dot1x machine authentication failing

May 6th, 2009

I have been having a random problem for a while now with machine authentication with dot1x.

Our switches are configured for dot1x vlan assignment (vlan11 for authenticated users, and vlan17 for guest or failed authentication). I get calls from users randomly who get assigned IP addresses from vlan17 when they should be getting addresses from 11.

ACS failed logs report "External DB user invalid or bad password" and Windows event logs on the domain controllers confirm this.

After a little research and a few TAC cases, automatic computer account password changes in AD seem to be the culprit. What I do not understand is why this happens on desktop machines that stay plugged into the network 24/7.

Is anyone else seeing this type of activity? Is there a way to enter user credentials as a backup if the machine authentication fails?

My current workaround is disabling dot1x on the port for a day or so which gives time for the passwords to resync, but this becomes a pain.

carenas123 Tue, 05/12/2009 - 03:45

This is an ACE problem with the passcode. During this time, the ACS Failed Attempts log shows either the message "External DB auth failed" or "External DB user invalid or bad password". You may try the bug ID CSCdz30103.

ben.bass0 Tue, 05/12/2009 - 07:20

That bug ID doesn't include enough details to be of any help. It does mention that it was found with ACS version 3.1 and Windows 2k clients. We are running Windows XP clients and ACS version 4.1.

scadora (Cisco Employee) Tue, 05/12/2009 - 09:01

Have you tried clearing dynamic users in ACS when this occurs?

If you are using the Microsoft native supplicant, there is a registry setting that's supposed to allow you to do user auth if machine auth fails.

ben.bass0 Tue, 05/12/2009 - 09:15

I have tried clearing the dynamic users, but it didn't help. My next attempt will be to set the AuthMode registry key to 0 instead of 2 and see if that helps. With the problem being so random, please post any more suggestions, as it could be a while before the problem shows up again.
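Because the problem only surfaces when a user calls about a guest-VLAN address, it helps to spot desynced computer accounts from the ACS Failed Attempts log before that happens. The script below is an added example written for this thread, not Cisco ACS code: it parses a constructed, simplified CSV export (the column names `Date,Time,User-Name,Authen-Failure-Code,NAS-IP-Address,NAS-Port` are an assumption; a real ACS 4.x export has more columns, so rename the fields to match yours) and flags machine accounts that repeatedly hit the "External DB user invalid or bad password" or "External DB auth failed" messages the thread mentions, together with the switch ports they failed on.

```python
"""Triage ACS Failed Attempts lines for dot1x machine-account failures.

Added example for this thread, not Cisco ACS code. The CSV layout below is a
constructed, simplified export (an assumption); real ACS 4.x exports carry
more columns, so adjust the field names to match your own export.
"""
import csv
import io
from collections import Counter, defaultdict

# Failure texts the original post reports seeing in the ACS Failed Attempts log.
BAD_PASSWORD = "External DB user invalid or bad password"
DB_AUTH_FAILED = "External DB auth failed"

# Constructed sample export (not real data). Windows machine accounts present
# themselves as host/<fqdn>; CORP\jdoe is an interactive user authentication.
SAMPLE_LOG = """\
Date,Time,User-Name,Authen-Failure-Code,NAS-IP-Address,NAS-Port
05/06/2009,08:01:12,host/pc-fin-22.corp.example,External DB user invalid or bad password,10.1.1.5,50012
05/06/2009,08:01:42,host/pc-fin-22.corp.example,External DB user invalid or bad password,10.1.1.5,50012
05/06/2009,08:03:05,CORP\\jdoe,External DB user invalid or bad password,10.1.1.5,50007
05/06/2009,08:05:17,host/pc-fin-22.corp.example,External DB auth failed,10.1.1.5,50012
05/06/2009,08:10:00,host/pc-hr-03.corp.example,External DB user invalid or bad password,10.1.1.6,50003
"""


def parse_acs_failed_log(text):
    """Parse the CSV export into a list of dict rows; the header row gives the keys."""
    return list(csv.DictReader(io.StringIO(text)))


def is_machine_account(username):
    """Machine authentication (PEAP/EAP-TLS) uses the host/<fqdn> identity."""
    return username.lower().startswith("host/")


def hostname_of(username):
    """Strip the host/ prefix to get the computer's FQDN."""
    return username[len("host/"):]


def find_machine_auth_failures(rows, min_count=2):
    """Return {hostname: count} for machine accounts that hit the AD password
    failure messages at least min_count times. Repeated failures from one
    computer account, while user logons still work, point at the computer
    account password desync discussed in the thread."""
    counts = Counter()
    for row in rows:
        user = row["User-Name"]
        if not is_machine_account(user):
            continue
        if row["Authen-Failure-Code"] in (BAD_PASSWORD, DB_AUTH_FAILED):
            counts[hostname_of(user)] += 1
    return {host: n for host, n in counts.items() if n >= min_count}


def ports_to_check(rows, hosts):
    """Map each flagged host to the (switch IP, port) pairs it failed on, so the
    operator knows which ports are likely parked in the guest/failed VLAN."""
    ports = defaultdict(set)
    for row in rows:
        user = row["User-Name"]
        if is_machine_account(user) and hostname_of(user) in hosts:
            ports[hostname_of(user)].add((row["NAS-IP-Address"], row["NAS-Port"]))
    return {host: sorted(pairs) for host, pairs in ports.items()}


if __name__ == "__main__":
    rows = parse_acs_failed_log(SAMPLE_LOG)
    flagged = find_machine_auth_failures(rows)
    ports = ports_to_check(rows, flagged)
    for host, n in sorted(flagged.items()):
        print(f"{host}: {n} machine-auth failures on {ports[host]}")
```

Run it against your own export after changing the field names; a host that keeps appearing here while its users authenticate fine is a candidate for resetting the computer account rather than disabling dot1x on the port.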
