Win 7 client with machine and user auth stuck in 802.1x_REQD

Hi everybody

we have a WLC 5508 with 7.2.110.0 and an ACS 5.3 and do the following:

- Win 7 client gets a GPO object with the wlan configuration for "Machine and User authentication" with PEAP

- On ACS 5.3 I correctly configured the authentication and authorization for first machine authentication and then user authentication ("Was machine authenticated" = true)

- First when machine authentication happens, the client is configured into a quarantine VLAN, where it is only allowed to communicate with the domain controllers

- When the user authentication happens, the client is moved into the productive client VLAN with no restrictions.

Everything works fine, except that after the user logs in, it takes about 3 minutes until the client answers the EAP Identity Request and logs in, see attached screenshot or the screenshot below:

Win7.png

In the client status on the WLC I can see that the client is stuck in the 802.1x_REQD state for these 3 minutes, until suddenly it authenticates (but then very often, about 5 times - see screenshot).

We tried the following to find the problem spot, but we were not able to locate the problem:

- Configure the machine and user authentication into the same vlan all the time

- ONLY user authentication on the client

- Played with the Win 7 settings (timers, and so on)

- When we manually configured the WLAN profile on the Win 7 client and saved it, the Win 7 client connected to the SSID without any problems and without any delay (about 5 seconds after the save)

Did someone ever have the same issue?

Thanks a lot and best regards

Dominic


Win 7 client with machine and user auth stuck in 802.1x_REQD

Dominic:
It is possibly something to do with the WLAN adapter's driver, so I suggest you upgrade to the latest driver and then give it a test.

Does the issue happen with all clients, or some?

If some clients, then are they all using the same WLAN adapter model/vendor?

It is normal to have the client in 802.1x_REQD if it is not yet authenticated and that is the expected state to be at in your situation until the client fully authenticates.

- What is the supplicant that is used on the Windows machines? Default WLAN supplicant? Or do you use some commercial supplicants?

- What is the result when testing with user auth only?

- What is the result when testing with machine auth only?

HTH

Amjad


Win 7 client with machine and user auth stuck in 802.1x_REQD

Hi Amjad

Very good point on this, thanks a lot. In this case, I did not even think about the client firmware side, thought that it should be the WLC or the client settings, but not the driver. We will give this a shot next week, maybe this will help us to solve the problem.

It is normal to have the client in 802.1x_REQD if it is not yet authenticated and that is the expected state to be at in your situation until the client fully authenticates.

Absolutely correct that the client is associated and in the 802.1x_REQD state as long as the authenticator did not get the EAP Identity Response, but that the client takes such a long time to answer is not normal ;-)

- What is the supplicant that is used on the Windows machines? Default WLAN supplicant? Or do you use some commercial supplicants?

WZC.

- What is the result when testing with user auth only?

The same, it takes such a long time.

- What is the result when testing with machine auth only?

Machine authentication works as expected, fast and as soon as the client is booted, the client gets authenticated.

Regards and have a nice weekend

Dominic

Re: Win 7 client with machine and user auth stuck in 802.1x_REQD

Dominic,

I have tested this configuration in my lab with no issues like what you are seeing. Even when you just use machine or user only, it should be pretty quick. Amjad is right on about the drivers, but my question is, if you just set the policy in ACS to PEAP using username and password, do you have issues also with tablets or iDevices? If you do, then there must be something else that is causing the issue. If you sniff the traffic, can you see the request come to the RADIUS server? Did you also remove any pre-auth ACLs on the WLC, if you have any? I guess what I'm getting at is try setting it real basic and see if you can get it to work. The WLC debug aaa should also show some good info when the user is trying to associate.

These debugs are helpful for debugging RADIUS authentication, authorization, or accounting issues:

Debugs to Collect

debug client —Gives information on how reauth related attributes, such as session-timeout and action-type, are applied.

debug aaa events enable—Helps to troubleshoot how different AAA servers are used for authentication, accounting, and authorization.

debug aaa packet enable—Helps to troubleshoot what different AAA attributes are received and applied.

Captures to Take

A wired capture can be collected between the controller and RADIUS server if the above debugs do not indicate the issue.

Config and Show Output to Collect

Same as Client connection issue and also this:

show radius summary

-Scott

Re: Win 7 client with machine and user auth stuck in 802.1x_REQD

Hi Scott

Thanks for your feedback too, but we did not test with any other devices than these 2 Win 7 clients - no other devices are joined to the Active Directory (AD) and that is a prerequisite to connect as a user ("was machine authenticated" on ACS 5). I know we could have deactivated that temporarily, but we did not yet ;-)

On the core we removed the quarantine ACL for testing, should not be the problem. On WLC, we do not have any ACLs.

I did a lot of debug client, debug aaa XXX, but we did not find the problem. The RADIUS server is receiving and sending packets, but the long timeout is already between WLC and client (-> EAP Identity Request <- EAP Identity Response).

Regards

Dominic
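
The gap described in the post above (EAP Identity Request sent, EAP Identity Response arriving minutes later) can be measured from an over-the-air or client-side capture. The following is an added example, not part of the original thread: it parses raw EAPOL payloads (the bytes after EtherType 0x888E) and reports, per exchange, how long the supplicant took to answer and how many Identity Requests it needed. The capture, timestamps and identities are constructed sample data, and `_eapol` is a hypothetical helper used only to build them.

```python
import struct

def parse_eapol(frame: bytes):
    """Parse an 802.1X payload; return (code, id, eap_type, data) or None."""
    if len(frame) < 8:
        return None
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != 0 or len(frame) < 4 + body_len:   # 0 = EAP-Packet
        return None
    code, ident, eap_len = struct.unpack("!BBH", frame[4:8])
    if eap_len < 4 or eap_len > body_len:
        return None
    if code in (1, 2) and eap_len >= 5:           # Request/Response carry a Type
        return code, ident, frame[8], frame[9:4 + eap_len]
    return code, ident, None, b""                 # Success/Failure have no Type

def identity_delays(capture):
    """capture: (timestamp_seconds, eapol_bytes) pairs for one client.
    Returns [(delay_seconds, requests_sent, identity), ...] per exchange."""
    results, first_req, sent = [], None, 0
    for ts, frame in capture:
        pkt = parse_eapol(frame)
        if pkt is None or pkt[2] != 1:            # EAP type 1 = Identity
            continue
        code, _ident, _type, data = pkt
        if code == 1:                             # Request from the authenticator
            first_req = ts if first_req is None else first_req
            sent += 1
        elif code == 2 and first_req is not None: # Response from the supplicant
            identity = data.decode("utf-8", "replace")
            results.append((round(ts - first_req, 3), sent, identity))
            first_req, sent = None, 0
    return results

def _eapol(code, ident, eap_type, data=b""):
    """Hypothetical helper: build an EAPOL EAP-Packet for the sample capture."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data
    return struct.pack("!BBH", 1, 0, len(eap)) + eap

# Constructed capture: fast machine auth, then a user auth that answers late.
SAMPLE = [
    (0.00, _eapol(1, 1, 1)),
    (0.05, _eapol(2, 1, 1, b"host/PC01.example.local")),
    (60.0, _eapol(1, 2, 1)),
    (90.0, _eapol(1, 2, 1)),
    (120.0, _eapol(1, 2, 1)),
    (241.5, _eapol(2, 2, 1, b"EXAMPLE\\user1")),
]

if __name__ == "__main__":
    for delay, sent, identity in identity_delays(SAMPLE):
        print(f"{identity}: answered after {delay}s, {sent} request(s)")
```

A long delay with several unanswered requests points at the supplicant side (driver, profile, logon timing) rather than at the RADIUS server, which only sees traffic after the Identity Response arrives.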

Win 7 client with machine and user auth stuck in 802.1x_REQD

Well, the one thing is that machine authentication will happen first, so the only time the user credentials will show up like in your log is after the session times out. You will not see both at the same time... it's just like a couple hours later, all you will see is the user authentication until the machine is rebooted.

-Scott