dot1x problem

krowland123
Level 1

I have a proof of concept built for a client using wired 802.1x. We are using EAP-TLS with the MS Supplicant on XP SP2.

Everything seems to work, with exception to unplugging the client and then replugging it back into the same port, which does not seem to re-initiate the EAPOL process. It is almost like I am missing one little piece, I am just having trouble putting my finger on what the piece might be. If anyone has any suggestions it would be appreciated.

4 Replies

smalkeric
Level 6

Ensure that the client is getting authenticated by the authentication server because until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected.

The following URL may help you:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dot1x.html#wp1053096

Actually, it was a problem with the user cert. Once a profile was loaded on the box, and authentication had to happen again after unplugging the cable and then plugging it back in, the user cert was requested for authentication and we did not have a user cert on the box. I actually switched the authmode reg setting to a value of 2 and everything worked. Right now we are looking at doing machine-only auth. Do you or anyone else know of any caveats to look out for when doing 802.1x with EAP-TLS machine-only auth, either in the Cisco world or the Microsoft world?

This should be OK. Enable EAPOL-Starts to be transmitted as well. This is the SupplicantMode registry setting in the same container. Give it a value of 3.

I am confused; we have this working just fine at the moment with the supplicantmode registry value at 2 (the default for wired connections).

I guess as long as the authmode is set to 2, it doesn't matter if the supplicant mode is set to 3. Before, with authmode set to 1 and suppmode set to 3 and no user cert on the PC, it would fail because the suppmode made it try to use both the user and PC cert.

What would be the downfall of leaving the suppmode set to 2, instead of 3?
