Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member



I have the 802.1x authentication using Cisco ACS using XP/2000 clients scenario. What I read in Cisco docs says that with Cisco Secure ACS 3.1, it cannot be integrated with Active directory for EAP-MD5. Since Microsoft has their own CHAP thing. This may be supported in the next version.

I haven't tried this with MS IAS in the radius front. I think youhave done this. Please answer me the following queries.

1) Can i get authenticated for 802.1x client in windows 2000 /Xp before i getting windows login window or with the windows login window.

2) With Cisco ACS I have to login to my cache first. When i login into my cache windows profile since my port is not open my login script wont work , any other way to get this thing done

3) Will i get all my domain security policy once i am logged in withn cache profile

4) After getting autheciation by 802.1x client will i get IP address form my DHCP server.

5) what difference it makes when I change radius authentication to MS IAS.

Please help me. Waiting for your response

lalit / gopa


Re: 802.1x/win2k/xp/acs/2950

Hi Lalit,

I will address your questions with the best of my ability as I haven't personally triesd this out.

1) AFAIK, this is not possible. Its the Microsoft 2000/XP client so I guess consulting with Microsoft may guide to the right direction. I think it can be an enhancement request to Microsoft but, please consult with their support first.

2) No, again, if Microsoft XP/2000 has capability to integrate the 802.1x client authentication with the machine login transparently, then only its possible. Again, consulting with Microsoft will guide to the right direction.

3) Yes, you should

4) Yes

5) Will not make any difference, as that piece comes later.

Regarding chap and ms-chap issue with NT/2K domain, one thing for sure is with microsoft domain controller, its not possible at all to use anything other than MS-CHAP. ACS cannot control that behavior. Now, its the client responsibility to decide to use CHAP or MS-CHAP, so I think it makes sense to have this option on XP. Again, talking to Microsoft will lead to the right direction. Could be an enhancement request for Microsoft. So, please consult with Microsoft support. Thanks,




CreatePlease to create content