07-04-2005 02:42 AM - edited 03-10-2019 02:12 PM
Below are the devices I used in my network.
ACS Server: ver 3.3
Active Directory: Win2000 Server SP4 installed with Cisco remote agent.
Switch: Cat2950 12.1(EA)1a
Client Workstation: WinXP Pro SP2
I've enabled dot1x on the switch and everything works fine for the client until I get the message "The system cannot log you on because domain <domain> is not available". This problem only occurred when:
1) A new user is added in AD and that user is trying to log in to the network through a dot1x-enabled port from any workstation within the domain.
2) An authenticated user logs off from one workstation and tries to log in using another workstation which he/she has never logged into.
Does it have anything to do with Microsoft caching? FYI, I'm using the PEAP (MS-CHAPv2) config on both the ACS Server and the client workstation.
Does anyone know what the problem is?
07-07-2005 06:48 PM
I have performed some testing and it seems like the built-in XP authentication program does not work as it is supposed to. Instead, I've used the AEGIS client authentication program, which works fine. Thanks to Will Shaw for his ideas and to some forum that I've come across.
08-11-2005 12:21 AM
Hi,
I have the exact same problem and can't seem to find a way with the native Win XP SP2 client (even with the latest hotfixes installed).
Have you had any success, feedback or come across any other forums to assist?
My feeling is that the XP workstation tries to log in using the local cached credentials and only fires up the 802.1x authentication after a successful local logon. Because a new user doesn't have a local profile created (and the port is in an up/down status) it reports "domain not available".
Please let me know soonest.
PS: the AEGIS client and machine authentication is not an option in our environment as it will defeat the purpose of our exercise.
Thanks,
Enrico Vermaak
08-24-2006 08:21 AM
Search for Microsoft hotfix KB885453. Windows machine authentication is required so that the WLAN connection is active prior to user login. We're using WPA2 with PEAP and the hotfix took care of it for us. Cisco has a few docs on machine authentication as well.
11-27-2006 06:16 AM
You can get a copy of the fix at http://www.etsu.edu/oit/802.1x/index.asp