1754 Views | 0 Helpful | 8 Replies

Wired 802.1x with PEAP

ongeti
Level 1

I have managed to get wired 802.1x working using Windows Active Directory as the database. With machine authentication, single sign-on can be achieved.

Setup:

C3750 switch - Cisco ACS 3.2 - Windows AD

Sequence of events:

1. 802.1x machine authentication

2. User logs in to domain

3. 802.1x with user credentials

But, I have the following issues:

i. If user logs in using local account, it takes 3 minutes (default dot1x switch timers) for the port to turn unauthorized. Is it possible to place the port in unauthorized state immediately?

ii. If the user 802.1x login has dynamic VLAN assignment, the AD scripts do not run. It seems that the AD scripts can't run if there is a change of IP address upon login (difference in VLAN for 'machine authentication' and 'user login').

Any solution for this?

Tks

8 Replies

jafrazie
Cisco Employee

Failing authentication, and timing out on authentication are 2 different things. Verify on the backend (ACS<-->AD) that the authentication attempt is actually failing. If it is, then a RADIUS-Reject should be sent, along with an obligatory EAPOL-Failure from the authenticator (switch) to the supplicant (PC). In this scenario, the switch can only do what ACS/AD are telling it to do.

As for VLAN Assignment, the only fix is to use a third-party supplicant. This configuration is not supported with a MSFT supplicant (by MSFT).

The actual problem here is that 802.1x traffic is not serialized with all other Windows traffic, so VLAN Assignment and IP re-assignment are not the cause, but are what make this issue stick out like a sore thumb.

Hope this helps.

Jason,

Is there a good howto or tutorial that I can get that shows what settings are required to have dynamic vlan functionality. I can get a domain user authenticated but I don't follow how the vlan setup / switching should be done. I want all users in vlan xxx if they fail to login to our domain and put them in vlan yyy if they can authenticate (I am using 802.1x PEAP and server side cert only). I am using ACS v3.3, W2k-AD, winXP supplicant, cat5000. Thx in adv.

tracey.marshall
Level 1

I have a configuration very similar to yours:

C2950 (IOS 12.1(22)EA2) - ACS 3.2 - Windows AD

The clients are running XP with PEAP (EAP-MSCHAPv2 authentication). In the EAP-MSCHAPv2 configuration window, I have deselected the option "automatically use my windows logon name and password". However, I only get prompted to login first time. It then appears that the username/password is cached and being sent automatically. I can delete a registry entry and then be prompted again for the password. I need the users to be prompted every time.

Please can you tell me if you have come across this problem and, if so, how you got round it.

Many thanks in advance,

Tracey

2 issues here:

* Cached credentials for Microsoft supplicants. Microsoft's authentication strategy in general reflects this, and WLAN roaming would be difficult without the use of cached credentials. If cached credentials are not desired, I would recommend another supplicant.

* Failed Authentication for a local account. It should try to dot1x authenticate this user. For PEAP as an example, you would see the username as \. Now, a port will only be placed into a HELD state if a RADIUS-Reject is sent to the switch. A RADIUS-Reject will only be sent to the switch if the attempt is actually "failed" as opposed to silently discarded, packet lost in transit, etc. Taking 3 minutes to actually fail an attempt is indeed way too long, but the switch is probably doing what RADIUS is telling it to do (this can be verified by a sniffer trace or debugs). Corresponding logs on RADIUS would help as well.
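The two replies above (the first one on failing versus timing out, and this one on the HELD state) both turn on the same point: a switch puts a port into HELD only when RADIUS actually answers with an Access-Reject, while a silent backend just burns through the dot1x timers. The small model below is an added illustration and is not code from the thread, from Cisco or from ACS; it assumes the timer values are the Cisco IOS dot1x defaults (tx-period 30 s, server-timeout 30 s, quiet-period 60 s, max-req 2), which you should confirm on your own switch with `show dot1x interface` before relying on the numbers.

```python
"""Toy model of an 802.1X authenticator's reaction to one RADIUS outcome.

Added illustration for the thread; not Cisco or ACS code.  The timer values
are assumed IOS dot1x defaults and must be checked on the real switch.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Dot1xTimers:
    """Assumed Cisco IOS dot1x defaults (verify with 'show dot1x interface')."""
    tx_period: int = 30        # EAP-Request/Identity retransmit interval (s)
    server_timeout: int = 30   # how long the switch waits for a RADIUS reply (s)
    quiet_period: int = 60     # how long a HELD port ignores the supplicant (s)
    max_req: int = 2           # retransmissions before the attempt is abandoned


@dataclass
class PortResult:
    state: str                 # "AUTHORIZED", "HELD" or "UNAUTHORIZED"
    elapsed: int               # seconds from the first RADIUS request to this state
    events: List[str] = field(default_factory=list)


def authenticator(radius_outcome: str, timers: Dot1xTimers = Dot1xTimers()) -> PortResult:
    """Model what the switch does with one authentication attempt.

    radius_outcome: "accept" - Access-Accept comes back from ACS
                    "reject" - Access-Reject comes back (a real failure)
                    "silent" - nothing comes back (dropped, lost, backend hung)
    """
    ev: List[str] = []
    if radius_outcome == "accept":
        ev += ["RADIUS Access-Accept", "EAPOL-Success to supplicant", "port AUTHORIZED"]
        return PortResult("AUTHORIZED", 0, ev)

    if radius_outcome == "reject":
        # Only an explicit reject produces EAPOL-Failure and the HELD state,
        # and it happens as soon as the reject arrives: no timer is involved.
        ev += ["RADIUS Access-Reject", "EAPOL-Failure to supplicant",
               f"port HELD for quiet-period {timers.quiet_period}s"]
        return PortResult("HELD", 0, ev)

    if radius_outcome == "silent":
        # No reply at all: the switch resends up to max_req more times, waiting
        # server_timeout each time, then abandons the attempt.  No reject was
        # ever received, so there is no EAPOL-Failure and no HELD state; the
        # port simply stays UNAUTHORIZED and a new Identity request follows.
        elapsed = 0
        for attempt in range(timers.max_req + 1):
            elapsed += timers.server_timeout
            ev.append(f"t={elapsed}s: no RADIUS reply to send #{attempt + 1}")
        ev += ["attempt abandoned: timeout, not a failure",
               f"port UNAUTHORIZED; next EAP-Request/Identity in {timers.tx_period}s"]
        return PortResult("UNAUTHORIZED", elapsed, ev)

    raise ValueError(f"unknown radius_outcome {radius_outcome!r}")


if __name__ == "__main__":
    for outcome in ("accept", "reject", "silent"):
        r = authenticator(outcome)
        print(f"{outcome:>7}: {r.state} after {r.elapsed}s")
        for e in r.events:
            print("         ", e)
```

Run it and compare the "reject" and "silent" rows: the reject path reaches HELD at t=0, while the silent path spends (max_req + 1) × server-timeout seconds doing nothing visible on the port. When a port takes minutes to go unauthorized, that is the pattern to look for in a sniffer trace or `debug dot1x`/`debug radius` output: if no Access-Reject ever appears, the delay is a timeout on the ACS/AD side, not the switch being slow to honour a failure.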

Thanks for your reply.

It sounds like it is not possible for me to turn off cached credentials on the current XP client configuration. You suggest using a supplicant other than Microsoft. Please can you let me know what may be an alternative?

Many thanks for your help.

Tracey

jafrazie
Cisco Employee

Any third party supplicant should allow you flexibility on how you'd like to enter credentials. Supplicants are avail from companies like Funk and Meetinghouse.

Thanks for the info. I will check out these products.

Tracey

We tried both, go for the meetinghouse client. It rulez!