Cisco Support Community
New Member

802.1x Machine Based Authentication - Password expired

Hi,

I would like to ask 1 question about machine based authentication on 802.1x.

1. We are deploying 802.1x for wired users.

2. Some users are using machine-based authentication in order to authenticate their port.

3. However, after the user's password expired, the user needs to change their password, and then the machine is unable to authenticate. The error I got is "External DB user invalid or bad password". Then the switch assigns the user to the Guest VLAN.

4. But once I unplug the UTP cable and plug it back in after the user logs in, the switch assigns the user to the proper VLAN.

5. The user won't be able to access their shared drive, etc., since the guest VLAN only has access to the internet.

6. Does anyone have any idea what is happening? It seems that the machine is sending the old password during the authentication process to the ACS.

Can anybody shed some light on this for me? Thanks.

4 REPLIES
Cisco Employee

Re: 802.1x Machine Based Authentication - Password expired

What version of ACS is giving you this error?

Also, can you make sure it's a failing user-auth session here and not a failing machine-auth session?

New Member

Re: 802.1x Machine Based Authentication - Password expired

I'm using version 4.2.

How do I make sure that it's a user-auth session?

It's because once the user logs in to the PC, she is assigned to the proper VLAN. But before login, the PC is assigned to the Guest VLAN. This is because the machine will try to authenticate using the machine ID first.

Cisco Employee

Re: 802.1x Machine Based Authentication - Password expired

This should certainly work with that rev. On your passed (or failed) auth log, you should see the username of the session authenticating. If you see the FQDN of the machine, this is a machine auth. Also, machine-auth typically executes before the GINA is displayed to the user. It sounds like machine-auth is failing and we need to determine why. Has this machine been away from the domain for long?

This also might help:

http://supportwiki.cisco.com/ViewWiki/index.php/802.1x_authentication_with_Cisco_Secure_Access_Control_Server_fails_to_work_for_Microsoft_Windows_XP_PC

New Member

Re: 802.1x Machine Based Authentication - Password expired

Yes, it's machine authentication.

It has never been away from the domain. It's just that the user needs to change her password due to expiry.

Before her password expired, no problem occurred. It seems to me that the machine is trying to authenticate with the old password.
