ACS 4.2 certificate based authentication and Windows 7

Freerk Terpstra · ‎01-10-2012

Hi!

First some background information. We use a combination of Cisco ACS and Cisco catalyst 3560 switches for network authentication and authorization. Clients (Windows XP) have a certificate installed which will grand access to the network and put them in the correct VLAN. So far, so good.

Some users are testing with Windows 7 in the same set-up as above and run into strange behaviour. The problem is that after a random timer the machine gets de-authenticated and nothing besides a reboot helps to get the computer authenticated again (from a Windows point of view). It looks like this only happens to users who are using a certificate to authenticate, Windows 7 MAC bypass users have no such problems. If it occurs, the following logging appears in ACS:

01/10/2012 11:08:11 Authen failed host/$hostname.$domain.$extension .. .. (Unknown) Authen session timed out: Challenge not provided by client

01/10/2012 11:07:47 Authen failed host/$hostname.$domain.$extension .. .. (Unknown) Authen session timed out: Challenge not provided by client

01/10/2012 11:07:29 Authen failed host/$hostname.$domain.$extension .. .. (Unknown) Authen session timed out: Challenge not provided by client

Windows is just saying that it is trying to authenticate, nothing more. The switch configuration is as follow:

aaa authentication dot1x default group radius

aaa authorization network default group radius

!

dot1x system-auth-control

!

interface FastEthernet0/1

switchport access vlan 101

switchport mode access

switchport voice vlan 50

no logging event link-status

srr-queue bandwidth share 10 10 60 20

priority-queue out

authentication control-direction in

authentication event no-response action authorize vlan 100

authentication host-mode multi-domain

authentication port-control auto

authentication periodic

mab

mls qos trust cos

no snmp trap link-status

auto qos voip trust

dot1x pae authenticator

dot1x timeout tx-period 15

spanning-tree portfast

spanning-tree bpduguard enable

!

radius-server dead-criteria time 3 tries 1

radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key 7 notarealkey

radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key 7 notarealkey

radius-server retry method reorder

radius-server deadtime 10

We are using ACS 4.2(0) Build 124 and 3560-48PS switches with IOS 12.2(55). Do you have any idea what might go wrong? If more information is needed, let me know! I'm looking forward to your response..

Kinds regards,

Freerk

camejia · ‎01-10-2012

Hello Freerk,

The ACS > System configuration > Global Authentication Setup > EAP-TLS > includes a session timeout value: 120 minutes.

Does the issue occur after 2 hours the machine has authenticated for the first time during the day? In that case you might want to increase the timeout for the EAP-TLS session.

Windows native supplicants will perform machine authentication during PC bootup only. If the EAP-TLS session timeout expires then the ACS will send a "Challenge" to the client in order to "reauthenticate" it again. At this point the Windows 7 supplicant might not be able to provide the appropriate credentials for the ACS to validate, therefore, the ACS might report the "Authen session timed out: Challenge not provided by client".

The above error is most likely related to a client issue as the ACS is asking for something the supplicant cannot provide at that point.

You might want to check if increasing the EAP-TLS Session timeout helps you on this specific issue.

NOTE: You might want to check as well with MS Support if there was a change on how the Windows XP and Windows 7 supplicant behaves when getting a challenge for machine credentials and the computer had already booted up.

Hope this helps.

Regards.

Freerk Terpstra · ‎01-10-2012

Thanks for the quick reply, I will look into it . Sometimes it goes good for weeks, sometimes it occurs twice a day. There isn't something like a pattern sadly. However, if it happens, a few clients gets deauthenticated at the same time (it looks like every Windows 7 client with certificate based authentication).

spm_saj_cisco · ‎03-07-2012

Hi, Is this resolved yet? we are having the same issue. Windows 7 users are having intermittent problem in 4.2. EAP-TLS is not enabled for us. Therefore the 120 minutes may not be applicable. We do certificate based authentication which by default seem to work on XP users without any issue. But windows 7 users - many of them error out, and verry few can get it working.

And here is the interesting part - we have an old unsupported 3.3 server. That seem to work fine for windows 7 users. Only 4.2 is having the problem.

amin.amor · ‎06-19-2012

Hi,

Do you have resolution to this issue?

I have the same problem. The Authentication works fine the first time when the PC connect to the network but when I disconnect the LAN cable and reconnect, the traffic capture shows a request from the switch but no reply from Windows7.

The difference between XP and windows 7 is that the SSL.handshake.sessionId is the same for windows 7 (when I disconnect and connect to the LAN) but for Windows XP the sessionid is not the same after each disconnect and connect.

This isssue only happened with Windows 7 and ACS 4.2.

Windows 7 ACS 5 is good.

XP with ACS 4.2 is good.

Your network partner in Luxembourg
http://www.itnet.lu