I am trying to implement Cisco's AuthFail VLAN functionality on a Catalyst 3560. It works fine with PEAP but does not work with SmartCard/Certificate (EAP-TLS) as the 802.1x protocol.
Please note that in my scenario I expect the authentication to fail and such users to be automatically moved to the AuthFail VLAN by the switch.
I have noticed that when Smartcard/certificate is selected as the EAP type in XP, the supplicant only initiates the 802.1x process locally on the machine but does not send anything to the switch. I don't have any certificates on the machine, neither user nor machine. The process always initiates when the cable is connected to a protected port but then dies with a message like "Windows is unable to find a certificate to log you on to the network". There is no failure log on the ACS, hence the request is not even being forwarded to ACS, so I guess the switch is not receiving it from the XP client.
Only if I select the check box "Authenticate as guest when user or computer information is unavailable" do I get failure messages on ACS, and the port is moved to the AuthFail VLAN after the configured number of attempts.
Does anybody know if there is a fix or patch for this XP behaviour? The reason it is important is that in XP smartcard/certificate login is set by default if 802.1x is enabled. Hence any visitor or guest with 802.1x turned on will by default have this setting.