user auth fails using 802.1x (EAP-TLS)

andrewjacobs
Level 1

I'm currently testing 802.1x machine and user authentication using EAP-TLS. Right now I'm testing them separately, and machine auth works great, but user auth doesn't.

Here's what I'm using:

Smart Cards -> Built-in Microsoft XP supplicant -> Catalyst 4006 Switch -> Cisco Secure ACS 3.3 -> Microsoft Active Directory

After I log in using the smart card, an EAPOL message from the computer is sent to the switch, and the switch replies asking for the computer to identify itself, but the computer does nothing. The switch continues asking and finally gives up because of no response. The ACS server logs no traffic from the supplicant.

Is this a supplicant issue? Using PEAP MSCHAPv2 with secured passwords works fine, but not with certificates.

1 Reply

andrewjacobs
Level 1

I found my answer. The problem was with the Microsoft supplicant. It wasn't prompting me to type in the PIN to unlock the smart card, so it couldn't read the certificate and thus the EAP process was timing out.

In order for the Windows supplicant to prompt the user for the smart card PIN, the "Show icon in notification area when connected" checkbox in the Local Area Connection properties window must be checked. They may want to think about renaming that box... :-)