Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

dot1x machine authentication failing

I have been having a random problem for a while now with machine authentication with dot1x.

Our switches are configured for dot1x vlan assignment (vlan11 for authenticated users, and vlan17 for guest or failed authentication). I get calls from users randomly who get assigned IP addresses from vlan17 when they should be getting addresses from 11.

ACS failed logs report "External DB user invalid or bad password" and Windows event logs on the domain controllers confirm this.

After a little research and a few TAC cases, automatic computer account password changes in AD seem to be the culprit. What I do not understand is why this happens on desktop machines who stay plugged into the network 24/7.

Is anyone else seeing this type of activity? Is there a way to enter user credentials as a backup if the machine authentication fails?

My current workaround is disabling dot1x on the port for a day or so which gives time for the passwords to resync, but this becomes a pain.

4 REPLIES
Silver

Re: dot1x machine authentication failing

This is an ACE problem with the passcode. During this time, the ACS Failed Attempts log shows either the message "External DB auth failed" or "External DB user invalid or bad password". You may try the bug ID CSCdz30103.

Community Member

Re: dot1x machine authentication failing

That bug ID doesn't include enough details to be of any help. It does mention that it was found with ACS version 3.1 and Windows 2k clients. We are running Windows XP clients and ACS version 4.1.

Cisco Employee

Re: dot1x machine authentication failing

Have you tried clearing dynamic users in ACS when this occurs?

If you are using the Microsoft native supplicant, there is a registry setting that's supposed to allow you to do user auth if machine auth fails.

Community Member

Re: dot1x machine authentication failing

I have tried clearing the dynamic users, but it didn't help. My next attempt will be to set the AuthMode registry key to 0 instead of 2 and see if that helps. With the problem being so random please post any more suggestions as it could be a while before the problem shows up again.

412
Views
0
Helpful
4
Replies
CreatePlease to create content