802.1x, PEAP, WinXP, and 3550 (Radius)

davhalcisco
Level 1

I have everything configured according to Cisco documentation, but I am getting two different errors in ACS's log.

For a user it says: External DB account Restriction

For a machine it says: EAP-TLS or PEAP authentication failed during SSL handshake

Does anyone have any idea what those mean? I can provide the 3550 debug logs as well if that will help.

7 Replies

Hi,

About machine authentication, you need to have a valid certificate on your Radius server. If you use PEAP this certificate will be downloaded the first time that the client goes up. You should accept the server certificate. This will create the SSL channel.

About the user, it could be that you didn't enable the Dial-in permission for the user in AD.

Bye

Stefano

I went through the same problem, even though I have a certificate installed on the ACS and the workstation.

I uninstalled the certificate on the ACS, issued a new certificate, installed it on both sides, and it did work.

But I am seeing a delay after the machines come up and get authenticated to the domain; it takes so long to activate the switch port (sometimes 2 min).

This is even though I have the two options enabled on the WinXP 802.1x client:

(1. Authenticate as computer when computer information is available

2. Automatically use my Windows logon name and password (and domain if any))

Is there a way to make the authentication faster?

I didn't understand your answer. I also face a similar problem like you; do you have any info on this?

Thanks,

Siddu

When "Authentication using computer", i.e. machine authentication, is selected in the Windows XP (SP1 or SP2) client, authentication is failing for EAP type - Protected EAP (PEAP).

The server log is showing "No password found in the request," indicating that during challenge/response the XP client is not sending a password in its response.

Since authentication will be done during computer boot up, I am not getting how to store the machine password. I assume the machine will use the admin password by default.

In order to send the admin password during machine authentication, do I need to store admin credentials? If that is the case, where and how?

Other than this, do I need to do any other setup on the XP client and AAA server side?

Did anyone face a similar problem?

In order to run machine authentication, the machine just needs to be a member of the domain. When using PEAP, it uses the fully qualified machine name of the device as the username, and the local system account password (that it got when it was originally added to the domain).

Other than that, you don't need any additional config. Remember your dial-in properties for the machines themselves, though, if using IAS for RADIUS.

Hope this helps.
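The failure reasons quoted in this thread fall into two groups: machine identities (the host/<fqdn> form PEAP uses for machine authentication) failing at the SSL handshake, and user identities rejected with an external-DB restriction. The script below is an added example, not from the thread, Cisco ACS or Microsoft; its semicolon-separated record format and sample records are constructed for illustration, and it only sorts failed attempts into the causes the replies above point at (certificate trust vs. AD dial-in permission vs. client machine-auth settings).

```python
"""Triage of 802.1X failed-attempt records like those quoted in this thread.

Added example. Record format "timestamp;username;reason" and the sample
records are constructed; real ACS 'Failed Attempts' exports differ.
"""
from collections import Counter

# Constructed sample: machine auth presents host/<fqdn>, users DOMAIN\user.
SAMPLE_LOG = """\
2005-03-01 08:01:12;host/pc01.corp.example;EAP-TLS or PEAP authentication failed during SSL handshake
2005-03-01 08:01:40;host/pc02.corp.example;EAP-TLS or PEAP authentication failed during SSL handshake
2005-03-01 08:02:05;CORP\\jdoe;External DB account Restriction
2005-03-01 08:03:17;host/pc03.corp.example;No password found in the request
2005-03-01 08:04:02;CORP\\asmith;External DB account Restriction
"""

# Likely cause per (identity kind, failure class), taken from the replies above.
GUIDANCE = {
    ("machine", "ssl handshake"): "client does not trust the RADIUS server certificate; reissue and install it on both sides",
    ("user", "account restriction"): "check the user's Dial-in permission in AD",
    ("machine", "no password"): "XP client is not sending the machine account password; check its machine-auth settings",
}

def identity_kind(username):
    """PEAP machine authentication uses the host/<fqdn> identity form."""
    return "machine" if username.startswith("host/") else "user"

def reason_key(reason):
    """Collapse the free-text failure reason into a short class."""
    r = reason.lower()
    for key in ("ssl handshake", "account restriction", "no password"):
        if key in r:
            return key
    return "other"

def triage(log_text):
    """Parse records and count (identity kind, failure class) pairs."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue  # skip blank lines
        _ts, user, reason = line.split(";", 2)
        counts[(identity_kind(user), reason_key(reason))] += 1
    return counts

def report(counts):
    """One suggestion per failure class seen, most frequent first."""
    return [f"{n}x {kind} / {key}: {GUIDANCE.get((kind, key), 'review switch dot1x debug output')}"
            for (kind, key), n in counts.most_common()]

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```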

davhalcisco
Level 1

I'm not too sure how to read some of these dot1x log entries, but does anything in here stand out? It seems like it does authenticate the user, but then just won't authorize them. I do have dial-in permissions checked for the machine and user, and I also have tried using a domain administrator, with no luck. Any ideas? I'm clueless now.

I have Windows XP set up with PEAP (using Smart card or other certificate will not create any log entries in ACS). If I tell XP not to validate the server certificate, the machine's 'failed attempts' stop coming up. The switch is working with RADIUS for login/enable right now.

(Attached are the log entries.)

Is it possible to be automatically authenticated in an 802.1x IAS situation where the authentication method in place is EAP-MD5? Or must PEAP be used? Must an account be created in Active Directory for the machine name for this to occur?

Any information would be useful, thanks.

This may help:

<http://download.microsoft.com/download/b/0/e/b0e2a363-0044-4327-8f17-020818f57234/Wired_depl.doc>

It's rather tough to set with MD5.

If you're running machine-auth, your only choices are TLS and PEAP though.