PEAP machine authentication

tsmarcyes
Level 1

I'm trying to use PEAP machine authentication from a WinXP SP2 client to ACS 4.0 using wired 802.1x.

PEAP user authentication works just fine: the LAN connection comes up, I enter the user credentials, and the connection comes up. However, when I restart the machine, I can't log in with an uncached user account because it says it can't contact a domain controller. This makes me believe that computer authentication isn't working. I'm not sure if you should see the computer authentication in ACS Reports and Activity, and if so, I'm not seeing it.

Here's a brief summary of my config.

Winxp

-checked PEAP authentication and "Authenticate as computer when computer information is available"

-did not check any advanced settings in the PEAP properties (validate server certificate, etc.)

ACS

-installed the ACS self-signed certificate

-configured "Enable PEAP machine authentication" under Machine Authentication in the External User Database for Windows databases.

Not that you should have to with PEAP (non-TLS), but I installed the ACS self-signed certificate on the client.

I found this Microsoft article, but I don't know if it pertains to machine authentication. I was wondering if someone could confirm this was my problem.

http://support.microsoft.com/kb/885453

17 Replies

Vivek Santuka
Cisco Employee

Hi,

Machine authentication will be seen on the failed/passed reports.

KB 885453 will apply to machine auth also. It's worth having the fix.

Regards,

Vivek

magurwara
Level 1

1. If you have "validate server certificate" under the advanced tab (it is checked by default), then you need to have a mechanism to validate the certificate. Since you have installed the certificate on the client, that should work fine.

2. Machine authentication takes place even if the user is not logged on, so as Vivek mentioned, you should see the machine authentication attempts under ACS passed/failed authentications regardless of user logon that follows. I presume you have turned on passed authentication logging as it is not turned on by default.

3. By the way, when you turn on machine authentication, on some XP SP2 versions, if machine authentication is successful, user authentication does not take place. You will need registry editing to make sure that both machine and user are required to authenticate.

4. Make sure you have PEAP configured in ACS for both user and machine authentication. ACS requires that user and machine authentication use the same protocol.
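Points 2 and 3 above turn on the question of whether the machine ever shows up in the ACS passed/failed reports. The following PowerShell is an added example, not code from this thread or from Cisco: it splits an ACS 4.x authentications CSV export into machine and user entries. A Windows machine account authenticates with the identity host/<computer FQDN>, so that prefix on User-Name is the marker, and a client MAC (Caller-ID) that appears only under user authentications never attempted machine authentication at all. The CSV text is constructed for the example; real exports carry more columns, but the User-Name and Caller-ID column names are assumed to match.

```powershell
# Added example: classify ACS passed/failed authentication rows as machine or user.
# Sample data is constructed; column names User-Name and Caller-ID are an assumption
# about the ACS 4.x CSV export and should be checked against a real file.
$sampleCsv = @'
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,NAS-IP-Address
05/10/2007,08:01:12,Authen OK,host/xpclient01.example.local,Default Group,00-11-22-33-44-55,10.0.0.2
05/10/2007,08:02:40,Authen OK,EXAMPLE\jdoe,Default Group,00-11-22-33-44-55,10.0.0.2
05/10/2007,08:15:03,Authen OK,EXAMPLE\asmith,Default Group,00-11-22-33-44-66,10.0.0.2
'@

function Split-AcsAuthentications {
    param([string]$CsvPath)
    $rows = Import-Csv -Path $CsvPath

    # Machine accounts present "host/<FQDN>"; everything else is a user identity.
    $machine = @($rows | Where-Object { $_.'User-Name' -like 'host/*' })
    $user    = @($rows | Where-Object { $_.'User-Name' -notlike 'host/*' })

    # MACs that authenticated as a user but never as a machine: these clients
    # are not even attempting machine authentication (the symptom in this thread).
    $machineMacs  = @($machine | ForEach-Object { $_.'Caller-ID' })
    $userOnlyMacs = @($user | ForEach-Object { $_.'Caller-ID' } | Sort-Object -Unique |
                      Where-Object { $machineMacs -notcontains $_ })

    New-Object PSObject -Property @{
        MachineAuths = $machine
        UserAuths    = $user
        UserOnlyMacs = $userOnlyMacs
    }
}

# Write the constructed sample to a temp file so Import-Csv sees a real export.
$csvFile = Join-Path $env:TEMP 'acs-auth-sample.csv'
Set-Content -Path $csvFile -Value $sampleCsv
$result = Split-AcsAuthentications -CsvPath $csvFile

"Machine authentications: {0}" -f $result.MachineAuths.Count
$result.MachineAuths | Format-Table Date, Time, 'User-Name', 'Caller-ID' -AutoSize
"User authentications: {0}" -f $result.UserAuths.Count
"MACs with user auth but no machine auth:"
$result.UserOnlyMacs
```

With the sample above, the report shows one machine authentication (xpclient01 at 00-11-22-33-44-55) and flags 00-11-22-33-44-66 as a client that only ever authenticated as a user. Run it against the Passed Authentications export first and the Failed Attempts export second; a machine that appears in neither is not sending EAPOL at all, which points at the supplicant rather than at ACS.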

I don't have "validate server certificate" enabled.

I'm not seeing any failed attempts for the machine.

I'm having kind of the opposite problem. User authentication is working fine; machine is not.

I have PEAP enabled for both user and machine authentication in ACS.

Is there any way to force the machine to try to authenticate with machine authentication? In other words, I'm just assuming that machine authentication is not working because I can't log into the domain as an uncached user, meaning that it's not able to contact the domain controller because the connection is not up. Or is there any way to troubleshoot machine authentication? I've looked in the Event Viewer but don't see anything. Is there any way to see if the machine is even "TRYING" machine authentication? I mean the checkbox is checked, but it's not showing up in failed authentications in ACS.

With regard to what Vivek said, do any of y'all have the hotfix for this issue or know where I can get this without having to call Microsoft? I don't know if you read the article or not, but it says you have to pay to call Microsoft and they "MIGHT" reimburse you if this is the issue.

Also, with this known Microsoft issue, does anyone know if the PEAP error is on all computer NICs or just some NICs?

Thanks

Hi,

My bad, you need the registry changes described in the following link:

http://technet2.microsoft.com/WindowsServer/en/library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true

Let me know if this helps.

Regards,

Vivek

Unfortunately, the registry settings didn't help. (I assume you meant the AuthMode registry key and the SupplicantMode registry key.) First of all, those keys weren't even there and I had to create them. Second, when I did use them, it seemed to mess with user authentication, and still no machine authentication.

Like I said before, it doesn't even seem like the XP machine is even trying machine authentication. I debug aaa, dot1x, and radius messages and NOTHING comes up on my switch when I log off or restart my machine, which should be the time that machine authentication takes place. Also, ACS shows nothing in failed or passed, but user authentication shows up in the logs just fine.

Can you check the following:

1. Do you have autologon configured on your Windows desktop?

2. What are the current settings on the registry keys "AuthMode" and "SupplicantMode"?

3. What is your unknown user policy?

4. You have static users configured in ACS or you are authenticating against Windows AD?

5. Do you have MAC Authentication Bypass configured on your switch?

1. No, dont have autologon

2. AuthMode = 1, SupplicantMode = 2

3. Use windows database

4. Both

5. No

Do I need to change one of these?

On MAC authentication bypass, I don't have port security, so that shouldn't matter, correct?

You should set the following combination:

AuthMode = 1

SupplicantMode = 3

Currently you have SupplicantMode = 2, which leaves it to the machine to determine when to send the EAPOL-Start message. Setting it to 3 ensures that each time the machine associates it sends an EAPOL-Start message to initiate the 802.1x authentication process.
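Applying the combination above by hand in regedit is error-prone (the earlier reply notes the values are not present on XP SP2 and had to be created), so here is an added example, not code from this thread or from Cisco or Microsoft: a PowerShell script that backs up the key, creates it if missing, writes AuthMode = 1 and SupplicantMode = 3 as DWORDs, and verifies the result. The registry path is the one Microsoft documents for the EAPOL supplicant parameters; it is an assumption here and should be confirmed against the TechNet article linked in the thread before running on a production image.

```powershell
# Added example: set the XP 802.1X supplicant to AuthMode=1 / SupplicantMode=3.
# Key path assumed from Microsoft's EAPOL documentation; confirm before use.
$regKey = 'HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'   # reg.exe syntax
$psPath = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'  # provider syntax
$backup = Join-Path $env:TEMP 'eapol-global-backup.reg'

if (Test-Path $psPath) {
    # Export the key first so the change can be rolled back with 'reg import'.
    if (Test-Path $backup) { Remove-Item $backup }
    & reg.exe export $regKey $backup | Out-Null
    Write-Host "Existing key exported to $backup"
} else {
    # On XP SP2 the key itself may be absent, not just the two values.
    New-Item -Path $psPath -Force | Out-Null
    Write-Host "Key did not exist; created $psPath"
}

$before = Get-ItemProperty -Path $psPath
Write-Host ("Before: AuthMode={0} SupplicantMode={1}" -f $before.AuthMode, $before.SupplicantMode)

# AuthMode 1: machine authentication, then user re-authentication at logon
# (the mode the thread recommends so that both machine and user are required).
Set-ItemProperty -Path $psPath -Name 'AuthMode' -Value 1 -Type DWord
# SupplicantMode 3: send EAPOL-Start on every association / link-up instead of
# waiting for the switch to initiate, which the thread notes can be missed at boot.
Set-ItemProperty -Path $psPath -Name 'SupplicantMode' -Value 3 -Type DWord

$after = Get-ItemProperty -Path $psPath
if ($after.AuthMode -ne 1 -or $after.SupplicantMode -ne 3) {
    throw 'Registry write did not take effect; check that the shell is elevated'
}
Write-Host ("After:  AuthMode={0} SupplicantMode={1}" -f $after.AuthMode, $after.SupplicantMode)
Write-Host 'Reboot so the supplicant re-reads the values, then check the ACS passed/failed reports.'
```

Run it from an administrative shell, reboot, and then watch for the machine identity (host/<computer FQDN>) in the ACS reports or in "debug dot1x" on the switch while no user is logged on. If nothing appears even with SupplicantMode = 3, the supplicant is not the problem, and the switch port or the NIC driver is the next place to look.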

It sends EAP on association, so I'm assuming that on a wired connection it will send EAP when it detects link on the switch port?

Yes that is correct. Anytime the 802.1x process is triggered it will send the EAP.

With SupplicantMode set to 2, it is possible that when the machine boots, the network drivers are not ready on the machine when the switch is trying to initiate EAPOL, so the machine might not respond to it. This could be happening in your case as well.

Have you tried with SupplicantMode=3 yet?

Tried all combinations, and computer auth is still not working.

If possible, please attach your switch configuration.

OK, here's my XP, switch, and ACS config.
