10-08-2014 07:26 AM
I am trying to be able to have a domain based laptop authenticate a user that has never logged into the laptop before. The Windows laptop is in the domain, I have checked the box to enforce machine authentication, but in the logs on the controller I am seeing the MAC address of the machine trying to log into the controller locally.
If I test with an account that has logged into the laptop prior, I am able to associate to the SSID without issue using RADIUS. I am not having a problem with that.
I need to be able to get the machine (the laptop) to associate to the SSID prior to any user logon so as I can then get the user that has never logged in prior to authenticate properly! I have played with the profiles, but either I am missing something or need to change the profile because I can't seem to find the way to "tell" the incoming machine association to use RADIUS.
What have I missed?
10-08-2014 07:40 AM
I have the default RADIUS piece, but have read what you are talking about. So, in other words, if I am reading into what you are saying: If I don't have the policy set up on the NPS server it will default to local on the controller? I guess where I am going with this is, shouldn't I see the machine failing against RADIUS first on NPS and on the controller?
The only error I am seeing is on the controller where it is basically saying <ERRS> |localdb| User a0:88:xx:xx:xx:48 Failed Authentication..
I will go to NPS now and add the policy..
10-08-2014 07:47 AM
Well, maybe looking at the wrong spot on the GUI, but the profile (which includes the user authentication) has the policy to go to RADIUS. In the profiles to use a machine, where and which attribute needs changed?
Basically, I have a profile built that is using RADIUS for the user, I have checked the box to enforce machine authentication, is this not all of it?
10-08-2014 07:50 AM
Can you post your AAA profile?
Also, here's an explanation of how the local-userdb is involved in machine authentication.
10-08-2014 07:55 AM
Here is the profile I have (again the user side is working great) - but that user has had to have logged in wired first...
aaa profile "hir-adauth-profile"
10-08-2014 08:14 AM
Ok - so got an error at least on the RADIUS server, now have to dig to understand why. The PC I am using is in the domain, but the error I am seeing is:
Authentication was not successful because an unknown user name or incorrect password was used.
10-08-2014 09:34 AM
Do you have termination done at the controller or your RADIUS server?
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA