
Seeing multiple-passed machine and user authentications???

I am interested if others are seeing multiple-passed machine and user authentications.

Using 802.1x PEAP-MSCHAPv2 wireless authentication.

XP(SP3) - Getting dual-passed machine authentications, then dual-passed user authentications
Win7 - Getting triple-passed machine authentications, then triple-passed user authentications (sometimes just duals)

Seeing this behavior in two customer environments:

Customer 1
Mix of 2008/2003 DCs
CSACS-1121-K9  5-3-0-40-1
AIR-CT5508-K9 7.0.220.0

Customer 2
Mix of 2008/2003 DCs
CSACS-1121-K9  5-3-0-40-3 (also saw issue with patch 2)
AIR-CT5508-K9 7.2.103.0


???


Seeing multiple-passed machine and user authentications???

I have a similar environment. I just checked my logs and I am not seeing double or triple authentications for devices or clients.

Although, I am not on 7.2 yet.

Did you do a wireless packet capture to see what is actually being sent from the client? I wonder if your client is doing a preauthentication to another AP in advance. But windoz does PMK cache, not preauthentication, so that wouldn't be it.

Have you tried the free Cisco AnyConnect 3.x? It has a wireless supplicant. Just for testing purposes, to see if it still acts the same way?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Seeing multiple-passed machine and user authentications???

Been working with TAC on this for several weeks. Looks like clients are sending EAPOL-START even after they have already authenticated. Right now we are having customer tweak an XP registry to suppress EAPOL-START messages, just to see how it reacts. Have not heard results yet.

I can't be the only one seeing this behavior, at two different sites... can I?

FYI... schedule about an extra 30-45+ minutes when you upgrade to 7.2 as there is a FUS upgrade that is also part of going to 7.2. FUS updates low-level WLC components. You've got to babysit it, 'cause it prompts you for each upgrade to each component.
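As an added illustration that is not part of any post in this thread: one way to check a capture for the behaviour described above, a client sending EAPOL-Start after it has already received EAP-Success. It assumes Ethernet-framed EAPOL (EtherType 0x888E) frames already extracted from the capture; the frames, MAC addresses and function names are constructed for the example.

```python
import struct

ETH_P_PAE = 0x888E                      # EtherType for 802.1X (EAPOL)
EAPOL_EAP_PACKET, EAPOL_START = 0, 1    # EAPOL packet types
EAP_SUCCESS = 3                         # EAP code for Success

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_eapol(frame):
    """Return (src, dst, eapol_type, eap_code or None), or None if not EAPOL."""
    if len(frame) < 18:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_PAE:
        return None
    _version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    is_eap = eapol_type == EAPOL_EAP_PACKET and len(body) >= 4
    return mac(src), mac(dst), eapol_type, (body[0] if is_eap else None)

def starts_after_success(frames):
    """Count EAPOL-Start frames each client sends while already authenticated."""
    authenticated, repeats = set(), {}
    for frame in frames:
        parsed = parse_eapol(frame)
        if parsed is None:
            continue
        src, dst, eapol_type, eap_code = parsed
        if eapol_type == EAPOL_EAP_PACKET and eap_code == EAP_SUCCESS:
            authenticated.add(dst)          # Success is addressed to the client
        elif eapol_type == EAPOL_START and src in authenticated:
            repeats[src] = repeats.get(src, 0) + 1
            authenticated.discard(src)      # a new exchange is now starting
    return repeats

# Constructed sample frames (not from a real capture).
CLIENT, AP = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def eapol(src, dst, eapol_type, body=b""):
    hdr = struct.pack("!HBBH", ETH_P_PAE, 1, eapol_type, len(body))
    return dst + src + hdr + body

SUCCESS = struct.pack("!BBH", EAP_SUCCESS, 7, 4)
SAMPLE = [
    eapol(CLIENT, AP, EAPOL_START),                 # initial start: expected
    eapol(AP, CLIENT, EAPOL_EAP_PACKET, SUCCESS),
    eapol(CLIENT, AP, EAPOL_START),                 # start after success: counted
    eapol(AP, CLIENT, EAPOL_EAP_PACKET, SUCCESS),
    eapol(CLIENT, AP, EAPOL_START),                 # counted again
]
```

Frames taken over the air are 802.11 data frames with an LLC/SNAP header in front of the EAPOL payload, so they need that header stripped before this parser applies.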

Seeing multiple-passed machine and user authentications???

Have you tried a different supplicant rather than the XP and 7 itself?

Thanks for the heads up on 7.2.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin