
Windows XP issue using ACS for MAC Authentication

travis-dennis_2
Level 7

Hello all,

I am using ACS 4.1 for MAC based authentication as to whether or not to allow a device on the network. It is working fine for most devices but for some of the Windows XP computers I have to disable IEEE authentication on the NIC and create a registry key "SupplicantMode" with a value of "0". Does anyone know a way around having to do this on XP computers? If I don't do this I get a message saying "Windows was unable to find a certificate to log you on to the network" and the XP machines do not get authenticated.

All replies rated!!

7 Replies

jafrazie
Cisco Employee

If you plan to use MAC Authentication, this means you do not need/want 802.1X. This makes the registry setting irrelevant.

So is your question whether there is a way to avoid the registry setting, or a way to avoid having to disable 802.1X?

Thanks,

Thanks for the reply. The ultimate solution would be to get the XP machines to authenticate based on MAC and not have to change anything on the XP machines themselves. I want to avoid the registry edit. I have tested with unchecking the IEEE authentication on the properties of the NIC card. I have yet to get this to work without then having to add the registry key for SupplicantMode.

Thanks

When you disable 802.1X, this disables the functionality on the client, so the registry setting is irrelevant at that point.

This will help:

<http://www.microsoft.com/technet/network/wifi/wififaq.mspx>

Can I ask why you need/want to disable/ignore 1X in favor of MAC Authentication?

This is occurring on the wired side, not the wireless, and so far when we have disabled 802.1x on the NIC cards some computers still don't pass traffic until we do the registry edit and others work as soon as it is disabled. No apparent rhyme or reason that we can see.

The goal was to restrict wired network access to only devices that are in the ACS database so that no one could plug an unauthorized device into the network and pass traffic. We are regulating ALL network devices and most of them are not capable of doing 802.1x. Scanner guns, wireless time clocks and the like. If there is a better way to go that gets this result please feel free to share the love! :)

Thanks again!

You should be able to leverage 802.1X authentication for devices that support it, and MAC Authentication for devices that do not. Checking a MAC address is obviously a lesser form of authentication, so is there a reason you need to work toward only checking MACs? Is it motivated by MAC addresses being a least common denominator?

802.1x is fine. I was not aware I could leverage both. Have a link for me?
