04-01-2007 05:18 PM - edited 03-10-2019 03:04 PM
I'm trying to use PEAP machine authentication from a WinXP SP2 client to ACS 4.0 using WIRED 802.1X.
PEAP user authentication works just fine: the LAN connection comes up, I enter the user credentials and the connection comes up. However, when I restart the machine, I can't log in with an uncached user account because it says it can't contact a domain controller. This makes me believe that computer authentication isn't working. I'm not sure if you should see the computer authentication in ACS Reports and Activity, and if so, I'm not.
Here's a brief summary of my config.
Winxp
-checked PEAP authentication and "authenticate as computer when computer information is available"
-did not check any advanced settings in the PEAP properties (validate server certificate, etc...)
ACS
-installed ACS self certificate
-configured "enable PEAP machine authent" under Machine Authentication in the External User Database for windows databases.
Not that you should have to with PEAP (non-TLS), but I installed the ACS self certificate on the client.
I found this Microsoft article but I don't know if it pertains to machine authentication. I was wondering if someone could confirm this was my problem.
04-02-2007 06:29 AM
Hi,
Machine authentication will be seen on the failed/passed reports.
KB 885453 will apply to machine auth also. It's worth having the fix.
Regards,
Vivek
04-02-2007 08:52 AM
1. If you have "validate server certificate" under the advanced tab (it is checked by default) then you need to have mechanism to validate the certificate. Since you have installed the certificate on the client, that should work fine.
2. Machine authentication takes place even if the user is not logged on, so as Vivek mentioned, you should see the machine authentication attempts under ACS passed/failed authentications regardless of user logon that follows. I presume you have turned on passed authentication logging as it is not turned on by default.
3. By the way, when you turn on machine authentication, on some XP SP2 versions, if machine authentication is successful, user authentication does not take place. You will need registry editing to make sure that both machine and users are required to authenticate.
4. Make sure you have PEAP configured in ACS for both user and machine authentication. ACS requires that user and machine authentication use the same protocol.
04-02-2007 09:14 AM
I don't have "validate server certificate" enabled.
I'm not seeing any failed attempts for the machine.
I'm having kind of the opposite problem. User authentication is working fine, machine is not.
I have PEAP enabled for both user and machine authentication in ACS.
Is there any way to force the machine to try to authenticate with machine authentication? In other words, I'm just assuming that machine authentication is not working because I can't log into the domain as an uncached user, meaning that it's not able to contact the domain controller because the connection is not up. Or is there any way to troubleshoot machine authentication? I've looked in the event viewer but don't see anything. Is there any way to see if the machine is even "TRYING" machine authentication? I mean the checkbox is checked but it's not showing up in failed authentications in ACS.
With regard to what Vivek said, do any of y'all have the hotfix for this issue, or know where I can get this without having to call Microsoft? I don't know if you read the article or not, but it says you have to pay to call Microsoft and they "MIGHT" reimburse you if this is the issue.
Also, with this known Microsoft issue, does anyone know if this is all computer NICs that the PEAP error is on, or just some NICs?
Thanks
04-02-2007 09:27 AM
Hi,
My bad, you need the registry changes described in the following link:
Let me know if this helps.
Regards,
Vivek
04-02-2007 04:29 PM
Unfortunately, the registry settings didn't help. (I assume you meant the AuthMode registry key and the SupplicantMode registry key.) First of all, those keys weren't even there and I had to create them. Second, when I did use them, it seemed to mess with user authentication, and still no machine authentication.
Like I said before, it doesn't even seem like the XP machine is even trying machine authentication. I debugged aaa, dot1x and radius messages and NOTHING comes up on my switch when I log off or restart my machine, which should be the time that machine authentication takes place. Also, ACS shows nothing in failed or passed, but user authentication shows up in the logs just fine.
04-02-2007 11:49 PM
Can you check the following:
1. Do you have autologon configured on your Windows desktop?
2. What are the current settings on the registry keys "AuthMode" and "SupplicantMode"?
3. What is your unknown user policy?
4. Do you have static users configured in ACS, or are you authenticating against Windows AD?
5. Do you have MAC Authentication Bypass configured on your switch?
04-03-2007 04:48 AM
1. No, I don't have autologon.
2. AuthMode = 1, SupplicantMode = 2
3. Use windows database
4. Both
5. No
Do I need to change one of these?
04-03-2007 04:50 AM
On MAC authentication bypass, I don't have port security, so that shouldn't matter, correct?
04-03-2007 08:55 AM
You should set the following combination:
AuthMode = 1
SupplicantMode = 3
Currently you have SupplicantMode = 2 which leaves it to the machine to determine when to send the EAPOL start message. Setting it to 3 ensures that each time the machine associates it sends an EAPOL start message to initiate the 802.1x authentication process.
04-03-2007 12:27 PM
It sends EAP on association, so I'm assuming that on a WIRED connection it will send EAP when it detects the port of the switch?
04-03-2007 05:33 PM
Yes that is correct. Anytime the 802.1x process is triggered it will send the EAP.
With SupplicantMode set to 2 it is possible that when the machine boots, the network drivers are not ready on the machine when the switch is trying to initiate EAPoL, so the machine might not respond to it. This could be happening in your case as well.
Have you tried with SupplicantMode=3 yet?
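The AuthMode = 1 / SupplicantMode = 3 combination recommended above, as an added example that is not part of the thread: a PowerShell check that reports whether the two values are present and match, and with -Apply creates the key and writes them (the original poster noted the values were missing and had to be created). It assumes the DWORD values live under HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global, a path the thread does not state.

```powershell
# Added example, not from the thread: verify (and optionally set) the XP SP2
# wired 802.1X supplicant values discussed above, AuthMode=1 / SupplicantMode=3.
# Assumption: the DWORD values sit under the EAPOL "Global" parameters key;
# the thread names the values but not their key path.
param([switch]$Apply)

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$Wanted  = @{ AuthMode = 1; SupplicantMode = 3 }

function Get-SupplicantValue {
    param([string]$Name)
    # Returns $null when the key or the value is absent (the poster's situation).
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-SupplicantConfig {
    # Lists every value that is missing or differs from the recommended setting.
    $problems = @()
    foreach ($name in $Wanted.Keys) {
        $current = Get-SupplicantValue -Name $name
        if ($null -eq $current) {
            $problems += "$name is not set (expected $($Wanted[$name]))"
        } elseif ($current -ne $Wanted[$name]) {
            $problems += "$name = $current (expected $($Wanted[$name]))"
        }
    }
    return $problems
}

$problems = @(Test-SupplicantConfig)
if ($problems.Count -eq 0) {
    Write-Output 'AuthMode/SupplicantMode already match the recommended combination.'
} elseif (-not $Apply) {
    $problems | ForEach-Object { Write-Output "MISMATCH: $_" }
    Write-Output 'Re-run with -Apply to write AuthMode=1 and SupplicantMode=3.'
} else {
    # Create the key if it does not exist, then write both DWORDs.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($name in $Wanted.Keys) {
        Set-ItemProperty -Path $KeyPath -Name $name -Value $Wanted[$name] -Type DWord
    }
    Write-Output 'Values written; restart the machine so the supplicant rereads them.'
}
```

Run it from an administrative prompt; without -Apply it only reads, so it is safe to use first to confirm what the supplicant is actually configured with before changing anything.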
04-04-2007 05:00 AM
Tried all combinations and computer auth. is still not working.
04-04-2007 09:14 AM
If possible, please attach your switch configuration.
04-04-2007 03:21 PM