Re: 802.1X, Windows supplicant and IAS



Hi,

I have seen issues with Windows XP SP2 clients trying to authenticate
via a Cisco 2950 switch and Cisco ACS server.

"Due to a defect in the Microsoft PEAP supplicant provided in Windows
XP Service Pack 2, the PEAP supplicant cannot reauthenticate
successfully with Cisco Secure ACS. Microsoft case SRX040922603052 has
been opened on this issue. Customers affected by this problem should
open a case with Microsoft and reference this case ID. Microsoft has
prepared hotfix KB885453, which resolves the issue."

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a008031479e.html#wp1080584

rgds


Guillaume Tamboise wrote:
> Hello,
>
> I am trying to set up 802.1X for wired access.
> I have two kinds of client computers, running Windows 2000 and Windows
> XP, but all the following tests are carried out on Windows XP SP2.
> IAS is running on a Windows 2000 server (SP4), that is also an AD domain
> controller.
> The router is a Cisco 2950 running 12.1(20)EA2.
>
> I am planning on
> - using PEAP,
> - set SupplicantMode at 3 (Transmit EAPOL-Start per 802.1x standard),
> - set AuthMode at 1 (computer authentication with re-authentication),
> - Interface: "Show icon in task bar when connected"
> - "Authenticate as computer when computer information is available",
> - "Validate server certificate" against my Microsoft CA certificate,
> - "Automatically use my Windows logon name and password (and domain if
> any)".
>
> During the boot-up process, I can see that the machine authenticates
> successfully. I enter my domain username and password, the login process
> starts, but when the user authentication is supposed to kick in,
> authentication fails twice and works only the third time.
> I do not see the failure in the IAS logs. I see it
> - on the client computer ("Windows could not log you on the network" or
> something similar in a bubble, in the bottom right corner of the screen)
> - in the eap exchange, as I am getting an EAP frame code 4 (failure) for
> each failure.
>
> Basically, here is the full boot-up process:
> - Client machine powers up
> - Windows supplicant says "EAPOL Start"
> - Switch requests identity
> - Windows supplicant provides "host/computer_name"
> - TLS session established, then 8 TLS frames are exchanged
> - Switch sends EAP code 3 (success)
> Then the user attempts to log in:
> - Windows supplicant says "EAPOL Start"
> - Switch requests identity
> - Windows supplicant provides "domain\account"
> - TLS session established, then 6 TLS frames are exchanged
> - 30 seconds later, switch gets tired and requests identity
> During those 30 seconds, Windows XP complains with a "click here to
> process your logon information for the network". It then shows the icon
> with an unavailable network connection.
> - Windows supplicant provides "domain\account"
> - TLS session established, then 8 TLS frames are exchanged
> - Switch sends EAP code 3 (success).
>
>
> If at any time I unplug my computer and plug it into an 802.1X port, it
> manages to authenticate just fine.
> The only problem is really the boot-up process, with these two symptoms
> to get rid of:
> - Total of 141 seconds between the "user" EAPOL Start and the EAP
> Success. At least 30 seconds result from a timeout, either from the
> supplicant or from IAS (see values later).
> - Error messages coming from the supplicant that are going to confuse
> users regarding the state of their network logon.
>
>
> The router has a pretty standard configuration:
>
> interface FastEthernet0/1
> description whatever
> switchport access vlan 123
> switchport mode access
> speed 100
> duplex full
> dot1x port-control auto
> dot1x timeout reauth-period 7200
> dot1x reauthentication
> spanning-tree portfast
> end
>
> with a
>
> $ show dot1x interface fastEthernet 0/1
> Supplicant MAC 0000.1234.1234
> AuthSM State = AUTHENTICATED
> BendSM State = IDLE
> PortStatus = AUTHORIZED
> MaxReq = 2
> HostMode = Single
> Port Control = Auto
> QuietPeriod = 60 Seconds
> Re-authentication = Enabled
> ReAuthPeriod = 7200 Seconds
> ServerTimeout = 30 Seconds
> SuppTimeout = 30 Seconds
> TxPeriod = 30 Seconds
> Guest-Vlan = 0
>
>
> Anyone having already faced this issue?
>
> Thanks
>
>
> Guillaume Tamboise
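As an added example (not code from either poster), a small Python decoder for the EAPOL/EAP frames the post walks through by hand: it reads the EAPOL and EAP headers, pulls the identity out of Response/Identity, and counts EAP Success (code 3) and Failure (code 4) frames. The frames below are constructed to mirror the described exchange, not a capture from the thread.

```python
import struct

# Header field values from IEEE 802.1X (EAPOL) and RFC 3748 (EAP)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 25: "PEAP"}

def parse_eapol(frame: bytes) -> dict:
    """Decode an EAPOL PDU (Ethernet header already stripped) and its EAP packet, if any."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) < length:
        raise ValueError("EAPOL body shorter than declared length")
    info = {"eapol": EAPOL_TYPES.get(ptype, f"type-{ptype}")}
    if ptype != 0:  # Start/Logoff/Key carry no EAP packet
        return info
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    info.update(code=EAP_CODES.get(code, f"code-{code}"), id=ident)
    if code in (1, 2) and eap_len >= 5:  # Success/Failure (3/4) have no Type field
        eap_type = body[4]
        info["type"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")
        if code == 2 and eap_type == 1:  # Response/Identity carries the NAI
            info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info
def eapol(ptype: int, body: bytes = b"") -> bytes:
    return struct.pack("!BBH", 1, ptype, len(body)) + body
def eap(code: int, ident: int, eap_type=None, data: bytes = b"") -> bytes:
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
# Constructed frames mirroring the steps in the post (not a capture from the thread)
FRAMES = [
    eapol(1),                                       # supplicant: EAPOL-Start
    eapol(0, eap(1, 1, 1)),                         # switch: Request/Identity
    eapol(0, eap(2, 1, 1, b"host/computer_name")),  # supplicant: Response/Identity
    eapol(0, eap(1, 2, 25, b"\x20")),               # switch: PEAP start (S flag set)
    eapol(0, eap(4, 2)),                            # switch: EAP Failure (code 4)
    eapol(0, eap(3, 3)),                            # switch: EAP Success (code 3)
]

def summarize(frames) -> tuple:
    """Return (identities seen, EAP Failure count, EAP Success count) for a frame list."""
    parsed = [parse_eapol(f) for f in frames]
    ids = [p["identity"] for p in parsed if "identity" in p]
    codes = [p.get("code") for p in parsed]
    return ids, codes.count("Failure"), codes.count("Success")
```

Feeding the EAPOL payloads from a port capture into summarize() gives the same failure/success tally the poster read off the EAP codes, without looking at the TLS records inside PEAP.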
