802.1x Machine Based Authentication - Password expired

Unanswered Question
Dec 30th, 2008

Hi,

I would like to ask one question about machine-based authentication on 802.1x.

1. We are deploying 802.1x on wired users.

2. Some users are using machine-based authentication in order to authenticate their port.

3. However, after the user's password expires, the user needs to change their password, and then the machine is unable to authenticate. The error I get is "External DB user invalid or bad password". The switch then assigns the user to the Guest VLAN.

4. But once I unplug the UTP cable and plug it back in after the user logs in, the switch assigns the user to the proper VLAN.

5. Users won't be able to access their share drives etc., since the Guest VLAN only has access to the Internet.

6. Does anyone have any idea what is happening? It seems that the machine is sending the old password to the ACS during the authentication process.

Can anybody shed some light on this? Thanks.

jafrazie Fri, 01/02/2009 - 13:06

What version of ACS is giving you this error?

Also, can you make sure it's a failing user-auth session here and not a failing machine-auth session?

muhammadsafwan Sun, 01/04/2009 - 20:53

I'm using version 4.2.

How do I make sure that it's a user-auth session?

It's because, once the user logs in to the PC, she is assigned to the proper VLAN. But before login, the PC is assigned to the Guest VLAN. This is because the machine will try to authenticate using the machine ID first.

jafrazie Mon, 01/05/2009 - 06:50

This should certainly work with that rev. In your passed (or failed) auth log, you should see the username of the session authenticating. If you see the FQDN of the machine, this is a machine auth. Also, machine auth typically executes before the GINA is displayed to the user. It sounds like machine auth is failing, and we need to determine why. Has this machine been away from the domain for long?

This also might help:

http://supportwiki.cisco.com/ViewWiki/index.php/802.1x_authentication_with_Cisco_Secure_Access_Control_Server_fails_to_work_for_Microsoft_Windows_XP_PC
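One way to do the check suggested above, telling machine-auth from user-auth sessions by the identity in the log, as an added example that is not code from this thread or from Cisco ACS. The log lines are constructed for the example and use a simplified comma-separated layout rather than the exact ACS 4.2 CSV column set; the column names, port names and hostnames are assumptions. The identity rules (host/FQDN for a Windows machine identity, a trailing $ for a computer account) are the classifier's only logic, and the last function reports which ports' most recent attempt was a failed machine auth, which is where a port would sit in the Guest VLAN until the user logs in.

```python
"""Classify 802.1X authentication log entries as machine-auth or user-auth
by the identity presented, so that a failure such as
"External DB user invalid or bad password" can be tied to the right credential.

Added example; not code from the thread or from Cisco ACS. SAMPLE_LOG is a
constructed sample in a simplified CSV layout (assumed column names), not
the exact ACS 4.2 passed/failed attempts export.
"""
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed sample log, in time order. Layout and values are assumptions.
SAMPLE_LOG = """date,time,result,user_name,nas_port,failure_code
01/05/2009,07:55:10,FAILED,host/wkstn17.example.local,FastEthernet0/3,External DB user invalid or bad password
01/05/2009,07:58:42,PASSED,EXAMPLE\\jsmith,FastEthernet0/3,
01/05/2009,08:02:15,FAILED,EXAMPLE\\WKSTN18$,FastEthernet0/7,External DB user invalid or bad password
01/05/2009,08:03:01,PASSED,host/wkstn19.example.local,FastEthernet0/9,
"""


def classify_identity(user_name: str) -> str:
    """Return 'machine' for a computer identity, otherwise 'user'.

    A Windows supplicant presents its machine identity as host/<FQDN>;
    a computer account may also appear as DOMAIN\\NAME$ (trailing $).
    Anything else is treated as a user logon.
    """
    name = user_name.strip()
    if name.lower().startswith("host/"):
        return "machine"
    if name.endswith("$"):
        return "machine"
    return "user"


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the CSV text and tag each row with its auth_type."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["auth_type"] = classify_identity(row["user_name"])
        rows.append(row)
    return rows


def failed_machine_auths(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Only the rows where the machine credential itself was rejected."""
    return [r for r in records
            if r["result"] == "FAILED" and r["auth_type"] == "machine"]


def summarize(records: List[Dict[str, str]]) -> Counter:
    """Count attempts per (auth_type, result), e.g. ('machine', 'FAILED')."""
    return Counter((r["auth_type"], r["result"]) for r in records)


def ports_stuck_on_machine_auth(records: List[Dict[str, str]]) -> Set[str]:
    """Ports whose most recent attempt was a failed machine auth.

    Records are assumed to be in time order, so the last row per port wins.
    A port that later passed a user auth (as after the user logs in) drops out.
    """
    latest: Dict[str, Tuple[str, str]] = {}
    for r in records:
        latest[r["nas_port"]] = (r["auth_type"], r["result"])
    return {port for port, (kind, res) in latest.items()
            if kind == "machine" and res == "FAILED"}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in failed_machine_auths(recs):
        print(f'{r["time"]} {r["nas_port"]} {r["user_name"]}: {r["failure_code"]}')
    print(dict(summarize(recs)))
    print("ports still failing machine auth:", ports_stuck_on_machine_auth(recs))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents and mapping the column names to the ones your ACS version writes; the identity rules are what matter, the column names are only a convention for this example.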

muhammadsafwan Mon, 01/05/2009 - 08:14

Yes, it's machine authentication.

It has never been away from the domain. It's just that the user needed to change her password due to expiry.

Before her password expired, no problem occurred. It seems to me that the machine is trying to authenticate with the old password.
