp Line: 2150
[code]....
Certificate is valid for sure, and as I mentioned before, if first use aaa only, the second try is OK. At ASA with debug crypto ca 255 can't see any certificate from client.
I am running Cisco ACS 5.1 802.1x with certificate based authentication for Wired and Wireless connections. The issue that I am having is that when a user comes in from home with their laptop the wireless connection works, they pass the authentication and have network access fine. But when the plug the laptop into a docking station the LAN connection fails and gets put in the Auth Failure Vlan. A reboot of the phone/ shut/no shut fixes this, but I really need to find a resolution.This is an intermittent fault and only effects users with both LAN and WLAN enabled. Running ACS 5.1.0.44, all Cisco 3750s - c3750-ipservicesk9-mz.122-55.SE.Certificates are issues by group policy and only using computer authentication.
I've got a weird problem that I can't figure out. I've de-authorized the switch in the RADIUS server to force an ERROR status to test the backup entries in the AAA authentication method list. However, after I do that and try to log in (through ssh), it just prompts me for my username's password and not the enable password. Here's the debug output:
1d02h: RADIUS: Marking server xxx.xxx.xxx.xxx:1812,1813 dead 1d02h: RADIUS: Tried all servers. 1d02h: RADIUS: No valid server found. Trying any viable server 1d02h: RADIUS: Tried all servers. 1d02h: RADIUS: No response for id 10
I have a problem with a customer of mine. We have deployed two new WLC5508 running r7.0.116.0 and AP1142s, also WCS with r7.0.172. When we setup a "Guest Access" we ran into trouble.The problem is that we can associate to the SSID/AP and get an ip-adress. When we open the web- browser we do not get redirected to the virtual interface but instead the _hostname_ of the WLC. Like this: url...
I we manually replace "cisco6a19c4" with 1.1.1.1 it works as it should, the login page appears, we login and can access the internet.We have tested and disabled web-auth on the ssid an everything works, we can directly go out on the internet, DNS works without any problems. [code]Guest network (VLAN) is transfered from WLC via the trunk to the Cat4503 and then connected on a access-port to a separate broadband-router, then to the inetrnet.DHCP to guest-users from separate broadband-router which is def gwy and "DNS".On the virtual interfaces no hostname is configured.
I set up LDAP store pointing to a Windows domain and am testing authenticating users via an ASA. In my LDAP config, its set for "Groups Objects refer to subjects" and I selected usernames in the drop down. I also added a a Global Group to the Directory groups tab in the LDAP store that I created.
Under my Access Polices, I created a rule that meets two condititons - coming from the ASA, and then I was able to select the group from the drop down box for my ldap domain. As a condition, it shows up as DomainName:External Groups. I set the permission to Permit Access.
Originally, I was failing authentication and I was receiving Subject Not Found in Store. I adjusted the Identity Sequence and now I receive a the following error:
15039: Selected Authorization Profile is Deny Access. So it must not be associating my account with the group with the Permit Access and using the Default Permissions.So it does match the correct Access Service, and Identity Store.
I have setup the WLC to authenticate to a MS Server2008 NPS for a WPA2/AES SSID. The connection is successful, but client authentication fails for wrong EAP-type. I believe this indicates a Windows7 client issue. What is the required client setup to satisfy the MS NPS?
Just purchased an E2000 (Firmware version 1.0.03) to use with DDNS. Much to my surprise there seems to be a problem with saving the password at the configuration screen. [code] With the above settings entered and the Update button pressed favorable results are obtained; the router reports that DynDNS.org updates okay. However once the "Save Settings" button is pressed an update fails with the error "Authorization failure bad ID or password".Is anyone else experiencing this issue? Is the password field limited to certain characters?
I have a 3845 router. Setup SSH Version 2generated rsa keys (1024)set login localtransport input ssh and telnet is enabled since I can't get ssh connection working When I connect using SSH, I get the following error. server refused authentication protocol.
I have a strange error on my home network that I cannot find a solution to.I have an Huawei SmartAX MT882 from TalkTalk acting as a modem connected to a D-Link DSL-G624T acting as a router/switch. Connected to the D-Link I have a Windows 7 Pro machine (64-bit, SP1) and an XP (home i think) machine (sp 2 i think).The SmartAX modem is set up to perform DHCP and DNS relaying and the D-Link has DHCP turned off and DNS relay turned off.The Win7 machine can access the network, get an IP address and access the internet without problems, regardless as to the status of the XP machine.The XP machine can access the network, get an IP address and access the internet with no problems ONLY of the win7 is powered up. When the win7 machine is off, the XP machine seems to drop about 25% of the ping packets between it and the D-Link router and has no internet access (because of this i assume). [code]
New Win-7 machine set up. I used the printer set-up wizard to install a networked printer in the new machine with absolutely no problem. Proved it would print from that machine.Now, I get a call informing me that her old XP machine, which had been printing to the network printer with no problems, will no longer print.Documents go into the print queue, but they don't get printed.No error messages show up.I did some messing around via remote access, and finally removed the printer with the intention of reinstalling it.Scanning for network printers turned up several redundant instances of the same printer with different names. Some are identified as "invalid" some a "access denied". Bottom line. I can't get any of the selections to install.On the Win-7 machine I did find a window that indicated that the printer is designated as being shared, but I didn't explicitly set it for sharing when I installed it. Also, I somehow got to a window that told me that for printers that were to be shared with other versions of windows I could optionally install drivers to support such machines. Didn't have the driver disk handy and took the window down. Now I can't even find it again.I need sorting this all out.Part of the problem is that out there in "network land" there are redundant remnants of previous installations that are being remembered inappropriately.
I have a network problem. My windows 7 machine is not detecting win xp machine whereas win xp machine is detecting win 7 machine. They are in the same workgroup named Home. And the networking system is set to work. I have left the homegroup I was previously in. I enabled file sharing for devices that use 40 bit and 50 bit encryption. On XP I have enabled NetBios over TCP/IP. File sharing is enabled on both computers. I think it's something obvious as both instalations on different computers are really fresh and both windows haven't been tampered with.
