EAP-TLS Doesn't Work with Machine Authentication on WinXP SP3

Nelsonmejia09 (Level 1)

I have configured 802.1X with the following components:

- Windows Server 2003 AD with enterprise CA

- Cisco Secure ACS 4.2 as the AAA server, set up to use EAP-TLS authentication with machine authentication.

- Win XP SP3

I tried to authenticate the machine with Win XP SP3 using EAP-TLS, but sometimes the ACS server doesn't receive the request and other times the authentication fails.

I need to implement EAP-TLS to force the use of certificates, but the clients only use Windows XP SP3.

What is the problem with using EAP-TLS on Win XP SP3? I used Windows and it works almost fine, but there is one problem: the user is assigned to the default group and not to the mapped group.

5 Replies

Did you verify the machines are getting the certificate in the MMC snap-in? If so, I know there was a registry edit we had to do for machine-based authentication using certificates. It was a pain on XP boxes until we figured it out, but it works out of the box on Windows 7 boxes.

If this post answers your question or is helpful, please consider rating it and/or marking it as answered.

You have to modify your LAN profile to do computer-only authentication:

http://support.microsoft.com/kb/929847

Hi michaelillgen, I had already made the changes to force machine-only authentication as in the Microsoft support article http://support.microsoft.com/kb/929847 before opening this discussion, but the issue is the same. I did that for both the wired and wireless profiles, but it does not work.

iilyinas (Level 3)

Hi!

Check that you have "dot1x pae authenticator" command configured on switch port.

Details on the command are here: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_d2.html#wp1034077

Cheers, Iron

--

If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.
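The switch-side configuration iilyinas is pointing at, as an added example that is not part of this thread. The interface name, RADIUS server address and shared secret are placeholders, and the exact keywords vary by IOS release (see the note in the block):

```cisco
! Added example, not from the thread: minimal IOS 802.1X authenticator
! configuration for one access port, pointing at the ACS server.
! Interface, server address and key are placeholders.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ChangeMe
!
interface FastEthernet0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
! Older 12.2 releases use "dot1x port-control auto" instead of
! "authentication port-control auto". "dot1x pae authenticator" is
! needed either way: without it the port is not acting as an 802.1X
! authenticator and will never start an EAP exchange, which looks
! from the ACS side exactly like "the request never arrives".
```

To confirm the port is really an authenticator and to watch the exchange, use `show dot1x interface FastEthernet0/1 details` (and `show authentication sessions interface FastEthernet0/1` on releases that have the authentication manager) and `debug dot1x events` while the XP host is plugged in.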

Bastien Migette (Cisco Employee)

Are you trying to authenticate the machine on boot, or when the user is logging in? Sometimes the XP box is booting, but by the time the user logs in, the auth timer has expired and the link is unauthorized, and Windows XP isn't sending EAPoL, so there's no authentication and the link stays down.

Try to debug dot1x on your switch/controller to see what's happening, and try to set SupplicantMode to 3 in the registry as described here:

http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx
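The two registry changes the replies recommend (computer-only authentication from KB929847, SupplicantMode 3 from the TechNet article above) plus the certificate check from the first reply, as an added example that is not part of this thread and not Microsoft's or Cisco's code. It assumes PowerShell is present on the XP SP3 host (it is not installed by default; the same two DWORD values can be written with reg.exe), and that the registry path and value meanings are as Microsoft documents them for the XP EAPOL supplicant:

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the Windows XP SP3 supplicant. Registry path and value meanings are
# assumed to match Microsoft's documentation for the XP EAPOL supplicant
# (KB929847 and TechNet cc755892); check them against the articles.
$eapolKey = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'

function Set-EapolRegistryValue {
    param([string]$Name, [int]$Value)
    if (-not (Test-Path $eapolKey)) {
        New-Item -Path $eapolKey -Force | Out-Null
    }
    # Both settings are REG_DWORD; Set-ItemProperty creates the value if missing.
    Set-ItemProperty -Path $eapolKey -Name $Name -Value $Value -Type DWord
}

# AuthMode: 0 = default (user credentials are used once a user logs on);
#           2 = computer-only authentication, the KB929847 setting.
Set-EapolRegistryValue -Name 'AuthMode' -Value 2

# SupplicantMode: 0 = never send EAPOL-Start; 3 = send EAPOL-Start frames,
# so the switch re-initiates authentication after its own timer has expired
# (the scenario Bastien describes).
Set-EapolRegistryValue -Name 'SupplicantMode' -Value 3

# Check from the first reply: is there a machine certificate in
# LocalMachine\My that EAP-TLS can actually present? It needs a private
# key, must be inside its validity period, and must carry the
# Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).
function Get-MachineEapTlsCertificate {
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date
    Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and
        $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    }
}

$certs = @(Get-MachineEapTlsCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No usable machine certificate in LocalMachine\My; fix enrollment before testing EAP-TLS.'
} else {
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
}

Write-Host 'Reboot (or restart the Wired AutoConfig / Wireless Zero Configuration service) so the EAPOL supplicant reads the new values.'
```

Two caveats a practitioner would want: the certificate filter above skips certificates with no EKU extension at all (Windows treats those as all-purpose, but an enterprise CA machine template normally includes Client Authentication explicitly), and a certificate that passes this check still fails EAP-TLS if ACS does not trust the issuing enterprise CA or cannot build the chain, which shows up on the ACS side as a failed authentication rather than a missing request.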
