I had configured everything for certificate authentication (EAP-TLS) in Windows 2003 AD with an enterprise CA. After joining a machine to the domain I receive a certificate for the computer, then set up XP SP3 to reauthenticate with a period of 120 sec (per Microsoft KB). I tried two different machines with XP to use EAP-TLS authentication, but without success.
I use "authentication open" on the switch, therefore the machines can communicate with the whole network. Nothing appears in Failed Attempts.csv or Passed Attempts.csv (of course).
Only the RDS.log shows some activity, ending with the following line, repeated:
NAS: 172.24.34.62:27910:25 Cleaning lookup entry.
If I change the authentication type to PEAP, which I had not configured on ACS, then a failed attempt is logged: EAP_PEAP Type not configured.
Is it necessary to apply http://support.microsoft.com/kb/957931 on Windows XP for machine authentication to succeed?
Please pay attention to the attachments and let me know what could be the problem with my unsuccessful use of EAP-TLS.
Configuration of the interface which I use for testing:
description Test 802.1X klient - Filip
switchport access vlan 34
switchport mode access
switchport voice vlan 31
authentication host-mode multi-domain
authentication port-control auto
authentication violation protect
dot1x pae authenticator
dot1x timeout tx-period 10
As I see it, my problem looks harder than I had expected.
How could I obtain service for this kind of problem? Is there any possibility to contact Cisco Support directly?
Just noticed your post...
In order to use EAP-TLS you should ensure that you have the complete certificate chain. I've noticed that EAP-TLS and Service Pack 3 have some compatibility issues, so please try authenticating with a Windows XP SP2 machine.
Microsoft has made some changes in SP3 for wired 802.1X:
Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3
In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
* The WZCSVC service
* The Wired AutoConfig service (DOT3SVC)
As we are using wired authentication, I would suggest you check whether the Wired AutoConfig service is running or not. You can check by going to: Manually start the Wired AutoConfig service.
If you are an end-user who has already installed Windows XP SP3, follow these steps:
1. Click Start, and then click Run.
2. In the Open box, type services.msc, and then press ENTER.
3. Locate the Wired AutoConfig service, right-click it, and then click
Since we are not getting any hits on the ACS for EAP-TLS, it clearly indicates that the supplicant is not sending the access-request...
CERTIFICATE REQUIREMENT IN EAP-TLS:
MICROSOFT XP CLIENT CONFIGURATION:
As far as PEAP is concerned, where we are getting EAP_TYPE not configured: here you need to enable PEAP-MSCHAPv2 on the ACS under System Configuration > Global Authentication Setup, and check both PEAP and EAP-TLS.
Also make sure that your logging is set to full: go to System Configuration > Service Control > check the radio button for FULL > click on Restart.
Also, let me know the full ACS version and platform.
Do rate helpful posts.
Thank you for the response. I checked everything in the configuration as you recommended.
I need to use only EAP-TLS; that is why EAP_TYPE not configured appears when I enable it on the Windows XP machine.
At this time I will try to use Windows XP SP2. I have had only SP3 until now.
I found what may be a critical error:
AUTH 27/10/2009 16:22:45 I 2849 5576 0x0 Start UDB_UPDATE_LOCALHOST, client 27 (127.0.0.1)
AUTH 27/10/2009 16:22:45 I 5591 5576 0x0 Done UDB_UPDATE_LOCALHOST, client 27, status UDB_HOST_DB_FAILURE
Could that be a reason why machine authentication does not work?
I use CiscoSecure ACS Release 4.2(0) Build 124 Patch 12 running on Windows 2008 Server, with the DC and CA on the same machine.
I tried switching to PEAP with MSCHAPv2 auth and it works fine; the machine was authenticated and a dynamic user was created.
I checked the certificates against the docs you provided.
When I switched to PEAP with EAP-TLS certificate authorisation, everything fell down to unauthorised.
I attach the auth.log file; please look at it, maybe you will see an error.
I think the problem is somewhere around
AUTH 29/10/2009 14:21:06 I 1165 3992 0x25 [AuthenProcessResponse]:[eapAuthenticate] returned -2046
AUTH 29/10/2009 14:21:06 I 1212 3992 0x25 EAP: <-- EAP Request/EAP-Type=PEAP (identifier=73, seq_id=10)
AUTH 29/10/2009 14:21:06 I 5591 3992 0x25 Done UDB_SEND_RESPONSE, client 50, status UDB_CHALLENGE_REQUIRED
Every time the authentication stops here (challenge required).
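To make the pattern in the auth.log excerpt above easier to spot in a longer capture, here is an added example (not code from this thread or from Cisco) that groups ACS auth.log records by session id and flags two things the thread turns on: a UDB_HOST_DB_FAILURE entry, and a session whose last status is still UDB_CHALLENGE_REQUIRED after several rounds, meaning the server keeps issuing EAP requests but nothing ever completes the exchange. The log lines in the block are constructed in the format quoted in the thread; the UDB_OK status on the finished session is a placeholder for whatever non-challenge status a completed conversation reports, not a real ACS token.

```python
"""Scan CiscoSecure ACS auth.log lines for EAP conversations that never advance
past "challenge required" and for UDB_HOST_DB_FAILURE entries.
Added example, not from the thread; SAMPLE_LOG is constructed."""
import json
import re
from collections import defaultdict

# One auth.log record: component, date, time, level, line id, thread id, session id, message
LINE_RE = re.compile(
    r"^(?P<comp>\w+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<level>[A-Z])\s+(?P<lineid>\d+)\s+(?P<thread>\d+)\s+"
    r"(?P<session>0x[0-9a-fA-F]+)\s+(?P<msg>.*)$"
)
STATUS_RE = re.compile(r"status\s+(\w+)")
EAP_RE = re.compile(
    r"EAP-Type=(?P<type>[\w-]+)\s*\(identifier=(?P<ident>\d+),\s*seq_id=(?P<seq>\d+)\)"
)

# Constructed sample modelled on the lines quoted in the thread. Session 0x25 loops
# at "challenge required"; session 0x26 finishes (UDB_OK is a placeholder status).
SAMPLE_LOG = """\
AUTH 27/10/2009 16:22:45 I 2849 5576 0x0 Start UDB_UPDATE_LOCALHOST, client 27 (127.0.0.1)
AUTH 27/10/2009 16:22:45 I 5591 5576 0x0 Done UDB_UPDATE_LOCALHOST, client 27, status UDB_HOST_DB_FAILURE
AUTH 29/10/2009 14:21:04 I 1212 3992 0x25 EAP: <-- EAP Request/EAP-Type=PEAP (identifier=71, seq_id=8)
AUTH 29/10/2009 14:21:04 I 5591 3992 0x25 Done UDB_SEND_RESPONSE, client 50, status UDB_CHALLENGE_REQUIRED
AUTH 29/10/2009 14:21:05 I 1212 3992 0x25 EAP: <-- EAP Request/EAP-Type=PEAP (identifier=72, seq_id=9)
AUTH 29/10/2009 14:21:05 I 5591 3992 0x25 Done UDB_SEND_RESPONSE, client 50, status UDB_CHALLENGE_REQUIRED
AUTH 29/10/2009 14:21:06 I 1165 3992 0x25 [AuthenProcessResponse]:[eapAuthenticate] returned -2046
AUTH 29/10/2009 14:21:06 I 1212 3992 0x25 EAP: <-- EAP Request/EAP-Type=PEAP (identifier=73, seq_id=10)
AUTH 29/10/2009 14:21:06 I 5591 3992 0x25 Done UDB_SEND_RESPONSE, client 50, status UDB_CHALLENGE_REQUIRED
AUTH 29/10/2009 14:25:10 I 1212 3992 0x26 EAP: <-- EAP Request/EAP-Type=PEAP (identifier=12, seq_id=1)
AUTH 29/10/2009 14:25:10 I 5591 3992 0x26 Done UDB_SEND_RESPONSE, client 51, status UDB_CHALLENGE_REQUIRED
AUTH 29/10/2009 14:25:11 I 5591 3992 0x26 Done UDB_SEND_RESPONSE, client 51, status UDB_OK
"""


def parse_line(line):
    """Return the record fields as a dict, or None for lines not in auth.log format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(text, stall_threshold=3):
    """Group records by session id; report stalled EAP sessions and host DB failures."""
    sessions = defaultdict(list)
    host_db_failures = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if "UDB_HOST_DB_FAILURE" in rec["msg"]:
            host_db_failures.append(f'{rec["date"]} {rec["time"]} {rec["msg"]}')
        sessions[rec["session"]].append(rec)

    stalled = {}
    for sid, recs in sessions.items():
        statuses = []
        eap_requests = []
        for r in recs:
            s = STATUS_RE.search(r["msg"])
            if s:
                statuses.append(s.group(1))
            e = EAP_RE.search(r["msg"])
            if e:
                eap_requests.append(e)
        if not statuses:
            continue
        challenges = statuses.count("UDB_CHALLENGE_REQUIRED")
        # Last known status still "challenge required" after several rounds: the
        # server kept sending EAP requests and the conversation never completed.
        if statuses[-1] == "UDB_CHALLENGE_REQUIRED" and challenges >= stall_threshold:
            last = eap_requests[-1] if eap_requests else None
            stalled[sid] = {
                "challenges": challenges,
                "eap_type": last.group("type") if last else None,
                "last_seq_id": int(last.group("seq")) if last else None,
                "first_seen": f'{recs[0]["date"]} {recs[0]["time"]}',
                "last_seen": f'{recs[-1]["date"]} {recs[-1]["time"]}',
            }
    return {"host_db_failures": host_db_failures, "stalled_sessions": stalled}


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

A session that loops at "challenge required" with the EAP seq_id climbing and no final status, as session 0x25 does here, says the ACS side is healthy but the supplicant's replies never arrive in a form that advances the exchange; that is consistent with the thread's eventual finding that the switch's MTU setting was the cause, and distinct from a policy error such as EAP_TYPE not configured, which shows up in Failed Attempts instead.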
Problem is resolved. PLEASE RATE THIS ITEM, AND MARK IT AS RESOLVED.
After many days of waiting for help and working on a solution.
Platform: Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(52)SE
The solution was setting the jumbo frame size smaller (it was 9000):
System MTU size is 1500 bytes
System Jumbo MTU size is 1518 bytes
Routing MTU size is 1500 bytes.