Windows XP issue using ACS for MAC Authentication

Unanswered Question
Feb 7th, 2008
User Badges:
  • Gold, 750 points or more

Hello all,


I am using ACS 4.1 for MAC based authentication as to whether or not to allow a device on the network. It is working fine for most devices, but for some of the Windows XP computers I have to disable IEEE authentication on the NIC and create a registry key "SupplicantMode" with a value of "0". Does anyone know a way around having to do this on XP computers? If I don't do this I get a message saying "Windows was unable to find a certificate to log you on to the network" and the XP machines do not get authenticated.


All replies rated!!

jafrazie Thu, 02/07/2008 - 14:56
User Badges:
  • Cisco Employee,

If you plan to use MAC Authentication, this means you do not need/want 802.1X. This makes the registry setting irrelevant.


So is your question whether there is a way to avoid the registry setting, or a way to avoid having to disable 802.1X?


Thanks,



travis-dennis_2 Thu, 02/07/2008 - 17:55
User Badges:
  • Gold, 750 points or more

Thanks for the reply. The ultimate solution would be to get the XP machines to authenticate based on MAC and not have to change anything on the XP machines themselves. I want to avoid the registry edit. I have tested with unchecking the IEEE authentication on the properties of the NIC card. I have yet to get this to work without then having to add the registry key for SupplicantMode.


Thanks

travis-dennis_2 Fri, 02/08/2008 - 07:15
User Badges:
  • Gold, 750 points or more

This is occurring on the wired side, not the wireless, and so far when we have disabled 802.1x on the NIC cards some computers still don't pass traffic until we do the registry edit, and others work as soon as it is disabled. No apparent rhyme or reason that we can see.



The goal was to restrict wired network access to only devices that are in the ACS database so that no one could plug an unauthorized device into the network and pass traffic. We are regulating ALL network devices and most of them are not capable of doing 802.1x: scanner guns, wireless time clocks and the like. If there is a better way to go that gets this result please feel free to share the love! :)



Thanks again!

jafrazie Fri, 02/08/2008 - 07:46
User Badges:
  • Cisco Employee,

You should be able to leverage 802.1X authentication for devices that support it, and MAC Authentication for devices that do not. Checking a MAC address is obviously a lesser form of authentication, so is there a reason you need to work toward only checking MACs? Is it motivated by MAC addresses being a least common denominator?
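As an added illustration of the mixed approach described in this reply (this is not configuration posted in the thread or supplied by Cisco here), the following is what an access port looks like on a Cisco Catalyst IOS switch when 802.1X is tried first and MAC Authentication Bypass (MAB) takes over only for devices that never answer as a supplicant. The interface name, RADIUS server address and shared secret are assumptions; the ACS 4.1 server from the original post would be the RADIUS host, with the permitted MAC addresses defined there as the poster already has them.

```cisco
! Added example, not from the thread. Server address, key and interface are assumptions.
! Global AAA / RADIUS setup: the switch relays both EAP (802.1X) and MAB requests to ACS.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key EXAMPLE_SHARED_SECRET
! Turn on 802.1X authentication globally on the switch.
dot1x system-auth-control
!
interface FastEthernet0/1
 description Mixed port: 802.1X-capable PCs and MAC-only devices (scanners, time clocks)
 switchport mode access
 ! Port acts as the 802.1X authenticator and blocks traffic until an authentication succeeds.
 dot1x pae authenticator
 dot1x port-control auto
 ! How often the switch sends EAP-Request/Identity and how many retries before giving up on 802.1X.
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 ! Fallback: when no supplicant responds, the switch sends the device's MAC address to RADIUS (ACS).
 mab
```

With these timers a device that never sends EAPOL frames is checked by MAB after about (max-reauth-req + 1) x tx-period seconds, here roughly 15 seconds, which is the delay the scanner guns and time clocks will see before they pass traffic; shortening it speeds those devices up but leaves less time for slow supplicants. A Windows XP machine that does have a working supplicant is authenticated by 802.1X and never reaches the MAB step, so the SupplicantMode registry change is not needed on it. As the reply above notes, MAB only checks the MAC address, so treat it as the weaker of the two controls and limit it to the devices that genuinely cannot do 802.1X.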

travis-dennis_2 Fri, 02/08/2008 - 08:33
User Badges:
  • Gold, 750 points or more

802.1x is fine. I was not aware I could leverage both. Have a link for me?
