Pb 802.1X Computer authentication

s.berthier · ‎08-06-2007

Hello

I want to know if some GPO parameters can prevent computer authentication 802.1X ?

Because we use ACS4.1 and 802.1X PEAP authentication with Vlan assignement and MACHINE authentication Only

And certain PC works fine and other not

And if we disconnect the PC to the domain and after we reconnect th PC to the donain, all works fine ==> Authentication is OK

If you have a solution to prevent out/in PC in the domain ?

Thanks for your help

Jagdeep Gambhir · ‎08-06-2007

Hi,

I don't think so. What is the error you get on acs when computer fails authentication ?

s.berthier · ‎08-06-2007

Reply ACS :

06/08/2007 17:20:46 Authen failed host/gval1080.XXX.XX Laptop 00-16-D3-39-7D-85 (Default) External DB user invalid or bad password .. .. 50007 10.253.104.94 .. .. 25 MS-PEAP .. gvanet01 ..

Jagdeep Gambhir · ‎08-07-2007

I would also need logs from remote agent.

ACS appliance---->System Configuration --> Service Control --> Level of detail - Full At this point, we need to duplicate the issue.

Now collect logs from remote agent,

C:\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\Logs

I need only cswinagent logs. I'm assuming acs is on 4.1.1 23 ?

We need to make sure that acs and remote agent are sitting on same code,

Lets cross check that , on RA computer go to dos and change prompt to

C:\Program Files\Cisco\CiscoSecure ACS Agent\bin

Type csagent.exe -v and press Enter

Regards,

~JG

s.berthier · ‎08-07-2007

Hello

When i do the command csagent -v the result is:

ACSRemoteAgent version 4.1(3.12)

and I have an Appliance ACS:

Cisco Secure ACS 4.1.3.12

Appliance Management Software 4.1.3.12

Appliance Base Image 4.1.1.4

CSA build 4.0.1.543.2 (Patch: 4_0_1_543)

and in the file cswinAgent i have this error

CSWinAgent 08/07/2007 11:32:33 A 0386 6040 0x0 RPC: NT_MSCHAPAuthenticateUser received

CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO

CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$

CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)

CSWinAgent 08/07/2007 11:32:33 A 0332 6040 0x0 NTLIB: Reattempting authentication at domain DOMAIN-TEST

CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO

CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$

CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)

CSWinAgent 08/07/2007 11:32:33 A 0452 6040 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent

I don't know if this that you want

I have just change the domain name (DOMAIN-TEST) to confidential resaon

Thanks

Jagdeep Gambhir · ‎08-07-2007

Make sure that remote agent has proper permission assigned. ie act as a part of operating system and login as service/batch

Also on which operating system we have remote agent installed, please note that RA is not supported on win2003 SP2

Regards,

~JG

s.berthier · ‎08-07-2007

The CSAgent is installed on a Windows 2003 Server with SP2 and it's work fine because the most part of Computer account are correctly authenticate.

The link between ACS and AD is do by an another server where the agent is install

When you disconnect and reconnect a PC to the domain the authentication is OK and all work fine.

I think is not an ACS or Agent problem but an AD Problem with the Password integration but I m not sure

the persmission on the agent is set as you say

jafrazie · ‎08-07-2007

There are no GPO parameters that can stop 1X from working. If you disconnect/reconnect to the domain, this is probably refreshing something that's stale on AD. 802.1X is the victim here. Mind you, network access is not there, but this sounds like a supplicant problem.

From the log snippet, looks like the machine's password is aged out. And you mentioned you were doing machine-auth only.

For Active Directory by default, the machine password that the client receives from AD

expires every 30 days. When this happens - the machine can not get authenticated and there is no provision for the machine password to be regenerated over the EAP session between the client and Domain Controller. It's just broken and network access is denied.

There is a bug with regard to how NETLOGON interacts with MS-CHAP. The system simply fails to allow the expired machine password

to be regenerated as is the case with User Authentication. AFAIK, there's no fix for this .. even in Vista.

So for customers just trying to do MSFT Machine Authentication without

User Authentication as fallback - it's not really a workable solution unfortunately.

Hope this helps,

P.s. Can you try to enable user-auth to confirm this?

s.berthier · ‎08-07-2007

Thank you for your help

We doing an Machine authentication only because is work fine under Windows XP and don't prevent GPO application on the login or other thinks...

we work on this type of architecture under 3 workstations since few month without problems

we change a parameters on User Account that permit to prepare laptop ( parameter : Store password using reversible encryption) and it's seem to solve the problem for newly install laptop. I will test more when I have new Laptop.

Sorry but I can't enable User authentication on the network for production reason

thanks