Windows XP SP3 can't authenticate in 802.1x

plgingembre
Level 1

Hi all,

I'm trying to get a fresh install working with 802.1x. I have a serious issue with Windows XP SP3 not authenticating at all... I can see (with Wireshark) EAPoL Start messages going out from the host, but nothing happens after that. The switch claims that it hits a timeout on the dot1x exchange. We don't have any issue with Windows 7 at all!

Here are the details of the setup:

  • Switches : Cisco switching architecture (IOS IP Services K9 12.2(55)SE)
  • Authentication Server : Cisco Secure ACS 4.2
  • Directories : Microsoft Active Directory and OpenLDAP
  • PKI : External (opensource)
  • Clients : Windows XP SP3 and a very few Windows 7
  • EAP Method for the moment : PEAP MSCHAPv2

Concerning the switches, the typical config is the following (only the relevant parts are shown):

swi-test-802.1x#sh run
Building configuration...

Current configuration : 6481 bytes
!
aaa new-model
!
!
aaa group server radius ACS
server X.X.X.X auth-port 1645 acct-port 1646
deadtime 60
!
aaa authentication login ACS_RADIUS group ACS local
aaa authentication dot1x default group ACS local
aaa authorization exec ACS_RADIUS group ACS local
aaa authorization network default group ACS
aaa accounting dot1x default start-stop group ACS
aaa accounting exec ACS_RADIUS start-stop group ACS
aaa accounting network ACS_RADIUS start-stop group ACS
!
aaa session-id common
!
ip device tracking
!
dot1x system-auth-control
!

!

!
interface FastEthernet0/X
description Typical FlexAuth port 802.1x
switchport mode access
switchport voice vlan 160
ip access-group Acl_Default_Acl in
authentication event fail action next-method
authentication event server dead action authorize vlan 99
authentication event no-response action authorize vlan 99
authentication host-mode multi-domain
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
!
!

!
ip access-list extended Acl_Default_Acl
permit ip any any
!
radius-server host X.X.X.X auth-port 1645 acct-port 1646 key XXX

radius-server vsa send accounting
radius-server vsa send authentication
!
end

If I'm using Windows 7, no problem...

I've tried modifying different registry keys concerning authMode, SupplicantMode (both applicable, but only valid up to XP SP2) and BlockTime for reauth, following Microsoft's recommendations and the various published KBs every time...

I've tried with a GPO for a global change, or by modifying the XML template of the interface, but nothing changes...

Here are the debugs (radius authentication and dot1x events):

swi-test-802.1x#
swi-test-802.1x#
*Mar  1 01:19:25.727: dot1x-ev(Fa0/1): Interface state changed to UP
*Mar  1 01:19:25.735: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/1
*Mar  1 01:19:26.230: dot1x-ev(Fa0/1): Interface state changed to DOWN
*Mar  1 01:19:26.230: dot1x-ev:dot1x_supp_port_down: No DOT1X subblock found on FastEthernet0/1
*Mar  1 01:19:28.327: dot1x-ev(Fa0/1): Interface state changed to UP
*Mar  1 01:19:28.336: dot1x-ev:DOT1X Supplicant not enabled on FastEthernet0/1
*Mar  1 01:19:28.697: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Mar  1 01:19:29.510: %AUTHMGR-5-START: Starting 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:19:29.510: RADIUS/ENCODE(0000000B):Orig. component type = DOT1X
*Mar  1 01:19:29.510: RADIUS(0000000B): Config NAS IP: 0.0.0.0
*Mar  1 01:19:29.510: RADIUS/ENCODE(0000000B): acct_session_id: 11
*Mar  1 01:19:29.510: RADIUS(0000000B): sending
*Mar  1 01:19:29.510: RADIUS/ENCODE: Best Local IP-Address 10.248.2.21 for Radius-Server 10.248.64.20
*Mar  1 01:19:29.510: RADIUS(0000000B): Send Access-Request to 10.248.64.20:1645 id 1645/19, len 206
*Mar  1 01:19:29.510: RADIUS:  authenticator 3C AE B6 01 13 26 4E 77 - 94 33 B1 40 B7 A6 06 F8
*Mar  1 01:19:29.510: RADIUS:  User-Name           [1]   14  "60eb699a0e0f"
*Mar  1 01:19:29.510: RADIUS:  User-Password       [2]   18  *
*Mar  1 01:19:29.510: RADIUS:  Service-Type        [6]   6   Call Check                [10]
*Mar  1 01:19:29.510: RADIUS:  Framed-MTU          [12]  6   1500                     
*Mar  1 01:19:29.510: RADIUS:  Called-Station-Id   [30]  19  "00-1A-6D-FE-AA-83"
*Mar  1 01:19:29.510: RADIUS:  Calling-Station-Id  [31]  19  "60-EB-69-9A-0E-0F"
*Mar  1 01:19:29.510: RADIUS:  Message-Authenticato[80]  18 
*Mar  1 01:19:29.510: RADIUS:   2F C3 4E 65 14 AF D3 8E B9 E5 29 C3 28 13 C6 B8             [ /Ne)(]
*Mar  1 01:19:29.510: RADIUS:  EAP-Key-Name        [102] 2   *
*Mar  1 01:19:29.510: RADIUS:  Vendor, Cisco       [26]  49 
*Mar  1 01:19:29.510: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0AF80215000000030048C250"
*Mar  1 01:19:29.510: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
*Mar  1 01:19:29.510: RADIUS:  NAS-Port            [5]   6   50001                    
*Mar  1 01:19:29.510: RADIUS:  NAS-Port-Id         [87]  17  "FastEthernet0/1"
*Mar  1 01:19:29.510: RADIUS:  NAS-IP-Address      [4]   6   10.248.2.21              
*Mar  1 01:19:29.519: RADIUS(0000000B): Started 5 sec timeout
*Mar  1 01:19:29.527: RADIUS: Received from id 1645/19 10.248.64.20:1645, Access-Reject, len 50
*Mar  1 01:19:29.527: RADIUS:  authenticator B0 3B E5 8F 22 D1 C1 66 - F6 8F 1A 7E 88 49 AA BB
*Mar  1 01:19:29.527: RADIUS:  Reply-Message       [18]  12 
*Mar  1 01:19:29.527: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D          [ Rejected]
*Mar  1 01:19:29.527: RADIUS:  Message-Authenticato[80]  18 
*Mar  1 01:19:29.527: RADIUS:   91 5F 64 12 73 8E 76 0C 31 DD 2B B7 2E EC 6E BA          [ _dsv1+.n]
*Mar  1 01:19:29.527: RADIUS(0000000B): Received from id 1645/19
*Mar  1 01:19:29.527: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
*Mar  1 01:19:29.527: %MAB-5-FAIL: Authentication failed for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:19:29.527: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:19:29.527: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:19:29.527: dot1x-ev(Fa0/1): Couldn't find the supplicant in the list
*Mar  1 01:19:29.527: dot1x-ev(Fa0/1): Sending create new context event to EAP for 0x9E000002 (60eb.699a.0e0f)
*Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Created a client entry (0x9E000002)
*Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Dot1x authentication started for 0x9E000002 (60eb.699a.0e0f)
*Mar  1 01:19:29.535: %AUTHMGR-5-START: Starting 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Sending EAPOL packet to 60eb.699a.0e0f
*Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Role determination not required
*Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar  1 01:19:30.290: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Mar  1 01:19:39.828: dot1x-ev(Fa0/1): Sending EAPOL packet to 60eb.699a.0e0f
*Mar  1 01:19:39.828: dot1x-ev(Fa0/1): Role determination not required
*Mar  1 01:19:39.828: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar  1 01:19:50.113: dot1x-ev(Fa0/1): Sending EAPOL packet to 60eb.699a.0e0f
*Mar  1 01:19:50.113: dot1x-ev(Fa0/1): Role determination not required
*Mar  1 01:19:50.113: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar  1 01:20:00.414: dot1x-ev(Fa0/1): Received an EAP Timeout
*Mar  1 01:20:00.414: %DOT1X-5-FAIL: Authentication failed for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID
*Mar  1 01:20:00.414: dot1x-ev(Fa0/1): Sending event (2) to Auth Mgr for 60eb.699a.0e0f
*Mar  1 01:20:00.414: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:20:00.414: dot1x-ev(Fa0/1): Received Authz fail for the client  0x9E000002 (60eb.699a.0e0f)
*Mar  1 01:20:00.414: dot1x-ev(Fa0/1): Deleting client 0x9E000002 (60eb.699a.0e0f)
*Mar  1 01:20:00.414: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:20:00.414: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:20:00.414: %AUTHMGR-5-VLANASSIGN: VLAN 99 assigned to Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:20:00.422: dot1x-ev:Delete auth client (0x9E000002) message
*Mar  1 01:20:00.422: dot1x-ev:Auth client ctx destroyed
*Mar  1 01:20:00.422: dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
*Mar  1 01:20:00.733: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:20:00.733: RADIUS/ENCODE(0000000B):Orig. component type = DOT1X
*Mar  1 01:20:00.733: RADIUS(0000000B): Config NAS IP: 0.0.0.0
*Mar  1 01:20:00.733: RADIUS/ENCODE: Best Local IP-Address 10.248.2.21 for Radius-Server 10.248.64.20
*Mar  1 01:20:00.733: RADIUS(0000000B): Started 5 sec timeout
*Mar  1 01:20:00.741: RADIUS: Received from id 1646/9 10.248.64.20:1646, Accounting-response, len 20
swi-test-802.1x#
swi-test-802.1x#

If anyone has an idea. Another thing to mention: the hosts have a Trend OfficeScan solution for host protection, but it's the same on Windows 7 and everything is OK there.

Thanks for your precious help.

Pierre-Louis
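To read a debug capture like the one above mechanically, here is an added example (not code from the original post or from Cisco): a small Python parser that extracts, per switchport, the order in which the authentication manager tried its methods, the result of each, how many EAPOL frames the switch sent, whether an EAP timeout fired, which RADIUS Access-* codes came back and which fallback VLAN was assigned, and then names the likely cause. The regular expressions match only the message formats visible in this thread (`%AUTHMGR-5-START`, `%AUTHMGR-7-RESULT`, `%AUTHMGR-5-VLANASSIGN`, `dot1x-ev(...)` and `RADIUS: Received ...` lines); the embedded sample is assembled from lines of the debug above. Attributing RADIUS lines, which carry no interface name, to the most recently seen interface is an assumption of this example, and the `success` result string used for the last check is the IOS wording for a passing method, not something shown in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample assembled from the switch debug posted above (same timestamps and MAC).
SAMPLE_DEBUG = """\
*Mar  1 01:19:29.510: %AUTHMGR-5-START: Starting 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:19:29.527: RADIUS: Received from id 1645/19 10.248.64.20:1645, Access-Reject, len 50
*Mar  1 01:19:29.527: %MAB-5-FAIL: Authentication failed for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:19:29.527: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:19:29.535: %AUTHMGR-5-START: Starting 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:19:29.535: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar  1 01:19:39.828: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar  1 01:19:50.113: dot1x-ev(Fa0/1): Sending out EAPOL packet
*Mar  1 01:20:00.414: dot1x-ev(Fa0/1): Received an EAP Timeout
*Mar  1 01:20:00.414: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:20:00.414: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (60eb.699a.0e0f) on Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
*Mar  1 01:20:00.414: %AUTHMGR-5-VLANASSIGN: VLAN 99 assigned to Interface Fa0/1 AuditSessionID 0AF80215000000030048C250
"""

# Message formats as they appear in the debug above.
TS_RE = re.compile(r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d+)?):\s*(?P<msg>.*)$")
START_RE = re.compile(r"%AUTHMGR-5-START: Starting '(?P<method>\w+)' for client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)")
RESULT_RE = re.compile(r"%AUTHMGR-7-RESULT: Authentication result '(?P<result>[\w-]+)' from '(?P<method>\w+)' for client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+)")
VLAN_RE = re.compile(r"%AUTHMGR-5-VLANASSIGN: VLAN (?P<vlan>\d+) assigned to Interface (?P<intf>\S+)")
EAPOL_TX_RE = re.compile(r"dot1x-ev\((?P<intf>\S+)\): Sending out EAPOL packet")
EAP_TIMEOUT_RE = re.compile(r"dot1x-ev\((?P<intf>\S+)\): Received an EAP Timeout")
RADIUS_RE = re.compile(r"RADIUS: Received from id \S+ (?P<server>\S+), Access-(?P<code>Accept|Reject|Challenge)")


@dataclass
class PortSession:
    interface: str
    client: Optional[str] = None
    started: list = field(default_factory=list)   # methods in the order the switch tried them
    results: dict = field(default_factory=dict)   # method -> result string from %AUTHMGR-7-RESULT
    eapol_tx: int = 0                             # EAPOL frames the switch sent toward the client
    eap_timeouts: int = 0                         # "Received an EAP Timeout" events
    radius: list = field(default_factory=list)    # Access-* codes received, in order
    vlan: Optional[int] = None                    # VLAN authorized by the authentication manager


def analyze(debug_text: str) -> dict:
    """Return {interface: PortSession} for every port seen in the debug text."""
    sessions = {}
    current = None  # assumption: RADIUS lines belong to the last interface mentioned

    def port(intf):
        nonlocal current
        current = sessions.setdefault(intf, PortSession(intf))
        return current

    for raw in debug_text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue  # prompts and non-timestamped lines are ignored
        msg = m.group("msg")
        if (k := START_RE.search(msg)):
            s = port(k["intf"])
            s.client = k["mac"]
            s.started.append(k["method"])
        elif (k := RESULT_RE.search(msg)):
            port(k["intf"]).results[k["method"]] = k["result"]
        elif (k := EAPOL_TX_RE.search(msg)):
            port(k["intf"]).eapol_tx += 1
        elif (k := EAP_TIMEOUT_RE.search(msg)):
            port(k["intf"]).eap_timeouts += 1
        elif (k := VLAN_RE.search(msg)):
            port(k["intf"]).vlan = int(k["vlan"])
        elif (k := RADIUS_RE.search(msg)) and current is not None:
            current.radius.append(k["code"])
    return sessions


def diagnose(s: PortSession) -> list:
    """Turn the counters into tagged findings a network/security engineer can act on."""
    findings = []
    if "mab" in s.started and "Reject" in s.radius:
        findings.append(f"MAB-REJECTED: RADIUS rejected MAC {s.client}; expected for a PC "
                        "when only phones are in the MAB database, so failover to dot1x is normal")
    if s.results.get("dot1x") == "no-response" and s.eapol_tx > 0:
        findings.append(f"SUPPLICANT-SILENT: switch sent {s.eapol_tx} EAPOL frames and then hit "
                        f"{s.eap_timeouts} EAP timeout(s); the client never answered. Check the "
                        "supplicant on the host and capture on the switchport, not the client adapter")
    if s.vlan is not None and "success" not in s.results.values():
        findings.append(f"FALLBACK-VLAN: port authorized into VLAN {s.vlan} without any method "
                        "succeeding; the host is on the network unauthenticated")
    return findings


if __name__ == "__main__":
    for intf, sess in analyze(SAMPLE_DEBUG).items():
        print(intf, sess.client, sess.started, sess.results)
        for line in diagnose(sess):
            print("  ", line)
```

Point the script at a saved `debug dot1x events` / `debug radius` / `debug authentication all` capture and it gives the same three answers the thread reaches by hand: the MAB reject is expected for a PC, the supplicant never replied to the switch's EAP-Request/Identity frames (three transmissions at the configured 10-second tx-period, then the timeout), and the port ended up authorized in the no-response VLAN 99, which is a security consequence worth watching because a silent or misbehaving host still gets network access there.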

2 Replies

Alexander De Menezes
Cisco Employee

Hi Pierre-Louis,

A couple of questions here:

-We have a voice VLAN defined for the port and a multi-domain config. During your tests, do you have the PC connected behind an IP phone?

-Which authentication method do you want to use for the PC / IP phone?

-What's the IP phone model/vendor?

In the logs, we have an Access-Reject for the client's MAB auth attempt and then a failover to dot1x auth. However, I don't see a phone MAC in the logs.

On the switch debug, we see several EAPOL packets to client 60eb.699a.0e0f, which seems a Quanta computer based on the MAC vendor.

However, no EAPOL packets are seen from the client side. You did indicate seeing an EAPOL Start from the host PC in a sniffer trace.

-Are you sniffing on the client adapter itself or the switchport to which client is connected?

-If we have an IP phone in between, do you also see the EAPOL Start packet from the client when sniffing on the switchport?

Windows XP SP3 has some changes compared to earlier SP versions:

http://support.microsoft.com/kb/949984

The following output would help to further isolate the problem. You will need to ensure that we have time sync between the sniffer traces and the debug logs for correlation.

On switch, save logging output of:

debug radius

debug dot1x all

debug authentication all

debug authentication feature mab_pm all

debug authentication feature mda all

debug authentication feature voice all

Simultaneously, you can capture a sniffer trace by SPANning the switch port interface to which the phone/PC is connected. Please don't use any filters during the sniffer capture.

After the above steps, please do a shut/no shut on the tested port interface and replicate the problem with Win XP SP3.

Following the test, you can also obtain the output of "show auth sessions int

HTH,

Alex

Hi Alex,

A few answers to describe my setup, and then the reason why the 802.1x negotiation was failing...

-We have a voice VLAN defined for the port and a multi-domain config. During your tests, do you have the PC connected behind an IP phone?

[Ans] Yes, concerning the logs, only one PC was connected, no IP Phone.

-Which authentication method do you want to go for PC/IP phone?

[Ans] For the moment, MAB for the IP phone, 802.1x for the PC with PEAP (EAP-TLS)

-What's the IP phone model/vendor?

[Ans] Cisco, of course... Did you have a doubt about it?

On the switch debug, we see several EAPOL packets to client 60eb.699a.0e0f, which seems to be a Quanta computer based on the MAC vendor.

However, no EAPOL packets are seen from the client side. You did indicate seeing an EAPOL Start from the host PC in a sniffer trace.

-Are you sniffing on the client adapter itself or the switchport to which client is connected?

[Ans] On the client adapter.

-If we have an IP phone in between, do you also see the EAPOL Start packet from the client when sniffing on the switchport?

[Ans] Not tried.

For the solution, it seems I forgot to mention a point yesterday: the presence of a NetScreen Remote client on two PCs. And, as you can imagine, those two PCs were the only ones with the issue. I deactivated the Juniper client and the authentication started working... I'm not sure about the terms of the policy applied by this client; I will give further information as soon as I can.

Thanks Alex for your reply and your time.

Pierre-Louis
