Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Machine Auth via PEAP failing

  • 1.  Machine Auth via PEAP failing

    Posted Feb 08, 2019 11:42 AM

    Hello all, I am looking for some help as we deploy CPPM. We require both a machine and user auth to allow access. I see in the logs in Access Tracker that the machine auths seem to fail at times, but pass at other times. Same machine, same 802.1X supplicant, same supplicant config using PEAP. When the system fails, the logs show a reject due to the outer and inner identities not matching. The outer will contain host/machine.domain.com, the inner will contain host/machine. This is how we have the supplicant set up to behave and it's expected. What we do not expect or understand is why does this fail? Especially since we do see the machine successfully authenticate at other times! Could it be due to the fact the machine auth succeeds and is placed into the 24 hour machine auth cache, and subsequent machine auths from that device are rejected for that reason? I am grasping at straws on that theory but we really would like to find out why the PEAP outer/inner mismatch is causing a problem. Another thought is it could be a configuration item we need to address on the CPPM server config itself. Any thoughts or help would be appreciated. Thank you in advance.

    Jeff 



  • 2.  RE: Machine Auth via PEAP failing

    EMPLOYEE
    Posted Feb 08, 2019 11:58 AM
    If you’re not using anonymous outer identity, both should match exactly. Are you seeing this behavior across all Windows devices in your environment?


  • 3.  RE: Machine Auth via PEAP failing

    Posted Feb 08, 2019 12:23 PM

    Yes, it does appear to be hitting all of the systems we have tested this with. But oddly, we do see machine auth pass at times as well, which I cannot explain. I will switch it to anonymous and try, and if that fails, will set it up to match exactly and see if that resolves.

     

    Thank you,

    Jeff