Need help troubleshooting Machine Authentication...

tmoffett · ‎10-22-2007

Greetings-

I am having an issue with getting machine authentication to work.

I have:

Windows Server 2003 with AD, certificate services, and IAS installed.

Windows XP client - SP2 with WPA MS fixes. Installed machine cert from CA.

4400 controller with 4.1x code. RADIUS is configured correctly.

When I use PEAP, the client associates.

When I select "use machine account..." option I don't see anything happen on the client or server that would indicate that machine authentication was attempting.

Any ideas where to start? Could this be an issue with certificates on the client?

Thanks!

Scott Fella · ‎10-22-2007

Read over this and see if this helps you.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

-Scott
*** Please rate helpful posts ***

csthorne · ‎11-09-2007

I'd check out TechRepublic's ultimate guide to enterprise wireless LAN security. It has a very good section on using self signed certs for machine authentication in a windows environment. I'm assuming you are wanting to do that so you won't have to use cached credentials.

http://i.t.com.com/i/tr/downloads/home/gou_secure-wireless-guide.pdf

tmoffett · ‎11-11-2007

Thanks, I had seen that doc...

I was using machine certs to authenticate. My problem turned out to be the fact that it is required that one adds two registry entries to make the computer authenticate as required. Below are the dword entries. They change the behavior of the supplicant. One tells the system to do Machine auth. Without it (on XP sp2), the client will never try to authenticate prior to user logon. The other controls the authentication behavior upon user logon. By default, the client wants to do PEAP once a user logs on.

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode (

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode