802.1X, Windows supplicant and IAS

From: Guillaume Tamboise (gtamboise_at_gmail.com)
Date: 11/14/05

    Date: Mon, 14 Nov 2005 14:30:53 -0600

    Hello,

    I am trying to set up 802.1X for wired access.
    I have two kinds of client computers, running Windows 2000 and Windows
    XP, but all the following tests are carried out on Windows XP SP2.
    IAS is running on a Windows 2000 Server (SP4) that is also an AD domain
    controller.
    The router is a Cisco 2950 running 12.1(20)EA2.

    I am planning on
    - using PEAP,
    - setting SupplicantMode to 3 (Transmit EAPOL-Start per 802.1x standard),
    - setting AuthMode to 1 (computer authentication with re-authentication),
    - Interface: "Show icon in task bar when connected",
    - "Authenticate as computer when computer information is available",
    - "Validate server certificate" against my Microsoft CA certificate,
    - "Automatically use my Windows logon name and password (and domain if
    any)".

    During the boot-up process, I can see that the machine authenticates
    successfully. I enter my domain username and password, the login process
    starts, but when the user authentication is supposed to kick in,
    authentication fails twice and works only the third time.
    I do not see the failure in the IAS logs. I see it
    - on the client computer ("Windows could not log you on the network" or
    something similar in a bubble, in the bottom right corner of the screen)
    - in the EAP exchange, as I am getting an EAP frame code 4 (failure) for
    each failure.

    Basically, here is the full boot-up process:
    - Client machine powers up
    - Windows supplicant says "EAPOL Start"
    - Switch requests identity
    - Windows supplicant provides "host/computer_name"
    - TLS session established, then 8 TLS frames are exchanged
    - Switch sends EAP code 3 (success)
    Then the user attempts to log in:
    - Windows supplicant says "EAPOL Start"
    - Switch requests identity
    - Windows supplicant provides "domain\account"
    - TLS session established, then 6 TLS frames are exchanged
    - 30 seconds later, switch gets tired and requests identity
    During those 30 seconds, Windows XP complains with a "click here to
    process your logon information for the network". It then shows the icon
    with an unavailable network connection.
    - Windows supplicant provides "domain\account"
    - TLS session established, then 8 TLS frames are exchanged
    - Switch sends EAP code 3 (success).

    If at any time I unplug my computer and plug it into an 802.1X port, it
    manages to authenticate just fine.
    The only problem is really the boot-up process, with these two symptoms
    to get rid of:
    - Total of 141 seconds between the "user" EAPOL Start and the EAP
    Success. At least 30 seconds result from a timeout, either from the
    supplicant or from IAS (see values later).
    - Error messages coming from the supplicant that are going to confuse
    users regarding the state of their network logon.

    The router has a pretty standard configuration:

    interface FastEthernet0/1
     description whatever
     switchport access vlan 123
     switchport mode access
     speed 100
     duplex full
     dot1x port-control auto
     dot1x timeout reauth-period 7200
     dot1x reauthentication
     spanning-tree portfast
    end

    with a

    $ show dot1x interface fastEthernet 0/1
    Supplicant MAC 0000.1234.1234
       AuthSM State = AUTHENTICATED
       BendSM State = IDLE
    PortStatus = AUTHORIZED
    MaxReq = 2
    HostMode = Single
    Port Control = Auto
    QuietPeriod = 60 Seconds
    Re-authentication = Enabled
    ReAuthPeriod = 7200 Seconds
    ServerTimeout = 30 Seconds
    SuppTimeout = 30 Seconds
    TxPeriod = 30 Seconds
    Guest-Vlan = 0

    Has anyone already faced this issue?

    Thanks

    Guillaume Tamboise
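
The boot-up exchange described in the post (EAPOL-Start, Identity request/response, PEAP frames, EAP Success or Failure) can be reconstructed from a capture by decoding the EAPOL and EAP headers. The following is an added example, not code from the original post or from Microsoft or Cisco: it decodes EAPOL (IEEE 802.1X-2001 header layout) and EAP (RFC 3748 header layout) frames, tells the computer phase from the user phase by the Identity response ("host/<name>" versus "DOMAIN\user"), counts user-phase EAP Failures and measures the time from the user EAPOL-Start to the first EAP Success. The trace at the bottom is constructed with invented timestamps and identities to mirror the sequence in the post; it is not a real capture.

```python
"""Decode EAPOL/EAP frames and rebuild the 802.1X timeline from a capture.

Added example, not part of the original post. Header layouts follow
IEEE 802.1X-2001 (EAPOL) and RFC 3748 (EAP). SAMPLE_TRACE is constructed
(invented timestamps, host name and account), not a real capture.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EAPOL packet types (IEEE 802.1X-2001)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# EAP codes (RFC 3748, section 4) and the method types used here
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25


@dataclass
class Frame:
    eapol_type: int
    eap_code: Optional[int] = None
    eap_id: Optional[int] = None
    eap_type: Optional[int] = None
    identity: Optional[str] = None   # only set on a Response/Identity


def parse_eapol(raw: bytes) -> Frame:
    """Parse an EAPOL PDU (the payload that follows EtherType 0x888E)."""
    if len(raw) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", raw[:4])
    if version not in (1, 2):
        raise ValueError(f"unknown EAPOL version {version}")
    body = raw[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length does not match frame")
    if ptype != EAPOL_EAP_PACKET:
        return Frame(eapol_type=ptype)        # Start/Logoff/Key carry no EAP
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length > len(body):
        raise ValueError("EAP length exceeds EAPOL body")
    frame = Frame(eapol_type=ptype, eap_code=code, eap_id=ident)
    if code in (EAP_REQUEST, EAP_RESPONSE) and length >= 5:
        frame.eap_type = body[4]
        if frame.eap_type == EAP_TYPE_IDENTITY and code == EAP_RESPONSE:
            frame.identity = body[5:length].decode("utf-8", "replace")
    return frame


def build_eapol(ptype: int, eap: bytes = b"") -> bytes:
    """Encode an EAPOL frame (version 1) around an optional EAP packet."""
    return struct.pack("!BBH", 1, ptype, len(eap)) + eap


def build_eap(code: int, ident: int, eap_type: Optional[int] = None,
              data: bytes = b"") -> bytes:
    """Encode an EAP packet; Success/Failure have no type byte."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


@dataclass
class Summary:
    machine_auth_ok: bool
    user_failures: int
    user_start_to_success: Optional[float]   # seconds; None if never succeeded


def summarize(trace: List[Tuple[float, bytes]]) -> Summary:
    """Walk (timestamp, eapol_bytes) pairs and report the two symptoms."""
    phase = None                      # "machine" or "user", set by the identity
    last_start = user_start = user_elapsed = None
    machine_ok, failures = False, 0
    for ts, raw in trace:
        f = parse_eapol(raw)
        if f.eapol_type == EAPOL_START:
            last_start = ts
        elif f.identity is not None:
            phase = "machine" if f.identity.startswith("host/") else "user"
            if phase == "user" and user_start is None:
                user_start = last_start if last_start is not None else ts
        elif f.eap_code == EAP_FAILURE and phase == "user":
            failures += 1
        elif f.eap_code == EAP_SUCCESS:
            if phase == "machine":
                machine_ok = True
            elif phase == "user" and user_elapsed is None and user_start is not None:
                user_elapsed = ts - user_start
    return Summary(machine_ok, failures, user_elapsed)


def _exchange(t0: float, identity: str, outcome: int, ident0: int = 1):
    """Constructed round: Start, Identity req/resp, one PEAP request, result."""
    return [
        (t0, build_eapol(EAPOL_START)),
        (t0 + 0.1, build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, ident0, EAP_TYPE_IDENTITY))),
        (t0 + 0.2, build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, ident0, EAP_TYPE_IDENTITY, identity.encode()))),
        (t0 + 0.3, build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, ident0 + 1, EAP_TYPE_PEAP, b"\x20"))),
        (t0 + 1.0, build_eapol(EAPOL_EAP_PACKET, build_eap(outcome, ident0 + 2))),
    ]


# Constructed trace: machine auth succeeds, user auth fails twice, third try succeeds.
SAMPLE_TRACE = (
    _exchange(0.0, "host/WKS01", EAP_SUCCESS)
    + _exchange(40.0, "CORP\\alice", EAP_FAILURE, ident0=10)
    + _exchange(80.0, "CORP\\alice", EAP_FAILURE, ident0=20)
    + _exchange(180.0, "CORP\\alice", EAP_SUCCESS, ident0=30)
)

if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

On a real capture, feed `summarize` the EAPOL payloads (EtherType 0x888E) with their capture timestamps; the count of user-phase Failures and the Start-to-Success delay are the two numbers worth comparing against the switch's SuppTimeout/ServerTimeout and IAS's own log.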
