802.1x Authentication problems

Answered Question
Mar 14th, 2009

I configured dot1x port authentication on the switched network using an cisco ACS SE and on the computers (windows XP/SP2) PEAP and EAP-MSCHAPV2, everything works ok while the user have got already loaded his credentials on the PC, but if somebody tries to log in on the pc as a new user the authentication process fails, so i have to force the authentication process to gain access to network after that i reverse the authentication proccess to auto and the user log off and then the authentication process works again.

what am i missing??

Please some help...

I have this problem too.
0 votes
Correct Answer by Jagdeep Gambhir about 7 years 8 months ago

What we are seeing here is the known behavior of dot1x authentication. To bypass this issue we would need to set up machine authentication along with user auth. Here is the 802.1x Process that explains the behavior that we were experiencing with the cached credentials,

When machine authentication is enabled, the authentications occur in this order:

When starting a computer,

* Machine authentication-ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows user database. If you use Active Directory and the matching computer account in Active Directory has the same credentials, the computer gains access to Windows domain services.

* User domain authentication-If machine authentication succeeded, the windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user credentials are authenticated by using cached credentials that the local operating system retains. When a user is authenticated by cached credentials instead of the domain, the computer does not enforce domain policies, such as running login scripts that the domain dictates.

* You can also have only user authentication without machine authentication. It only gives problem in case of first time user that is not yet registered once on the AD. So with machine authentication you have network connection to AD, and therefore first time user have no problem. In addition without machine authentication (no access to AD during user login) you need to make sure to have user credential cashing on the workstation. In machine authentication AD and machine will generate its own password (you don't know it) and username = machinename, for the dot1x authentication. So after boot up

the machine will do dot1x with this machine credetial. As soon you type CTRL-ALT-DEL user login will start.

Regards,

~JG

Do rate helpful posts

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Jagdeep Gambhir Mon, 03/16/2009 - 13:39

What we are seeing here is the known behavior of dot1x authentication. To bypass this issue we would need to set up machine authentication along with user auth. Here is the 802.1x Process that explains the behavior that we were experiencing with the cached credentials,

When machine authentication is enabled, the authentications occur in this order:

When starting a computer,

* Machine authentication-ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows user database. If you use Active Directory and the matching computer account in Active Directory has the same credentials, the computer gains access to Windows domain services.

* User domain authentication-If machine authentication succeeded, the windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user credentials are authenticated by using cached credentials that the local operating system retains. When a user is authenticated by cached credentials instead of the domain, the computer does not enforce domain policies, such as running login scripts that the domain dictates.

* You can also have only user authentication without machine authentication. It only gives problem in case of first time user that is not yet registered once on the AD. So with machine authentication you have network connection to AD, and therefore first time user have no problem. In addition without machine authentication (no access to AD during user login) you need to make sure to have user credential cashing on the workstation. In machine authentication AD and machine will generate its own password (you don't know it) and username = machinename, for the dot1x authentication. So after boot up

the machine will do dot1x with this machine credetial. As soon you type CTRL-ALT-DEL user login will start.

Regards,

~JG

Do rate helpful posts

Actions

This Discussion