
802.1x and host accounts.

Darthkim_2
Level 1

Wanted some feedback on what people do with 802.1x and host accounts. I am testing PEAP with our setup and I need to put the machine accounts in a separate group (to allow new logons and for pushing/pulling applications and such).

I've noticed that new users are not able to log on to a PC with dot1x authentication because (a) machine authentication happens first, and (b) when the user enters a new user ID, it can't be validated if the machine is not on any subnet.

Any thoughts on this?

4 Replies

Not applicable

Cisco Secure ACS supports the authentication of computers running Microsoft Windows operating systems that support EAP computer authentication, such as Windows XP with Service Pack 1. Machine authentication, also called computer authentication, allows network services only for computers known to Active Directory. This is especially useful for wireless networks, where unauthorized users outside the physical premises of your workplace can access your wireless access points.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/d.htm#wp354066

jwmiller
Level 1

Are you sure the user login isn't timing out? I saw something similar (user couldn't log in), but it was because Windows drops any EAP starts from the switch for 30 seconds. To get around it, I had to add a registry entry Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode and set it to 3. This caused Windows to start the EAP sequence rather than the switch. It eliminated the 30-second delay and the apparent login failures I was seeing.

Technically, the problem as described shouldn't have much to do with this, although you raise a good point. It's generally a good idea to make the supplicants send EAPOL-Starts (which, by default, the MSFT supplicant does not do on wired interfaces). Any switch port enabled for 802.1x will transmit EAPOL-Identity-Request frames on the wire as soon as link comes up, in an immediate attempt to look for a supplicant. However, "link up" definitely doesn't mean the Windows OS has booted enough to be able to process this frame and reply to it. If the switch gets no response to this frame, it will retransmit it 30 seconds later, inducing the perceived delay. Configuring the supplicant to send an EAPOL-Start when it's ready to authenticate removes the problem.

As for the issue of new users not being able to log in, this is expected as well. The reason is that when a MSFT machine IS attached to a domain, it does Kerberos before it does 802.1x, so it could verify a new user. Without machine auth, it can't verify the user account, and will probably try to log in with cached credentials (if it's a user that has logged in before).

Hope this helps,
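The timing argument in the reply above (port sends EAP-Request/Identity at link-up, retransmits after the 30-second tx-period, supplicant that sends EAPOL-Start gets a fresh request at once) is easy to see in a small simulation of both sides of the exchange. The following is an added example, not code from the thread or from Cisco or Microsoft. Frame layouts follow IEEE 802.1X and RFC 3748 (EAPOL header, EAP Identity request/response); the MAC addresses, the host identity string, the boot delay and the tick-per-second timeline are constructed assumptions.

```python
"""Simulated wired 802.1X EAPOL exchange between a switch port (authenticator)
and a Windows host (supplicant).

Shows why a supplicant that never sends EAPOL-Start can wait up to one
tx-period (30 s by default) after it is ready, while one that sends
EAPOL-Start authenticates as soon as it is up.

Added example; frame encodings per IEEE 802.1X / RFC 3748, everything else
(MACs, identity, timings) is constructed for illustration.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START = 0, 1             # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE = 1, 2                 # EAP codes
EAP_TYPE_IDENTITY = 1


def eapol_frame(src_mac: bytes, pkt_type: int, body: bytes = b"") -> bytes:
    """Ethernet header + EAPOL header (version 1) around an optional EAP body."""
    eth = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", 1, pkt_type, len(body)) + body


def eap_identity(code: int, ident: int, payload: bytes = b"") -> bytes:
    """EAP packet of type Identity: code, identifier, length (incl. header), type, data."""
    return struct.pack("!BBHB", code, ident, 5 + len(payload), EAP_TYPE_IDENTITY) + payload


def parse_eapol(frame: bytes) -> dict:
    """Decode the fields a port or supplicant needs in order to act on a frame."""
    etype = struct.unpack("!H", frame[12:14])[0]
    assert etype == ETHERTYPE_EAPOL, "not an EAPOL frame"
    _ver, ptype, _blen = struct.unpack("!BBH", frame[14:18])
    out = {"src": frame[6:12], "eapol_type": ptype}
    if ptype == EAPOL_EAP_PACKET:
        code, ident, elen, eap_type = struct.unpack("!BBHB", frame[18:23])
        out.update(eap_code=code, eap_id=ident, eap_type=eap_type, data=frame[23:18 + elen])
    return out


@dataclass
class Switch:
    """Authenticator PAE: solicits with Request/Identity, retransmits every tx_period seconds."""
    mac: bytes
    tx_period: int = 30            # Cisco default for dot1x timeout tx-period
    eap_id: int = 0
    log: List[Tuple[int, str, str]] = field(default_factory=list)

    def request_identity(self, t: int) -> bytes:
        self.eap_id += 1
        self.log.append((t, "switch", "EAP-Request/Identity"))
        return eapol_frame(self.mac, EAPOL_EAP_PACKET, eap_identity(EAP_REQUEST, self.eap_id))


@dataclass
class Supplicant:
    """Host whose EAPOL service is not listening until ready_at seconds after link-up."""
    mac: bytes
    identity: bytes
    ready_at: int
    sends_start: bool              # SupplicantMode=3-style behaviour when True
    log: List[Tuple[int, str, str]] = field(default_factory=list)

    def handle(self, t: int, frame: bytes) -> Optional[bytes]:
        if t < self.ready_at:      # OS not booted far enough: frame silently dropped
            self.log.append((t, "host", "dropped (OS not ready)"))
            return None
        p = parse_eapol(frame)
        if p.get("eap_code") == EAP_REQUEST and p.get("eap_type") == EAP_TYPE_IDENTITY:
            self.log.append((t, "host", "EAP-Response/Identity"))
            return eapol_frame(self.mac, EAPOL_EAP_PACKET,
                               eap_identity(EAP_RESPONSE, p["eap_id"], self.identity))
        return None


def simulate(ready_at: int, sends_start: bool, tx_period: int = 30, horizon: int = 120) -> dict:
    """Tick once per second; report when the host's Identity response went on the wire."""
    sw = Switch(mac=bytes.fromhex("001122334455"), tx_period=tx_period)
    host = Supplicant(mac=bytes.fromhex("66778899aabb"), identity=b"host/pc01.example.test",
                      ready_at=ready_at, sends_start=sends_start)
    next_retx = tx_period
    for t in range(horizon + 1):
        if t == 0:                                   # link-up: port solicits immediately
            pending = sw.request_identity(t)
        elif host.sends_start and t == host.ready_at:  # host up: EAPOL-Start triggers a new request
            host.log.append((t, "host", "EAPOL-Start"))
            pending = sw.request_identity(t)
            next_retx = t + tx_period
        elif t == next_retx:                         # no answer yet: retransmit after tx-period
            pending = sw.request_identity(t)
            next_retx += tx_period
        else:
            continue
        reply = host.handle(t, pending)
        if reply is not None:
            return {"responded_at": t, "identity": parse_eapol(reply)["data"], "log": sw.log + host.log}
    return {"responded_at": None, "identity": None, "log": sw.log + host.log}


if __name__ == "__main__":
    for start in (False, True):
        r = simulate(ready_at=12, sends_start=start)
        print(f"sends EAPOL-Start={start}: identity sent at t={r['responded_at']}s")
        for entry in sorted(r["log"]):
            print("   ", entry)
```

With the host ready 12 seconds after link-up, the passive supplicant only answers the retransmission at t=30, an 18-second stall that shows up as a login that appears to hang; with EAPOL-Start enabled it answers at t=12. Change `ready_at` to values above 30 to see the stall grow to a full tx-period in the worst case.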

Thanks for your response.

So I am curious, what is considered best practice? (Or is dot1x too bleeding edge to even have best practices?)