Cisco 3.3 User Manual

Page 513

Advertising
background image

13-29

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 13 User Databases

Windows User Database

EAP-TLS and PEAP machine authentication name prefix—This box
defines the string of characters that Cisco Secure ACS adds to the beginning
of any machine name being authenticated. By default, the end-user client
prefixes machine names with “host/”. If any text is present in the PEAP
machine authentication name prefix box, Cisco Secure ACS prefixes the
machine name with this instead.

Note

If you configure the EAP-TLS and PEAP machine authentication
name prefix box with a string other than “host/”, authentication may
fail.

Enable machine access restrictions—If you enable PEAP or EAP-TLS
machine authentication, the “Enable machine access restrictions” check box
controls whether Cisco Secure ACS restricts network access of users who
access the network with computer that fail machine authentication. For more
information about the MAR feature, see

Machine Access Restrictions,

page 13-19

.

Note

Be sure you have enabled the types of machine authentication that
your Windows computers are configured to use—either PEAP
machine authentication or EAP-TLS authentication, or both. If the
MAR feature is enabled but Cisco Secure ACS does not perform
machine authentication for a computer, EAP-TLS and Microsoft
PEAP users accessing the network with that computer will be
assigned to the group specified in the “Group map for successful user
authentication without machine authentication” list.

Tip

To enable machine access restrictions, you must specify a number greater than
zero in the Aging time (hours) box.

Aging time (hours)—This box specifies the number of hours that
Cisco Secure ACS caches IETF RADIUS Calling-Station-Id attribute values
from successful machine authentications, for use with the MAR feature. The
default value is zero hours, which means that Cisco Secure ACS does not
cache Calling-Station-Id values.

Advertising