PEAP machine authentication problem

 
 
Can2002
      10-27-2006
I'm trying to set up a limited deployment of dot1x authentication on
some wired 4506/3550 connections. As we already have ACS (3.3.2)
linked into our domain database, running through a couple of the Cisco
guides I thought it should be pretty straightforward.

We don't have a Microsoft CA integrated into our domain yet, so I
started by generating a self-signed cert on the ACS server. I enabled
PEAP machine authentication in the Windows external DB configuration
and also enabled PEAP in the global authentication setup. I also
ensured that my Windows database was selected in the unknown user
policy setting.

I manually added the self-signed certificate into both the user and
machine certificate stores as a trusted root CA and then selected the
appropriate CA from the PEAP properties in my LAN adaptor (Windows XP).

I was initially having problems authenticating and after investigating,
it transpired that the user authentication element of PEAP seemed to be
working; it's machine authentication that's failing. In the ACS logs I
can see failure codes of "External DB account restriction" for the
machine account login attempt.

I've asked the Windows guys to check the logs at their end to see if
they can see any specific messages, but they've not found anything yet.

Can anyone see any flaws in my approach? Any help would be great!

Cheers,
Chris

 
 
 
 
 
Thrill5
      11-01-2006

"Can2002" wrote in message:
> I'm trying to set up a limited deployment of dot1x authentication on
> some wired 4506/3550 connections. As we already have ACS (3.3.2)
> linked into our domain database, running through a couple of the Cisco
> guides I thought it should be pretty straightforward.
>
> We don't have a Microsoft CA integrated into our domain yet, so I
> started by generating a self-signed cert on the ACS server. I enabled
> PEAP machine authentication in the Windows external DB configuration
> and also enabled PEAP in the global authentication setup. I also
> ensured that my Windows database was selected in the unknown user
> policy setting.
>
> I manually added the self-signed certificate into both the user and
> machine certificate stores as a trusted root CA and then selected the
> appropriate CA from the PEAP properties in my LAN adaptor (Windows XP).
>
> I was initially having problems authenticating and after investigating,
> it transpired that the user authentication element of PEAP seemed to be
> working; it's machine authentication that's failing. In the ACS logs I
> can see failure codes of "External DB account restriction" for the
> machine account login attempt.
>
> I've asked the Windows guys to check the logs at their end to see if
> they can see any specific messages, but they've not found anything yet.
>
> Can anyone see any flaws in my approach? Any help would be great!
>
> Cheers,
> Chris
>


External DB restriction means that the machine passed authentication but
could not log in due to some restriction by the external DB. You need to
make sure that the Machine Account is not locked out and does not have some
other type of login restriction.

Scott
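
The check suggested in the reply above, as an added example that is not part of the original thread: a PowerShell function, built on the ActiveDirectory module's `Get-ADComputer`, that reports whether a machine account is disabled, locked out or expired. `WKSTN01` is a placeholder computer name, and the dial-in permission check is an assumption about which other restriction might apply.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-MachineAccountRestriction {
    param(
        # Computer name without the trailing '$'; 'WKSTN01' below is a placeholder.
        [Parameter(Mandatory = $true)] [string] $ComputerName
    )

    $props = 'Enabled', 'LockedOut', 'AccountExpirationDate',
             'PasswordLastSet', 'LastLogonDate', 'msNPAllowDialin'
    try {
        $c = Get-ADComputer -Identity $ComputerName -Properties $props -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Wrong name, or the machine has no account in this domain.
        # Any other error (for example, no reachable domain controller) is not swallowed.
        return [pscustomobject]@{
            Computer = $ComputerName
            Findings = @('Computer account not found in the domain')
        }
    }

    $findings = @()
    if (-not $c.Enabled) { $findings += 'Account is disabled' }
    if ($c.LockedOut)    { $findings += 'Account is locked out' }
    if ($c.AccountExpirationDate -and $c.AccountExpirationDate -lt (Get-Date)) {
        $findings += "Account expired on $($c.AccountExpirationDate)"
    }
    # Assumption: dial-in permission is one of the "other" restrictions worth ruling out.
    # The attribute is unset ($null) when access is controlled through policy, so only
    # an explicit $false is reported as a deny.
    if ($c.msNPAllowDialin -eq $false) { $findings += 'Dial-in permission is set to Deny' }

    [pscustomobject]@{
        Computer        = $c.Name
        PasswordLastSet = $c.PasswordLastSet   # a very old value can mean a stale machine password
        LastLogonDate   = $c.LastLogonDate
        Findings        = $findings            # empty array: none of the checked restrictions apply
    }
}

Get-MachineAccountRestriction -ComputerName 'WKSTN01' | Format-List
```

An empty `Findings` list only rules out the restrictions this function checks; the domain controller's security event log remains the place to confirm why a logon was refused.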


 