802.1X computer authentication problem

Aug 6th, 2007
Hello

I want to know whether some GPO parameters can prevent 802.1X computer authentication.

We use ACS 4.1 and 802.1X PEAP authentication with VLAN assignment and MACHINE authentication only.

Certain PCs work fine and others do not.

If we remove the PC from the domain and then rejoin the PC to the domain, everything works ==> authentication is OK.

Do you have a solution that avoids taking PCs out of and back into the domain?

Thanks for your help

Jagdeep Gambhir Mon, 08/06/2007 - 09:07

Hi,

I don't think so. What is the error you get on ACS when the computer fails authentication?

s.berthier Mon, 08/06/2007 - 22:03

ACS reply:

06/08/2007 17:20:46 Authen failed host/gval1080.XXX.XX Laptop 00-16-D3-39-7D-85 (Default) External DB user invalid or bad password .. .. 50007 10.253.104.94 .. .. 25 MS-PEAP .. gvanet01 ..



Jagdeep Gambhir Tue, 08/07/2007 - 04:52

I would also need logs from the remote agent.

ACS appliance ----> System Configuration --> Service Control --> Level of detail - Full. At this point, we need to duplicate the issue.

Now collect logs from the remote agent:

C:\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\Logs

I need only the cswinagent logs. I'm assuming ACS is on 4.1.1 23?

We need to make sure that ACS and the remote agent are on the same code.

Let's cross-check that: on the RA computer, go to DOS and change the prompt to

C:\Program Files\Cisco\CiscoSecure ACS Agent\bin

Type csagent.exe -v and press Enter.

Regards,

~JG

s.berthier Tue, 08/07/2007 - 05:27

Hello

When I run the command csagent -v the result is:

ACSRemoteAgent version 4.1(3.12)

and I have an ACS appliance:

Cisco Secure ACS 4.1.3.12

Appliance Management Software 4.1.3.12

Appliance Base Image 4.1.1.4

CSA build 4.0.1.543.2 (Patch: 4_0_1_543)

and in the cswinAgent file I have this error:

CSWinAgent 08/07/2007 11:32:33 A 0386 6040 0x0 RPC: NT_MSCHAPAuthenticateUser received

CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO

CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$

CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)

CSWinAgent 08/07/2007 11:32:33 A 0332 6040 0x0 NTLIB: Reattempting authentication at domain DOMAIN-TEST

CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO

CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$

CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)

CSWinAgent 08/07/2007 11:32:33 A 0452 6040 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent


I don't know if this is what you want.

I have changed the domain name (to DOMAIN-TEST) for confidentiality reasons.


Thanks
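The CSWinAgent excerpt above is the kind of log you end up triaging across many laptops, so here is a small parser for it. This is an added example, not code from the thread or from Cisco: it assumes the line layout shown above (component, date, time, level, message id, thread id, flags, subsystem, message) and the NTLIB message texts quoted there. It groups each NT_MSCHAPAuthenticateUser RPC by thread id, records which account was tried, against which workstation and retry domain, and which Win32 error came back, and flags machine accounts (names ending in `$`) that were rejected with ERROR_LOGON_FAILURE (1326) on every attempt. The second request in the sample (thread 6041, user `jdoe`) is constructed for contrast and does not appear in the thread.

```python
"""Triage CiscoSecure ACS Remote Agent (CSWinAgent) log excerpts.

Added example, not code from the thread or from Cisco. Assumes the line
layout and NTLIB message texts quoted in the thread; treating a request
with no FAILED line as "accepted" is an assumption, since the thread shows
no successful request.
"""
import re
from typing import Dict, List, Optional

ERROR_LOGON_FAILURE = 1326  # Win32 ERROR_LOGON_FAILURE; CSWinAgent prints it as "1326L"

LINE_RE = re.compile(
    r"^(?P<comp>\S+)\s+(?P<date>\d\d/\d\d/\d{4})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<level>\S+)\s+(?P<msgid>\d+)\s+(?P<thread>\d+)\s+(?P<flags>0x[0-9A-Fa-f]+)\s+"
    r"(?P<subsys>[A-Za-z_]+):\s+(?P<msg>.*)$"
)
USER_RE = re.compile(r"Attempting Windows authentication for user (?P<user>\S+)")
FAIL_RE = re.compile(r"Windows authentication FAILED \(error (?P<code>\d+)L?\)")
RETRY_RE = re.compile(r"Reattempting authentication at domain (?P<domain>\S+)")
WS_RE = re.compile(r"Got WorkStation (?P<ws>\S+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one CSWinAgent line into its fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _new_request(rec: Dict[str, str]) -> Dict:
    return {"thread": rec["thread"], "started": f"{rec['date']} {rec['time']}",
            "user": None, "workstation": None, "retry_domains": [],
            "errors": [], "machine_account": False, "verdict": None}


def classify(req: Dict) -> str:
    """Turn the collected attempts of one RPC into a one-line verdict."""
    who = "machine" if req["machine_account"] else "user"
    if not req["errors"]:
        return "accepted"  # assumption: no FAILED line between received and reply sent
    if all(e == ERROR_LOGON_FAILURE for e in req["errors"]):
        return f"{who} credential rejected: ERROR_LOGON_FAILURE (1326) on every attempt"
    return f"{who} authentication failed with error(s) {sorted(set(req['errors']))}"


def triage(log_text: str) -> List[Dict]:
    """Group lines per RPC (received ... reply sent) keyed by thread id."""
    open_reqs: Dict[str, Dict] = {}
    results: List[Dict] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        tid, msg = rec["thread"], rec["msg"]
        if rec["subsys"] == "RPC" and msg.endswith(" received"):
            open_reqs[tid] = _new_request(rec)
            continue
        req = open_reqs.get(tid)
        if req is None:
            continue  # line belongs to a request whose start we did not see
        if rec["subsys"] == "RPC" and msg.endswith(" reply sent"):
            req["machine_account"] = bool(req["user"]) and req["user"].endswith("$")
            req["verdict"] = classify(req)
            results.append(open_reqs.pop(tid))
            continue
        m = USER_RE.search(msg)
        if m:
            req["user"] = m["user"]
            continue
        m = WS_RE.search(msg)
        if m:
            req["workstation"] = req["workstation"] or m["ws"]
            continue
        m = RETRY_RE.search(msg)
        if m:
            req["retry_domains"].append(m["domain"])
            continue
        m = FAIL_RE.search(msg)
        if m:
            req["errors"].append(int(m["code"]))
    return results


# Constructed sample: thread 6040 is the excerpt from the thread; thread 6041 is invented.
SAMPLE_LOG = """\
CSWinAgent 08/07/2007 11:32:33 A 0386 6040 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
CSWinAgent 08/07/2007 11:32:33 A 0386 6041 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 08/07/2007 11:32:33 A 0332 6040 0x0 NTLIB: Reattempting authentication at domain DOMAIN-TEST
CSWinAgent 08/07/2007 11:32:33 A 1711 6041 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 08/07/2007 11:32:33 A 1712 6041 0x0 NTLIB: Attempting Windows authentication for user jdoe
CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 08/07/2007 11:32:33 A 0452 6040 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
CSWinAgent 08/07/2007 11:32:33 A 0452 6041 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['started']} thread={r['thread']} user={r['user']} "
              f"ws={r['workstation']} retry={r['retry_domains']} -> {r['verdict']}")
```

Run it against a full CSWinAgent log and group the "machine credential rejected" verdicts by user: a population of `$` accounts all failing with 1326 while user accounts and freshly joined machines succeed points at the computer accounts' credentials rather than at ACS or the agent, which is the distinction the rest of this thread turns on.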

Jagdeep Gambhir Tue, 08/07/2007 - 05:55

Make sure that the remote agent has the proper permissions assigned, i.e. act as part of the operating system and log on as a service/batch job.

Also, on which operating system is the remote agent installed? Please note that RA is not supported on Win2003 SP2.


Regards,

~JG

s.berthier Tue, 08/07/2007 - 06:09

The CSAgent is installed on a Windows 2003 Server with SP2 and it works fine, because most of the computer accounts are correctly authenticated.

The link between ACS and AD is made by another server where the agent is installed.

When you remove and rejoin a PC to the domain, authentication is OK and everything works.

I think it is not an ACS or agent problem but an AD problem with the password integration, but I'm not sure.

The permissions on the agent are set as you say.


jafrazie (Cisco Employee) Tue, 08/07/2007 - 07:17

There are no GPO parameters that can stop 1X from working. If you disconnect/reconnect to the domain, this is probably refreshing something that's stale on AD. 802.1X is the victim here. Mind you, network access is not there, but this sounds like a supplicant problem.

From the log snippet, it looks like the machine's password has aged out. And you mentioned you were doing machine-auth only.

For Active Directory by default, the machine password that the client receives from AD expires every 30 days. When this happens, the machine cannot get authenticated and there is no provision for the machine password to be regenerated over the EAP session between the client and Domain Controller. It's just broken and network access is denied.

There is a bug with regard to how NETLOGON interacts with MS-CHAP. The system simply fails to allow the expired machine password to be regenerated as is the case with User Authentication. AFAIK, there's no fix for this .. even in Vista.

So for customers just trying to do MSFT Machine Authentication without User Authentication as fallback, it's not really a workable solution unfortunately.


Hope this helps,

P.s. Can you try to enable user-auth to confirm this?
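The 30-day machine password age mentioned above is something you can audit before laptops start failing 802.1X. The following is an added example, not code from the thread, from Cisco or from Microsoft: it takes the `pwdLastSet` attribute of computer objects (a Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC, where 0 means the password has never been set or must be changed) and reports which accounts are past the Netlogon default maximum age of 30 days. The computer names and timestamps in the sample are constructed; feed `audit()` whatever your LDAP query returns, and pass a different `max_age_days` if your domain sets "Domain member: Maximum machine account password age" to something other than the default.

```python
"""Audit AD computer accounts for machine passwords older than the maximum age.

Added example, not from the thread, Cisco or Microsoft. The 30-day default
and the FILETIME encoding of pwdLastSet are standard AD behaviour; the
sample accounts and the reference time below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEFAULT_MAX_AGE_DAYS = 30  # Netlogon MaximumPasswordAge default


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-ns ticks; timedelta resolves to microseconds (10 ticks)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def machine_password_age_days(pwd_last_set: int, now: datetime) -> Optional[float]:
    """Age of the machine password in days, or None when pwdLastSet is 0."""
    if pwd_last_set == 0:
        return None
    return (now - filetime_to_datetime(pwd_last_set)).total_seconds() / 86400


def audit(computers: Dict[str, int], now: datetime,
          max_age_days: int = DEFAULT_MAX_AGE_DAYS) -> List[Dict]:
    """Classify each computer as ok, past-max-age, or must-change."""
    rows: List[Dict] = []
    for name, pwd_last_set in computers.items():
        age = machine_password_age_days(pwd_last_set, now)
        if age is None:
            status = "must-change"      # pwdLastSet == 0
        elif age > max_age_days:
            status = "past-max-age"     # the account has not rotated in time
        else:
            status = "ok"
        rows.append({"name": name,
                     "age_days": None if age is None else round(age, 1),
                     "status": status})
    return rows


# Constructed reference time and sample accounts (names reuse the thread's
# hostnames, but the pwdLastSet values are invented).
NOW = datetime(2007, 8, 7, 11, 32, 33, tzinfo=timezone.utc)
SAMPLE_COMPUTERS = {
    "GVAL0594$": datetime_to_filetime(NOW - timedelta(days=45)),
    "GVAL1080$": datetime_to_filetime(NOW - timedelta(days=10)),
    "LAB-OLD$": 0,
}

if __name__ == "__main__":
    for row in audit(SAMPLE_COMPUTERS, NOW):
        print(f"{row['name']:<12} age={row['age_days']!s:>6}  {row['status']}")
```

A domain-joined machine that can reach a domain controller normally rotates its own password before the maximum age, so an account reported as past-max-age has been unable to do so (for example, a laptop that has been off the corporate network for longer than the maximum age, or one where machine password changes are disabled by policy). Those are the accounts to look at first when a subset of machines starts failing machine-only 802.1X.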

s.berthier Tue, 08/07/2007 - 08:01

Thank you for your help.

We are doing machine authentication only because it works fine under Windows XP and doesn't prevent GPO application at login or other things...

We have worked on this type of architecture with 3 workstations for a few months without problems.

We changed a parameter on the user account that is used to prepare laptops (parameter: Store password using reversible encryption) and it seems to solve the problem for newly installed laptops. I will test more when I have new laptops.

Sorry, but I can't enable user authentication on the network for production reasons.

Thanks

