Microsoft Windows and Machine Authentication – Cisco 3.3 User Manual

Chapter 13 User Databases

Windows User Database

13-20

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Calling-Station-Id value not found in the cache—Cisco Secure ACS
assigns the user to the user group specified by the “Group map for successful
user authentication without machine authentication” list. This can
include the group.

Note

User profile settings always override group profile settings. If a user
profile grants an authorization that is denied by the group specified in
the “Group map for successful user authentication without machine
authentication” list, Cisco Secure ACS grants the authorization.

The MAR feature supports full EAP-TLS and Microsoft PEAP authentication, as
well as resumed sessions for EAP-TLS and Microsoft PEAP and fast
reconnections for Microsoft PEAP.

The MAR feature has the following limitations and requirements:

Machine authentication must be enabled.

Users must authenticate with EAP-TLS or a Microsoft PEAP client. MAR
does not apply to users authenticated by other protocols, such as EAP-FAST,
LEAP, or MS-CHAP.

The AAA client must send a value in the IETF RADIUS Calling-Station-Id
attribute (31).

Cisco Secure ACS does not replicate the cache of Calling-Station-Id attribute
values from successful machine authentications.
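
The behaviour and limitations above, modelled as an added example (this is not Cisco code and does not come from the manual): it shows why a user who fails over to a second Cisco Secure ACS lands in the restricted group, since each server keeps its own Calling-Station-Id cache. The class, function, group and authorization names are hypothetical, the MAC address is constructed, and two behaviours are assumptions: normal group mapping on a cache hit, and a request without attribute 31 being handled as a cache miss.

```python
# Simplified model of the MAR decision; all names are hypothetical, not ACS code.
MAR_PROTOCOLS = {"EAP-TLS", "MS-PEAP"}  # MAR applies only to these user authentications


class AcsServer:
    def __init__(self, name, restricted_group):
        self.name = name
        # Target of "Group map for successful user authentication
        # without machine authentication"
        self.restricted_group = restricted_group
        self.machine_cache = set()  # per-server cache; never replicated to peers

    def machine_auth_ok(self, calling_station_id):
        """Cache the Calling-Station-Id (attribute 31) of a successful machine authentication."""
        if calling_station_id:
            self.machine_cache.add(calling_station_id)

    def user_group(self, protocol, calling_station_id, normal_group):
        """Return the group for a user who has already authenticated successfully."""
        if protocol not in MAR_PROTOCOLS:
            return normal_group  # MAR not applied (EAP-FAST, LEAP, MS-CHAP, ...)
        if calling_station_id in self.machine_cache:
            return normal_group  # assumption: normal mapping on a cache hit
        # Cache miss. Assumption: a request with no attribute 31 is a miss too.
        return self.restricted_group


def is_granted(authorization, user_profile, group_profile):
    """User profile settings override group profile settings."""
    if authorization in user_profile:
        return user_profile[authorization]
    return group_profile.get(authorization, False)


def demo():
    primary = AcsServer("acs-primary", "Restricted")
    secondary = AcsServer("acs-secondary", "Restricted")
    mac = "00-11-22-33-44-55"  # constructed sample value
    primary.machine_auth_ok(mac)  # machine authenticates against the primary only
    return {
        "primary_peap": primary.user_group("MS-PEAP", mac, "Staff"),
        "secondary_peap": secondary.user_group("MS-PEAP", mac, "Staff"),  # failover
        "secondary_leap": secondary.user_group("LEAP", mac, "Staff"),  # MAR skipped
        "no_attr_31": primary.user_group("EAP-TLS", None, "Staff"),
        "override": is_granted("vlan-corp", {"vlan-corp": True}, {"vlan-corp": False}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```
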

Microsoft Windows and Machine Authentication

Cisco Secure ACS supports machine authentication with Active Directory in
Windows 2000. To enable machine authentication support in Windows 2000
Active Directory, you must:

Apply Service Pack 4 to the computer running Active Directory.

Complete the steps in Microsoft Knowledge Base Article 306260: Cannot
Modify Dial-In Permissions for Computers That Use Wireless Networking.