PEAP machine authentication

Unanswered Question
Apr 1st, 2007

I'm trying to use PEAP machine authentication from a WinXP SP2 client to ACS 4.0 using WIRED 802.1x.

PEAP user authentication works just fine: the LAN connection comes up fine, I enter the user credentials and the connection comes up. However, when I restart the machine, I can't log in with an uncached user account because it says it can't contact a domain controller. This makes me believe that computer authentication isn't working. I'm not sure if you should see the computer authentication in ACS reports and activity, and if so I'm not.

Here's a brief summary of my config.

Winxp

-checked PEAP authentication and "authentication as computer when computer information is available"

-did not check any advanced settings in the PEAP properties (validate server certificate, etc...)

ACS

-installed ACS self certificate

-configured "enable PEAP machine authent" under Machine Authentication in the External User Database for windows databases.

Not that you should have to with PEAP (non-TLS), but I installed the ACS self certificate on the client.

I found this Microsoft article but I don't know if it pertains to machine authentication. I was wondering if someone could confirm this was my problem.

http://support.microsoft.com/kb/885453

Vivek Santuka Mon, 04/02/2007 - 06:29

Hi,

Machine authentication will be seen on the failed/passed reports.

KB 885453 will apply to machine auth also. It's worth having the fix.

Regards,

Vivek

magurwara Mon, 04/02/2007 - 08:52

1. If you have "validate server certificate" under the advanced tab (it is checked by default) then you need to have a mechanism to validate the certificate. Since you have installed the certificate on the client, that should work fine.

2. Machine authentication takes place even if the user is not logged on, so as Vivek mentioned, you should see the machine authentication attempts under ACS passed/failed authentications regardless of user logon that follows. I presume you have turned on passed authentication logging as it is not turned on by default.

3. By the way, when you turn on machine authentication, on some XP SP2 versions, if machine authentication is successful, user authentication does not take place. You will need registry editing to make sure that both machine and users are required to authenticate.

4. Make sure you have PEAP configured in ACS for both user and machine authentication. ACS requires that user and machine authentication use the same protocol.

tsmarcyes Mon, 04/02/2007 - 09:14

I don't have "validate server certificate" enabled.

I'm not seeing any failed attempts for the machine.

I'm having kind of the opposite problem. User authentication is working fine, machine is not.

I have PEAP enabled for both user and machine authentication in ACS.

Is there any way to force the machine to try to authenticate with machine authentication? In other words, I'm just assuming that machine authentication is not working because I can't log into the domain as an uncached user, meaning that it's not able to contact the domain controller because the connection is not up. Or is there any way to troubleshoot machine authentication? I've looked in the event viewer but don't see anything. Is there any way to see if the machine is even "TRYING" machine authentication? I mean the checkbox is checked but it's not showing up in failed authents. in ACS.

With regard to what Vivek said, do any of y'all have the hotfix for this issue or know where I can get this without having to call Microsoft? I don't know if you read the article or not, but it says you have to pay to call Microsoft and they "MIGHT" reimburse you if this is the issue.

Also, with this known Microsoft issue, does anyone know if this is all computer NICs that the PEAP error is on or just some NICs?

Thanks

tsmarcyes Mon, 04/02/2007 - 16:29

Unfortunately, the registry settings didn't help. (I assume you meant the Auth registry key and the SupplicantMode registry key.) First of all, those keys weren't even there and I had to create them. Second, when I did use them, it seemed to mess with user authentication and still no machine authentication.

Like I said before, it doesn't even seem like the XP machine is even trying machine authentication. I debug aaa, dot1x, and radius messages and NOTHING comes up on my switch when I log off or restart my machine, which should be the time that machine authentication takes place. Also, ACS shows nothing in failed or passed, but user authen shows up in the logs just fine.

magurwara Mon, 04/02/2007 - 23:49

Can you check the following:

1. Do you have autologon configured on your Windows desktop?

2. What are the current settings on the registry keys "AuthMode" and "SupplicantMode"?

3. What is your unknown user policy?

4. You have static users configured in ACS or you are authenticating against Windows AD?

5. Do you have MAC Authentication Bypass configured on your switch?

tsmarcyes Tue, 04/03/2007 - 04:48

1. No, don't have autologon

2. Auth - 1 Supp - 2

3. Use windows database

4. Both

5. No

Do I need to change one of these?

tsmarcyes Tue, 04/03/2007 - 04:50

On MAC authentication bypass, I don't have port security so that shouldn't matter, correct?

magurwara Tue, 04/03/2007 - 08:55

You should set the following combination:

AuthMode = 1

SupplicantMode = 3

Currently you have SupplicantMode = 2 which leaves it to the machine to determine when to send the EAPOL start message. Setting it to 3 ensures that each time the machine associates it sends an EAPOL start message to initiate the 802.1x authentication process.

tsmarcyes Tue, 04/03/2007 - 12:27

It sends EAP on association, so I'm assuming on a WIRED connection, that it will send EAP on whether it detects the port of the switch?

magurwara Tue, 04/03/2007 - 17:33

Yes that is correct. Anytime the 802.1x process is triggered it will send the EAP.

With SupplicantMode set to 2 it is possible that when the machine boots, the network drivers are not ready on the machine when the switch is trying to initiate EAPoL, so the machine might not respond to it. This could be happening in your case as well.

Have you tried with SupplicantMode=3 yet?

tsmarcyes Wed, 04/04/2007 - 05:00

Tried all combinations and computer auth. still not working.

magurwara Thu, 04/05/2007 - 00:11

1. Your Second Phase EAP Type in XP is set to Generic Token Card. Please brief me on what token system you are using.

1.a Also need ACS screenshot for Windows Database configuration and Token Card server configuration in ACS.

2. Under Windows EAP settings in ACS, I would leave Machine Access Restrictions unchecked until everything is working.

3. XP registry settings look ok.

4. You are not using XP's native client? What are you using?

tsmarcyes Thu, 04/05/2007 - 04:48

1. In the second phase of the EAP type, you can't set it on anything else other than GTC. However, if you click on the advanced properties of GTC, it says either use static password 2000, XP, etc. or use a token, and you specify the token. So, I'm not quite sure about that; however I have another client whose NIC actually looks a little bit different and you can specify PEAP MSCHAP-2 and I still have the same problem.

2. I read somewhere that supposedly if you wanted to do machine auth and user, you needed this. Highly skeptical, but I've tried both ways, on or off.

4. Not sure on your question, what do you mean I'm not using XP's native client? I haven't changed anything on the XP machine.

magurwara Tue, 04/10/2007 - 17:16

1./4. Windows XP (SP2) does not support EAP GTC protocol so the presence of that option implies you have something else installed as well.

2. Machine access restrictions are used if you want to restrict/differentiate users who authenticate successfully but their machines do not authenticate successfully. Otherwise you can do machine and user authentications independently of this setting.

Have you added the command "aaa authorization network default group radius" to your router configuration?

Also, is your ACS actually listening on ports 1812 and 1813? By default when you don't specify a port in the radius-server command, it picks up ports 1645 and 1646.

I think you mentioned this earlier, but does anything show up on the router when you use the "debug radius" command on the router?
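The switch-side lines the reply above asks about, collected into one IOS configuration sketch for the access switch. This is an added example for this thread, not taken from the original posts or from Cisco documentation; ACS_IP, SHARED_SECRET and the interface name are placeholders.

```cisco
! Added example, not from the original thread. Placeholders: ACS_IP, SHARED_SECRET, FastEthernet0/1.
aaa new-model
! Authenticate 802.1x supplicants (machine and user) against the RADIUS group
aaa authentication dot1x default group radius
! Lets ACS push per-session authorization attributes (e.g. a VLAN) to the port
aaa authorization network default group radius
! Start/stop records populate the RADIUS accounting report in ACS
aaa accounting dot1x default start-stop group radius
!
! Weak form (ports implicit): IOS falls back to 1645/1646 when none are given
! radius-server host ACS_IP key SHARED_SECRET
!
! Corrected form: state the ports the ACS server is actually listening on
radius-server host ACS_IP auth-port 1812 acct-port 1813 key SHARED_SECRET
!
! Enable 802.1x globally, then on the client-facing port
dot1x system-auth-control
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 ! Optional: shorten the EAP-Request/Identity retry interval (default 30 s) so a
 ! supplicant whose drivers were not yet up at link time is re-polled sooner
 dot1x timeout tx-period 10
```

With this in place, "debug radius" on the switch should show Access-Request packets leaving for ACS_IP on UDP 1812 whenever the port is authenticated, which is the quickest way to tell a supplicant that never starts from a RADIUS exchange that fails.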
