PEAP machine authentication problem

Discussion in 'Cisco' started by Can2002, Oct 27, 2006.

  1. Can2002

    Can2002 Guest

    I'm trying to set up a limited deployment of dot1x authentication on
    some wired 4506/3550 connections. As we already have ACS (3.3.2)
    linked into our domain database, running through a couple of the Cisco
    guides I thought it should be pretty straightforward.

    We don't have a Microsoft CA integrated into our domain yet, so I
    started by generating a self-signed cert on the ACS server. I enabled
    PEAP machine authentication in the Windows external DB configuration
    and also enabled PEAP in the global authentication setup. I also
    ensured that my Windows database was selected in the unknown user
    policy setting.

    I manually added the self-signed certificate into both the user and
    machine certificate stores as a trusted root CA and then selected the
    appropriate CA from the PEAP properties in my LAN adaptor (Windows XP).

    I was initially having problems authenticating and after investigating,
    it transpired that the user authentication element of PEAP seemed to be
    working, it's machine authentication that's failing. In the ACS logs I
    can see failure codes of "External DB account restriction" for the
    machine account login attempt.

    I've asked the Windows guys to check the logs at their end to see if
    they can see any specific messages, but they've not found anything yet.

    Can anyone see any flaws in my approach? Any help would be great!

    Cheers,
    Chris
     
    Can2002, Oct 27, 2006
    #1

  2. Thrill5

    Thrill5 Guest

    "Can2002" <> wrote in message
    news:...
    > I'm trying to set up a limited deployment of dot1x authentication on
    > some wired 4506/3550 connections. As we already have ACS (3.3.2)
    > linked into our domain database, running through a couple of the Cisco
    > guides I thought it should be pretty straightforward.
    >
    > We don't have a Microsoft CA integrated into our domain yet, so I
    > started by generating a self-signed cert on the ACS server. I enabled
    > PEAP machine authentication in the Windows external DB configuration
    > and also enabled PEAP in the global authentication setup. I also
    > ensured that my Windows database was selected in the unknown user
    > policy setting.
    >
    > I manually added the self-signed certificate into both the user and
    > machine certificate stores as a trusted root CA and then selected the
    > appropriate CA from the PEAP properties in my LAN adaptor (Windows XP).
    >
    > I was initially having problems authenticating and after investigating,
    > it transpired that the user authentication element of PEAP seemed to be
    > working, it's machine authentication that's failing. In the ACS logs I
    > can see failure codes of "External DB account restriction" for the
    > machine account login attempt.
    >
    > I've asked the Windows guys to check the logs at their end to see if
    > they can see any specific messages, but they've not found anything yet.
    >
    > Can anyone see any flaws in my approach? Any help would be great!
    >
    > Cheers,
    > Chris
    >


    External DB restriction means that the machine passed authentication but
    could not log in due to some restriction by the external DB. You need to
    make sure that the Machine Account is not locked out or subject to some
    other type of login restriction.

    Scott
     
    Thrill5, Nov 1, 2006
    #2
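A way to confirm Scott's reading of the ACS failure code across a whole Failed Attempts export, rather than eyeballing single entries: the script below is an added example and is not code from the thread or from Cisco. It assumes a simplified, constructed CSV layout (the `FIELDS` list) and constructed sample rows; a real ACS 3.x export has more columns, so adjust `FIELDS` to match. It also assumes, as the XP supplicant does, that a machine logon is presented with a `host/<fqdn>` identity, which is how the script separates machine attempts from user attempts.

```python
"""Triage of ACS failed-attempt records for 802.1X/PEAP machine vs. user logons.

Added example, not from the thread. The CSV layout and the log rows below are
constructed; real ACS Failed Attempts exports carry more columns.
"""
import csv
import io
from collections import Counter, defaultdict

# Assumed column layout of the export (constructed, simplified).
FIELDS = ["Date", "Time", "Message-Type", "User-Name", "Caller-ID",
          "Authen-Failure-Code", "NAS-IP-Address"]

# Per the reply above: this code means the external DB accepted the
# credentials but refused the logon for a policy reason, so the fix is on
# the account, not on certificates or the supplicant.
RESTRICTION_CODE = "External DB account restriction"
RESTRICTION_CHECKS = [
    "account locked out",
    "account disabled",
    "logon hours restriction",
    "log-on-to (workstation) restriction",
    "password expired / must change at next logon",
]

# Constructed sample rows: ws042's machine logon is refused twice with the
# restriction code, while other failures are plain bad-credential cases.
SAMPLE_LOG = """\
10/27/2006,09:01:12,Authen failed,host/ws042.example.local,00-11-22-33-44-55,External DB account restriction,10.0.0.5
10/27/2006,09:01:40,Authen failed,host/ws042.example.local,00-11-22-33-44-55,External DB account restriction,10.0.0.5
10/27/2006,09:03:07,Authen failed,jsmith,00-11-22-33-44-66,External DB user invalid or bad password,10.0.0.5
10/27/2006,09:05:55,Authen failed,host/ws077.example.local,00-11-22-33-44-77,External DB user invalid or bad password,10.0.0.6
"""


def is_machine_account(user_name):
    """Assumption: Windows machine logons through PEAP appear as host/<fqdn>."""
    return user_name.lower().startswith("host/")


def parse_failed_attempts(text):
    """Parse the export into one dict per row using the assumed FIELDS layout."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def summarize(records):
    """Count failure codes separately for machine and user logons."""
    summary = {"machine": Counter(), "user": Counter()}
    for r in records:
        kind = "machine" if is_machine_account(r["User-Name"]) else "user"
        summary[kind][r["Authen-Failure-Code"]] += 1
    return summary


def restricted_machines(records):
    """Hosts whose machine account authenticated but was refused by DB policy."""
    hosts = defaultdict(int)
    for r in records:
        if is_machine_account(r["User-Name"]) and r["Authen-Failure-Code"] == RESTRICTION_CODE:
            hosts[r["User-Name"]] += 1
    return dict(hosts)


def triage(text):
    """Return per-kind failure counts, the restricted hosts, and what to verify in AD."""
    records = parse_failed_attempts(text)
    restricted = restricted_machines(records)
    return {
        "summary": summarize(records),
        "restricted": restricted,
        # Only worth handing to the Windows team when the restriction code is present.
        "checks": RESTRICTION_CHECKS if restricted else [],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, counts in result["summary"].items():
        print(kind, dict(counts))
    print("restricted machine accounts:", result["restricted"])
    for check in result["checks"]:
        print("  verify in AD:", check)
```

On the sample, ws042 is reported as a restricted machine account and the user-side failure for jsmith stays in the bad-credential bucket, which reproduces the thread's symptom (user authentication fine, machine authentication refused by DB policy) and hands the Windows team a concrete list of account properties to check rather than a generic "it fails".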
