Seeing multiple-passed machine and user authentications???


I am interested if others are seeing multiple-passed machine and user authentications.


Using 802.1x PEAP-MSCHAPv2 wireless authentication.


XP(SP3) - Getting dual-passed machine authentications, then dual-passed user authentications
Win7 - Getting triple-passed machine authentications, then triple-passed user authentications (sometimes just duals)


Seeing this behavior in two customer environments:


Customer 1
Mix of 2008/2003 DCs
CSACS-1121-K9  5-3-0-40-1
AIR-CT5508-K9 7.0.220.0


Customer 2
Mix of 2008/2003 DCs
CSACS-1121-K9  5-3-0-40-3 (also saw issue with patch 2)
AIR-CT5508-K9 7.2.103.0

                  


???

George Stefanick Fri, 04/27/2012 - 12:03

I have a similar environment. I just checked my logs and I am not seeing double or triple authentications for devices or clients.


Although, I am not on 7.2 yet.


Did you do a wireless packet capture to see what is actually being sent from the client? I wonder if your client is doing a preauthentication to another AP in advance. But windoz does PMK cache, not preauthentication. So that wouldn't be it...


Have you tried the free Cisco AnyConnect 3.x? It has a wireless supplicant. Just for testing purposes, to see if it still acts the same way?

Been working with TAC on this for several weeks. Looks like clients are sending EAPOL-START even after they have already authenticated. Right now we are having customer tweak an XP registry to suppress EAPOL-START messages, just to see how it reacts. Have not heard results yet.


I can't be the only one seeing this behavior, at two different sites... can I?


FYI... schedule about an extra 30-45+ minutes when you upgrade to 7.2, as there is a FUS upgrade that is also part of going to 7.2. FUS updates low-level WLC components. You've got to babysit it, because it prompts you for each upgrade to each component.

George Stefanick Fri, 04/27/2012 - 13:45

Have you tried a different supplicant rather than the XP and 7 itself?


Thanks for the heads up on 7.2.
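
One way to quantify the repeated passed authentications discussed in this thread from exported RADIUS records, as an added example that is not from any poster or from Cisco. The CSV column names, the sample rows and the 10-second burst window are assumptions; the only protocol fact relied on is that Windows supplicants present machine credentials as `host/<fqdn>`.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows. The column names are assumptions, not an ACS export format.
SAMPLE_LOG = r"""timestamp,mac,identity,status
2012-04-27 08:00:01,00-11-22-33-44-55,host/pc01.example.local,Pass
2012-04-27 08:00:03,00-11-22-33-44-55,host/pc01.example.local,Pass
2012-04-27 08:00:05,00-11-22-33-44-55,host/pc01.example.local,Pass
2012-04-27 08:01:10,00-11-22-33-44-55,EXAMPLE\alice,Pass
2012-04-27 08:01:12,00-11-22-33-44-55,EXAMPLE\alice,Pass
2012-04-27 08:00:02,66-77-88-99-aa-bb,host/pc02.example.local,Pass
2012-04-27 09:30:00,66-77-88-99-aa-bb,host/pc02.example.local,Pass
2012-04-27 08:02:00,66-77-88-99-aa-bb,EXAMPLE\bob,Fail
"""


def auth_kind(identity):
    # Windows machine authentication uses an identity of the form host/<fqdn>.
    return "machine" if identity.lower().startswith("host/") else "user"


def find_repeats(log_text, window=timedelta(seconds=10)):
    """Return (mac, kind, count, first_seen) for each burst of >1 passed auths."""
    events = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["status"] != "Pass":
            continue  # only successful authentications are of interest here
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        key = (row["mac"].upper(), auth_kind(row["identity"]))
        events.setdefault(key, []).append(ts)

    bursts = []
    for (mac, kind), stamps in events.items():
        stamps.sort()
        start, count = stamps[0], 1
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev <= window:
                count += 1  # still inside the same burst
                continue
            if count > 1:
                bursts.append((mac, kind, count, start))
            start, count = cur, 1  # a normal, later re-authentication starts fresh
        if count > 1:
            bursts.append((mac, kind, count, start))
    return sorted(bursts, key=lambda b: (b[3], b[0]))


if __name__ == "__main__":
    for mac, kind, count, first in find_repeats(SAMPLE_LOG):
        print(f"{first}  {mac}  {kind:7}  {count} passed auths in one burst")
```

Comparing the burst counts per client OS before and after a supplicant or registry change shows whether the change had any effect.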
