EAP-TLS Don't Works with machine Authentication with WinXP SP3

Unanswered Question
Aug 11th, 2010
User Badges:

I have cinfugured 802.1X with the following componentes

- Windows Server 2003 AD with enterprise CA

- Cisco Secure ACS 4.2 like Server AAA, Setup to use EAP-TLS authentication with Machine Authentication.

- Win XP SP3

I tried to authenticate the machine with Win XP SP3 using EAP-TLS but  sometimes the ACS Server doesn't receive the request and other times the authentication fail.

I need implement EAP-TLS to force to use it certificates but the client uses only Windows XP SP3.

What is the problem to use EAP-TLS with Win XP SP3?. I used Windows and it works almost fine but there is one problem: the user is asigned to the default group and not to the group mapped..

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Christopher Bell Tue, 08/17/2010 - 05:29
User Badges:
  • Bronze, 100 points or more

Did you verify the machines are getting the certificate in the MMC snap in?  If so, I know there was a registry edit we had to do for machine based authentication using certificates.  It was a pain on XP boxes until we figured it out, but works out of the box on Windows 7 boxes.

iilyinas Wed, 10/27/2010 - 03:06
User Badges:
  • Cisco Employee,


Check that you have "dot1x pae authenticator" command configured on switch port.

Details on the command is here: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_d2.html#wp1034077

Cheers, Iron


If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Bastien Migette Wed, 10/27/2010 - 06:44
User Badges:
  • Cisco Employee,

Are you trying to authenticate machine on boot, or when user is logging ? Sometimes the XP box is booting, but the time the user logs in, the auth timer has expired and the link is unauthorized, and windows XP isn't sending EAPoL so there's no authentication and the link stays down.

Try to debug dot1x on your switch/controller to see what's happening, and try to set supplicantMode to 3 in registry as described here:



This Discussion