09-18-2012 02:29 PM - edited 03-10-2019 07:33 PM
Hello,
I have a problem with 802.1x authentication on switch ports which are configured in "Multi Session" mode. In Single Host mode and Multiple Host mode it works just fine.
The problem is the following: when the PC is first connected to the switch port, it authenticates successfully. After about 1-2 minutes the Windows 7 NIC notifies that it is going to authenticate again, and after a couple of minutes the NIC status changes to “Authentication Failed”. On ACS I only see the first authentication request, which is successful. If I unplug the PC from the port and plug it in again, it authenticates successfully and then the same problems start again.
I was doing packet sniffing on the PC, and it seems that after the PC's first authentication completes successfully, the switch starts to send EAP Identity/Request packets to the host. The host sends an EAP Identity/Response to the switch, but the switch doesn't continue the authentication process and starts again with new EAP Identity/Request packets.
In the Windows 7 host's Event Viewer I see the following log messages:
Reason: 0x70004
Reason Text: The network stopped answering authentication requests
Error Code: 0x0
The ACS version is 5.3. Authentication method is PEAP. Supplicant OS is Windows 7; I also tried with Windows XP, with the same result. The authentication switch is an ESW 520 with the latest firmware. I also tried with 2960/3560 switches and it works perfectly. On the ESW 520 switch, if the port mode is other than “Multi Session” it works without any issue.
Do you have any idea how I can fix this?
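The capture pattern described in the post above can be checked mechanically. The following is an added example, not part of the original post: it parses raw EAPOL frames and counts Identity Responses that the authenticator answers only with another Identity Request. The frames, MAC addresses and function names are constructed for illustration.

```python
import struct

EAPOL_ETHERTYPE = 0x888E            # IEEE 802.1X (EAP over LAN)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25

def parse_eapol(frame: bytes):
    """Return (code_name, eap_id, eap_type) for an EAPOL EAP-Packet, else None."""
    if len(frame) < 22:             # 14 Ethernet + 4 EAPOL + 4 EAP header bytes
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    _version, packet_type, _body_len = struct.unpack("!BBH", frame[14:18])
    if ethertype != EAPOL_ETHERTYPE or packet_type != 0:   # 0 = EAP-Packet
        return None
    code, eap_id, eap_len = struct.unpack("!BBH", frame[18:22])
    if eap_len < 4 or eap_len > len(frame) - 18:           # malformed or truncated
        return None
    # Only Request/Response carry a Type octet; Success/Failure are header-only.
    eap_type = frame[22] if code in (1, 2) and eap_len >= 5 else None
    return EAP_CODES.get(code, "Unknown"), eap_id, eap_type

def stalled_identity_rounds(frames):
    """Count Identity Responses answered only by another Identity Request."""
    stalled, awaiting_reply = 0, False
    for event in filter(None, map(parse_eapol, frames)):
        code, _eap_id, eap_type = event
        if code == "Response" and eap_type == EAP_TYPE_IDENTITY:
            awaiting_reply = True
            continue
        if awaiting_reply and code == "Request" and eap_type == EAP_TYPE_IDENTITY:
            stalled += 1            # authenticator restarted instead of continuing
        awaiting_reply = False
    return stalled

def build_frame(code, eap_id, eap_type=None):
    """Build a constructed EAPOL frame for the sample captures below."""
    body = b"" if eap_type is None else bytes([eap_type])
    eap = struct.pack("!BBH", code, eap_id, 4 + len(body)) + body
    macs = bytes.fromhex("0180c2000003") + bytes.fromhex("020000000001")
    return macs + struct.pack("!HBBH", EAPOL_ETHERTYPE, 1, 0, len(eap)) + eap

# Constructed sample: one successful PEAP exchange, then the loop from the post.
FIRST_AUTH = [build_frame(1, 1, 1), build_frame(2, 1, 1), build_frame(1, 2, 25),
              build_frame(2, 2, 25), build_frame(3, 2)]
REAUTH_LOOP = [build_frame(1, 3, 1), build_frame(2, 3, 1), build_frame(1, 4, 1),
               build_frame(2, 4, 1), build_frame(1, 5, 1)]

if __name__ == "__main__":
    print("stalled rounds, first auth only:", stalled_identity_rounds(FIRST_AUTH))
    print("stalled rounds, full capture:", stalled_identity_rounds(FIRST_AUTH + REAUTH_LOOP))
```

A non-zero count on a real capture matches the symptom reported here: the supplicant answers, but the switch never moves on to the PEAP method request.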
09-18-2012 06:06 PM
If config is the same as 2960 it sounds more like a bug...
you may need to reach TAC for the same..
09-18-2012 07:43 PM
Hi ngtransge,
Have you tried applying the hotfix below for these problematic Windows 7 clients? Kindly have a look at the link below, which might give you more insight into the same.
http://support.microsoft.com/kb/980295/en-us
Regards
Anim Saxena
*Rate helpful posts*
09-19-2012 04:02 AM
09-19-2012 04:35 AM
Hi ngtransge,
If you use "user or computer" as the authentication mode, the user won't be authenticated when he logs on, as the machine has been authenticated. To meet our business requirements, you may need to reauthenticate each user when they log in to the machine (use "user authentication"); however, you can't make this happen on our Windows 7 clients at the moment. It can only authenticate once unless I manually disconnect the network and reconnect it; otherwise the switch times out the dot1x due to no responses from the PC.
You would first like to clarify the authentication mode part, so if we want to make users reauthenticate by using the credentials of the currently logged-on user, we’d need to set it to use “User re-authentication”. This concept has been explained in the section “Wired authentication modes” in the link below:
Planning for Recommended Wired Security Configurations
http://technet.microsoft.com/en-us/library/dd378927(WS.10).aspx
And could you describe the entries you set in the wired network policy? What is the number you set for “Max Authentication failures”? And which authentication protocol are you using now?
Maybe we should recheck the current settings with following our sample guide below and see if any improvement:
Configure Wired Computers Running Windows Vista for 802.1X Authenticated Access
http://technet.microsoft.com/en-us/library/dd348442(WS.10).aspx
For more information please refer to the link below:
802.1X Authenticated Wired Access
http://technet.microsoft.com/en-us/library/cc753354(WS.10).aspx
Thanks and regards,
Anim Saxena
*Rate helpful post*
09-19-2012 06:53 AM
Hi Anim,
I am using a very default "wired network policy". Authentication method is PEAP, and authentication mode is "User or computer authentication".
Where can I see "Max Authentication failures"?
09-19-2012 09:58 AM
Hi ngtransge,
Thanks for rating the replies. You need to select "User Authentication". I am pasting some screenshots which might help you out.
STEP 2:
STEP 3
STEP 4
Selecting User Authentication in the scenario might help out.
Thanks and Regards
Anim Saxena
*Rate helpful posts*
09-19-2012 11:05 PM
Hello Anim,
As far as I know, only user authentication has a problem with Group Updates, because it doesn't authenticate the PC when the user is not logged in. Also, I have tried it and it did not help.
09-20-2012 03:02 AM
Hi Ngtransge,
I am posting a link which might be helpful to you in solving your problem.
https://supportforums.cisco.com/docs/DOC-23117
Thanks and regards
Anim Saxena
*Rate Helpful Posts*
09-23-2012 02:08 AM
Hello Anim,
Same problem with NAM.