eap-tls wired 802.1x - certificate issue?

redray8
Level 1

I have configured ACS 4.0 and a 2003 Enterprise root CA on the same server, successfully applied the GPO to auto-enroll machines with Computer certificates, and then enabled 802.1x security on Catalyst 3750s. Note this is for wired 802.1x.

If I reboot the machine, the EAP packets go through and you can see a successful authentication in the "Passed Authentications" log. However, if you disconnect the wire and then plug it back in, Windows gets stuck in "Validating Identity", and eventually a balloon pops up saying: "Windows was unable to find a certificate to log you on". Doing a 'sh dot1x interface ...' shows it is CONNECTING until the auth timeout is reached, then it dumps the workstation into the guest VLAN. Nothing is logged to Passed Authentications or Failed Attempts on the ACS server.

Basically, the only time the EAP-TLS machine authentication works is when you reboot the machine. And if you change the state of the port, either by disabling/enabling from the workstation or switch, or by unplugging the cable and plugging it back in, Windows does not seem to pass the certificate information along to the PAE.

This does not seem to happen when a user/client certificate is issued, only when it is a machine/computer certificate.

Has anybody seen this before and have any solutions for why Windows cannot recognize the machine certificate properly?

5 Replies

Steve Chapman
Level 1

I have the same problem on the wireless side. I get "Windows was unable to find a certificate to log you on to the network [SSID]". I also don't get anything on the ACS server. I am using the MS wireless client. If I use the Intel PRO client I can get it to work fine. Any help would be great.

fkatsumi1
Level 1

I have basically the exact same issue here. I'm using Microsoft Enterprise CA and IAS to authenticate wired users with machine certificates. Certificates are auto enrolled by group policy.

I think there are two issues here. When the user turns the machine on and gets a logon screen the dot1x port is still trying to authenticate.

If the user logs on before the machine is authorized Windows will not submit the computer certificate. If the user waits a while to logon then the port authorizes and the machine is allowed on the network. At this point the user can logon and have no problem.

These wired users do not have a user certificate on their machines.

The problem is that Windows will not use computer certificate once the user has logged on.

I'm sorry I don't have any workaround but when I do I will post here.

It seems that when a user is logged in, Windows does not even look for a machine certificate. However, after speaking with tech support, they told me that to configure computer-only authentication for wired clients you have to change this registry setting:

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode=2

If it is not in there, it is of type DWORD, and it may require a restart for the change to be registered with the 802.1x stack. I had to tear down my lab, but I will test this again next week; I was wondering if this helps you guys out at all.

ray

We solved our WIRELESS problem by editing the following entries. I'm sure this can be applied to the wired side somehow.

The information about the correct settings can be found in this Microsoft document:

http://technet2.microsoft.com/WindowsServer/en/library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true

The areas of interest are the SupplicantMode (EAPOL-Start Message) and AuthMode (what type of authentication to use) registry entries. These can be configured manually in the registry or applied via Group Policy.

This allows just the machine to authenticate (using a cert already on the machine); then we use our ACS server to auth the user via AD.

I am doing this wirelessly, and as long as you are using a WDS, the following will be the result.

Roaming AP to AP I only lost 1 packet.

Roaming from VLAN to another VLAN I lost 5 packets (different IP address).

Shutting the wireless off and back on I only lost 8 packets.

I thought this was a very good result. We will be launching our lab with 35 plus laptops in a classroom with 2 radios.

I was also looking at this KB:

http://support.microsoft.com/kb/309448

Just tested on one client with this same registry key set to 0 (prior to SP1), and it seems to do the trick. I haven't tried 2, as this is a hard-wired desktop.

Bad thing is that this is a registry setting that needs to be placed on every wired machine. Current Group Policy is really geared toward the wireless interface, and you need to set up an SSID profile in order to change this registry key.

I guess I'll have to write a script and run it as a logon script.

fred
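As an added example that is not part of the thread: the script fred says he will have to write, covering the registry key ray posted (AuthMode=2 for computer-only authentication) and the SupplicantMode entry Steve mentions. It is a computer startup script rather than a logon script, because the value is under HKLM and the thread's point is that the machine must authenticate before any user logs on. The key path, the value name and the meaning of AuthMode=2 are taken from the posts; the script's function names, the use of PowerShell, and leaving SupplicantMode unset by default are assumptions of this example. It requires local administrator rights.

```powershell
# Added example, not code from the thread. Sets the Windows EAPOL supplicant to
# computer-only 802.1X authentication by writing the registry value discussed above.
# Key path and value name: from the thread. AuthMode=2 = computer-only: as the posts state.
# Run as a computer startup script (HKLM write needs admin rights).

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'

# Returns the current REG_DWORD value, or $null when the key or value is absent
# (the thread notes the value may not exist yet).
function Get-EapolValue {
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Creates the key if needed and writes the value as REG_DWORD.
# Returns $true when something was changed, $false when it was already correct,
# so the caller knows whether the restart the thread mentions is needed.
function Set-EapolValue {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateRange(0, 2)][int]$Value
    )
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    $current = Get-EapolValue -Name $Name
    if ($current -eq $Value) {
        Write-Output "$Name is already $Value; nothing to do."
        return $false
    }
    New-ItemProperty -Path $KeyPath -Name $Name -Value $Value `
        -PropertyType DWord -Force | Out-Null
    Write-Output "$Name changed from '$current' to $Value."
    return $true
}

# AuthMode=2: computer-only authentication (value from ray's post).
$changed = Set-EapolValue -Name 'AuthMode' -Value 2

# SupplicantMode controls EAPOL-Start behaviour (Steve's post points at the Microsoft
# document for its values). The thread does not say which value was used, so it is
# left to the operator; uncomment and pick a value after reading that document.
# $changed = (Set-EapolValue -Name 'SupplicantMode' -Value 2) -or $changed

# Read back what is now in the registry so the startup-script log shows the end state.
Write-Output ("Effective AuthMode: {0}" -f (Get-EapolValue -Name 'AuthMode'))

if ($changed) {
    # ray's post: the 802.1x stack may need a restart to pick up the change.
    Write-Warning 'EAPOL settings changed; a reboot may be required before they take effect.'
}
```

Deploy it under Computer Configuration as a startup script so it runs before the user logs on, which is exactly the window in which, per fkatsumi1's post, the machine certificate is still usable. On a hard-wired desktop this sidesteps the wireless-only Group Policy limitation fred describes without creating an SSID profile.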