09-23-2007 08:02 PM - edited 03-10-2019 03:24 PM
I am trying to implement Cisco's AuthFail VLAN functionality on a Catalyst 3560. It works fine with PEAP but does not work with SmartCard/Certificate (EAP-TLS) as the 802.1x protocol.
Please note that in my scenario I expect the authentication to fail and such users to be automatically moved to the AuthFail VLAN by the switch.
I have noticed that when Smartcard/certificate is selected as the EAP type in XP, the supplicant only initiates the 802.1x process locally on the machine but does not send anything to the switch. I don't have any certificates on the machine, neither user nor machine. The process always initiates when the cable is connected to a protected port but then dies with a message like "Windows is unable to find a certificate to log you on to the network". There is no failure log on the ACS, hence the request is not even being forwarded to ACS, so I guess the switch is not receiving it from the XP client.
Only if I select the check box "Authenticate as guest when user or computer information is unavailable" do I get failure messages on ACS, and the port is moved to the AuthFail VLAN after the configured number of attempts.
Does anybody know if there is a fix or patch for this XP behaviour? The reason it is important is that in XP smartcard/certificate login is set by default if 802.1x is enabled. Hence any visitor or guest with 802.1x turned on will by default have this setting.
Thanks.
MAG.
11-01-2007 01:50 PM
Clarification: You said you do not have any certificates "on the machine". But you do have a server certificate (capable of authenticating the certs on the smart card) installed on your ACS, correct? Without one, there is no way for the EAP-TLS from the client to be authenticated.
11-01-2007 04:47 PM
For EAP-TLS you need to have a user cert and the CA cert installed on each client.
Without these certs, TLS is not going to initiate the connection.
Regards,
~JG
11-05-2007 08:58 AM
Hi,
the default behavior for Windows XP machine is the following:
- 802.1X enabled
- EAP type is EAP-TLS
- No certificate is available (for user or machine)
- No EAPoL-Start messages are sent (a registry change is required for that).
If the goal is to provide Guest Access in such a scenario, the Auth-Fail VLAN won't help since the authentication attempts never fail (as you mentioned). This is because the Windows client can be considered "smart enough" in this case to avoid replying to the Identity-Request messages sent by the switch once it realizes there are no valid certificates installed.
What I'd recommend in this scenario is then to leverage the 802.1X Guest VLAN feature, configuring it with the same value as the Auth-Fail VLAN. In that way, no matter if the authentication fails or it is not performed (as in this case), the user will be deployed in the same VLAN anyway.
Hope this helps,
-Max
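The recommendation above, as an added Catalyst 3560 port configuration that is not part of any post in this thread: both the guest VLAN (no EAPOL response from the supplicant, as with the certificate-less XP client) and the auth-fail VLAN (credentials rejected by ACS) point at the same VLAN. The interface name, VLAN numbers and timer values are assumed for illustration.

```cisco
! Globally enable 802.1X on the switch
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 !
 ! Port authenticates hosts via 802.1X
 dot1x port-control auto
 !
 ! EAP-Request/Identity is retried every tx-period seconds;
 ! after max-reauth-req retries with no EAPOL reply the port
 ! is placed in the guest VLAN (covers the XP client that never answers)
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 dot1x guest-vlan 99
 !
 ! Clients that answer but are rejected by ACS land in the
 ! auth-fail VLAN after max-attempts failures; same VLAN 99
 ! so both paths end up with identical restricted access
 dot1x auth-fail vlan 99
 dot1x auth-fail max-attempts 3
```

Verify which path a given host took with `show dot1x interface FastEthernet0/1`, which reports the port's authorization state and the VLAN it was assigned.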