
Issues with Windows7 and dot1x authentication

billy_vaughn
Level 1

I am having an issue with authenticating Windows7 PCs with ACS 5.2. I am running ACS version 5.2.026 and using Active Directory to authenticate against. The problem I am having is that when I see the ACS failure, the username coming in from the Windows7 dot1x client is the MAC address and not the machine name. I've configured the dot1x client in Windows7 to use computer authentication, but for some reason it's not working. I have XP clients using the Cisco Secured Services Client and they work fine. The requests come in just fine with the machine name. I'll put examples below from the ACS log. The odd thing is about two months ago I tested this same setup with Windows7 and it worked, so I'm not sure if it could be a group policy setting causing this issue. We are authenticating Cisco IP phones (7940 and 7960) using MAC address bypass, so on the ports I've set the authentication order to mab dot1x webauth. Changing this setting does not seem to matter. Thanks in advance for any help.

XP Client with CSSC dot1x client

Logged At: February 16,2011 9:08:22.626 AM
RADIUS Status: Authentication succeeded
NAS Failure:
Username: host/mxm71001fk
MAC/IP Address: 00-19-BB-E0-8F-B0
Network Device: ACS_Test_Switch : 10.1.254.53 : FastEthernet1/0/13
Access Service: Default Network Access
Identity Store: AD1
Authorization Profiles: 2nd_Floor_Profile
CTS Security Group:
Authentication Method: EAP-FAST


Windows7 Client with built in dot1x client

Logged At: February 16,2011 9:10:17.630 AM
RADIUS Status: Authentication failed : 22056 Subject not found in the applicable identity store(s).
NAS Failure:
Username: D4-85-64-A4-08-EE
MAC/IP Address: D4-85-64-A4-08-EE
Network Device: 2B_Stack : 10.1.254.10 : FastEthernet2/0/21
Access Service: Default Network Access
Identity Store:
Authorization Profiles:
CTS Security Group:
Authentication Method: Lookup


Nicolas Darchis
Cisco Employee

If that's how your win7 is sending the username then the problem is on the client PC, not ACS.

Can you post pictures of how you configured machine authentication on win7?
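A small triage helper for records like the two in the first post, added here as an example and not part of the thread or of any Cisco tooling: it parses the ACS record layout shown above and separates requests whose username is just the endpoint's MAC address with method Lookup from EAP requests carrying a host/ machine identity. The category names are this example's own, and the two sample records are the thread's records trimmed to four fields.

```python
import re

# Field labels used by the ACS records quoted in the thread.
LABELS = {"RADIUS Status", "Username", "MAC/IP Address", "Authentication Method"}
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")

# The two records from the thread, trimmed to the fields used here.
XP_RECORD = """RADIUS Status:
Authentication succeeded
Username:
host/mxm71001fk
MAC/IP Address:
00-19-BB-E0-8F-B0
Authentication Method:
EAP-FAST"""
WIN7_RECORD = """RADIUS Status:
Authentication failed : 22056 Subject not found in the applicable identity store(s).
Username:
D4-85-64-A4-08-EE
MAC/IP Address:
D4-85-64-A4-08-EE
Authentication Method:
Lookup"""

def parse_record(text):
    """Parse 'Label:' + value-on-next-line or 'Label: value'; empty values map to ''."""
    record, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        label, sep, rest = line.partition(":")
        if sep and label in LABELS:
            current, record[label] = label, rest.strip()
        elif line and current:
            record[current] = (record[current] + " " + line).strip()
    return record

def classify(record):
    """Say which kind of identity the switch relayed (labels are this example's own)."""
    user = record.get("Username", "")
    method = record.get("Authentication Method", "")
    same_as_mac = user.upper() == record.get("MAC/IP Address", "").upper()
    if method == "Lookup" and MAC_RE.match(user) and same_as_mac:
        return "mac-lookup"          # username is the endpoint's own MAC address
    if method.upper().startswith("EAP"):
        return "eap-machine" if user.lower().startswith("host/") else "eap-user"
    return "unknown"

if __name__ == "__main__":
    for name, text in (("XP/CSSC", XP_RECORD), ("Windows 7", WIN7_RECORD)):
        rec = parse_record(text)
        print(name, classify(rec), "|", rec["RADIUS Status"])
```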
