Cisco Support Community

New Member

EAP-TLS Doesn't Work with Machine Authentication with WinXP SP3

I have configured 802.1X with the following components:

- Windows Server 2003 AD with enterprise CA

- Cisco Secure ACS 4.2 as the AAA server, set up to use EAP-TLS authentication with machine authentication.

- Win XP SP3

I tried to authenticate the machine with Win XP SP3 using EAP-TLS, but sometimes the ACS server doesn't receive the request and other times the authentication fails.

I need to implement EAP-TLS to force the use of certificates, but the client uses only Windows XP SP3.

What is the problem with using EAP-TLS with Win XP SP3? I used Windows and it works almost fine, but there is one problem: the user is assigned to the default group and not to the mapped group.

5 REPLIES

Re: EAP-TLS Don't Works with machine Authentication with WinXP S

Did you verify the machines are getting the certificate in the MMC snap-in? If so, I know there was a registry edit we had to do for machine-based authentication using certificates. It was a pain on XP boxes until we figured it out, but it works out of the box on Windows 7 boxes.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.
New Member

Re: EAP-TLS Don't Works with machine Authentication with WinXP S

You have to modify your LAN profile to do computer-only authentication:

http://support.microsoft.com/kb/929847

New Member

Re: EAP-TLS Don't Works with machine Authentication with WinXP S

Hi michaelillgen, I made the changes to force machine-only authentication, as described in the Microsoft support article http://support.microsoft.com/kb/929847, before opening this discussion, but the issue is the same. I did that for the wired and wireless profiles, but it does not work.

Cisco Employee

Re: EAP-TLS Don't Works with machine Authentication with WinXP S

Hi!

Check that you have the "dot1x pae authenticator" command configured on the switch port.

Details on the command are here: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_d2.html#wp1034077

Cheers, Iron

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Cisco Employee

Re: EAP-TLS Don't Works with machine Authentication with WinXP S

Are you trying to authenticate the machine on boot, or when the user is logging in? Sometimes the XP box is booting, but by the time the user logs in, the auth timer has expired and the link is unauthorized, and Windows XP isn't sending EAPoL, so there's no authentication and the link stays down.

Try to debug dot1x on your switch/controller to see what's happening, and try to set supplicantMode to 3 in the registry as described here:

http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx
