06-21-2004 03:15 PM - edited 03-10-2019 01:43 PM
Has anyone experienced problems with the 802.1x client in Windows 2000 SP4? I am running it with PEAP, and the machine account is authenticating fine, but I am having a problem with authenticating users and allocating their VLANs.
The way it's supposed to work is that machine account authentication is supposed to happen first, until a user logs in. When the user logs in, an EAP-Start frame is supposed to be sent to the switch, which then restarts the authentication process. But for some reason the Win2k SP4 machine doesn't send the packet.
I'm pulling my hair out trying to see why it's behaving this way.
In case you're curious, this PC is connected to a Cat 3750 and a Cisco ACS 3.2.3 server.
06-21-2004 03:28 PM
It is probably the default registry setting for the Microsoft supplicant.
See below for collateral and how to modify:

Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode -- REG_DWORD
  0: Disable IEEE 802.1X operation.
  1: Inhibit transmission of EAPOL-Start and EAPOL-Logoff packets under all scenarios.
  2: Include learning to determine when to initiate the transmission of EAPOL packets.
  3: Compliant with IEEE 802.1X Specification.
If this parameter is set in the registry, the service should be re-started for the parameters to take effect.
DEFAULT:
  - This registry value is not created by default.
  - The default value for this parameter is set in the service as:
      - Wireless Interfaces: SupplicantMode = 3
      - Wired Interfaces: SupplicantMode = 2

Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode -- REG_DWORD
  0: Machine authentication mode in Windows XP Client RTM. When a user logs in, if the connection has already been authenticated with machine credentials, the user's credentials are not used for authentication.
  1: Machine authentication with re-authentication functionality. Whenever a user logs in, 802.1X authentication is performed using the user's credentials.
  2: Machine authentication only. Whenever a user logs in, it has no effect on the connection. 802.1X authentication is performed using machine credentials only.
If these parameters are set in the registry, the service should be re-started for the parameters to take effect.
DEFAULT:
  - This registry value is not created by default.
  - The default value for this parameter is set in the service as:
      - AuthMode = 1

SUMMARY: If you need machine-auth + subsequent user-auth, go with AuthMode=1 and SupplicantMode=3.
06-21-2004 11:32 PM
So are both values required? I set AuthMode = 1, but didn't think SupplicantMode needed to be set.
I'll try it out and see if it works.
BTW, does this apply to both Win2k and XP?
06-22-2004 01:20 PM
That worked! Thanks.
07-27-2004 10:09 PM
Just wanted to let people know.
I tested this on Win2k SP4 and WinXP SP1 (both "select" media) using ACS 3.2.3 and a Cat 3750 EMI.
Both keys are required for the user authentication (VLAN by user ID) to work.
07-30-2004 06:43 AM
Now try getting it to work with roaming profiles. Unfortunately, it logs off and changes VLAN or blocks the port before the roaming profile is copied.
08-08-2004 06:30 AM
The limitation here is that Winlogon DOES NOT wait for authentication and VLAN assignment to complete before proceeding with the execution of any management objects.
Would it fit into your policy to place both the machine AND the user into said VLAN? Or use a third-party supplicant?
08-09-2004 10:41 AM
FYI:
The reason both are required is due to interop. Yes, AuthMode=1 does tell the machine to auth both the user and the machine. However, due to the default nature of SupplicantMode, it precludes AuthMode from having valid functionality without setting it as well. Again, the default for SupplicantMode is 2, so it depends on EAPOL traffic arriving at the supplicant to initiate an 802.1x conversation.
Example:
AuthMode=1, SupplicantMode=2 (default).
The machine auths itself successfully. The user logs in. However, based on SupplicantMode=2/AuthMode=1, this now doesn't help much, since to auth the user you need EAPOL traffic to arrive at the PC. But since the PC itself has already been auth'd via machine-auth, EAPOL is no longer sent on the wire, 802.1x is out of the way, and the port is already turned up.
This is why you also need to set SupplicantMode=3: to send an obligatory EAPOL-Start on behalf of the user.
Hope this helps.
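The two registry values quoted in the first answer, and the interaction explained in the post above (a wired port silently falling back to SupplicantMode=2 when the value is absent, so AuthMode=1 alone never triggers the user's EAPOL-Start), are easy to audit and set from a script. The following PowerShell is an added example, not code from the thread or from Microsoft. It assumes the keys live under HKLM (the post gives only the relative path), it treats a missing value as the wired default the post documents, and the service name in `$EapolService` is a placeholder you must confirm for your build. PowerShell is not available on the Windows 2000 hosts the thread discusses; there the same two DWORD writes can be made with regedit.

```powershell
# Added example (not from the thread). Assumptions: HKLM hive, wired-interface
# defaults as quoted in the thread, and $EapolService as a placeholder name.
$GlobalKey    = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$EapolService = 'SUPPLICANT-SERVICE-NAME'   # PLACEHOLDER: set to the 802.1X supplicant service on your build

# Effective values when the value has not been created (wired interface, per the thread).
$WiredDefaults = @{ SupplicantMode = 2; AuthMode = 1 }
# Values the thread's summary says are needed for machine-auth followed by user-auth.
$Required      = @{ SupplicantMode = 3; AuthMode = 1 }

function Get-EapolSetting {
    # Return the effective value: the registry value if present, else the service default.
    param([string]$Name)
    $item = Get-ItemProperty -Path $GlobalKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $WiredDefaults[$Name] }
    return [int]$item.$Name
}

function Test-EapolUserAuthReady {
    # $true only when both values allow a fresh EAPOL-Start on user logon.
    # Reports each mismatch so an operator can see which of the two is wrong.
    $ok = $true
    foreach ($name in $Required.Keys) {
        $cur = Get-EapolSetting -Name $name
        if ($cur -ne $Required[$name]) {
            Write-Warning ("{0} is {1} (effective), expected {2}" -f $name, $cur, $Required[$name])
            $ok = $false
        }
    }
    return $ok
}

function Set-EapolUserAuth {
    # Write BOTH values (the thread notes AuthMode=1 alone is not enough on a wired port),
    # then restart the supplicant service, which the quoted collateral says is required.
    if (-not (Test-Path $GlobalKey)) { New-Item -Path $GlobalKey -Force | Out-Null }
    foreach ($name in $Required.Keys) {
        New-ItemProperty -Path $GlobalKey -Name $name -PropertyType DWord `
                         -Value $Required[$name] -Force | Out-Null
    }
    Restart-Service -Name $EapolService -ErrorAction Stop
}

# Audit only by default; run Set-EapolUserAuth explicitly to apply the change.
Test-EapolUserAuthReady
```

Running the script as-is only reports whether the host will send an EAPOL-Start at user logon; on a fresh wired host it warns that SupplicantMode is effectively 2 and returns `$false`, which is exactly the condition the original poster hit. Calling `Set-EapolUserAuth` writes both DWORDs and restarts the supplicant service, which is what the thread reports worked on Win2k SP4 and XP SP1.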