PEAP machine authentication problem

I'm trying to set up a limited deployment of dot1x authentication on some wired 4506/3550 connections. As we already have ACS (3.3.2) linked into our domain database, running through a couple of the Cisco guides I thought it should be pretty straightforward.

We don't have a Microsoft CA integrated into our domain yet, so I started by generating a self-signed cert on the ACS server. I enabled PEAP machine authentication in the Windows external DB configuration and also enabled PEAP in the global authentication setup. I also ensured that my Windows database was selected in the unknown user policy setting.

I manually added the self-signed certificate into both the user and machine certificate stores as a trusted root CA and then selected the appropriate CA from the PEAP properties in my LAN adaptor (Windows XP).

I was initially having problems authenticating and after investigating, it transpired that the user authentication element of PEAP seemed to be working; it's machine authentication that's failing. In the ACS logs I can see failure codes of "External DB account restriction" for the machine account login attempt.

I've asked the Windows guys to check the logs at their end to see if they can see any specific messages, but they've not found anything yet.

Can anyone see any flaws in my approach? Any help would be great!

Cheers, Chris

Can2002

External DB restriction means that the machine passed authentication but could not log in due to some restriction by the external DB. You need to make sure that the Machine Account is not locked out, or has some other type of login restriction.

Scott

Thrill5
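An added example to go with Scott's reply (not code from the thread): a small Python triage of an ACS Failed Attempts export that separates PEAP machine logins (sent as host/<fqdn>) from user logins, tallies the failure codes for each, and lists the machine accounts hitting "External DB account restriction" together with the computer account name to check in AD. The CSV column names and the sample rows are constructed for this example and are an assumption about the export layout.

```python
import csv
import io
from collections import Counter

# Constructed sample of an ACS Failed Attempts CSV export; column names are
# an assumption for this example, not a verified ACS 3.3 layout.
SAMPLE_LOG = """Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Authen-Failure-Code,NAS-IP-Address
03/14/2005,09:12:01,Authen failed,host/ws01.corp.example,Default Group,00-11-22-33-44-55,External DB account restriction,10.0.0.5
03/14/2005,09:12:04,Authen failed,CORP\\jsmith,Default Group,00-11-22-33-44-55,CS password invalid,10.0.0.5
03/14/2005,09:15:30,Authen failed,host/ws02.corp.example,Default Group,00-11-22-33-44-66,External DB account restriction,10.0.0.5
03/14/2005,09:16:02,Authen failed,host/ws03.corp.example,Default Group,00-11-22-33-44-77,External DB user invalid or bad password,10.0.0.6
"""

RESTRICTION_CODE = "External DB account restriction"


def is_machine_account(user_name):
    # PEAP machine authentication presents the computer account as host/<fqdn>
    return user_name.lower().startswith("host/")


def ad_sam_account(user_name):
    # The AD computer object's sAMAccountName is the short hostname plus '$'
    fqdn = user_name.split("/", 1)[1]
    return fqdn.split(".")[0].upper() + "$"


def triage(csv_text):
    """Return ({'machine': Counter, 'user': Counter}, [restricted machine rows])."""
    reader = csv.DictReader(io.StringIO(csv_text))
    summary = {"machine": Counter(), "user": Counter()}
    restricted = []
    for row in reader:
        kind = "machine" if is_machine_account(row["User-Name"]) else "user"
        code = row["Authen-Failure-Code"]
        summary[kind][code] += 1
        if kind == "machine" and code == RESTRICTION_CODE:
            # Authentication passed; the external DB refused the logon, so the
            # account itself (lockout, disabled, logon hours) is the next check.
            restricted.append((row["User-Name"], ad_sam_account(row["User-Name"]),
                               row["Caller-ID"], row["NAS-IP-Address"]))
    return summary, restricted


if __name__ == "__main__":
    summary, restricted = triage(SAMPLE_LOG)
    for kind in ("machine", "user"):
        for code, n in summary[kind].most_common():
            print(f"{kind:8} {n:3}  {code}")
    for name, sam, mac, nas in restricted:
        print(f"check AD account {sam} ({name}) from {mac} via NAS {nas}")
```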
