I have been having a random problem for a while now with machine authentication with dot1x.
Our switches are configured for dot1x vlan assignment (vlan11 for authenticated users, and vlan17 for guest or failed authentication). I get calls from users randomly who get assigned IP addresses from vlan17 when they should be getting addresses from 11.
ACS failed logs report "External DB user invalid or bad password" and Windows event logs on the domain controllers confirm this.
After a little research and a few TAC cases, automatic computer account password changes in AD seem to be the culprit. What I do not understand is why this happens on desktop machines that stay plugged into the network 24/7.
Is anyone else seeing this type of activity? Is there a way to enter user credentials as a backup if the machine authentication fails?
My current workaround is disabling dot1x on the port for a day or so which gives time for the passwords to resync, but this becomes a pain.
This is an ACE problem with the passcode. During this time, the ACS Failed Attempts log shows either the message "External DB auth failed" or "External DB user invalid or bad password". You may look at bug ID CSCdz30103.
I have tried clearing the dynamic users, but it didn't help. My next attempt will be to set the AuthMode registry key to 0 instead of 2 and see if that helps. With the problem being so random, please post any more suggestions, as it could be a while before the problem shows up again.
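As an added example (not code from any poster in this thread), the script below correlates the ACS Failed Attempts messages quoted above with the pwdLastSet time of each AD computer account, so that machines whose failures start right after a password rollover can be picked out instead of waiting for the next user call. The CSV column layout, the sample log rows and the AD export are constructed assumptions; only the failure-code strings come from the thread.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed ACS Failed Attempts excerpt; the column layout is an assumption.
ACS_FAILED_LOG = """\
Date,Time,User-Name,Authen-Failure-Code,NAS-IP-Address
03/12/2008,08:01:14,host/pc-0417.example.local,External DB user invalid or bad password,10.1.1.5
03/12/2008,08:03:52,jsmith,External DB user invalid or bad password,10.1.1.5
03/12/2008,09:10:03,host/pc-0122.example.local,External DB auth failed,10.1.1.6
03/12/2008,09:45:40,host/pc-0417.example.local,External DB user invalid or bad password,10.1.1.5
"""

# Constructed AD export: sAMAccountName -> pwdLastSet (as you would pull via LDAP).
PWD_LAST_SET = {
    "PC-0417$": datetime(2008, 3, 12, 7, 55),
    "PC-0122$": datetime(2008, 2, 1, 12, 0),
}

MACHINE_PREFIX = "host/"
BAD_DB_MESSAGES = {"External DB auth failed", "External DB user invalid or bad password"}


def machine_account(user_name):
    """Map the Windows machine-auth identity 'host/pc.domain' to the AD account 'PC$'."""
    if not user_name.lower().startswith(MACHINE_PREFIX):
        return None  # a user identity, not a computer account
    fqdn = user_name[len(MACHINE_PREFIX):]
    return fqdn.split(".")[0].upper() + "$"


def suspect_password_rollover(log_text, pwd_last_set, window=timedelta(hours=24)):
    """Return {account: [failure times]} for machine accounts whose external-DB
    failures fall within `window` after the computer-account password changed."""
    hits = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        acct = machine_account(row["User-Name"])
        if acct is None or row["Authen-Failure-Code"] not in BAD_DB_MESSAGES:
            continue
        when = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        changed = pwd_last_set.get(acct)
        if changed is not None and timedelta(0) <= when - changed <= window:
            hits.setdefault(acct, []).append(when)
    return hits


if __name__ == "__main__":
    for acct, times in suspect_password_rollover(ACS_FAILED_LOG, PWD_LAST_SET).items():
        print(acct, "failed", len(times), "times within 24h of its password change")
```

Accounts that keep failing well outside the window (PC-0122$ in the sample) point at a different cause than the password rollover and are left out of the report.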