EAP-TLS with windows machine

Unanswered Question
Oct 19th, 2009

I had configured everything for certificate authentication (EAP-TLS) in Windows 2003 AD with an enterprise CA. After joining a machine to the domain I receive a certificate for the computer, then set up XP SP3 to reauthenticate every 120 sec (per the Microsoft KB). I tried two different machines with XP to use EAP-TLS authentication, but without success.

I use "authentication open" on the switch, therefore the machines can communicate with the whole network. Nothing appears in Failed Attempts.csv or Passed Attempts.csv (of course).

Only RDS.log shows some activity, ending with the following line (repeated):

NAS: 172.24.34.62:27910:25 Cleaning lookup entry.

If I change the authentication type to PEAP, which I have not configured on ACS, then a failed attempt is logged: EAP_PEAP Type not configured.

Is it necessary to apply http://support.microsoft.com/kb/957931 on Windows XP for machine authentication to succeed?

Please pay attention to the attachments and let me know what could be the problem with my unsuccessful use of EAP-TLS.

Configuration of the interface I use for testing:

interface GigabitEthernet0/42
 description Test 802.1X klient - Filip
 switchport access vlan 34
 switchport mode access
 switchport voice vlan 31
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 authentication periodic
 authentication violation protect
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

Filip POHRONSKY Wed, 10/21/2009 - 03:26

As I see it, my problem looks harder than I had expected.

How could I obtain support for this kind of problem? Is there any possibility to contact Cisco Support directly?

Jatin Katyal Wed, 10/21/2009 - 04:05

Hi Filip,

Just noticed your post...

In order to use EAP-TLS you should ensure that you have the complete certificate chain. I've noticed that EAP-TLS and Service Pack 3 have some compatibility issues, so please try authenticating with a Windows XP SP2 machine.

Microsoft made some changes in SP3 for wired 802.1X:

Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3
http://support.microsoft.com/kb/949984/

In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:

* The WZCSVC service

* The Wired AutoConfig service (DOT3SVC)

As we are using wired authentication, I would suggest you check whether the Wired AutoConfig service is running or not. You can check by manually starting the Wired AutoConfig service.

If you are an end-user who has already installed Windows XP SP3, follow these steps:

1. Click Start, and then click Run.

2. In the Open box, type services.msc, and then press ENTER.

3. Locate the Wired AutoConfig service, right-click it, and then click Start.

Since we are not getting any hits on the ACS for EAP-TLS, it clearly indicates that the supplicant is not sending an access-request...

CERTIFICATE REQUIREMENT IN EAP-TLS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121

ACS CONFIGURATION:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247

MICROSOFT XP CLIENT CONFIGURATION:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392

As far as PEAP is concerned, where we are getting EAP_TYPE not configured: here you need to enable PEAP-MSCHAPv2 on the ACS under System Configuration > Global Authentication Setup and check PEAP and EAP-TLS.

Also make sure that your logging is set to full: go to System Configuration > Service Control > check the radio button for FULL > click Restart.

Also, let me know the full ACS version and platform.

HTH

JK

Do rate helpful posts-

Filip POHRONSKY Tue, 10/27/2009 - 08:38

Thank you for the response. I checked everything in the configuration as you recommended.

I need to use only EAP-TLS; that is why EAP_TYPE not configured appears when I turn it on on the Windows XP machine.

For now I will try to use Windows XP SP2. I have had only SP3 so far.

I found what may be a critical error:

AUTH 27/10/2009 16:22:45 I 2849 5576 0x0 Start UDB_UPDATE_LOCALHOST, client 27 (127.0.0.1)
AUTH 27/10/2009 16:22:45 I 5591 5576 0x0 Done UDB_UPDATE_LOCALHOST, client 27, status UDB_HOST_DB_FAILURE

Could that be a reason why machine authentication does not work?

I use CiscoSecure ACS Release 4.2(0) Build 124 Patch 12 running on Windows 2008 Server with DC and CA on the same machine.

Filip POHRONSKY Thu, 10/29/2009 - 06:47

I tried switching to PEAP with MSCHAPv2 authentication and it works fine; the machine was authenticated and a dynamic user was created.

I checked the certificates against the docs you provided.

When I switched to PEAP with EAP-TLS certificate authorisation, everything fell down to unauthorised.

I attach an auth.log file; please look at it, maybe you will see an error.

I think the problem is somewhere around

AUTH 29/10/2009 14:21:06 I 1165 3992 0x25 [AuthenProcessResponse]:[eapAuthenticate] returned -2046
AUTH 29/10/2009 14:21:06 I 1212 3992 0x25 EAP: <-- EAP Request/EAP-Type=PEAP (identifier=73, seq_id=10)
AUTH 29/10/2009 14:21:06 I 5591 3992 0x25 Done UDB_SEND_RESPONSE, client 50, status UDB_CHALLENGE_REQUIRED

Every time the authentication stops here (challenge required).

Filip POHRONSKY Sun, 11/01/2009 - 04:26

Problem is resolved. PLEASE RATE THIS ITEM AND MARK IT AS RESOLVED.

After many days of waiting for help and working on a solution.

Platform: Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(52)SE

The solution was to set the jumbo frame size smaller (it was 9000):

System MTU size is 1500 bytes
System Jumbo MTU size is 1518 bytes
Routing MTU size is 1500 bytes.
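The resolution above points at an MTU mismatch: EAP-TLS carries the client certificate chain as a sequence of EAP fragments, and a fragment built for a 9000-byte frame never survives a 1500-byte link, so the exchange stalls exactly at the "challenge required" state seen in the log. The following is an added illustration, not code from the thread, Cisco or Microsoft: it implements the RFC 5216 fragment format (L and M flags plus the 4-byte TLS length) and a constructed link model in which any frame larger than the link MTU is dropped; the certificate-chain bytes, the 18-byte frame overhead and the fragment sizes are all assumptions.

```python
import struct

EAP_RESPONSE = 2          # EAP Code for a supplicant Response
EAP_TYPE_TLS = 13         # EAP-TLS method type (RFC 5216)
FLAG_L, FLAG_M = 0x80, 0x40   # Length-included and More-fragments flags
FRAME_OVERHEAD = 14 + 4   # Ethernet + EAPOL headers, assumed fixed

def fragment_eap_tls(tls_msg: bytes, ident: int, frag_size: int) -> list:
    """Split one TLS message (e.g. a certificate chain) into EAP-TLS Response
    packets. The first fragment carries the L flag and the 4-byte total TLS
    length; every fragment except the last sets M (RFC 5216 section 3.1)."""
    packets = []
    for off in range(0, len(tls_msg), frag_size):
        chunk = tls_msg[off:off + frag_size]
        flags, header = 0, b""
        if off == 0:
            flags |= FLAG_L
            header = struct.pack("!I", len(tls_msg))
        if off + len(chunk) < len(tls_msg):
            flags |= FLAG_M
        payload = bytes([EAP_TYPE_TLS, flags]) + header + chunk
        packets.append(struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(payload)) + payload)
        ident = (ident + 1) & 0xFF   # identifier advances with each round trip
    return packets

def reassemble_eap_tls(packets: list, link_mtu: int):
    """Authenticator side. Returns the TLS message, or None when a fragment
    was lost because its frame exceeded the link MTU (constructed model of
    the jumbo-frame mismatch: the exchange stalls waiting for a reply)."""
    expected, buf = None, bytearray()
    for pkt in packets:
        if len(pkt) + FRAME_OVERHEAD > link_mtu:
            return None
        code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if code != EAP_RESPONSE or length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        flags, data = pkt[5], pkt[6:]
        if flags & FLAG_L:
            expected, data = struct.unpack("!I", data[:4])[0], data[4:]
        buf += data
        if not flags & FLAG_M:
            if expected is not None and len(buf) != expected:
                raise ValueError("length mismatch after reassembly")
            return bytes(buf)
    return None   # ran out of fragments with M still set

CHAIN = bytes(range(256)) * 12   # constructed 3 KB stand-in for a cert chain

def exchange(frag_size: int, link_mtu: int):
    return reassemble_eap_tls(fragment_eap_tls(CHAIN, 73, frag_size), link_mtu)
```

exchange(1398, 1500) rebuilds the chain from three fragments, while exchange(8000, 1500) returns None because the single oversized fragment is dropped; the same oversized fragment does get through on a 9000-byte link.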
