I have configured 802.1X with the following components:
- Windows Server 2003 AD with enterprise CA
- Cisco Secure ACS 4.2 as the AAA server, set up to use EAP-TLS authentication with machine authentication.
- Win XP SP3
I tried to authenticate the machine with Win XP SP3 using EAP-TLS, but sometimes the ACS server doesn't receive the request and other times the authentication fails.
I need to implement EAP-TLS to force the use of certificates, but the client uses only Windows XP SP3.
What is the problem with using EAP-TLS with Win XP SP3? I used Windows and it works almost fine, but there is one problem: the user is assigned to the default group and not to the group mapped.
Did you verify the machines are getting the certificate in the MMC snap-in? If so, I know there was a registry edit we had to do for machine-based authentication using certificates. It was a pain on XP boxes until we figured it out, but works out of the box on Windows 7 boxes.
Check that you have "dot1x pae authenticator" command configured on switch port.
Details on the command are here: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_d2.html#wp1034077
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
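For reference, here is the minimal IOS switch-side configuration that the "dot1x pae authenticator" check above belongs to, plus the show/debug commands used to confirm the port is actually sending RADIUS requests to ACS. This is an added example, not configuration posted by anyone in this thread; the interface name, VLAN, RADIUS server address (192.0.2.10) and shared secret are placeholders, and the RADIUS ports shown are the legacy 1645/1646 pair that ACS 4.2 listens on by default (use 1812/1813 if ACS is configured for the IETF ports).

```text
! Added example: 802.1X authenticator config on a Catalyst access switch (IOS 12.2-style syntax)
! Placeholders: 192.0.2.10 (ACS server), REPLACE_WITH_SHARED_SECRET, FastEthernet0/1, VLAN 10
aaa new-model
aaa authentication dot1x default group radius
! "authorization network" is required if ACS is expected to return per-group
! attributes (e.g. a VLAN) after a successful EAP-TLS authentication
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key REPLACE_WITH_SHARED_SECRET
! Enables 802.1X globally; without it the per-port commands below do nothing
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Port acts as the authenticator toward the supplicant
 dot1x pae authenticator
 ! Port stays unauthorized until EAP-TLS succeeds
 dot1x port-control auto
 ! EAP-Request/Identity retransmit interval; a shorter value helps a supplicant
 ! that only responds late in the boot sequence
 dot1x timeout tx-period 10
 dot1x reauthentication
!
! Verification (exec mode):
!   show dot1x interface FastEthernet0/1 details   -> port state, PAE role, supplicant MAC
!   show dot1x all                                  -> global and per-port summary
!   debug dot1x events                              -> EAPOL exchange with the supplicant
!   debug radius                                    -> whether Access-Request actually leaves for ACS
```

If "debug radius" shows no Access-Request at all while the supplicant is connected, the problem is on the switch or supplicant side (port not in authenticator role, global dot1x not enabled, or the client never sending EAPOL-Start); if the request leaves but ACS logs nothing, check the shared secret and the AAA client definition in ACS.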
Are you trying to authenticate the machine on boot, or when the user is logging in? Sometimes the XP box is booting, but by the time the user logs in the auth timer has expired and the link is unauthorized, and Windows XP isn't sending EAPoL, so there's no authentication and the link stays down.
Try to debug dot1x on your switch/controller to see what's happening, and try to set supplicantMode to 3 in registry as described here: