Network access clients:
Microsoft supplicant:
Machine Authentication
ACS supports the authentication of computers that are running a
Microsoft Windows operating system with support for EAP computer
authentication, such as Windows XP with Service Pack 1. Machine
authentication, also called computer authentication, allows network
services only for computers known to Active Directory. This feature is
especially useful for wireless networks, where unauthorized users
outside the physical premises of your workplace can still reach your
wireless access points.
When machine authentication is enabled, three distinct authentications
take place. When a computer starts, they occur in this order:
• Machine authentication—ACS
authenticates the computer prior to user authentication. ACS checks the
credentials that the computer provides against the Windows user
database. If you use Active Directory and the matching computer account
in Active Directory has the same credentials, the computer gains access
to Windows domain services.
• User domain authentication—If
machine authentication succeeded, the Windows domain authenticates the
user. If machine authentication failed, the computer does not have
access to Windows domain services and the user credentials are
authenticated by using cached credentials that the local operating
system retains. In this case, the user can log in to only the local
system. When a user is authenticated by cached credentials instead of
the domain, the computer does not enforce domain policies, such as
running login scripts that the domain dictates.
Tip: If a computer fails machine authentication and the user has not
successfully logged in to the domain from that computer since the most
recent change of the user's password, the cached credentials on the
computer will not match the new password. They will instead match an
older password of the user, provided that the user once logged in to
the domain successfully from this computer.
• User network authentication—ACS
authenticates the user, allowing the user to have network connectivity.
If a user profile exists, the user is authenticated against the user
database specified in that profile. Although that database is not
required to be the Windows user database, most Microsoft clients can be
configured to perform network authentication automatically with the
same credentials used for user domain authentication, which provides
single sign-on.
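The three-stage sequence above, including the cached-credential fallback from the Tip, as a constructed Python model. This is an added example, not Cisco ACS or Windows code: the domain, the database ACS consults for user network authentication, and the endpoint's cached-credential store are plain Python objects, and the computer name, user name, passwords and SHA-256 "digest" are all assumptions made so the ordering and fallback rules can be exercised offline.

```python
"""Constructed model of machine auth -> user domain auth -> user network auth.

Added example, not Cisco ACS or Windows code. Names, passwords and the
digest function are assumptions; the point is the ordering and the
fallback to cached credentials when machine authentication fails.
"""
from dataclasses import dataclass, field
from typing import Optional
import hashlib


def digest(secret: str) -> str:
    """Stand-in credential verifier so the model never compares plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Domain:
    """Active Directory: computer accounts and user accounts (name -> digest)."""
    computers: dict
    users: dict


@dataclass
class Endpoint:
    """A Windows client. `cached` holds, per user, the digest of the password
    used for the last *successful domain* logon on this machine (the Tip)."""
    name: str
    machine_secret: str
    cached: dict = field(default_factory=dict)


@dataclass
class LogonResult:
    machine_auth: bool
    domain_logon: bool      # user authenticated by the domain
    cached_logon: bool      # user authenticated from the local cache only
    domain_policies: bool   # login scripts and other domain policy enforced
    network_access: bool    # ACS user network authentication passed


def machine_auth(domain: Domain, ep: Endpoint) -> bool:
    """Stage 1: ACS checks the computer's credentials against the Windows DB."""
    return domain.computers.get(ep.name) == digest(ep.machine_secret)


def logon(domain: Domain, ep: Endpoint, user: str, password: str,
          user_db: Optional[dict] = None) -> LogonResult:
    """Stages 1-3 in the order the text gives. `user_db` is the database ACS
    uses for user network authentication; by default it is the Windows user
    database and the same credentials are reused (single sign-on)."""
    m_ok = machine_auth(domain, ep)
    attempt = digest(password)

    if m_ok:
        # Stage 2a: the domain authenticates the user; success refreshes the cache.
        d_ok = domain.users.get(user) == attempt
        if d_ok:
            ep.cached[user] = attempt
        c_ok = False
    else:
        # Stage 2b: no domain services; only the locally cached credential
        # (possibly an older password, per the Tip) can admit the user.
        d_ok = False
        c_ok = ep.cached.get(user) == attempt

    if not (d_ok or c_ok):
        return LogonResult(m_ok, False, False, False, False)

    # Stage 3: ACS authenticates the user for network access with the
    # credentials just presented (SSO). A cached logon with a stale password
    # therefore fails here even though the local logon succeeded.
    db = domain.users if user_db is None else user_db
    n_ok = db.get(user) == attempt
    return LogonResult(m_ok, d_ok, c_ok, d_ok, n_ok)


def scenario():
    """Walk the text's cases: healthy logon, then the Tip's stale cache."""
    domain = Domain(computers={"PC01": digest("m-secret")},   # constructed data
                    users={"alice": digest("Spring2008")})
    pc = Endpoint("PC01", "m-secret")

    ok = logon(domain, pc, "alice", "Spring2008")         # all three stages pass

    del domain.computers["PC01"]                           # computer account gone
    cached = logon(domain, pc, "alice", "Spring2008")     # local-only logon

    domain.users["alice"] = digest("Summer2008")          # password changed elsewhere
    stale_old = logon(domain, pc, "alice", "Spring2008")  # cache matches old pw
    stale_new = logon(domain, pc, "alice", "Summer2008")  # cache does not match
    return ok, cached, stale_old, stale_new


if __name__ == "__main__":
    for label, r in zip(("ok", "cached", "stale_old", "stale_new"), scenario()):
        print(f"{label:10} {r}")
```

The `stale_old` case is the one the Tip warns about: the user gets onto the local system with the previous password because that is what the cache holds, but the same credentials are then rejected by ACS for network access, and no domain policy is applied.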
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354014