I'm trying to set up a limited deployment of dot1x authentication on some wired 4506/3550 connections. As we already have ACS (3.3.2) linked into our domain database, running through a couple of the Cisco guides I thought it should be pretty straightforward.
We don't have a Microsoft CA integrated into our domain yet, so I started by generating a self-signed cert on the ACS server. I enabled PEAP machine authentication in the Windows external DB configuration and also enabled PEAP in the global authentication setup. I also ensured that my Windows database was selected in the unknown user policy setting.
I manually added the self-signed certificate into both the user and machine certificate stores as a trusted root CA and then selected the appropriate CA from the PEAP properties in my LAN adaptor (Windows XP).
I was initially having problems authenticating, and after investigating, it transpired that the user authentication element of PEAP seemed to be working; it's machine authentication that's failing. In the ACS logs I can see failure codes of "External DB account restriction" for the machine account login attempt.
I've asked the Windows guys to check the logs at their end to see if they can see any specific messages, but they've not found anything yet.
Can anyone see any flaws in my approach? Any help would be great!