Win XP - 802.1x Supplicant Behaviour with SmartCard/Certificate

Sep 23rd, 2007

I am trying to implement Cisco's AuthFail VLAN functionality on a Catalyst 3560. It works fine with PEAP but does not work with SmartCard/Certificate (EAP-TLS) as the 802.1x protocol.

Please note that in my scenario I expect the authentication to fail and such users to be automatically moved to the AuthFail VLAN by the switch.

I have noticed that when Smartcard/certificate is selected as the EAP type in XP, the supplicant only initiates the 802.1x process locally on the machine but does not send anything to the switch. I don't have any certificates on the machine, neither user nor machine. The process always initiates when the cable is connected to a protected port but then dies with a message like "Windows is unable to find a certificate to log you on to the network". There is no failure log on the ACS, hence the request is not even being forwarded to ACS, so I guess the switch is not receiving it from the XP client.

Only if I select the check box "Authenticate as guest when user or computer information is unavailable" do I get failure messages on ACS, and the port is moved to the AuthFail VLAN after the configured attempts.

Does anybody know if there is a fix or patch for this XP behaviour? The reason it is important is that in XP smartcard/certificate login is set by default if 802.1x is enabled. Hence any visitor or guest with 802.1x turned on will by default have this setting.

hal.chaikin Thu, 11/01/2007 - 13:50

Clarification: You said you do not have any certificates "on the machine". But you do have a server certificate (capable of authenticating the certs on the smart card) installed on your ACS correct? Without one, there is no way for the EAP-TLS from the client to be authenticated.

Jagdeep Gambhir Thu, 11/01/2007 - 16:47
User Badges:
  • Red, 2250 points or more

For EAP-TLS you need to have user cert and CA installed on each client.

Without these certs, TLS is not going to initiate a connection.



ardica Mon, 11/05/2007 - 08:58
User Badges:
  • Cisco Employee


The default behavior for a Windows XP machine is the following:

- 802.1X enabled

- EAP type is EAP-TLS

- No certificate is available (for user or machine)

- No EAPoL-Start messages are sent (a registry change is required for that).

If the goal is provide Guest Access in such scenario, the Auth-Fail VLAN won't help since the authentication attempts never fail (as you mentioned). This is because the Windows client can be considered "smart enough" in this case to avoid replying to the Identity-request messages sent by the switch once it realizes there are no valid certificates installed.

What I'd recommend in this scenario is then to leverage the 802.1X Guest VLAN feature, configuring it with the same value as the Auth-Fail VLAN. In that way, no matter if the authentication fails or it is not performed (as in this case), the user will be placed in the same VLAN anyway.

Hope this helps,
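The Guest VLAN plus Auth-Fail VLAN port configuration ardica recommends, written out as an added example that is not from the original thread or from Cisco documentation. The interface name, VLAN numbers and timer values are assumed for a Catalyst 3560 running IOS 12.2; the "before" port shows why Auth-Fail VLAN alone does not catch the silent XP supplicant.

```cisco
! Added example (not from the thread). Fa0/1, VLAN 10, VLAN 99 and the timers are assumed.
! Global: enable 802.1X on the switch and define the VLAN guests will land in.
dot1x system-auth-control
vlan 99
 name GUEST-AND-AUTHFAIL
!
! --- Before: Auth-Fail VLAN only ---
! Catches a supplicant whose EAP exchange actually fails (e.g. PEAP with bad
! credentials). An XP host set to Smartcard/Certificate with no certificate
! never answers the switch's EAP Identity-Request, so there is no failed
! attempt to count and the port simply stays unauthorized.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x auth-fail vlan 99
 dot1x auth-fail max-attempts 3
!
! --- After: Guest VLAN and Auth-Fail VLAN set to the same VLAN ---
! Silent host (no EAPOL frames seen): after (max-reauth-req + 1) unanswered
! Identity-Requests, sent tx-period seconds apart, the port is placed in the
! Guest VLAN. Failing host: after max-attempts failures it goes to the
! Auth-Fail VLAN. Both end up in VLAN 99, so the outcome is the same.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 99
 dot1x auth-fail vlan 99
 dot1x auth-fail max-attempts 3
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
!
! Caveat: by default the switch does not assign the Guest VLAN to a host from
! which it has already seen EAPOL frames. A supplicant that does send
! EAPOL-Start but then stops replying is only covered if the optional
! behaviour is enabled globally with "dot1x guest-vlan supplicant" (on IOS
! releases that support that command).
```

With the "after" configuration, `show dot1x interface FastEthernet0/1` and `show vlan` let you confirm which mechanism moved the port and that it sits in VLAN 99.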


