dot1x problem

Unanswered Question
Sep 9th, 2008

I have a proof of concept built for a client using wired 802.1x. We are using EAP-TLS with the MS Supplicant on XP SP2.


Everything seems to work, with the exception of unplugging the client and then replugging it back into the same port, which does not seem to re-initiate the EAPOL process. It is almost like I am missing one little piece; I am just having trouble putting my finger on what the piece might be. If anyone has any suggestions it would be appreciated.

smalkeric Tue, 09/16/2008 - 10:28
User Badges:
  • Silver, 250 points or more

Ensure that the client is getting authenticated by the authentication server because until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected.


The following URL may help you:


http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1053096


krowland123 Tue, 09/16/2008 - 10:33

Actually, it was a problem with the user cert. Once a profile was loaded on the box, and authentication had to happen again after unplugging the cable and then plugging it back in, the user cert was requested for authentication and we did not have a user cert on the box. I actually switched the authmode reg setting to a value of 2 and everything worked. Right now we are looking at doing machine-only auth. Do you or anyone else know of any caveats to look out for when doing 802.1x with EAP-TLS machine-only auth, either in the Cisco world or the Microsoft world?

jafrazie Tue, 09/16/2008 - 12:19
User Badges:
  • Cisco Employee

This should be OK. Enable EAPOL-Starts to be transmitted as well. This is the SupplicantMode registry setting in the same container. Give it a value of 3.

krowland123 Tue, 09/16/2008 - 13:02

I am confused; we have this working just fine at the moment with the supplicantmode registry value at 2 (the default for wired connections).


I guess as long as the authmode is set to 2, it doesn't matter if the supplicant mode is set to 3. Before, with authmode set to 1 and suppmode set to 3 and no user cert on the PC, it would fail because the suppmode made it try to use both the user and PC cert.


What would be the downfall of leaving the suppmode set to 2, instead of 3?
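As an added example (not code from the thread, Cisco or Microsoft), the two registry changes discussed above written as a cmd.exe batch script for the XP machine, with a backup of the key taken first; the key path HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global is assumed from Microsoft's XP wired 802.1X registry documentation, and the value meanings are those stated in the posts above.

```batch
@echo off
REM Added example, not from the original thread. Applies the machine-only
REM EAP-TLS supplicant settings discussed above on Windows XP SP2.
REM The key path is an assumption taken from Microsoft's XP 802.1X registry
REM documentation; confirm it on your build. Run from an administrator prompt.
setlocal
set KEY=HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global

REM 1. Keep a backup so the change can be reverted with "reg import".
reg export "%KEY%" "%TEMP%\eapol-global-backup.reg"

REM 2. Record the values in effect before the change (useful when comparing
REM    against the switch's "debug dot1x" output later).
echo Current settings:
reg query "%KEY%" /v AuthMode
reg query "%KEY%" /v SupplicantMode

REM 3. AuthMode=2: computer-only authentication. This is the value that fixed
REM    the re-plug failure above, because the supplicant then never asks for a
REM    user certificate that is not present on the box.
reg add "%KEY%" /v AuthMode /t REG_DWORD /d 2 /f

REM 4. SupplicantMode=3: transmit EAPOL-Start frames, as suggested in the thread,
REM    so the supplicant initiates authentication itself after link-up instead
REM    of waiting for the switch's EAP-Request/Identity.
reg add "%KEY%" /v SupplicantMode /t REG_DWORD /d 3 /f

echo Settings after the change:
reg query "%KEY%" /v AuthMode
reg query "%KEY%" /v SupplicantMode
echo Unplug and re-plug the cable (or reboot), then confirm on the switch that
echo the port authorizes using the machine certificate only.
endlocal
```

To revert, run `reg import "%TEMP%\eapol-global-backup.reg"` and re-plug the cable.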
