Core issue
In this issue, 802.1x authentication for Microsoft Windows XP PC fails with the CS User Unknown error in the Failed Attempt logs on Cisco Secure Access Control Server (ACS).
This issue usually occurs if the machine only sends Machine authentication requests and No User authentication requests.
Resolution
In order to resolve this issue, ensure that the client sends Machine authentication requests and User authentication requests persistently.
Make this registry fix on the Windows XP supplicant PC in order to resolve this issue:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"SupplicantMode"=dword:00000003 "AuthMode"=dword:00000001
This is information about registry changes:
SupplicantMode:
0 : Disable IEEE 802.1X authentication operation.
1 : Prevent transmission of EAPOL start and EAPOL log off packets under
all scenarios.
2 : Include learning to determine when to initiate the transmission of EAPOL packets. A Windows XP Service Pack 2 (SP2)-based computer will only send an EAPOL start frame if the
computer receives an EAP request identity frame and if no internal process is currently
ongoing.
3 : Compliant with IEEE 802.1X authentication specification.
AuthMode:
0 : Use the default Windows XP authentication
1 : Always perform user authentication when a user logs on
2 : Perform computer authentication only