Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Cisco (http://www.velocityreviews.com/forums/f27-cisco.html)
-   -   PEAP machine authentication problem (http://www.velocityreviews.com/forums/t379451-peap-machine-authentication-problem.html)

Can2002 10-27-2006 09:01 AM

PEAP machine authentication problem
 
I'm trying to set up a limited deployment of dot1x authentication on
some wired 4506/3550 connections. As we already have ACS (3.3.2)
linked into our domain database, running through a couple of the Cisco
guides I thought it should be pretty straightforward.

We don't have a Microsoft CA integrated into our domain yet, so I
started by generating a self-signed cert on the ACS server. I enabled
PEAP machine authentication in the Windows external DB configuration
and also enabled PEAP in the global authentication setup. I also
ensured that my Windows database was selected in the unknown user
policy setting.

I manually added the self-signed certificate into both the user and
machine certificate stores as a trusted root CA and then selected the
appropriate CA from the PEAP properties in my LAN adaptor (Windows XP).

I was initially having problems authenticating and after investigating,
it transpired that the user authentication element of PEAP seemed to be
working; it's machine authentication that's failing. In the ACS logs I
can see failure codes of "External DB account restriction" for the
machine account login attempt.

I've asked the Windows guys to check the logs at their end to see if
they can see any specific messages, but they've not found anything yet.

Can anyone see any flaws in my approach? Any help would be great!

Cheers,
Chris


Thrill5 11-01-2006 04:51 AM

Re: PEAP machine authentication problem
 

"Can2002" <can2002@nospammail.net> wrote in message
news:1161939684.051502.38310@f16g2000cwb.googlegroups.com...
> I'm trying to set up a limited deployment of dot1x authentication on
> some wired 4506/3550 connections. As we already have ACS (3.3.2)
> linked into our domain database, running through a couple of the Cisco
> guides I thought it should be pretty straightforward.
>
> We don't have a Microsoft CA integrated into our domain yet, so I
> started by generating a self-signed cert on the ACS server. I enabled
> PEAP machine authentication in the Windows external DB configuration
> and also enabled PEAP in the global authentication setup. I also
> ensured that my Windows database was selected in the unknown user
> policy setting.
>
> I manually added the self-signed certificate into both the user and
> machine certificate stores as a trusted root CA and then selected the
> appropriate CA from the PEAP properties in my LAN adaptor (Windows XP).
>
> I was initially having problems authenticating and after investigating,
> it transpired that the user authentication element of PEAP seemed to be
> working; it's machine authentication that's failing. In the ACS logs I
> can see failure codes of "External DB account restriction" for the
> machine account login attempt.
>
> I've asked the Windows guys to check the logs at their end to see if
> they can see any specific messages, but they've not found anything yet.
>
> Can anyone see any flaws in my approach? Any help would be great!
>
> Cheers,
> Chris
>


External DB restriction means that the machine passed authentication but
could not log in due to some restriction by the external DB. You need to
make sure that the Machine Account is not locked out, or has some other type
of login restriction.

Scott
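To make the distinction Scott describes visible in the logs, here is an added triage script (not from this thread, and not Cisco or Microsoft code) that reads ACS failed-attempt entries and splits them by identity type. PEAP machine authentication presents the computer account as `host/<fqdn>`, so anything with that prefix is counted as a machine attempt; everything else is a user. The CSV column names and the sample lines are constructed for this example and are an assumption about the export layout, not the exact ACS 3.3 format. The point of the output is that a machine account failing only with "External DB account restriction" (while users pass) points at the AD computer object itself: lockout, disabled state, logon hours, workstation restrictions or expiry, rather than at the certificate or PEAP setup.

```python
import csv
import io
from collections import Counter, defaultdict

RESTRICTION_CODE = "External DB account restriction"

# Constructed sample in a simplified "Failed Attempts" CSV layout.
# The column names are an assumption for this example, not the real ACS 3.3 export.
SAMPLE_FAILED_ATTEMPTS = """\
Date,Time,User-Name,Caller-ID,Authen-Failure-Code,NAS-IP-Address,NAS-Port
10/27/2006,08:42:11,host/ws0123.corp.example,00-11-22-33-44-55,External DB account restriction,10.0.0.5,50012
10/27/2006,08:42:40,host/ws0123.corp.example,00-11-22-33-44-55,External DB account restriction,10.0.0.5,50012
10/27/2006,08:45:02,CORP\\jsmith,00-11-22-33-44-66,External DB user invalid or bad password,10.0.0.5,50014
10/27/2006,08:46:17,host/ws0456.corp.example,00-11-22-33-44-77,External DB account restriction,10.0.0.6,50003
"""


def identity_kind(user_name):
    """Windows sends the computer account as host/<fqdn> during PEAP machine auth."""
    return "machine" if user_name.lower().startswith("host/") else "user"


def parse_failed_attempts(text):
    """Parse the CSV export into a list of dicts with the fields used for triage."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        rows.append({
            "timestamp": f"{row['Date']} {row['Time']}",
            "identity": row["User-Name"],
            "kind": identity_kind(row["User-Name"]),
            "failure": row["Authen-Failure-Code"],
            "nas": row["NAS-IP-Address"],
            "port": row["NAS-Port"],
        })
    return rows


def summarize(rows):
    """Return (failure counts per identity kind, identities per kind hitting the restriction code)."""
    by_kind = defaultdict(Counter)
    restricted = defaultdict(set)
    for r in rows:
        by_kind[r["kind"]][r["failure"]] += 1
        if r["failure"] == RESTRICTION_CODE:
            restricted[r["kind"]].add(r["identity"])
    return ({k: dict(v) for k, v in by_kind.items()},
            {k: sorted(v) for k, v in restricted.items()})


def machine_accounts_to_check(rows):
    """Machine identities whose failures are all the restriction code.

    The domain accepted their credentials, so the AD computer object
    (lockout, disabled, logon hours, workstation restrictions, expiry)
    is what to inspect next, not the certificate or PEAP settings.
    """
    failures = defaultdict(set)
    for r in rows:
        if r["kind"] == "machine":
            failures[r["identity"]].add(r["failure"])
    return sorted(i for i, codes in failures.items() if codes == {RESTRICTION_CODE})


if __name__ == "__main__":
    parsed = parse_failed_attempts(SAMPLE_FAILED_ATTEMPTS)
    counts, restricted = summarize(parsed)
    for kind, codes in counts.items():
        print(f"{kind}: {codes}")
    print("machine accounts to check in AD:", machine_accounts_to_check(parsed))
```

Run it against a real export by replacing `SAMPLE_FAILED_ATTEMPTS` with the file contents; if the column headers differ, adjust the keys in `parse_failed_attempts` only.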

