I have configured ACS 4.0 and an 2003 Enterprise root CA on the same server, successfully applied the GPO to auto-enroll machines with Computer certificates, and then enabled 802.1x security on Catalyst 3750s. Note this is for wired 802.1x.
If I reboot the machine, the EAP packets go through and you can see a successful authentication in the "Passed Authentications" log. However, if you disconnect the wire and then plug it back in, Windows gets stuck in "Validatiny Identity", and eventually a balloon pops up saying: "Windows was unable to find a certificate to log you on". Doing a 'sh dot1x interface ...' shows it is CONNECTING until the auth timeout is reached then it dumps the workstation into the guest vlan. Nothing is logged to Passed Authentications or Failed Attempts on the ACS server.
Basically, the only time the EAP-TLS machine authentication works is when you reboot the machine. And if you change the state of the port either by diabling/enabling from the workstation or switch, or unplug the cable and plug it back in, Windows does not seem to pass the certificate information along to the PAE.
This does not seem to happen when a user/client certificate is issued, only when it is a machine/computer certificate
Has anybody seen this before and have any solutions why Windows cannot recogonize the machine certificate properly?
I have the same problem on the wireless side. I get the Windows was unable to find a certificate to log you on to the network [SSID}. I also don't get anything on the ACS server. I am using MS wireless. If I use the Intel PRO I cna get it to work fine. Any help would be great.
I have basically the exact same issue here. I'm using Microsoft Enterprise CA and IAS to authenticate wired users with machine certificates. Certificates are auto enrolled by group policy.
I think there are two issues here. When the user turns the machine on and gets a logon screen the dot1x port is still trying to authenticate.
If the user logs on before the machine is authorized Windows will not submit the computer certificate. If the user waits a while to logon then the port authorizes and the machine is allowed on the network. At this point the user can logon and have no problem.
These wired users do not have user certificate in their machine.
The problem is that Windows will not use computer certificate once the user has logged on.
I'm sorry I don't have any workaround but when I do I will post here.
It seems that when a user is logged in, Windows does not even look for a machine certificate.. however after speaking with tech support they told me to configure computer-only authentication for wired clients you have to change this registry setting:
If it is not in there, it is a type DWORD, and may require a restart for the changes to be registered with the 802.1x stack. I had to teardown my lab, but I will test this again next week, but I was wondering if this helps you guys out at all.
The areas of interest are the SupplicantMode (EAPOL-Start Message) and AuthMode (what type of authentication to use) registry entries. These can be configured manually in the registry or applied via Group Policy.
This allows just the machine to authenticate (using a Cert all ready on the Machine) then we use our ACS server to auth the user via AD.
I am doing this wirelessly and using as long as you are using a WDS the following will be the result.
Roaming AP to AP I only lost 1 packet.
Roaming from Vlan to other Vlan I lost 5 packets (Different ip address)
Shutting the wireless off and back on I only lost 8 packets.
I thought this was a very good result. We will be launching our lab with 35 plus laptops in a classroom with 2 radios.
Just tested on one client with this same registry key set to 0 (prior to SP1) and it seems to do the trick. I haven't tried 2 as this is a hard wired desktop.
Bad thing is that this is a registry setting that needs to be placed in every wired machine. Current Group Policy is really geared for wireless interface and you need to setup SSID profile in order to change this registry key.
I guess I'll have to write a script and run it as a logon script.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...