IC 4500 running 3.0R2 (build 13209)
I was wondering if anyone has had success in using Odyssey and machine authentication without a certificate? I'm trying to use EAP-PEAP with the Realm prefilled on the JUAC tab. I have it set to change to user auth once someone logs in. My whole intention for this is so we can RDP to a PC on an 802.1X port.
A policy trace shows (sanitized):
PTR23373 2009/09/15 13:19:19 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers) - User lookup failed to LDAP server Computers LDAP:
Info PTR23334 2009/09/15 13:19:19 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers) - Sign-in rejected using auth server Computers LDAP (LDAP Server). Reason: Failed
Info PTR23337 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers) - Requesting more sign-in prompts as required by auth server "Computers LDAP"
Info PTR23329 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers) - Resuming sign-in process
Info PTR23333 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers) - Sign-in prompt password = "****"
Info PTR23370 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers) - Attempting to authenticate user "PCNAME.DOMAIN.COM" with auth server "Computers LDAP"
I'm at a loss as to whether LDAP (AD) is rejecting the password or if it is a problem of locating the machine account itself. Nothing is logged on the Active Directory side which makes me suspicious it is not finding the account in the AD OU.
Any thoughts appreciated.
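To separate the two possibilities the post raises (account not found versus password rejected), it helps to parse the policy trace mechanically rather than eyeball it. The following is an added example, not code from the original post or from Juniper: a small parser for the trace line format shown above, with the six sanitized lines from the post used as sample input. The message patterns are taken only from those lines; any other message text is classified as "other". The sAMAccountName hint at the end is a heuristic of mine (an AD computer object's sAMAccountName is `NAME$`, not the host FQDN), not something the trace itself states.

```python
import re

# Trace line shape seen in the post:
#   [Info ]PTRnnnnn YYYY/MM/DD HH:MM:SS - [ip] - user(realm) - message
TRACE_RE = re.compile(
    r"^(?:Info\s+)?(?P<id>PTR\d+)\s+"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) - "
    r"\[(?P<ip>[^\]]*)\] - "
    r"(?P<user>[^(]+)\((?P<realm>[^)]*)\) - "
    r"(?P<msg>.*)$"
)

# Message classifiers built from the messages in the post; first match wins.
EVENT_PATTERNS = [
    ("lookup_failed", re.compile(r"User lookup failed to LDAP server (?P<server>.+?):?\s*$")),
    ("rejected", re.compile(r"Sign-in rejected using auth server (?P<server>.+?) "
                            r"\((?P<kind>[^)]*)\)\. Reason: (?P<reason>.+)$")),
    ("reprompt", re.compile(r'Requesting more sign-in prompts as required by auth server "(?P<server>[^"]+)"')),
    ("resume", re.compile(r"Resuming sign-in process")),
    ("password_prompt", re.compile(r"Sign-in prompt password = ")),
    ("auth_attempt", re.compile(r'Attempting to authenticate user "(?P<account>[^"]+)" '
                                r'with auth server "(?P<server>[^"]+)"')),
]

# Constructed sample input: the sanitized trace lines quoted in the post.
SAMPLE_TRACE = [
    "PTR23373 2009/09/15 13:19:19 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers) - User lookup failed to LDAP server Computers LDAP:",
    "Info PTR23334 2009/09/15 13:19:19 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers) - Sign-in rejected using auth server Computers LDAP (LDAP Server). Reason: Failed",
    'Info PTR23337 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers) - Requesting more sign-in prompts as required by auth server "Computers LDAP"',
    "Info PTR23329 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers) - Resuming sign-in process",
    'Info PTR23333 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers) - Sign-in prompt password = "****"',
    'Info PTR23370 2009/09/15 13:19:52 - [0.0.0.0] - PCNAME.DOMAIN.COM(Computers) - Attempting to authenticate user "PCNAME.DOMAIN.COM" with auth server "Computers LDAP"',
]


def parse_line(line):
    """Return a dict of the line's fields plus an 'event' label, or None if unparseable."""
    m = TRACE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["event"] = "other"
    for name, pat in EVENT_PATTERNS:
        em = pat.search(rec["msg"])
        if em:
            rec["event"] = name
            rec.update(em.groupdict())
            break
    return rec


def machine_account_hint(user):
    """Heuristic (mine, not from the trace): AD computer objects have sAMAccountName NAME$."""
    if "." in user and not user.endswith("$"):
        return ("user name is a host FQDN, not a NAME$ sAMAccountName; a lookup keyed on "
                "sAMAccountName will not find the computer object")
    return None


def diagnose(lines):
    """Group records per (user, realm) and say where the sign-in broke."""
    by_subject = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_subject.setdefault((rec["user"], rec["realm"]), []).append(rec)

    report = {}
    for (user, realm), recs in by_subject.items():
        events = [r["event"] for r in recs]
        if "lookup_failed" in events:
            # The directory never returned an account, so no password was checked.
            server = next(r["server"] for r in recs if r["event"] == "lookup_failed")
            verdict = f"account lookup failed on '{server}' before any credential was checked"
        elif "rejected" in events:
            r = next(r for r in recs if r["event"] == "rejected")
            verdict = f"credentials rejected by '{r['server']}' (reason: {r['reason']})"
        else:
            verdict = "no failure recorded"
        report[(user, realm)] = {
            "events": events,
            "verdict": verdict,
            # A re-prompt followed by a fresh attempt means the IC asked again, not that it succeeded.
            "retried": "reprompt" in events and "auth_attempt" in events,
            "hint": machine_account_hint(user),
        }
    return report


if __name__ == "__main__":
    for subject, result in diagnose(SAMPLE_TRACE).items():
        print(subject, result["verdict"], "| retried:", result["retried"])
        if result["hint"]:
            print("  hint:", result["hint"])
```

Run against the post's lines, the verdict is a lookup failure on "Computers LDAP" followed by a retry; the "Attempting to authenticate" line is the IC re-prompting, not evidence that the password reached the directory, which matches the poster's suspicion that nothing was ever logged on the AD side.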
We are also in a position here where we want to use machine accounts on the OAC client to get some connectivity to the machine using dot1x before a user logs in, and are having some issues getting this to work.
We would be greatly interested to hear of anyone getting this to work and also what settings managed to achieve your required goal. So far we have not got the errors you see, but it's still early for us and I suspect we will be posting more info including logs shortly.
Any light that can be shed on this would be greatly appreciated.
I am really sorry about the delay in this.
We did manage to get it resolved using the means you mentioned, and it did indeed require a call to JTAC to confirm the machine auth stuff. Like you, the JTAC guy was very knowledgeable too; may be the same one, hehe.
We then hit other issues on this install, namely down to Cisco switches, dot1x and the return attributes needed.
Does seem that there is a lack of example docs for this particular product. The docs are good and do indeed have all the info we need, but it's not obvious nor is it easy to find. I suspect that this will get corrected in time as the product gets used a lot more, but it was rather disappointing and frustrating when we could not get decent detailed info on this.
Still a great product though.
Sounds like we've encountered a similar adventure. We're using Cisco 3560 switches and Avaya IP phones and getting all the pieces to play nicely took some time. We ended up using MAB for the phones since our Telecom folks have no interest in putting credentials into all of the phones. So now we have PCs doing machine and user auth connecting through the port on the Avaya phones which in turn connects to Cisco switches.
Indeed it was Cisco switches but Siemens phones.
Similar MAC auth (using wildcards) and much wailing and gnashing of teeth to find out that the Cisco needed to have the voice VLAN attribute passed to it when we enabled dot1x (when it quite happily functioned fine without it when dot1x was disabled).
All in all, a very interesting deployment, but I would rather have been able to rely on example docs than go through the school of hardship, hehe.
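The "voice VLAN attribute" the two posters had to return to their Cisco switches is worth seeing at the byte level, because a packet capture of the Access-Accept is the quickest way to confirm the IC is actually sending it. The block below is an added example, not code from the thread or from Juniper or Cisco; it assumes the attribute in question is the Cisco-AVPair `device-traffic-class=voice` (the value Cisco switches use to authorize a device onto the voice VLAN under 802.1X/MAB) carried in a Vendor-Specific attribute with Cisco's vendor ID 9, alongside the RFC 2868 tunnel attributes that assign a data VLAN. It builds both and parses them back so a captured attribute list can be checked the same way.

```python
import struct

VENDOR_SPECIFIC = 26           # RFC 2865 attribute type
TUNNEL_TYPE = 64               # RFC 2868
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
CISCO_VENDOR_ID = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1               # vendor type of Cisco-AVPair
VOICE_AVPAIR = "device-traffic-class=voice"   # assumed: what the phone port needs


def attr(atype, value):
    """One RADIUS attribute: type, length (including this 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping a Cisco-AVPair (vendor 9, vendor-type 1)."""
    data = text.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def data_vlan(vlan_id):
    """The three RFC 2868 attributes that put a port into a VLAN (tag byte 0 = untagged)."""
    return (
        attr(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big"))          # 13 = VLAN
        + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big"))  # 6 = IEEE 802
        + attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode("ascii"))
    )


def parse_attrs(blob):
    """Walk a flat attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out


def cisco_avpairs(blob):
    """Return every Cisco-AVPair string found in the attribute list."""
    pairs = []
    for atype, value in parse_attrs(blob):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != CISCO_VENDOR_ID:
            continue
        for vtype, vvalue in parse_attrs(value[4:]):   # Cisco uses the RFC 2865 sub-attribute layout
            if vtype == CISCO_AVPAIR:
                pairs.append(vvalue.decode("ascii", "replace"))
    return pairs


def grants_voice_domain(blob):
    """True if the Access-Accept attributes authorize the device onto the voice VLAN."""
    return VOICE_AVPAIR in cisco_avpairs(blob)


if __name__ == "__main__":
    # Constructed examples: what a phone's and a PC's Access-Accept attribute lists would carry.
    phone_accept = cisco_avpair(VOICE_AVPAIR) + data_vlan(20)
    pc_accept = data_vlan(10)
    print("phone voice domain:", grants_voice_domain(phone_accept))
    print("pc voice domain:", grants_voice_domain(pc_accept))
    print("pc attrs:", parse_attrs(pc_accept))
```

When checking a capture, feed the attribute bytes after the 20-byte RADIUS header into `parse_attrs`; if `grants_voice_domain` is false for the phone's MAB Access-Accept, the switch will keep the phone in the data domain exactly as described above.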
I had to find that too. In case anyone else reads this:
Yup, thats it. You beat me to it.
I was looking for the details but you are obviously quicker.
So if you are trying to use machine auth with machine credentials then you can't use an LDAP realm.
You must use an AD auth server. If your AD server is 2008 then you should check out the following KB:
I've just come across this thread while doing some searching, and it's exactly what I'd like to do with our network also ... so I'm really happy to see that it's possible!
I just have a few questions though:
1. When you say that the authentication server must be AD and not LDAP, do you mean that a domain controller must authenticate the computer directly? Or can the computer authenticate against a Juniper UAC product (IC4000 in our case probably) which then passes the credentials to AD?
2. Can all of this be done over EAP without an IP address? Or does the machine require an IP address in order to do the computer authentication?
3. If it can be done without an IP address, can the machine do normal AD-based "tasks" after it has successfully authenticated (and gotten an IP address), such as apply GPO etc.?
4. I think the answer to this is yes (based on what I've read above) but is it also possible to authenticate the user after the computer has been authenticated ?
Sorry, I realize this isn't my thread, but as it's related so closely to what I'm trying to do, I thought I'd reply here