
2847 Views · 0 Helpful · 5 Replies
Nelsonmejia09
Beginner

EAP-TLS Doesn't Work with Machine Authentication on WinXP SP3

I have configured 802.1X with the following components:

- Windows Server 2003 AD with enterprise CA

- Cisco Secure ACS 4.2 as the AAA server, set up to use EAP-TLS authentication with machine authentication.

- Win XP SP3

I tried to authenticate the machine with Win XP SP3 using EAP-TLS, but sometimes the ACS server doesn't receive the request and other times the authentication fails.

I need to implement EAP-TLS to force the use of certificates, but the clients only use Windows XP SP3.

What is the problem with using EAP-TLS on Win XP SP3? I used Windows and it works almost fine, but there is one problem: the user is assigned to the default group and not to the mapped group.

5 REPLIES
Christopher Bell
Enthusiast

Did you verify the machines are getting the certificate in the MMC snap-in? If so, I know there was a registry edit we had to do for machine-based authentication using certificates. It was a pain on XP boxes until we figured it out, but it works out of the box on Windows 7 boxes.

If this post answers your question or is helpful, please consider rating it and/or marking it as answered.

michaelillgen

You have to modify your LAN profile to do a computer-only authentication:

http://support.microsoft.com/kb/929847

Nelsonmejia09

Hi michaelillgen, I had done the changes to force machine-only authentication as in the Microsoft support article http://support.microsoft.com/kb/929847 before opening this discussion, but the issue is the same. I did that for the wired and wireless profiles, but it does not work.

iilyinas
Participant

Hi!

Check that you have the "dot1x pae authenticator" command configured on the switch port.

Details on the command are here: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_d2.html#wp1034077

Cheers, Iron

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Bastien Migette
Cisco Employee

Are you trying to authenticate the machine on boot, or when the user is logging in? Sometimes the XP box is booting, but by the time the user logs in, the auth timer has expired and the link is unauthorized, and Windows XP isn't sending EAPoL, so there's no authentication and the link stays down.

Try to debug dot1x on your switch/controller to see what's happening, and try to set supplicantMode to 3 in the registry as described here:

http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx
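As an added example that is not from any poster on this thread, here is the Catalyst IOS switch-port configuration that the two replies above refer to: the `dot1x pae authenticator` line iilyinas asks about, the identity-request retransmit and reauthentication timers that matter for the "supplicant never sends EAPOL-Start" situation Bastien describes, and the show/debug commands used to see what the port is doing. The interface name, RADIUS server address and shared secret are placeholders, not values from the thread.

```cisco
! Added example (not from the thread): 802.1X authenticator config on a Catalyst switch.
! FastEthernet0/1, 192.0.2.10 and RADIUS_SECRET_PLACEHOLDER are assumed placeholders.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 key RADIUS_SECRET_PLACEHOLDER
! Turns 802.1X on globally; without it the interface commands do nothing
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 ! The port only challenges hosts if it is configured as the authenticator
 dot1x pae authenticator
 dot1x port-control auto
 ! Keep re-sending EAP-Request/Identity (every 10 s, up to 3 times) so a
 ! supplicant that never sends EAPOL-Start is still prompted after link-up
 dot1x timeout tx-period 10
 dot1x max-reauth-req 3
 ! Periodic reauthentication: a port authenticated as the machine at boot is
 ! re-checked on a known schedule instead of silently falling to unauthorized
 dot1x reauthentication
 dot1x timeout reauth-period 3600
!
! From privileged EXEC, to verify and to watch a failing attempt:
show dot1x interface FastEthernet0/1 details
debug dot1x events
debug radius authentication
```

If `debug dot1x events` shows the port sending identity requests but no EAPOL at all coming back from the host, the problem is on the supplicant side (the behaviour Bastien describes); if the EAP exchange runs but ACS rejects it or never answers, `debug radius authentication` shows whether the request left the switch and what ACS returned. The switch must also be defined as an AAA client in ACS with the same shared secret, otherwise ACS drops the request without logging a failed authentication.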
